hmacsha.c revision 290001
1/* 2 * Copyright (C) 2005-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") 3 * 4 * Permission to use, copy, modify, and/or distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 14 * PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17/* $Id$ */ 18 19/* 20 * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 21 * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and 22 * draft-ietf-dnsext-tsig-sha-01.txt. 23 */ 24 25#include "config.h" 26 27#include <isc/assertions.h> 28#include <isc/hmacsha.h> 29#include <isc/platform.h> 30#include <isc/sha1.h> 31#include <isc/sha2.h> 32#include <isc/string.h> 33#include <isc/types.h> 34#include <isc/util.h> 35 36#ifdef ISC_PLATFORM_OPENSSLHASH 37 38void 39isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, 40 unsigned int len) 41{ 42 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1()); 43} 44 45void 46isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { 47 HMAC_CTX_cleanup(ctx); 48} 49 50void 51isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, 52 unsigned int len) 53{ 54 HMAC_Update(ctx, buf, (int) len); 55} 56 57void 58isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { 59 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; 60 61 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); 62 63 HMAC_Final(ctx, newdigest, NULL); 64 HMAC_CTX_cleanup(ctx); 65 memcpy(digest, newdigest, len); 66 memset(newdigest, 0, sizeof(newdigest)); 67} 68 69void 70isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, 71 unsigned int len) 72{ 73 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224()); 74} 75 76void 77isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { 78 HMAC_CTX_cleanup(ctx); 79} 80 81void 82isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, 83 unsigned int len) 84{ 85 HMAC_Update(ctx, buf, (int) len); 86} 87 88void 89isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { 90 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH]; 91 92 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); 93 94 HMAC_Final(ctx, newdigest, NULL); 95 HMAC_CTX_cleanup(ctx); 96 memcpy(digest, newdigest, len); 97 memset(newdigest, 0, sizeof(newdigest)); 98} 99 100void 101isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, 102 unsigned int len) 103{ 104 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256()); 105} 106 107void 108isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { 109 HMAC_CTX_cleanup(ctx); 110} 111 112void 113isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, 114 unsigned int len) 115{ 116 HMAC_Update(ctx, buf, (int) len); 117} 118 119void 120isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { 121 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH]; 122 123 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); 124 125 HMAC_Final(ctx, newdigest, NULL); 126 HMAC_CTX_cleanup(ctx); 127 memcpy(digest, newdigest, len); 128 memset(newdigest, 0, sizeof(newdigest)); 129} 130 131void 132isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, 133 unsigned int len) 134{ 135 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384()); 136} 137 138void 139isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { 140 HMAC_CTX_cleanup(ctx); 141} 142 143void 144isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, 145 unsigned int len) 146{ 147 HMAC_Update(ctx, buf, (int) len); 148} 149 150void 151isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { 152 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; 153 154 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); 155 156 HMAC_Final(ctx, newdigest, NULL); 157 HMAC_CTX_cleanup(ctx); 158 memcpy(digest, newdigest, len); 159 memset(newdigest, 0, sizeof(newdigest)); 160} 161 162void 163isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, 164 unsigned int len) 165{ 166 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512()); 167} 168 169void 170isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { 171 HMAC_CTX_cleanup(ctx); 172} 173 174void 175isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, 176 unsigned int len) 177{ 178 HMAC_Update(ctx, buf, (int) len); 179} 180 181void 182isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { 183 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH]; 184 185 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); 186 187 HMAC_Final(ctx, newdigest, NULL); 188 HMAC_CTX_cleanup(ctx); 189 memcpy(digest, newdigest, len); 190 memset(newdigest, 0, sizeof(newdigest)); 191} 192 193#else 194 195#define IPAD 0x36 196#define OPAD 0x5C 197 198/* 199 * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key. 200 */ 201void 202isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, 203 unsigned int len) 204{ 205 unsigned char ipad[ISC_SHA1_BLOCK_LENGTH]; 206 unsigned int i; 207 208 memset(ctx->key, 0, sizeof(ctx->key)); 209 if (len > sizeof(ctx->key)) { 210 isc_sha1_t sha1ctx; 211 isc_sha1_init(&sha1ctx); 212 isc_sha1_update(&sha1ctx, key, len); 213 isc_sha1_final(&sha1ctx, ctx->key); 214 } else 215 memcpy(ctx->key, key, len); 216 217 isc_sha1_init(&ctx->sha1ctx); 218 memset(ipad, IPAD, sizeof(ipad)); 219 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) 220 ipad[i] ^= ctx->key[i]; 221 isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad)); 222} 223 224void 225isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { 226 isc_sha1_invalidate(&ctx->sha1ctx); 227 memset(ctx, 0, sizeof(*ctx)); 228} 229 230/* 231 * Update context to reflect the concatenation of another buffer full 232 * of bytes. 