2 * Copyright (C) 2005-2007, 2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
20 * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
21 * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
22 * draft-ietf-dnsext-tsig-sha-01.txt.
27 #include <isc/assertions.h>
28 #include <isc/hmacsha.h>
29 #include <isc/platform.h>
33 #include <isc/string.h>
34 #include <isc/types.h>
37 #ifdef ISC_PLATFORM_OPENSSLHASH
40 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
43 #ifdef HMAC_RETURN_INT
44 RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
45 (int) len, EVP_sha1()) == 1);
47 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
52 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
53 HMAC_CTX_cleanup(ctx);
57 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
60 #ifdef HMAC_RETURN_INT
61 RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
63 HMAC_Update(ctx, buf, (int) len);
68 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
69 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
71 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
73 #ifdef HMAC_RETURN_INT
74 RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
76 HMAC_Final(ctx, newdigest, NULL);
78 HMAC_CTX_cleanup(ctx);
79 memmove(digest, newdigest, len);
80 memset(newdigest, 0, sizeof(newdigest));
84 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
87 #ifdef HMAC_RETURN_INT
88 RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
89 (int) len, EVP_sha224()) == 1);
91 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
96 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
97 HMAC_CTX_cleanup(ctx);
101 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
104 #ifdef HMAC_RETURN_INT
105 RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
107 HMAC_Update(ctx, buf, (int) len);
112 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
113 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
115 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
117 #ifdef HMAC_RETURN_INT
118 RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
120 HMAC_Final(ctx, newdigest, NULL);
122 HMAC_CTX_cleanup(ctx);
123 memmove(digest, newdigest, len);
124 memset(newdigest, 0, sizeof(newdigest));
128 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
131 #ifdef HMAC_RETURN_INT
132 RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
133 (int) len, EVP_sha256()) == 1);
135 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
140 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
141 HMAC_CTX_cleanup(ctx);
145 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
148 #ifdef HMAC_RETURN_INT
149 RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
151 HMAC_Update(ctx, buf, (int) len);
156 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
157 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
159 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
161 #ifdef HMAC_RETURN_INT
162 RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
164 HMAC_Final(ctx, newdigest, NULL);
166 HMAC_CTX_cleanup(ctx);
167 memmove(digest, newdigest, len);
168 memset(newdigest, 0, sizeof(newdigest));
172 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
175 #ifdef HMAC_RETURN_INT
176 RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
177 (int) len, EVP_sha384()) == 1);
179 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
184 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
185 HMAC_CTX_cleanup(ctx);
189 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
192 #ifdef HMAC_RETURN_INT
193 RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
195 HMAC_Update(ctx, buf, (int) len);
200 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
201 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
203 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
205 #ifdef HMAC_RETURN_INT
206 RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
208 HMAC_Final(ctx, newdigest, NULL);
210 HMAC_CTX_cleanup(ctx);
211 memmove(digest, newdigest, len);
212 memset(newdigest, 0, sizeof(newdigest));
216 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
219 #ifdef HMAC_RETURN_INT
220 RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
221 (int) len, EVP_sha512()) == 1);
223 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
228 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
229 HMAC_CTX_cleanup(ctx);
233 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
236 #ifdef HMAC_RETURN_INT
237 RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
239 HMAC_Update(ctx, buf, (int) len);
244 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
245 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
247 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
249 #ifdef HMAC_RETURN_INT
250 RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
252 HMAC_Final(ctx, newdigest, NULL);
254 HMAC_CTX_cleanup(ctx);
255 memmove(digest, newdigest, len);
256 memset(newdigest, 0, sizeof(newdigest));
265 * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key.
