#include #include #include #include #include #include namespace { const char* getBotanHashAlgorithmName(isc::cryptolink::HMAC::HashAlgorithm algorithm) { switch (algorithm) { case isc::cryptolink::HMAC::MD5: return ("MD5"); break; case isc::cryptolink::HMAC::SHA1: return ("SHA-1"); break; case isc::cryptolink::HMAC::SHA256: return ("SHA-256"); break; case isc::cryptolink::HMAC::UNKNOWN: return ("Unknown"); break; } // compiler should have prevented us to reach this, since we have // no default. But we need a return value anyway return ("Unknown"); } } // local namespace namespace isc { namespace cryptolink { class HMACImpl { public: explicit HMACImpl(const void* secret, size_t secret_len, const HMAC::HashAlgorithm hash_algorithm) { Botan::HashFunction* hash; try { hash = Botan::get_hash( getBotanHashAlgorithmName(hash_algorithm)); } catch (const Botan::Algorithm_Not_Found&) { isc_throw(isc::cryptolink::UnsupportedAlgorithm, "Unknown hash algorithm: " + hash_algorithm); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } hmac_.reset(new Botan::HMAC::HMAC(hash)); // If the key length is larger than the block size, we hash the // key itself first. try { if (secret_len > hash->HASH_BLOCK_SIZE) { Botan::SecureVector hashed_key = hash->process(static_cast(secret), secret_len); hmac_->set_key(hashed_key.begin(), hashed_key.size()); } else { hmac_->set_key(static_cast(secret), secret_len); } } catch (const Botan::Invalid_Key_Length& ikl) { isc_throw(BadKey, ikl.what()); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } ~HMACImpl() { } size_t getOutputLength() const { return (hmac_->OUTPUT_LENGTH); } void update(const void* data, const size_t len) { try { hmac_->update(static_cast(data), len); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } void sign(isc::dns::OutputBuffer& result, size_t len) { try { Botan::SecureVector b_result(hmac_->final()); if (len == 0 || len > b_result.size()) { len = b_result.size(); } result.writeData(b_result.begin(), len); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } void sign(void* result, size_t len) { try { Botan::SecureVector b_result(hmac_->final()); size_t output_size = getOutputLength(); if (output_size > len) { output_size = len; } memcpy(result, b_result.begin(), output_size); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } std::vector sign(size_t len) { try { Botan::SecureVector b_result(hmac_->final()); if (len == 0 || len > b_result.size()) { return (std::vector(b_result.begin(), b_result.end())); } else { return (std::vector(b_result.begin(), &b_result[len])); } } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } bool verify(const void* sig, size_t len) { // Botan's verify_mac checks if len matches the output_length, // which causes it to fail for truncated signatures, so we do // the check ourselves try { Botan::SecureVector our_mac = hmac_->final(); if (len == 0 || len > getOutputLength()) { len = getOutputLength(); } return (Botan::same_mem(&our_mac[0], static_cast(sig), len)); } catch (const Botan::Exception& exc) { isc_throw(isc::cryptolink::LibraryError, exc.what()); } } private: boost::scoped_ptr hmac_; }; HMAC::HMAC(const void* secret, size_t secret_length, const HashAlgorithm hash_algorithm) { impl_ = new HMACImpl(secret, secret_length, hash_algorithm); } HMAC::~HMAC() { delete impl_; } size_t HMAC::getOutputLength() const { return (impl_->getOutputLength()); } void HMAC::update(const void* data, const size_t len) { impl_->update(data, len); } void HMAC::sign(isc::dns::OutputBuffer& result, size_t len) { impl_->sign(result, len); } void HMAC::sign(void* result, size_t len) { impl_->sign(result, len); } std::vector HMAC::sign(size_t len) { return impl_->sign(len); } bool HMAC::verify(const void* sig, const size_t len) { return (impl_->verify(sig, len)); } void signHMAC(const void* data, size_t data_len, const void* secret, size_t secret_len, const HMAC::HashAlgorithm hash_algorithm, isc::dns::OutputBuffer& result, size_t len) { boost::scoped_ptr hmac( CryptoLink::getCryptoLink().createHMAC(secret, secret_len, hash_algorithm)); hmac->update(data, data_len); hmac->sign(result, len); } bool verifyHMAC(const void* data, const size_t data_len, const void* secret, size_t secret_len, const HMAC::HashAlgorithm hash_algorithm, const void* sig, const size_t sig_len) { boost::scoped_ptr hmac( CryptoLink::getCryptoLink().createHMAC(secret, secret_len, hash_algorithm)); hmac->update(data, data_len); return (hmac->verify(sig, sig_len)); } } // namespace cryptolink } // namespace isc