2 * Copyright (C) 2005-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
20 * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
21 * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
22 * draft-ietf-dnsext-tsig-sha-01.txt.
27 #include <isc/assertions.h>
28 #include <isc/hmacsha.h>
29 #include <isc/platform.h>
32 #include <isc/string.h>
33 #include <isc/types.h>
36 #ifdef ISC_PLATFORM_OPENSSLHASH
39 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
42 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
46 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
47 HMAC_CTX_cleanup(ctx);
51 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
54 HMAC_Update(ctx, buf, (int) len);
58 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
59 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
61 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
63 HMAC_Final(ctx, newdigest, NULL);
64 HMAC_CTX_cleanup(ctx);
65 memcpy(digest, newdigest, len);
66 memset(newdigest, 0, sizeof(newdigest));
70 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
73 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
77 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
78 HMAC_CTX_cleanup(ctx);
82 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
85 HMAC_Update(ctx, buf, (int) len);
89 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
90 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
92 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
94 HMAC_Final(ctx, newdigest, NULL);
95 HMAC_CTX_cleanup(ctx);
96 memcpy(digest, newdigest, len);
97 memset(newdigest, 0, sizeof(newdigest));
101 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
104 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
108 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
109 HMAC_CTX_cleanup(ctx);
113 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
116 HMAC_Update(ctx, buf, (int) len);
120 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
121 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
123 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
125 HMAC_Final(ctx, newdigest, NULL);
126 HMAC_CTX_cleanup(ctx);
127 memcpy(digest, newdigest, len);
128 memset(newdigest, 0, sizeof(newdigest));
132 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
135 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
139 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
140 HMAC_CTX_cleanup(ctx);
144 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
147 HMAC_Update(ctx, buf, (int) len);
151 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
152 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
154 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
156 HMAC_Final(ctx, newdigest, NULL);
157 HMAC_CTX_cleanup(ctx);
158 memcpy(digest, newdigest, len);
159 memset(newdigest, 0, sizeof(newdigest));
163 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
166 HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
170 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
171 HMAC_CTX_cleanup(ctx);
175 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
178 HMAC_Update(ctx, buf, (int) len);
182 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
183 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
185 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
187 HMAC_Final(ctx, newdigest, NULL);
188 HMAC_CTX_cleanup(ctx);
189 memcpy(digest, newdigest, len);
190 memset(newdigest, 0, sizeof(newdigest));
199 * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key.
202 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
205 unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
208 memset(ctx->key, 0, sizeof(ctx->key));
209 if (len > sizeof(ctx->key)) {
211 isc_sha1_init(&sha1ctx);
212 isc_sha1_update(&sha1ctx, key, len);
213 isc_sha1_final(&sha1ctx, ctx->key);
215 memcpy(ctx->key, key, len);
217 isc_sha1_init(&ctx->sha1ctx);
218 memset(ipad, IPAD, sizeof(ipad));
219 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
220 ipad[i] ^= ctx->key[i];
221 isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
225 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
226 isc_sha1_invalidate(&ctx->sha1ctx);
227 memset(ctx, 0, sizeof(*ctx));
231 * Update context to reflect the concatenation of another buffer full
235 isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
238 isc_sha1_update(&ctx->sha1ctx, buf, len);
242 * Compute signature - finalize SHA1 operation and reapply SHA1.
245 isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
246 unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
247 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
250 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
251 isc_sha1_final(&ctx->sha1ctx, newdigest);
253 memset(opad, OPAD, sizeof(opad));
254 for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
255 opad[i] ^= ctx->key[i];
257 isc_sha1_init(&ctx->sha1ctx);
258 isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
259 isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
260 isc_sha1_final(&ctx->sha1ctx, newdigest);
261 isc_hmacsha1_invalidate(ctx);
262 memcpy(digest, newdigest, len);
263 memset(newdigest, 0, sizeof(newdigest));
267 * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key.
270 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
273 unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
276 memset(ctx->key, 0, sizeof(ctx->key));
277 if (len > sizeof(ctx->key)) {
278 isc_sha224_t sha224ctx;
279 isc_sha224_init(&sha224ctx);
280 isc_sha224_update(&sha224ctx, key, len);
281 isc_sha224_final(ctx->key, &sha224ctx);
283 memcpy(ctx->key, key, len);
285 isc_sha224_init(&ctx->sha224ctx);
286 memset(ipad, IPAD, sizeof(ipad));
287 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
288 ipad[i] ^= ctx->key[i];
289 isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
293 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
294 memset(ctx, 0, sizeof(*ctx));
298 * Update context to reflect the concatenation of another buffer full
302 isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
305 isc_sha224_update(&ctx->sha224ctx, buf, len);
309 * Compute signature - finalize SHA224 operation and reapply SHA224.
312 isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
313 unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
314 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
317 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
318 isc_sha224_final(newdigest, &ctx->sha224ctx);
320 memset(opad, OPAD, sizeof(opad));
321 for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
322 opad[i] ^= ctx->key[i];
324 isc_sha224_init(&ctx->sha224ctx);
325 isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
326 isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
327 isc_sha224_final(newdigest, &ctx->sha224ctx);
328 memcpy(digest, newdigest, len);
329 memset(newdigest, 0, sizeof(newdigest));
333 * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key.
