hmacsha.c revision 290001 
1/*
2 * Copyright (C) 2005-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
3 *
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $Id$ */
18
19/*
20 * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
21 * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
22 * draft-ietf-dnsext-tsig-sha-01.txt.
23 */
24
25#include "config.h"
26
27#include <isc/assertions.h>
28#include <isc/hmacsha.h>
29#include <isc/platform.h>
30#include <isc/sha1.h>
31#include <isc/sha2.h>
32#include <isc/string.h>
33#include <isc/types.h>
34#include <isc/util.h>
35
36#ifdef ISC_PLATFORM_OPENSSLHASH
37
38void
39isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
40		  unsigned int len)
41{
42	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
43}
44
45void
46isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
47	HMAC_CTX_cleanup(ctx);
48}
49
50void
51isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
52		   unsigned int len)
53{
54	HMAC_Update(ctx, buf, (int) len);
55}
56
57void
58isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
59	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
60
61	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
62
63	HMAC_Final(ctx, newdigest, NULL);
64	HMAC_CTX_cleanup(ctx);
65	memcpy(digest, newdigest, len);
66	memset(newdigest, 0, sizeof(newdigest));
67}
68
69void
70isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
71		    unsigned int len)
72{
73	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
74}
75
76void
77isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
78	HMAC_CTX_cleanup(ctx);
79}
80
81void
82isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
83		   unsigned int len)
84{
85	HMAC_Update(ctx, buf, (int) len);
86}
87
88void
89isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
90	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
91
92	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
93
94	HMAC_Final(ctx, newdigest, NULL);
95	HMAC_CTX_cleanup(ctx);
96	memcpy(digest, newdigest, len);
97	memset(newdigest, 0, sizeof(newdigest));
98}
99
100void
101isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
102		    unsigned int len)
103{
104	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
105}
106
107void
108isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
109	HMAC_CTX_cleanup(ctx);
110}
111
112void
113isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
114		   unsigned int len)
115{
116	HMAC_Update(ctx, buf, (int) len);
117}
118
119void
120isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
121	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
122
123	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
124
125	HMAC_Final(ctx, newdigest, NULL);
126	HMAC_CTX_cleanup(ctx);
127	memcpy(digest, newdigest, len);
128	memset(newdigest, 0, sizeof(newdigest));
129}
130
131void
132isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
133		    unsigned int len)
134{
135	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
136}
137
138void
139isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
140	HMAC_CTX_cleanup(ctx);
141}
142
143void
144isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
145		   unsigned int len)
146{
147	HMAC_Update(ctx, buf, (int) len);
148}
149
150void
151isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
152	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
153
154	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
155
156	HMAC_Final(ctx, newdigest, NULL);
157	HMAC_CTX_cleanup(ctx);
158	memcpy(digest, newdigest, len);
159	memset(newdigest, 0, sizeof(newdigest));
160}
161
162void
163isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
164		    unsigned int len)
165{
166	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
167}
168
169void
170isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
171	HMAC_CTX_cleanup(ctx);
172}
173
174void
175isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
176		   unsigned int len)
177{
178	HMAC_Update(ctx, buf, (int) len);
179}
180
181void
182isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
183	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
184
185	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
186
187	HMAC_Final(ctx, newdigest, NULL);
188	HMAC_CTX_cleanup(ctx);
189	memcpy(digest, newdigest, len);
190	memset(newdigest, 0, sizeof(newdigest));
191}
192
193#else
194
195#define IPAD 0x36
196#define OPAD 0x5C
197
198/*
199 * Start HMAC-SHA1 process.  Initialize an sha1 context and digest the key.
200 */
201void
202isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
203		  unsigned int len)
204{
205	unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
206	unsigned int i;
207
208	memset(ctx->key, 0, sizeof(ctx->key));
209	if (len > sizeof(ctx->key)) {
210		isc_sha1_t sha1ctx;
211		isc_sha1_init(&sha1ctx);
212		isc_sha1_update(&sha1ctx, key, len);
213		isc_sha1_final(&sha1ctx, ctx->key);
214	} else
215		memcpy(ctx->key, key, len);
216
217	isc_sha1_init(&ctx->sha1ctx);
218	memset(ipad, IPAD, sizeof(ipad));
219	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
220		ipad[i] ^= ctx->key[i];
221	isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
222}
223
224void
225isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
226	isc_sha1_invalidate(&ctx->sha1ctx);
227	memset(ctx, 0, sizeof(*ctx));
228}
229
230/*
231 * Update context to reflect the concatenation of another buffer full
232 * of bytes.
