LibCrypto: Refactor HMAC implementations with OpenSSL

Author: devgianlu

Libraries/LibCrypto/Authentication/HMAC.cpp

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2025, Altomani Gianluca <[email protected]>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibCrypto/Authentication/HMAC.h>
+
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+
+namespace Crypto::Authentication {
+
+HMAC::HMAC(Hash::HashKind hash_kind, ReadonlyBytes key)
+    : m_hash_kind(hash_kind)
+    , m_key(key)
+    , m_mac(EVP_MAC_fetch(nullptr, "HMAC", nullptr))
+{
+    reset();
+}
+
+HMAC::~HMAC()
+{
+    EVP_MAC_free(m_mac);
+    EVP_MAC_CTX_free(m_ctx);
+}
+
+size_t HMAC::digest_size() const
+{
+    return EVP_MAC_CTX_get_mac_size(m_ctx);
+}
+
+void HMAC::update(u8 const* message, size_t length)
+{
+    if (EVP_MAC_update(m_ctx, message, length) != 1) {
+        VERIFY_NOT_REACHED();
+    }
+}
+
+ByteBuffer HMAC::digest()
+{
+    auto buf = MUST(ByteBuffer::create_uninitialized(digest_size()));
+
+    auto size = digest_size();
+    if (EVP_MAC_final(m_ctx, buf.data(), &size, size) != 1) {
+        VERIFY_NOT_REACHED();
+    }
+
+    return MUST(buf.slice(0, size));
+}
+
+void HMAC::reset()
+{
+    EVP_MAC_CTX_free(m_ctx);
+    m_ctx = EVP_MAC_CTX_new(m_mac);
+
+    auto hash_name = MUST(hash_kind_to_openssl_digest_name(m_hash_kind));
+
+    OSSL_PARAM params[] = {
+        OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, const_cast<char*>(hash_name.characters_without_null_termination()), hash_name.length()),
+        OSSL_PARAM_END
+    };
+
+    if (EVP_MAC_init(m_ctx, m_key.data(), m_key.size(), params) != 1) {
+        VERIFY_NOT_REACHED();
+    }
+}
+
+}

Libraries/LibCrypto/Authentication/HMAC.h

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2020, Ali Mohammad Pur <[email protected]>
+ * Copyright (c) 2025, Altomani Gianluca <[email protected]>
  *
  * SPDX-License-Identifier: BSD-2-Clause
  */
@@ -8,110 +9,51 @@
 
 #include <AK/ByteBuffer.h>
 #include <AK/ByteString.h>
-#include <AK/StringBuilder.h>
-#include <AK/StringView.h>
-#include <AK/Types.h>
-#include <AK/Vector.h>
-
-constexpr static auto IPAD = 0x36;
-constexpr static auto OPAD = 0x5c;
+#include <LibCrypto/Hash/HashManager.h>
+#include <LibCrypto/OpenSSL.h>
+#include <LibCrypto/OpenSSLForward.h>
 
 namespace Crypto::Authentication {
 
-template<typename HashT>
 class HMAC {
 public:
-    using HashType = HashT;
-    using TagType = typename HashType::DigestType;
+    explicit HMAC(Hash::HashKind hash, ReadonlyBytes key);
+    ~HMAC();
 
-    size_t digest_size() const { return m_inner_hasher->digest_size(); }
+    size_t digest_size() const;
 
-    template<typename KeyBufferType, typename... Args>
-    HMAC(KeyBufferType key, Args... args)
-        : m_inner_hasher(move(HashT::create(args...)))
-        , m_outer_hasher(move(HashT::create(args...)))
-    {
-        derive_key(key);
-        reset();
-    }
+    void update(u8 const* message, size_t length);
+    void update(ReadonlyBytes span) { return update(span.data(), span.size()); }
+    void update(StringView string) { return update((u8 const*)string.characters_without_null_termination(), string.length()); }
 
-    TagType process(u8 const* message, size_t length)
+    ByteBuffer process(u8 const* message, size_t length)
     {
         reset();
         update(message, length);
         return digest();
     }
+    ByteBuffer process(ReadonlyBytes span) { return process(span.data(), span.size()); }
+    ByteBuffer process(StringView string) { return process((u8 const*)string.characters_without_null_termination(), string.length()); }
 
-    void update(u8 const* message, size_t length)
-    {
-        m_inner_hasher->update(message, length);
-    }
-
-    TagType process(ReadonlyBytes span) { return process(span.data(), span.size()); }
-    TagType process(StringView string) { return process((u8 const*)string.characters_without_null_termination(), string.length()); }
-
-    void update(ReadonlyBytes span) { return update(span.data(), span.size()); }
-    void update(StringView string) { return update((u8 const*)string.characters_without_null_termination(), string.length()); }
-
-    TagType digest()
-    {
-        m_outer_hasher->update(m_inner_hasher->digest().immutable_data(), m_inner_hasher->digest_size());
-        auto result = m_outer_hasher->digest();
-        reset();
-        return result;
-    }
+    ByteBuffer digest();
 
-    void reset()
-    {
-        m_inner_hasher->reset();
-        m_outer_hasher->reset();
-        m_inner_hasher->update(m_key_data, m_inner_hasher->block_size());
-        m_outer_hasher->update(m_key_data + m_inner_hasher->block_size(), m_outer_hasher->block_size());
-    }
+    void reset();
 
