-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for CMAC #806
base: master
Are you sure you want to change the base?
Add support for CMAC #806
Conversation
The functions are available in each supported version of OpenSSL and LibreSSL, though deprecated in OpenSSL 3.0.
The functions are suggested in OpenSSL 3.0, though available only in that version.
The function was removed in LibreSSL 3.9.
Thanks for working on this! I wonder if we can get away with just implementing it with Having said that, I wonder if we want to further make the Perhaps we can implement an algorithm-agnostic What do you think? |
VALUE cCMAC; | ||
VALUE eCMACError; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These can be static
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I thought they could be, but I wasn't sure.
|
||
/* | ||
* call-seq: | ||
* CMAC.new(key, cipher = "AES-128-CBC") -> new_cmac |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO we should make cipher
a mandatory parameter without a default value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read your comment on #796, and now I agree we should.
That will be the best solution if we can stop supporting EOL versions of OpenSSL and all versions of LibreSSL, at least about new features. We are also supporting LibreSSL, and I think it has never had I thought about almost the same approach when I started working on this issue, but I didn't know if we could soon stop supporting live versions or add features that wouldn't work in some environments. That is why I made that hybrid code. I will try to implement In that case, we should add those subclasses under |
We also have a choice to define When the version number it will be implemented is unknown, we can check it at compile time in
That sounds reasonable to me. We can't break |
Implements #802 by adding the
OpenSSL::CMAC
class.The class has a similar set of methods to
OpenSSL::HMAC
except thatmac
s and that#reset
.The class uses different sets of OpenSSL functions depending on the version that the class is compiled against.