233 */ 234void 235isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, 236 unsigned int len) 237{ 238 isc_sha1_update(&ctx->sha1ctx, buf, len); 239} 240 241/* 242 * Compute signature - finalize SHA1 operation and reapply SHA1. 243 */ 244void 245isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { 246 unsigned char opad[ISC_SHA1_BLOCK_LENGTH]; 247 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; 248 unsigned int i; 249 250 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); 251 isc_sha1_final(&ctx->sha1ctx, newdigest); 252 253 memset(opad, OPAD, sizeof(opad)); 254 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) 255 opad[i] ^= ctx->key[i]; 256 257 isc_sha1_init(&ctx->sha1ctx); 258 isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad)); 259 isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH); 260 isc_sha1_final(&ctx->sha1ctx, newdigest); 261 isc_hmacsha1_invalidate(ctx); 262 memcpy(digest, newdigest, len); 263 memset(newdigest, 0, sizeof(newdigest)); 264} 265 266/* 267 * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key. 268 */ 269void 270isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, 271 unsigned int len) 272{ 273 unsigned char ipad[ISC_SHA224_BLOCK_LENGTH]; 274 unsigned int i; 275 276 memset(ctx->key, 0, sizeof(ctx->key)); 277 if (len > sizeof(ctx->key)) { 278 isc_sha224_t sha224ctx; 279 isc_sha224_init(&sha224ctx); 280 isc_sha224_update(&sha224ctx, key, len); 281 isc_sha224_final(ctx->key, &sha224ctx); 282 } else 283 memcpy(ctx->key, key, len); 284 285 isc_sha224_init(&ctx->sha224ctx); 286 memset(ipad, IPAD, sizeof(ipad)); 287 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) 288 ipad[i] ^= ctx->key[i]; 289 isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad)); 290} 291 292void 293isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { 294 memset(ctx, 0, sizeof(*ctx)); 295} 296 297/* 298 * Update context to reflect the concatenation of another buffer full 299 * of bytes. 300 */ 301void 302isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, 303 unsigned int len) 304{ 305 isc_sha224_update(&ctx->sha224ctx, buf, len); 306} 307 308/* 309 * Compute signature - finalize SHA224 operation and reapply SHA224. 310 */ 311void 312isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { 313 unsigned char opad[ISC_SHA224_BLOCK_LENGTH]; 314 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH]; 315 unsigned int i; 316 317 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); 318 isc_sha224_final(newdigest, &ctx->sha224ctx); 319 320 memset(opad, OPAD, sizeof(opad)); 321 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) 322 opad[i] ^= ctx->key[i]; 323 324 isc_sha224_init(&ctx->sha224ctx); 325 isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad)); 326 isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH); 327 isc_sha224_final(newdigest, &ctx->sha224ctx); 328 memcpy(digest, newdigest, len); 329 memset(newdigest, 0, sizeof(newdigest)); 330} 331 332/* 333 * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key. 334 */ 335void 336isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, 337 unsigned int len) 338{ 339 unsigned char ipad[ISC_SHA256_BLOCK_LENGTH]; 340 unsigned int i; 341 342 memset(ctx->key, 0, sizeof(ctx->key)); 343 if (len > sizeof(ctx->key)) { 344 isc_sha256_t sha256ctx; 345 isc_sha256_init(&sha256ctx); 346 isc_sha256_update(&sha256ctx, key, len); 347 isc_sha256_final(ctx->key, &sha256ctx); 348 } else 349 memcpy(ctx->key, key, len); 350 351 isc_sha256_init(&ctx->sha256ctx); 352 memset(ipad, IPAD, sizeof(ipad)); 353 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) 354 ipad[i] ^= ctx->key[i]; 355 isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad)); 356} 357 358void 359isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { 360 memset(ctx, 0, sizeof(*ctx)); 361} 362 363/* 364 * Update context to reflect the concatenation of another buffer full 365 * of bytes. 366 */ 367void 368isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, 369 unsigned int len) 370{ 371 isc_sha256_update(&ctx->sha256ctx, buf, len); 372} 373 374/* 375 * Compute signature - finalize SHA256 operation and reapply SHA256. 376 */ 377void 378isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { 379 unsigned char opad[ISC_SHA256_BLOCK_LENGTH]; 380 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH]; 381 unsigned int i; 382 383 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); 384 isc_sha256_final(newdigest, &ctx->sha256ctx); 385 386 memset(opad, OPAD, sizeof(opad)); 387 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) 388 opad[i] ^= ctx->key[i]; 389 390 isc_sha256_init(&ctx->sha256ctx); 391 isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad)); 392 isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH); 393 isc_sha256_final(newdigest, &ctx->sha256ctx); 394 memcpy(digest, newdigest, len); 395 memset(newdigest, 0, sizeof(newdigest)); 396} 397 398/* 399 * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key. 400 */ 401void 402isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, 403 unsigned int len) 404{ 405 unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; 406 unsigned int i; 407 408 memset(ctx->key, 0, sizeof(ctx->key)); 409 if (len > sizeof(ctx->key)) { 410 isc_sha384_t sha384ctx; 411 isc_sha384_init(&sha384ctx); 412 isc_sha384_update(&sha384ctx, key, len); 413 isc_sha384_final(ctx->key, &sha384ctx); 414 } else 415 memcpy(ctx->key, key, len); 416 417 isc_sha384_init(&ctx->sha384ctx); 418 memset(ipad, IPAD, sizeof(ipad)); 419 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) 420 ipad[i] ^= ctx->key[i]; 421 isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad)); 422} 423 424void 425isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { 426 memset(ctx, 0, sizeof(*ctx)); 427} 428 429/* 430 * Update context to reflect the concatenation of another buffer full 431 * of bytes. 