336 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
339 unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
342 memset(ctx->key, 0, sizeof(ctx->key));
343 if (len > sizeof(ctx->key)) {
344 isc_sha256_t sha256ctx;
345 isc_sha256_init(&sha256ctx);
346 isc_sha256_update(&sha256ctx, key, len);
347 isc_sha256_final(ctx->key, &sha256ctx);
349 memcpy(ctx->key, key, len);
351 isc_sha256_init(&ctx->sha256ctx);
352 memset(ipad, IPAD, sizeof(ipad));
353 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
354 ipad[i] ^= ctx->key[i];
355 isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
359 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
360 memset(ctx, 0, sizeof(*ctx));
364 * Update context to reflect the concatenation of another buffer full
368 isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
371 isc_sha256_update(&ctx->sha256ctx, buf, len);
375 * Compute signature - finalize SHA256 operation and reapply SHA256.
378 isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
379 unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
380 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
383 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
384 isc_sha256_final(newdigest, &ctx->sha256ctx);
386 memset(opad, OPAD, sizeof(opad));
387 for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
388 opad[i] ^= ctx->key[i];
390 isc_sha256_init(&ctx->sha256ctx);
391 isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
392 isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
393 isc_sha256_final(newdigest, &ctx->sha256ctx);
394 memcpy(digest, newdigest, len);
395 memset(newdigest, 0, sizeof(newdigest));
399 * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key.
402 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
405 unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
408 memset(ctx->key, 0, sizeof(ctx->key));
409 if (len > sizeof(ctx->key)) {
410 isc_sha384_t sha384ctx;
411 isc_sha384_init(&sha384ctx);
412 isc_sha384_update(&sha384ctx, key, len);
413 isc_sha384_final(ctx->key, &sha384ctx);
415 memcpy(ctx->key, key, len);
417 isc_sha384_init(&ctx->sha384ctx);
418 memset(ipad, IPAD, sizeof(ipad));
419 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
420 ipad[i] ^= ctx->key[i];
421 isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
425 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
426 memset(ctx, 0, sizeof(*ctx));
430 * Update context to reflect the concatenation of another buffer full
434 isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
437 isc_sha384_update(&ctx->sha384ctx, buf, len);
441 * Compute signature - finalize SHA384 operation and reapply SHA384.
444 isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
445 unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
446 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
449 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
450 isc_sha384_final(newdigest, &ctx->sha384ctx);
452 memset(opad, OPAD, sizeof(opad));
453 for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
454 opad[i] ^= ctx->key[i];
456 isc_sha384_init(&ctx->sha384ctx);
457 isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
458 isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
459 isc_sha384_final(newdigest, &ctx->sha384ctx);
460 memcpy(digest, newdigest, len);
461 memset(newdigest, 0, sizeof(newdigest));
465 * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key.
468 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
471 unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
474 memset(ctx->key, 0, sizeof(ctx->key));
475 if (len > sizeof(ctx->key)) {
476 isc_sha512_t sha512ctx;
477 isc_sha512_init(&sha512ctx);
478 isc_sha512_update(&sha512ctx, key, len);
479 isc_sha512_final(ctx->key, &sha512ctx);
481 memcpy(ctx->key, key, len);
483 isc_sha512_init(&ctx->sha512ctx);
484 memset(ipad, IPAD, sizeof(ipad));
485 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
486 ipad[i] ^= ctx->key[i];
487 isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
491 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
492 memset(ctx, 0, sizeof(*ctx));
496 * Update context to reflect the concatenation of another buffer full
500 isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
503 isc_sha512_update(&ctx->sha512ctx, buf, len);
507 * Compute signature - finalize SHA512 operation and reapply SHA512.
510 isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
511 unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
512 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
515 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
516 isc_sha512_final(newdigest, &ctx->sha512ctx);
518 memset(opad, OPAD, sizeof(opad));
519 for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
520 opad[i] ^= ctx->key[i];
522 isc_sha512_init(&ctx->sha512ctx);
523 isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
524 isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
525 isc_sha512_final(newdigest, &ctx->sha512ctx);
526 memcpy(digest, newdigest, len);
527 memset(newdigest, 0, sizeof(newdigest));
529 #endif /* !ISC_PLATFORM_OPENSSLHASH */
532 * Verify signature - finalize SHA1 operation and reapply SHA1, then
533 * compare to the supplied digest.
536 isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
537 unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
539 REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
540 isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
541 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
545 * Verify signature - finalize SHA224 operation and reapply SHA224, then
546 * compare to the supplied digest.
549 isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
550 unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
552 REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
553 isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
554 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
558 * Verify signature - finalize SHA256 operation and reapply SHA256, then
559 * compare to the supplied digest.
562 isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
563 unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
565 REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
566 isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
567 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
571 * Verify signature - finalize SHA384 operation and reapply SHA384, then
572 * compare to the supplied digest.
575 isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
576 unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
578 REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
579 isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
580 return (ISC_TF(memcmp(digest, newdigest, len) == 0));
584 * Verify signature - finalize SHA512 operation and reapply SHA512, then
585 * compare to the supplied digest.
588 isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
589 unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
591 REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
592 isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
593 return (ISC_TF(memcmp(digest, newdigest, len) == 0));