268 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
271 unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
274 memset(ctx->key, 0, sizeof(ctx->key));
275 if (len > sizeof(ctx->key)) {
277 isc_sha1_init(&sha1ctx);
278 isc_sha1_update(&sha1ctx, key, len);
279 isc_sha1_final(&sha1ctx, ctx->key);
281 memmove(ctx->key, key, len);
283 isc_sha1_init(&ctx->sha1ctx);
284 memset(ipad, IPAD, sizeof(ipad));
285 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
286 ipad[i] ^= ctx->key[i];
287 isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
291 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
292 isc_sha1_invalidate(&ctx->sha1ctx);
293 memset(ctx, 0, sizeof(*ctx));
297 * Update context to reflect the concatenation of another buffer full
301 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
304 isc_sha1_update(&ctx->sha1ctx, buf, len);
308 * Compute signature - finalize SHA1 operation and reapply SHA1.
311 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
312 unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
313 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
316 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
317 isc_sha1_final(&ctx->sha1ctx, newdigest);
319 memset(opad, OPAD, sizeof(opad));
320 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
321 opad[i] ^= ctx->key[i];
323 isc_sha1_init(&ctx->sha1ctx);
324 isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
325 isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
326 isc_sha1_final(&ctx->sha1ctx, newdigest);
327 isc_hmacsha1_invalidate(ctx);
328 memmove(digest, newdigest, len);
329 memset(newdigest, 0, sizeof(newdigest));
333 * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key.
336 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
339 unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
342 memset(ctx->key, 0, sizeof(ctx->key));
343 if (len > sizeof(ctx->key)) {
344 isc_sha224_t sha224ctx;
345 isc_sha224_init(&sha224ctx);
346 isc_sha224_update(&sha224ctx, key, len);
347 isc_sha224_final(ctx->key, &sha224ctx);
349 memmove(ctx->key, key, len);
351 isc_sha224_init(&ctx->sha224ctx);
352 memset(ipad, IPAD, sizeof(ipad));
353 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
354 ipad[i] ^= ctx->key[i];
355 isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
359 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
360 memset(ctx, 0, sizeof(*ctx));
364 * Update context to reflect the concatenation of another buffer full
368 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
371 isc_sha224_update(&ctx->sha224ctx, buf, len);
375 * Compute signature - finalize SHA224 operation and reapply SHA224.
378 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
379 unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
380 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
383 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
384 isc_sha224_final(newdigest, &ctx->sha224ctx);
386 memset(opad, OPAD, sizeof(opad));
387 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
388 opad[i] ^= ctx->key[i];
390 isc_sha224_init(&ctx->sha224ctx);
391 isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
392 isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
393 isc_sha224_final(newdigest, &ctx->sha224ctx);
394 memmove(digest, newdigest, len);
395 memset(newdigest, 0, sizeof(newdigest));
399 * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key.
402 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
405 unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
408 memset(ctx->key, 0, sizeof(ctx->key));
409 if (len > sizeof(ctx->key)) {
410 isc_sha256_t sha256ctx;
411 isc_sha256_init(&sha256ctx);
412 isc_sha256_update(&sha256ctx, key, len);
413 isc_sha256_final(ctx->key, &sha256ctx);
415 memmove(ctx->key, key, len);
417 isc_sha256_init(&ctx->sha256ctx);
418 memset(ipad, IPAD, sizeof(ipad));
419 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
420 ipad[i] ^= ctx->key[i];
421 isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
425 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
426 memset(ctx, 0, sizeof(*ctx));
430 * Update context to reflect the concatenation of another buffer full
434 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
437 isc_sha256_update(&ctx->sha256ctx, buf, len);
441 * Compute signature - finalize SHA256 operation and reapply SHA256.
444 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
445 unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
446 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
449 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
450 isc_sha256_final(newdigest, &ctx->sha256ctx);
452 memset(opad, OPAD, sizeof(opad));
453 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
454 opad[i] ^= ctx->key[i];
456 isc_sha256_init(&ctx->sha256ctx);
457 isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
458 isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
459 isc_sha256_final(newdigest, &ctx->sha256ctx);
460 memmove(digest, newdigest, len);
461 memset(newdigest, 0, sizeof(newdigest));
465 * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key.
