2 * Copyright (C) 2005-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
17 /* $Id: hmacsha.c,v 1.10 2009-02-06 23:47:42 tbox Exp $ */
20 * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
21 * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
22 * draft-ietf-dnsext-tsig-sha-01.txt.
27 #include <isc/assertions.h>
28 #include <isc/hmacsha.h>
29 #include <isc/platform.h>
32 #include <isc/string.h>
33 #include <isc/types.h>
36 #ifdef ISC_PLATFORM_OPENSSLHASH
39 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
42 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
46 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
47 HMAC_CTX_cleanup(ctx);
51 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
54 HMAC_Update(ctx, buf, (int) len);
58 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
59 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
61 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
63 HMAC_Final(ctx, newdigest, NULL);
64 HMAC_CTX_cleanup(ctx);
65 memcpy(digest, newdigest, len);
66 memset(newdigest, 0, sizeof(newdigest));
70 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
73 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
77 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
78 HMAC_CTX_cleanup(ctx);
82 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
85 HMAC_Update(ctx, buf, (int) len);
89 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
90 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
92 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
94 HMAC_Final(ctx, newdigest, NULL);
95 HMAC_CTX_cleanup(ctx);
96 memcpy(digest, newdigest, len);
97 memset(newdigest, 0, sizeof(newdigest));
101 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
104 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
108 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
109 HMAC_CTX_cleanup(ctx);
113 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
116 HMAC_Update(ctx, buf, (int) len);
120 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
121 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
123 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
125 HMAC_Final(ctx, newdigest, NULL);
126 HMAC_CTX_cleanup(ctx);
127 memcpy(digest, newdigest, len);
128 memset(newdigest, 0, sizeof(newdigest));
132 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
135 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
139 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
140 HMAC_CTX_cleanup(ctx);
144 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
147 HMAC_Update(ctx, buf, (int) len);
151 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
152 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
154 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
156 HMAC_Final(ctx, newdigest, NULL);
157 HMAC_CTX_cleanup(ctx);
158 memcpy(digest, newdigest, len);
159 memset(newdigest, 0, sizeof(newdigest));
163 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
166 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
170 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
171 HMAC_CTX_cleanup(ctx);
175 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
178 HMAC_Update(ctx, buf, (int) len);
182 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
183 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
185 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
187 HMAC_Final(ctx, newdigest, NULL);
188 HMAC_CTX_cleanup(ctx);
189 memcpy(digest, newdigest, len);
190 memset(newdigest, 0, sizeof(newdigest));
199 * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key.
202 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
205 unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
208 memset(ctx->key, 0, sizeof(ctx->key));
209 if (len > sizeof(ctx->key)) {
211 isc_sha1_init(&sha1ctx);
212 isc_sha1_update(&sha1ctx, key, len);
213 isc_sha1_final(&sha1ctx, ctx->key);
215 memcpy(ctx->key, key, len);
217 isc_sha1_init(&ctx->sha1ctx);
218 memset(ipad, IPAD, sizeof(ipad));
219 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
220 ipad[i] ^= ctx->key[i];
221 isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
225 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
226 isc_sha1_invalidate(&ctx->sha1ctx);
227 memset(ctx->key, 0, sizeof(ctx->key));
228 memset(ctx, 0, sizeof(ctx));
232 * Update context to reflect the concatenation of another buffer full
236 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
239 isc_sha1_update(&ctx->sha1ctx, buf, len);
243 * Compute signature - finalize SHA1 operation and reapply SHA1.
246 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
247 unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
248 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
251 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
252 isc_sha1_final(&ctx->sha1ctx, newdigest);
254 memset(opad, OPAD, sizeof(opad));
255 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
256 opad[i] ^= ctx->key[i];
258 isc_sha1_init(&ctx->sha1ctx);
259 isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
260 isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
261 isc_sha1_final(&ctx->sha1ctx, newdigest);
262 isc_hmacsha1_invalidate(ctx);
263 memcpy(digest, newdigest, len);
264 memset(newdigest, 0, sizeof(newdigest));
268 * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key.
271 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
274 unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
277 memset(ctx->key, 0, sizeof(ctx->key));
278 if (len > sizeof(ctx->key)) {
279 isc_sha224_t sha224ctx;
280 isc_sha224_init(&sha224ctx);
281 isc_sha224_update(&sha224ctx, key, len);
282 isc_sha224_final(ctx->key, &sha224ctx);
284 memcpy(ctx->key, key, len);
286 isc_sha224_init(&ctx->sha224ctx);
287 memset(ipad, IPAD, sizeof(ipad));
288 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
289 ipad[i] ^= ctx->key[i];
290 isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
294 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
295 memset(ctx->key, 0, sizeof(ctx->key));
296 memset(ctx, 0, sizeof(ctx));
300 * Update context to reflect the concatenation of another buffer full
304 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
307 isc_sha224_update(&ctx->sha224ctx, buf, len);
311 * Compute signature - finalize SHA224 operation and reapply SHA224.
314 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
315 unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
316 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
319 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
320 isc_sha224_final(newdigest, &ctx->sha224ctx);
322 memset(opad, OPAD, sizeof(opad));
323 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
324 opad[i] ^= ctx->key[i];
326 isc_sha224_init(&ctx->sha224ctx);
327 isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
328 isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
329 isc_sha224_final(newdigest, &ctx->sha224ctx);
330 memcpy(digest, newdigest, len);
331 memset(newdigest, 0, sizeof(newdigest));
335 * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key.
