diff options
author | Andrew Scull <ascull@google.com> | 2023-05-15 20:56:54 +0000 |
---|---|---|
committer | Andrew Scull <ascull@google.com> | 2023-05-16 22:14:53 +0000 |
commit | b8528dcdde1cf0b7d51405444472c47d3764d1be (patch) | |
tree | f48dec66859df8a5581c5201a8aa7e28aa9e8626 | |
parent | 787faf931078d864b3cdfff03bfc3147db800f99 (diff) | |
download | openssl-b8528dcdde1cf0b7d51405444472c47d3764d1be.tar.gz |
Add boringssl hkdf derivation
Expose the pkey derivation API that is compatible with openssl and
allows for portable code.
This change has been merged to the upstream crate but is not yet part of
a release.
Test: TH
Change-Id: I5ada3911a84baeda213e1e14df8c5fdffc5c5dff
-rw-r--r-- | patches/0007-pkey_ctx-hkdf.patch | 89 | ||||
-rw-r--r-- | src/pkey.rs | 2 | ||||
-rw-r--r-- | src/pkey_ctx.rs | 21 |
3 files changed, 105 insertions, 7 deletions
diff --git a/patches/0007-pkey_ctx-hkdf.patch b/patches/0007-pkey_ctx-hkdf.patch new file mode 100644 index 0000000..6655f0c --- /dev/null +++ b/patches/0007-pkey_ctx-hkdf.patch @@ -0,0 +1,89 @@ +diff --git a/src/pkey.rs b/src/pkey.rs +index ebab5fb..21ba711 100644 +--- a/src/pkey.rs ++++ b/src/pkey.rs +@@ -86,7 +86,7 @@ impl Id { + pub const DH: Id = Id(ffi::EVP_PKEY_DH); + pub const EC: Id = Id(ffi::EVP_PKEY_EC); + +- #[cfg(ossl110)] ++ #[cfg(any(boringssl, ossl110))] + pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); + + #[cfg(any(boringssl, ossl111))] +diff --git a/src/pkey_ctx.rs b/src/pkey_ctx.rs +index f79372f..3d4203f 100644 +--- a/src/pkey_ctx.rs ++++ b/src/pkey_ctx.rs +@@ -470,7 +470,7 @@ impl<T> PkeyCtxRef<T> { + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] +- #[cfg(ossl110)] ++ #[cfg(any(ossl110, boringssl))] + #[inline] + pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { + unsafe { +@@ -503,10 +503,13 @@ impl<T> PkeyCtxRef<T> { + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] +- #[cfg(ossl110)] ++ #[cfg(any(ossl110, boringssl))] + #[inline] + pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { ++ #[cfg(not(boringssl))] + let len = c_int::try_from(key.len()).unwrap(); ++ #[cfg(boringssl)] ++ let len = key.len(); + + unsafe { + cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( +@@ -523,10 +526,13 @@ impl<T> PkeyCtxRef<T> { + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] +- #[cfg(ossl110)] ++ #[cfg(any(ossl110, boringssl))] + #[inline] + pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { ++ #[cfg(not(boringssl))] + let len = c_int::try_from(salt.len()).unwrap(); ++ #[cfg(boringssl)] ++ let len = salt.len(); + + unsafe { + cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( +@@ -543,10 +549,13 @@ impl<T> PkeyCtxRef<T> { + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] +- #[cfg(ossl110)] ++ #[cfg(any(ossl110, boringssl))] + #[inline] + pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { ++ #[cfg(not(boringssl))] + let len = c_int::try_from(info.len()).unwrap(); ++ #[cfg(boringssl)] ++ let len = info.len(); + + unsafe { + cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( +@@ -604,7 +613,7 @@ mod test { + #[cfg(not(boringssl))] + use crate::cipher::Cipher; + use crate::ec::{EcGroup, EcKey}; +- #[cfg(any(ossl102, libressl310))] ++ #[cfg(any(ossl102, libressl310, boringssl))] + use crate::md::Md; + use crate::nid::Nid; + use crate::pkey::PKey; +@@ -689,7 +698,7 @@ mod test { + } + + #[test] +- #[cfg(ossl110)] ++ #[cfg(any(ossl110, boringssl))] + fn hkdf() { + let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); + ctx.derive_init().unwrap(); diff --git a/src/pkey.rs b/src/pkey.rs index ebab5fb..21ba711 100644 --- a/src/pkey.rs +++ b/src/pkey.rs @@ -86,7 +86,7 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - #[cfg(ossl110)] + #[cfg(any(boringssl, ossl110))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(boringssl, ossl111))] diff --git a/src/pkey_ctx.rs b/src/pkey_ctx.rs index f79372f..3d4203f 100644 --- a/src/pkey_ctx.rs +++ b/src/pkey_ctx.rs @@ -470,7 +470,7 @@ impl<T> PkeyCtxRef<T> { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -503,10 +503,13 @@ impl<T> PkeyCtxRef<T> { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(key.len()).unwrap(); + #[cfg(boringssl)] + let len = key.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( @@ -523,10 +526,13 @@ impl<T> PkeyCtxRef<T> { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(salt.len()).unwrap(); + #[cfg(boringssl)] + let len = salt.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( @@ -543,10 +549,13 @@ impl<T> PkeyCtxRef<T> { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(info.len()).unwrap(); + #[cfg(boringssl)] + let len = info.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( @@ -604,7 +613,7 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; @@ -689,7 +698,7 @@ mod test { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); |