468 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
471 unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
474 memset(ctx->key, 0, sizeof(ctx->key));
475 if (len > sizeof(ctx->key)) {
476 isc_sha384_t sha384ctx;
477 isc_sha384_init(&sha384ctx);
478 isc_sha384_update(&sha384ctx, key, len);
479 isc_sha384_final(ctx->key, &sha384ctx);
481 memmove(ctx->key, key, len);
483 isc_sha384_init(&ctx->sha384ctx);
484 memset(ipad, IPAD, sizeof(ipad));
485 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
486 ipad[i] ^= ctx->key[i];
487 isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
491 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
492 memset(ctx, 0, sizeof(*ctx));
496 * Update context to reflect the concatenation of another buffer full
500 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
503 isc_sha384_update(&ctx->sha384ctx, buf, len);
507 * Compute signature - finalize SHA384 operation and reapply SHA384.
510 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
511 unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
512 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
515 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
516 isc_sha384_final(newdigest, &ctx->sha384ctx);
518 memset(opad, OPAD, sizeof(opad));
519 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
520 opad[i] ^= ctx->key[i];
522 isc_sha384_init(&ctx->sha384ctx);
523 isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
524 isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
525 isc_sha384_final(newdigest, &ctx->sha384ctx);
526 memmove(digest, newdigest, len);
527 memset(newdigest, 0, sizeof(newdigest));
531 * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key.
534 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
537 unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
540 memset(ctx->key, 0, sizeof(ctx->key));
541 if (len > sizeof(ctx->key)) {
542 isc_sha512_t sha512ctx;
543 isc_sha512_init(&sha512ctx);
544 isc_sha512_update(&sha512ctx, key, len);
545 isc_sha512_final(ctx->key, &sha512ctx);
547 memmove(ctx->key, key, len);
549 isc_sha512_init(&ctx->sha512ctx);
550 memset(ipad, IPAD, sizeof(ipad));
551 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
552 ipad[i] ^= ctx->key[i];
553 isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
557 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
558 memset(ctx, 0, sizeof(*ctx));
562 * Update context to reflect the concatenation of another buffer full
566 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
569 isc_sha512_update(&ctx->sha512ctx, buf, len);
573 * Compute signature - finalize SHA512 operation and reapply SHA512.
576 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
577 unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
578 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
581 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
582 isc_sha512_final(newdigest, &ctx->sha512ctx);
584 memset(opad, OPAD, sizeof(opad));
585 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
586 opad[i] ^= ctx->key[i];
588 isc_sha512_init(&ctx->sha512ctx);
589 isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
590 isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
591 isc_sha512_final(newdigest, &ctx->sha512ctx);
592 memmove(digest, newdigest, len);
593 memset(newdigest, 0, sizeof(newdigest));
595 #endif /* !ISC_PLATFORM_OPENSSLHASH */
598 * Verify signature - finalize SHA1 operation and reapply SHA1, then
599 * compare to the supplied digest.
602 isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
603 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
605 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
606 isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
607 return (isc_safe_memequal(digest, newdigest, len));
611 * Verify signature - finalize SHA224 operation and reapply SHA224, then
612 * compare to the supplied digest.
615 isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
616 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
618 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
619 isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
620 return (isc_safe_memequal(digest, newdigest, len));
624 * Verify signature - finalize SHA256 operation and reapply SHA256, then
625 * compare to the supplied digest.
628 isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
629 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
631 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
632 isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
633 return (isc_safe_memequal(digest, newdigest, len));
637 * Verify signature - finalize SHA384 operation and reapply SHA384, then
638 * compare to the supplied digest.
641 isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
642 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
644 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
645 isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
646 return (isc_safe_memequal(digest, newdigest, len));
650 * Verify signature - finalize SHA512 operation and reapply SHA512, then
651 * compare to the supplied digest.
654 isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
655 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
657 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
658 isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
659 return (isc_safe_memequal(digest, newdigest, len));