     ByteString class_name() const
     {
+        auto hash_name = MUST(hash_kind_to_openssl_digest_name(m_hash_kind));
+
         StringBuilder builder;
         builder.append("HMAC-"sv);
-        builder.append(m_inner_hasher->class_name());
+        builder.append(hash_name);
         return builder.to_byte_string();
     }
 
 private:
-    void derive_key(u8 const* key, size_t length)
-    {
-        auto block_size = m_inner_hasher->block_size();
-        // Note: The block size of all the current hash functions is 512 bits.
-        Vector<u8, 64> v_key;
-        v_key.resize(block_size);
-        auto key_buffer = v_key.span();
-        // m_key_data is zero'd, so copying the data in
-        // the first few bytes leaves the rest zero, which
-        // is exactly what we want (zero padding)
-        if (length > block_size) {
-            m_inner_hasher->update(key, length);
-            auto digest = m_inner_hasher->digest();
-            // FIXME: should we check if the hash function creates more data than its block size?
-            key_buffer.overwrite(0, digest.immutable_data(), m_inner_hasher->digest_size());
-        } else if (length > 0) {
-            key_buffer.overwrite(0, key, length);
-        }
-
-        // fill out the inner and outer padded keys
-        auto* i_key = m_key_data;
-        auto* o_key = m_key_data + block_size;
-        for (size_t i = 0; i < block_size; ++i) {
-            auto key_byte = key_buffer[i];
-            i_key[i] = key_byte ^ IPAD;
-            o_key[i] = key_byte ^ OPAD;
-        }
-    }
-
-    void derive_key(ReadonlyBytes key) { derive_key(key.data(), key.size()); }
-    void derive_key(StringView key) { derive_key(key.bytes()); }
-
-    NonnullOwnPtr<HashType> m_inner_hasher, m_outer_hasher;
-    u8 m_key_data[2048];
+    Hash::HashKind m_hash_kind;
+    ReadonlyBytes m_key;
+    EVP_MAC* m_mac { nullptr };
+    EVP_MAC_CTX* m_ctx { nullptr };
 };
 
 }

Libraries/LibCrypto/CMakeLists.txt

@@ -6,6 +6,7 @@ set(SOURCES
     ASN1/DER.cpp
     ASN1/PEM.cpp
     Authentication/GHash.cpp
+    Authentication/HMAC.cpp
     BigFraction/BigFraction.cpp
     BigInt/Algorithms/BitwiseOperations.cpp
     BigInt/Algorithms/Division.cpp

Libraries/LibCrypto/OpenSSL.cpp

@@ -47,6 +47,8 @@ ErrorOr<UnsignedBigInteger> openssl_bignum_to_unsigned_big_integer(OpenSSL_BN co
 ErrorOr<StringView> hash_kind_to_openssl_digest_name(Hash::HashKind hash)
 {
     switch (hash) {
+    case Hash::HashKind::MD5:
+        return "MD5"sv;
     case Hash::HashKind::SHA1:
         return "SHA1"sv;
     case Hash::HashKind::SHA256:

Libraries/LibCrypto/OpenSSLForward.h

@@ -15,6 +15,8 @@ typedef struct evp_pkey_st EVP_PKEY;
 typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
 typedef struct evp_kdf_st EVP_KDF;
 typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
+typedef struct evp_mac_st EVP_MAC;
+typedef struct evp_mac_ctx_st EVP_MAC_CTX;
 
 void ERR_print_errors_cb(int (*cb)(char const* str, size_t len, void* u), void* u);
 

Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp

@@ -7781,21 +7781,21 @@ WebIDL::ExceptionOr<GC::Ref<CryptoKey>> X448::import_key(
 
 static WebIDL::ExceptionOr<ByteBuffer> hmac_calculate_message_digest(JS::Realm& realm, GC::Ptr<KeyAlgorithm> hash, ReadonlyBytes key, ReadonlyBytes message)
 {
-    auto calculate_digest = [&]<typename T>() -> ByteBuffer {
-        ::Crypto::Authentication::HMAC<T> hmac(key);
-        auto digest = hmac.process(message);
-        return MUST(ByteBuffer::copy(digest.bytes()));
-    };
     auto hash_name = hash->name();
-    if (hash_name == "SHA-1")
-        return calculate_digest.operator()<::Crypto::Hash::SHA1>();
-    if (hash_name == "SHA-256")
-        return calculate_digest.operator()<::Crypto::Hash::SHA256>();
-    if (hash_name == "SHA-384")
-        return calculate_digest.operator()<::Crypto::Hash::SHA384>();
-    if (hash_name == "SHA-512")
-        return calculate_digest.operator()<::Crypto::Hash::SHA512>();
-    return WebIDL::NotSupportedError::create(realm, "Invalid algorithm"_string);
+    auto hash_kind = TRY([&] -> WebIDL::ExceptionOr<::Crypto::Hash::HashKind> {
+        if (hash_name == "SHA-1")
+            return ::Crypto::Hash::HashKind::SHA1;
+        if (hash_name == "SHA-256")
+            return ::Crypto::Hash::HashKind::SHA256;
+        if (hash_name == "SHA-384")
+            return ::Crypto::Hash::HashKind::SHA384;
+        if (hash_name == "SHA-512")
+            return ::Crypto::Hash::HashKind::SHA512;
+        return WebIDL::NotSupportedError::create(realm, MUST(String::formatted("Invalid hash function '{}'", hash_name)));
+    }());
+
+    ::Crypto::Authentication::HMAC hmac(hash_kind, key);
+    return hmac.process(message);
 }
 
 static WebIDL::ExceptionOr<WebIDL::UnsignedLong> hmac_hash_block_size(JS::Realm& realm, HashAlgorithmIdentifier hash)