HMAC breaking due to dangling OSSL_PARAM (#405)
This commit is contained in:
parent
faa3c94391
commit
3bafce9a8e
|
@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
|
||||
### Fixed
|
||||
|
||||
- OpenVPN: HMAC breaking due to dangling OSSL_PARAM. [#405](https://github.com/passepartoutvpn/tunnelkit/pull/405)
|
||||
- OpenVPN: Bad error mapping. [#404](https://github.com/passepartoutvpn/tunnelkit/pull/404)
|
||||
- OpenVPN: Restore default security level. [#406](https://github.com/passepartoutvpn/tunnelkit/pull/406)
|
||||
|
||||
|
|
|
@ -50,6 +50,8 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
|
|||
|
||||
@property (nonatomic, unsafe_unretained) const EVP_CIPHER *cipher;
|
||||
@property (nonatomic, unsafe_unretained) const EVP_MD *digest;
|
||||
@property (nonatomic, unsafe_unretained) const char *utfCipherName;
|
||||
@property (nonatomic, unsafe_unretained) const char *utfDigestName;
|
||||
@property (nonatomic, assign) int cipherKeyLength;
|
||||
@property (nonatomic, assign) int cipherIVLength;
|
||||
@property (nonatomic, assign) int hmacKeyLength;
|
||||
|
@ -75,10 +77,14 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
|
|||
self = [super init];
|
||||
if (self) {
|
||||
if (cipherName) {
|
||||
self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]);
|
||||
self.utfCipherName = calloc([cipherName length] + 1, sizeof(char));
|
||||
strncpy(self.utfCipherName, [cipherName UTF8String], [cipherName length]);
|
||||
self.cipher = EVP_get_cipherbyname(self.utfCipherName);
|
||||
NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName);
|
||||
}
|
||||
self.digest = EVP_get_digestbyname([digestName cStringUsingEncoding:NSASCIIStringEncoding]);
|
||||
self.utfDigestName = calloc([digestName length] + 1, sizeof(char));
|
||||
strncpy(self.utfDigestName, [digestName UTF8String], [digestName length]);
|
||||
self.digest = EVP_get_digestbyname(self.utfDigestName);
|
||||
NSAssert(self.digest, @"Unknown digest '%@'", digestName);
|
||||
|
||||
if (cipherName) {
|
||||
|
@ -96,7 +102,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
|
|||
|
||||
self.mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
|
||||
OSSL_PARAM *macParams = calloc(2, sizeof(OSSL_PARAM));
|
||||
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)[digestName cStringUsingEncoding:NSASCIIStringEncoding], 0);
|
||||
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", self.utfDigestName, 0);
|
||||
macParams[1] = OSSL_PARAM_construct_end();
|
||||
self.macParams = macParams;
|
||||
|
||||
|
@ -116,6 +122,11 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
|
|||
bzero(self.bufferDecHMAC, CryptoCBCMaxHMACLength);
|
||||
free(self.bufferDecHMAC);
|
||||
|
||||
if (self.utfCipherName) {
|
||||
free(self.utfCipherName);
|
||||
}
|
||||
free(self.utfDigestName);
|
||||
|
||||
self.cipher = NULL;
|
||||
self.digest = NULL;
|
||||
}
|
||||
|
@ -175,7 +186,6 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
|
|||
memcpy(outEncrypted, bytes, length);
|
||||
l1 = (int)length;
|
||||
}
|
||||
|
||||
EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(self.mac);
|
||||
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_init(ctx, self.hmacKeyEnc.bytes, self.hmacKeyEnc.count, self.macParams);
|
||||
TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_MAC_update(ctx, outIV, l1 + l2 + self.cipherIVLength);
|
||||
|
|
|
@ -38,6 +38,8 @@ static const NSInteger CryptoCTRTagLength = 32;
|
|||
|
||||
@property (nonatomic, unsafe_unretained) const EVP_CIPHER *cipher;
|
||||
@property (nonatomic, unsafe_unretained) const EVP_MD *digest;
|
||||
@property (nonatomic, unsafe_unretained) const char *utfCipherName;
|
||||
@property (nonatomic, unsafe_unretained) const char *utfDigestName;
|
||||
@property (nonatomic, assign) int cipherKeyLength;
|
||||
@property (nonatomic, assign) int cipherIVLength;
|
||||
@property (nonatomic, assign) int hmacKeyLength;
|
||||
|
@ -61,9 +63,14 @@ static const NSInteger CryptoCTRTagLength = 32;
|
|||
|
||||
self = [super init];
|
||||
if (self) {
|
||||
self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]);
|
||||
self.utfCipherName = calloc([cipherName length] + 1, sizeof(char));
|
||||
strncpy(self.utfCipherName, [cipherName UTF8String], [cipherName length]);
|
||||
self.cipher = EVP_get_cipherbyname(self.utfCipherName);
|
||||
NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName);
|
||||
self.digest = EVP_get_digestbyname([digestName cStringUsingEncoding:NSASCIIStringEncoding]);
|
||||
|
||||
self.utfDigestName = calloc([digestName length] + 1, sizeof(char));
|
||||
strncpy(self.utfDigestName, [digestName UTF8String], [digestName length]);
|
||||
self.digest = EVP_get_digestbyname(self.utfDigestName);
|
||||
NSAssert(self.digest, @"Unknown digest '%@'", digestName);
|
||||
|
||||
self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher);
|
||||
|
@ -77,7 +84,7 @@ static const NSInteger CryptoCTRTagLength = 32;
|
|||
|
||||
self.mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
|
||||
OSSL_PARAM *macParams = calloc(2, sizeof(OSSL_PARAM));
|
||||
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)[digestName cStringUsingEncoding:NSASCIIStringEncoding], 0);
|
||||
macParams[0] = OSSL_PARAM_construct_utf8_string("digest", self.utfDigestName, 0);
|
||||
macParams[1] = OSSL_PARAM_construct_end();
|
||||
self.macParams = macParams;
|
||||
|
||||
|
@ -95,6 +102,9 @@ static const NSInteger CryptoCTRTagLength = 32;
|
|||
bzero(self.bufferDecHMAC, CryptoCTRTagLength);
|
||||
free(self.bufferDecHMAC);
|
||||
|
||||
free(self.utfCipherName);
|
||||
free(self.utfDigestName);
|
||||
|
||||
self.cipher = NULL;
|
||||
self.digest = NULL;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue