const char* (*get_provider_name)(void *ctx);
int (*add_random)(void *ctx, void *buffer, int length);
int (*random)(void *ctx, void *buffer, int length);
- int (*hmac)(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out);
+ int (*hmac)(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out, int out_sz);
int (*kdf)(void *ctx, int algorithm, const unsigned char *pass, int pass_sz, unsigned char* salt, int salt_sz, int workfactor, int key_sz, unsigned char *key);
int (*cipher)(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out);
const char* (*get_cipher)(void *ctx);
p[3] = (u8)(v>>24);
}
-static int sqlcipher_page_hmac(codec_ctx *ctx, cipher_ctx *c_ctx, Pgno pgno, unsigned char *in, int in_sz, unsigned char *out) {
+static int sqlcipher_page_hmac(codec_ctx *ctx, cipher_ctx *c_ctx, Pgno pgno, unsigned char *in, int in_sz, unsigned char *out, int out_sz) {
unsigned char pgno_raw[sizeof(pgno)];
/* we may convert page number to consistent representation before calculating MAC for
compatibility across big-endian and little-endian platforms.
ctx->provider_ctx, ctx->hmac_algorithm, c_ctx->hmac_key,
ctx->key_sz, in,
in_sz, (unsigned char*) &pgno_raw,
- sizeof(pgno), out);
+ sizeof(pgno), out, out_sz);
}
/*
}
if((ctx->flags & CIPHER_FLAG_HMAC) && (mode == CIPHER_DECRYPT) && !ctx->skip_read_hmac) {
- if(sqlcipher_page_hmac(ctx, c_ctx, pgno, in, size + ctx->iv_sz, hmac_out) != SQLITE_OK) {
+ if(sqlcipher_page_hmac(ctx, c_ctx, pgno, in, size + ctx->iv_sz, hmac_out, ctx->hmac_sz) != SQLITE_OK) {
CODEC_TRACE("codec_cipher: hmac operation on decrypt failed for pgno=%d\n", pgno);
goto error;
}
};
if((ctx->flags & CIPHER_FLAG_HMAC) && (mode == CIPHER_ENCRYPT)) {
- if(sqlcipher_page_hmac(ctx, c_ctx, pgno, out_start, size + ctx->iv_sz, hmac_out) != SQLITE_OK) {
+ if(sqlcipher_page_hmac(ctx, c_ctx, pgno, out_start, size + ctx->iv_sz, hmac_out, ctx->hmac_sz) != SQLITE_OK) {
CODEC_TRACE("codec_cipher: hmac operation on encrypt failed for pgno=%d\n", pgno);
goto error;
};
result = sqlite3_mprintf("error reading %d bytes from file page %d at offset %d\n", read_sz, page, offset);
sqlite3VdbeAddOp4(v, OP_String8, 0, 1, 0, result, P4_DYNAMIC);
sqlite3VdbeAddOp2(v, OP_ResultRow, 1, 1);
- } else if(sqlcipher_page_hmac(ctx, ctx->read_ctx, page, ctx->buffer, payload_sz, hmac_out) != SQLITE_OK) {
+ } else if(sqlcipher_page_hmac(ctx, ctx->read_ctx, page, ctx->buffer, payload_sz, hmac_out, ctx->hmac_sz) != SQLITE_OK) {
result = sqlite3_mprintf("HMAC operation failed for page %d", page);
sqlite3VdbeAddOp4(v, OP_String8, 0, 1, 0, result, P4_DYNAMIC);
sqlite3VdbeAddOp2(v, OP_ResultRow, 1, 1);
#include <openssl/objects.h>
#include <openssl/hmac.h>
#include <openssl/err.h>
+#include <openssl/core_names.h>
static unsigned int openssl_init_count = 0;
return (rc == 1) ? SQLITE_OK : SQLITE_ERROR;
}
-static int sqlcipher_openssl_hmac(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out) {
- unsigned int outlen;
+static int sqlcipher_openssl_hmac(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out, int out_sz) {
+ size_t outlen;
int rc = SQLITE_OK;
- HMAC_CTX* hctx = NULL;
+ EVP_MAC_CTX* hctx = NULL;
+ EVP_MAC* mac = NULL;
+ OSSL_PARAM params[2];
+ char* digest_name = NULL;
if(in == NULL) goto error;
- hctx = HMAC_CTX_new();
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ if (mac == NULL) goto error;
+
+ hctx = EVP_MAC_CTX_new(mac);
if(hctx == NULL) goto error;
switch(algorithm) {
case SQLCIPHER_HMAC_SHA1:
- if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL)) goto error;
+ digest_name = "SHA1";
break;
case SQLCIPHER_HMAC_SHA256:
- if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha256(), NULL)) goto error;
+ digest_name = "SHA2-256";
break;
case SQLCIPHER_HMAC_SHA512:
- if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha512(), NULL)) goto error;
+ digest_name = "SHA2-512";
break;
default:
goto error;
}
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, digest_name, sizeof(digest_name));
+ params[1] = OSSL_PARAM_construct_end();
+
+ if(!EVP_MAC_init(hctx, hmac_key, key_sz, params)) goto error;
- if(!HMAC_Update(hctx, in, in_sz)) goto error;
+ if(!EVP_MAC_update(hctx, in, in_sz)) goto error;
if(in2 != NULL) {
- if(!HMAC_Update(hctx, in2, in2_sz)) goto error;
+ if(!EVP_MAC_update(hctx, in2, in2_sz)) goto error;
}
- if(!HMAC_Final(hctx, out, &outlen)) goto error;
+ if(!EVP_MAC_final(hctx, out, &outlen, out_sz)) goto error;
goto cleanup;
error:
rc = SQLITE_ERROR;
cleanup:
- if(hctx) HMAC_CTX_free(hctx);
+ if(hctx) EVP_MAC_CTX_free(hctx);
+ EVP_MAC_free(mac);
return rc;
}