432 */ 433void 434isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, 435 unsigned int len) 436{ 437 isc_sha384_update(&ctx->sha384ctx, buf, len); 438} 439 440/* 441 * Compute signature - finalize SHA384 operation and reapply SHA384. 442 */ 443void 444isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { 445 unsigned char opad[ISC_SHA384_BLOCK_LENGTH]; 446 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; 447 unsigned int i; 448 449 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); 450 isc_sha384_final(newdigest, &ctx->sha384ctx); 451 452 memset(opad, OPAD, sizeof(opad)); 453 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) 454 opad[i] ^= ctx->key[i]; 455 456 isc_sha384_init(&ctx->sha384ctx); 457 isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad)); 458 isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH); 459 isc_sha384_final(newdigest, &ctx->sha384ctx); 460 memcpy(digest, newdigest, len); 461 memset(newdigest, 0, sizeof(newdigest)); 462} 463 464/* 465 * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key. 466 */ 467void 468isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, 469 unsigned int len) 470{ 471 unsigned char ipad[ISC_SHA512_BLOCK_LENGTH]; 472 unsigned int i; 473 474 memset(ctx->key, 0, sizeof(ctx->key)); 475 if (len > sizeof(ctx->key)) { 476 isc_sha512_t sha512ctx; 477 isc_sha512_init(&sha512ctx); 478 isc_sha512_update(&sha512ctx, key, len); 479 isc_sha512_final(ctx->key, &sha512ctx); 480 } else 481 memcpy(ctx->key, key, len); 482 483 isc_sha512_init(&ctx->sha512ctx); 484 memset(ipad, IPAD, sizeof(ipad)); 485 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) 486 ipad[i] ^= ctx->key[i]; 487 isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad)); 488} 489 490void 491isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { 492 memset(ctx, 0, sizeof(*ctx)); 493} 494 495/* 496 * Update context to reflect the concatenation of another buffer full 497 * of bytes. 498 */ 499void 500isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, 501 unsigned int len) 502{ 503 isc_sha512_update(&ctx->sha512ctx, buf, len); 504} 505 506/* 507 * Compute signature - finalize SHA512 operation and reapply SHA512. 508 */ 509void 510isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { 511 unsigned char opad[ISC_SHA512_BLOCK_LENGTH]; 512 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH]; 513 unsigned int i; 514 515 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); 516 isc_sha512_final(newdigest, &ctx->sha512ctx); 517 518 memset(opad, OPAD, sizeof(opad)); 519 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) 520 opad[i] ^= ctx->key[i]; 521 522 isc_sha512_init(&ctx->sha512ctx); 523 isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad)); 524 isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH); 525 isc_sha512_final(newdigest, &ctx->sha512ctx); 526 memcpy(digest, newdigest, len); 527 memset(newdigest, 0, sizeof(newdigest)); 528} 529#endif /* !ISC_PLATFORM_OPENSSLHASH */ 530 531/* 532 * Verify signature - finalize SHA1 operation and reapply SHA1, then 533 * compare to the supplied digest. 534 */ 535isc_boolean_t 536isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { 537 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; 538 539 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); 540 isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH); 541 return (ISC_TF(memcmp(digest, newdigest, len) == 0)); 542} 543 544/* 545 * Verify signature - finalize SHA224 operation and reapply SHA224, then 546 * compare to the supplied digest. 547 */ 548isc_boolean_t 549isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { 550 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH]; 551 552 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); 553 isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH); 554 return (ISC_TF(memcmp(digest, newdigest, len) == 0)); 555} 556 557/* 558 * Verify signature - finalize SHA256 operation and reapply SHA256, then 559 * compare to the supplied digest. 560 */ 561isc_boolean_t 562isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { 563 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH]; 564 565 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); 566 isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH); 567 return (ISC_TF(memcmp(digest, newdigest, len) == 0)); 568} 569 570/* 571 * Verify signature - finalize SHA384 operation and reapply SHA384, then 572 * compare to the supplied digest. 573 */ 574isc_boolean_t 575isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { 576 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; 577 578 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); 579 isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH); 580 return (ISC_TF(memcmp(digest, newdigest, len) == 0)); 581} 582 583/* 584 * Verify signature - finalize SHA512 operation and reapply SHA512, then 585 * compare to the supplied digest. 586 */ 587isc_boolean_t 588isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { 589 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH]; 590 591 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); 592 isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH); 593 return (ISC_TF(memcmp(digest, newdigest, len) == 0)); 594} 595