338 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
341 unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
344 memset(ctx->key, 0, sizeof(ctx->key));
345 if (len > sizeof(ctx->key)) {
346 isc_sha256_t sha256ctx;
347 isc_sha256_init(&sha256ctx);
348 isc_sha256_update(&sha256ctx, key, len);
349 isc_sha256_final(ctx->key, &sha256ctx);
351 memcpy(ctx->key, key, len);
353 isc_sha256_init(&ctx->sha256ctx);
354 memset(ipad, IPAD, sizeof(ipad));
355 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
356 ipad[i] ^= ctx->key[i];
357 isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
361 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
362 memset(ctx->key, 0, sizeof(ctx->key));
363 memset(ctx, 0, sizeof(ctx));
367 * Update context to reflect the concatenation of another buffer full
371 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
374 isc_sha256_update(&ctx->sha256ctx, buf, len);
378 * Compute signature - finalize SHA256 operation and reapply SHA256.
381 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
382 unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
383 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
386 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
387 isc_sha256_final(newdigest, &ctx->sha256ctx);
389 memset(opad, OPAD, sizeof(opad));
390 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
391 opad[i] ^= ctx->key[i];
393 isc_sha256_init(&ctx->sha256ctx);
394 isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
395 isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
396 isc_sha256_final(newdigest, &ctx->sha256ctx);
397 memcpy(digest, newdigest, len);
398 memset(newdigest, 0, sizeof(newdigest));
402 * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key.
405 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
408 unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
411 memset(ctx->key, 0, sizeof(ctx->key));
412 if (len > sizeof(ctx->key)) {
413 isc_sha384_t sha384ctx;
414 isc_sha384_init(&sha384ctx);
415 isc_sha384_update(&sha384ctx, key, len);
416 isc_sha384_final(ctx->key, &sha384ctx);
418 memcpy(ctx->key, key, len);
420 isc_sha384_init(&ctx->sha384ctx);
421 memset(ipad, IPAD, sizeof(ipad));
422 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
423 ipad[i] ^= ctx->key[i];
424 isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
428 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
429 memset(ctx->key, 0, sizeof(ctx->key));
430 memset(ctx, 0, sizeof(ctx));
434 * Update context to reflect the concatenation of another buffer full
438 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
441 isc_sha384_update(&ctx->sha384ctx, buf, len);
445 * Compute signature - finalize SHA384 operation and reapply SHA384.
448 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
449 unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
450 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
453 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
454 isc_sha384_final(newdigest, &ctx->sha384ctx);
456 memset(opad, OPAD, sizeof(opad));
457 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
458 opad[i] ^= ctx->key[i];
460 isc_sha384_init(&ctx->sha384ctx);
461 isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
462 isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
463 isc_sha384_final(newdigest, &ctx->sha384ctx);
464 memcpy(digest, newdigest, len);
465 memset(newdigest, 0, sizeof(newdigest));
469 * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key.
472 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
475 unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
478 memset(ctx->key, 0, sizeof(ctx->key));
479 if (len > sizeof(ctx->key)) {
480 isc_sha512_t sha512ctx;
481 isc_sha512_init(&sha512ctx);
482 isc_sha512_update(&sha512ctx, key, len);
483 isc_sha512_final(ctx->key, &sha512ctx);
485 memcpy(ctx->key, key, len);
487 isc_sha512_init(&ctx->sha512ctx);
488 memset(ipad, IPAD, sizeof(ipad));
489 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
490 ipad[i] ^= ctx->key[i];
491 isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
495 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
496 memset(ctx->key, 0, sizeof(ctx->key));
497 memset(ctx, 0, sizeof(ctx));
501 * Update context to reflect the concatenation of another buffer full
505 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
508 isc_sha512_update(&ctx->sha512ctx, buf, len);
512 * Compute signature - finalize SHA512 operation and reapply SHA512.
515 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
516 unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
517 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
520 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
521 isc_sha512_final(newdigest, &ctx->sha512ctx);
523 memset(opad, OPAD, sizeof(opad));
524 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
525 opad[i] ^= ctx->key[i];
527 isc_sha512_init(&ctx->sha512ctx);
528 isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
529 isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
530 isc_sha512_final(newdigest, &ctx->sha512ctx);
531 memcpy(digest, newdigest, len);
532 memset(newdigest, 0, sizeof(newdigest));
534 #endif /* !ISC_PLATFORM_OPENSSLHASH */
537 * Verify signature - finalize SHA1 operation and reapply SHA1, then
538 * compare to the supplied digest.
541 isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
542 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
544 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
545 isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
546 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
550 * Verify signature - finalize SHA224 operation and reapply SHA224, then
551 * compare to the supplied digest.
554 isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
555 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
557 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
558 isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
559 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
563 * Verify signature - finalize SHA256 operation and reapply SHA256, then
564 * compare to the supplied digest.
567 isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
568 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
570 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
571 isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
572 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
576 * Verify signature - finalize SHA384 operation and reapply SHA384, then
577 * compare to the supplied digest.
580 isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
581 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
583 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
584 isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
585 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
589 * Verify signature - finalize SHA512 operation and reapply SHA512, then
590 * compare to the supplied digest.
593 isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
594 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
596 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
597 isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
598 return (ISC_TF(memcmp(digest, newdigest, len) == 0));