Assert ambiguity about HMAC key length

This commit is contained in:
Davide De Rosa 2018-09-10 20:28:31 +02:00
parent d53e7add10
commit a3fe740ad9
1 changed files with 7 additions and 2 deletions

View File

@ -52,6 +52,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
@property (nonatomic, unsafe_unretained) const EVP_MD *digest; @property (nonatomic, unsafe_unretained) const EVP_MD *digest;
@property (nonatomic, assign) int cipherKeyLength; @property (nonatomic, assign) int cipherKeyLength;
@property (nonatomic, assign) int cipherIVLength; @property (nonatomic, assign) int cipherIVLength;
@property (nonatomic, assign) int hmacKeyLength;
@property (nonatomic, assign) int digestLength; @property (nonatomic, assign) int digestLength;
@property (nonatomic, assign) int overheadLength; @property (nonatomic, assign) int overheadLength;
@ -83,6 +84,8 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher); self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher);
self.cipherIVLength = EVP_CIPHER_iv_length(self.cipher); self.cipherIVLength = EVP_CIPHER_iv_length(self.cipher);
} }
// as seen in OpenVPN's crypto_openssl.c:md_kt_size()
self.hmacKeyLength = EVP_MD_size(self.digest);
self.digestLength = EVP_MD_size(self.digest); self.digestLength = EVP_MD_size(self.digest);
self.overheadLength = self.cipherIVLength + self.digestLength; self.overheadLength = self.cipherIVLength + self.digestLength;
@ -122,6 +125,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
- (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey - (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey
{ {
NSParameterAssert(hmacKey); NSParameterAssert(hmacKey);
NSParameterAssert(hmacKey.count >= self.hmacKeyLength);
if (self.cipher) { if (self.cipher) {
NSParameterAssert(cipherKey.count >= self.cipherKeyLength); NSParameterAssert(cipherKey.count >= self.cipherKeyLength);
@ -131,7 +135,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
} }
HMAC_CTX_reset(self.hmacCtxEnc); HMAC_CTX_reset(self.hmacCtxEnc);
HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.digestLength, self.digest, NULL); HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.hmacKeyLength, self.digest, NULL);
} }
- (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error - (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error
@ -197,6 +201,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
- (void)configureDecryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey - (void)configureDecryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey
{ {
NSParameterAssert(hmacKey); NSParameterAssert(hmacKey);
NSParameterAssert(hmacKey.count >= self.hmacKeyLength);
if (self.cipher) { if (self.cipher) {
NSParameterAssert(cipherKey.count >= self.cipherKeyLength); NSParameterAssert(cipherKey.count >= self.cipherKeyLength);
@ -206,7 +211,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
} }
HMAC_CTX_reset(self.hmacCtxDec); HMAC_CTX_reset(self.hmacCtxDec);
HMAC_Init_ex(self.hmacCtxDec, hmacKey.bytes, self.digestLength, self.digest, NULL); HMAC_Init_ex(self.hmacCtxDec, hmacKey.bytes, self.hmacKeyLength, self.digest, NULL);
} }
- (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error - (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error