233 */
234void
235isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
236		   unsigned int len)
237{
238	isc_sha1_update(&ctx->sha1ctx, buf, len);
239}
240
241/*
242 * Compute signature - finalize SHA1 operation and reapply SHA1.
243 */
244void
245isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
246	unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
247	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
248	unsigned int i;
249
250	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
251	isc_sha1_final(&ctx->sha1ctx, newdigest);
252
253	memset(opad, OPAD, sizeof(opad));
254	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
255		opad[i] ^= ctx->key[i];
256
257	isc_sha1_init(&ctx->sha1ctx);
258	isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
259	isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
260	isc_sha1_final(&ctx->sha1ctx, newdigest);
261	isc_hmacsha1_invalidate(ctx);
262	memcpy(digest, newdigest, len);
263	memset(newdigest, 0, sizeof(newdigest));
264}
265
266/*
267 * Start HMAC-SHA224 process.  Initialize an sha224 context and digest the key.
268 */
269void
270isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
271		    unsigned int len)
272{
273	unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
274	unsigned int i;
275
276	memset(ctx->key, 0, sizeof(ctx->key));
277	if (len > sizeof(ctx->key)) {
278		isc_sha224_t sha224ctx;
279		isc_sha224_init(&sha224ctx);
280		isc_sha224_update(&sha224ctx, key, len);
281		isc_sha224_final(ctx->key, &sha224ctx);
282	} else
283		memcpy(ctx->key, key, len);
284
285	isc_sha224_init(&ctx->sha224ctx);
286	memset(ipad, IPAD, sizeof(ipad));
287	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
288		ipad[i] ^= ctx->key[i];
289	isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
290}
291
292void
293isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
294	memset(ctx, 0, sizeof(*ctx));
295}
296
297/*
298 * Update context to reflect the concatenation of another buffer full
299 * of bytes.
300 */
301void
302isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
303		   unsigned int len)
304{
305	isc_sha224_update(&ctx->sha224ctx, buf, len);
306}
307
308/*
309 * Compute signature - finalize SHA224 operation and reapply SHA224.
310 */
311void
312isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
313	unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
314	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
315	unsigned int i;
316
317	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
318	isc_sha224_final(newdigest, &ctx->sha224ctx);
319
320	memset(opad, OPAD, sizeof(opad));
321	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
322		opad[i] ^= ctx->key[i];
323
324	isc_sha224_init(&ctx->sha224ctx);
325	isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
326	isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
327	isc_sha224_final(newdigest, &ctx->sha224ctx);
328	memcpy(digest, newdigest, len);
329	memset(newdigest, 0, sizeof(newdigest));
330}
331
332/*
333 * Start HMAC-SHA256 process.  Initialize an sha256 context and digest the key.
334 */
335void
336isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
337		    unsigned int len)
338{
339	unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
340	unsigned int i;
341
342	memset(ctx->key, 0, sizeof(ctx->key));
343	if (len > sizeof(ctx->key)) {
344		isc_sha256_t sha256ctx;
345		isc_sha256_init(&sha256ctx);
346		isc_sha256_update(&sha256ctx, key, len);
347		isc_sha256_final(ctx->key, &sha256ctx);
348	} else
349		memcpy(ctx->key, key, len);
350
351	isc_sha256_init(&ctx->sha256ctx);
352	memset(ipad, IPAD, sizeof(ipad));
353	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
354		ipad[i] ^= ctx->key[i];
355	isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
356}
357
358void
359isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
360	memset(ctx, 0, sizeof(*ctx));
361}
362
363/*
364 * Update context to reflect the concatenation of another buffer full
365 * of bytes.
366 */
367void
368isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
369		   unsigned int len)
370{
371	isc_sha256_update(&ctx->sha256ctx, buf, len);
372}
373
374/*
375 * Compute signature - finalize SHA256 operation and reapply SHA256.
376 */
377void
378isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
379	unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
380	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
381	unsigned int i;
382
383	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
384	isc_sha256_final(newdigest, &ctx->sha256ctx);
385
386	memset(opad, OPAD, sizeof(opad));
387	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
388		opad[i] ^= ctx->key[i];
389
390	isc_sha256_init(&ctx->sha256ctx);
391	isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
392	isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
393	isc_sha256_final(newdigest, &ctx->sha256ctx);
394	memcpy(digest, newdigest, len);
395	memset(newdigest, 0, sizeof(newdigest));
396}
397
398/*
399 * Start HMAC-SHA384 process.  Initialize an sha384 context and digest the key.
400 */
401void
402isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
403		    unsigned int len)
404{
405	unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
406	unsigned int i;
407
408	memset(ctx->key, 0, sizeof(ctx->key));
409	if (len > sizeof(ctx->key)) {
410		isc_sha384_t sha384ctx;
411		isc_sha384_init(&sha384ctx);
412		isc_sha384_update(&sha384ctx, key, len);
413		isc_sha384_final(ctx->key, &sha384ctx);
414	} else
415		memcpy(ctx->key, key, len);
416
417	isc_sha384_init(&ctx->sha384ctx);
418	memset(ipad, IPAD, sizeof(ipad));
419	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
420		ipad[i] ^= ctx->key[i];
421	isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
422}
423
424void
425isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
426	memset(ctx, 0, sizeof(*ctx));
427}
428
429/*
430 * Update context to reflect the concatenation of another buffer full
431 * of bytes.
432 */
433void
434isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
435		   unsigned int len)
436{
437	isc_sha384_update(&ctx->sha384ctx, buf, len);
438}
439
440/*
441 * Compute signature - finalize SHA384 operation and reapply SHA384.
442 */
443void
444isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
445	unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
446	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
447	unsigned int i;
448
449	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
450	isc_sha384_final(newdigest, &ctx->sha384ctx);
451
452	memset(opad, OPAD, sizeof(opad));
453	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
454		opad[i] ^= ctx->key[i];
455
456	isc_sha384_init(&ctx->sha384ctx);
457	isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
458	isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
459	isc_sha384_final(newdigest, &ctx->sha384ctx);
460	memcpy(digest, newdigest, len);
461	memset(newdigest, 0, sizeof(newdigest));
462}
463
464/*
465 * Start HMAC-SHA512 process.  Initialize an sha512 context and digest the key.
466 */
467void
468isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
469		    unsigned int len)
470{
471	unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
472	unsigned int i;
473
474	memset(ctx->key, 0, sizeof(ctx->key));
475	if (len > sizeof(ctx->key)) {
476		isc_sha512_t sha512ctx;
477		isc_sha512_init(&sha512ctx);
478		isc_sha512_update(&sha512ctx, key, len);
479		isc_sha512_final(ctx->key, &sha512ctx);
480	} else
481		memcpy(ctx->key, key, len);
482
483	isc_sha512_init(&ctx->sha512ctx);
484	memset(ipad, IPAD, sizeof(ipad));
485	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
486		ipad[i] ^= ctx->key[i];
487	isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
488}
489
490void
491isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
492	memset(ctx, 0, sizeof(*ctx));
493}
494
495/*
496 * Update context to reflect the concatenation of another buffer full
497 * of bytes.
498 */
499void
500isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
501		   unsigned int len)
502{
503	isc_sha512_update(&ctx->sha512ctx, buf, len);
504}
505
506/*
507 * Compute signature - finalize SHA512 operation and reapply SHA512.
508 */
509void
510isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
511	unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
512	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
513	unsigned int i;
514
515	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
516	isc_sha512_final(newdigest, &ctx->sha512ctx);
517
518	memset(opad, OPAD, sizeof(opad));
519	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
520		opad[i] ^= ctx->key[i];
521
522	isc_sha512_init(&ctx->sha512ctx);
523	isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
524	isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
525	isc_sha512_final(newdigest, &ctx->sha512ctx);
526	memcpy(digest, newdigest, len);
527	memset(newdigest, 0, sizeof(newdigest));
528}
529#endif /* !ISC_PLATFORM_OPENSSLHASH */
530
531/*
532 * Verify signature - finalize SHA1 operation and reapply SHA1, then
533 * compare to the supplied digest.
534 */
535isc_boolean_t
536isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
537	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
538
539	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
540	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
541	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
542}
543
544/*
545 * Verify signature - finalize SHA224 operation and reapply SHA224, then
546 * compare to the supplied digest.
547 */
548isc_boolean_t
549isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
550	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
551
552	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
553	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
554	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
555}
556
557/*
558 * Verify signature - finalize SHA256 operation and reapply SHA256, then
559 * compare to the supplied digest.
560 */
561isc_boolean_t
562isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
563	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
564
565	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
566	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
567	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
568}
569
570/*
571 * Verify signature - finalize SHA384 operation and reapply SHA384, then
572 * compare to the supplied digest.
573 */
574isc_boolean_t
575isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
576	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
577
578	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
579	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
580	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
581}
582
583/*
584 * Verify signature - finalize SHA512 operation and reapply SHA512, then
585 * compare to the supplied digest.
586 */
587isc_boolean_t
588isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
589	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
590
591	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
592	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
593	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
594}
595