/* * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key. */ void isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, unsigned int len) { unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); if (len > sizeof(ctx->key)) { isc_sha384_t sha384ctx; isc_sha384_init(&sha384ctx); isc_sha384_update(&sha384ctx, key, len); isc_sha384_final(ctx->key, &sha384ctx); } else memcpy(ctx->key, key, len); isc_sha384_init(&ctx->sha384ctx); memset(ipad, IPAD, sizeof(ipad)); for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad)); }
/* * Compute signature - finalize SHA384 operation and reapply SHA384. */ void isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { unsigned char opad[ISC_SHA384_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; unsigned int i; REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); isc_sha384_final(newdigest, &ctx->sha384ctx); memset(opad, OPAD, sizeof(opad)); for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha384_init(&ctx->sha384ctx); isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad)); isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH); isc_sha384_final(newdigest, &ctx->sha384ctx); memcpy(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); }
isc_result_t dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, unsigned int digest_type, unsigned char *buffer, dns_rdata_t *rdata) { dns_fixedname_t fname; dns_name_t *name; unsigned char digest[ISC_SHA384_DIGESTLENGTH]; isc_region_t r; isc_buffer_t b; dns_rdata_ds_t ds; isc_sha1_t sha1; isc_sha256_t sha256; isc_sha384_t sha384; #if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) isc_gost_t gost; #endif REQUIRE(key != NULL); REQUIRE(key->type == dns_rdatatype_dnskey); if (!dst_ds_digest_supported(digest_type)) return (ISC_R_NOTIMPLEMENTED); dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); (void)dns_name_downcase(owner, name, NULL); memset(buffer, 0, DNS_DS_BUFFERSIZE); isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE); switch (digest_type) { case DNS_DSDIGEST_SHA1: isc_sha1_init(&sha1); dns_name_toregion(name, &r); isc_sha1_update(&sha1, r.base, r.length); dns_rdata_toregion(key, &r); INSIST(r.length >= 4); isc_sha1_update(&sha1, r.base, r.length); isc_sha1_final(&sha1, digest); break; #if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) #define RETERR(x) do { \ isc_result_t ret = (x); \ if (ret != ISC_R_SUCCESS) { \ isc_gost_invalidate(&gost); \ return (ret); \ } \ } while (/*CONSTCOND*/0) case DNS_DSDIGEST_GOST: RETERR(isc_gost_init(&gost)); dns_name_toregion(name, &r); RETERR(isc_gost_update(&gost, r.base, r.length)); dns_rdata_toregion(key, &r); INSIST(r.length >= 4); RETERR(isc_gost_update(&gost, r.base, r.length)); RETERR(isc_gost_final(&gost, digest)); break; #endif case DNS_DSDIGEST_SHA384: isc_sha384_init(&sha384); dns_name_toregion(name, &r); isc_sha384_update(&sha384, r.base, r.length); dns_rdata_toregion(key, &r); INSIST(r.length >= 4); isc_sha384_update(&sha384, r.base, r.length); isc_sha384_final(digest, &sha384); break; case DNS_DSDIGEST_SHA256: default: isc_sha256_init(&sha256); dns_name_toregion(name, &r); isc_sha256_update(&sha256, r.base, r.length); dns_rdata_toregion(key, &r); INSIST(r.length >= 4); isc_sha256_update(&sha256, r.base, r.length); isc_sha256_final(digest, &sha256); break; } ds.mctx = NULL; ds.common.rdclass = key->rdclass; ds.common.rdtype = dns_rdatatype_ds; ds.algorithm = r.base[3]; ds.key_tag = dst_region_computeid(&r, ds.algorithm); ds.digest_type = digest_type; switch (digest_type) { case DNS_DSDIGEST_SHA1: ds.length = ISC_SHA1_DIGESTLENGTH; break; #if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) case DNS_DSDIGEST_GOST: ds.length = ISC_GOST_DIGESTLENGTH; break; #endif case DNS_DSDIGEST_SHA384: ds.length = ISC_SHA384_DIGESTLENGTH; break; case DNS_DSDIGEST_SHA256: default: ds.length = ISC_SHA256_DIGESTLENGTH; break; } ds.digest = digest; return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds, &ds, &b)); }
int main(int argc, char **argv) { isc_buffer_t buf; unsigned char key[1024]; char secret[1024]; char base64[(1024*4)/3]; isc_region_t r; isc_result_t result; if (argc != 3) { fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]); fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | " "SHA256 | SHA384 | SHA512)\n"); return (1); } isc_buffer_init(&buf, secret, sizeof(secret)); result = isc_base64_decodestring(argv[2], &buf); if (result != ISC_R_SUCCESS) { fprintf(stderr, "error: %s\n", isc_result_totext(result)); return (1); } isc__buffer_usedregion(&buf, &r); if (!strcasecmp(argv[1], "md5") || !strcasecmp(argv[1], "hmac-md5")) { if (r.length > HMAC_LEN) { isc_md5_t md5ctx; isc_md5_init(&md5ctx); isc_md5_update(&md5ctx, r.base, r.length); isc_md5_final(&md5ctx, key); r.base = key; r.length = ISC_MD5_DIGESTLENGTH; } } else if (!strcasecmp(argv[1], "sha1") || !strcasecmp(argv[1], "hmac-sha1")) { if (r.length > ISC_SHA1_DIGESTLENGTH) { isc_sha1_t sha1ctx; isc_sha1_init(&sha1ctx); isc_sha1_update(&sha1ctx, r.base, r.length); isc_sha1_final(&sha1ctx, key); r.base = key; r.length = ISC_SHA1_DIGESTLENGTH; } } else if (!strcasecmp(argv[1], "sha224") || !strcasecmp(argv[1], "hmac-sha224")) { if (r.length > ISC_SHA224_DIGESTLENGTH) { isc_sha224_t sha224ctx; isc_sha224_init(&sha224ctx); isc_sha224_update(&sha224ctx, r.base, r.length); isc_sha224_final(key, &sha224ctx); r.base = key; r.length = ISC_SHA224_DIGESTLENGTH; } } else if (!strcasecmp(argv[1], "sha256") || !strcasecmp(argv[1], "hmac-sha256")) { if (r.length > ISC_SHA256_DIGESTLENGTH) { isc_sha256_t sha256ctx; isc_sha256_init(&sha256ctx); isc_sha256_update(&sha256ctx, r.base, r.length); isc_sha256_final(key, &sha256ctx); r.base = key; r.length = ISC_SHA256_DIGESTLENGTH; } } else if (!strcasecmp(argv[1], "sha384") || !strcasecmp(argv[1], "hmac-sha384")) { if (r.length > ISC_SHA384_DIGESTLENGTH) { isc_sha384_t sha384ctx; isc_sha384_init(&sha384ctx); isc_sha384_update(&sha384ctx, r.base, r.length); isc_sha384_final(key, &sha384ctx); r.base = key; r.length = ISC_SHA384_DIGESTLENGTH; } } else if (!strcasecmp(argv[1], "sha512") || !strcasecmp(argv[1], "hmac-sha512")) { if (r.length > ISC_SHA512_DIGESTLENGTH) { isc_sha512_t sha512ctx; isc_sha512_init(&sha512ctx); isc_sha512_update(&sha512ctx, r.base, r.length); isc_sha512_final(key, &sha512ctx); r.base = key; r.length = ISC_SHA512_DIGESTLENGTH; } } else { fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]); return (1); } isc_buffer_init(&buf, base64, sizeof(base64)); result = isc_base64_totext(&r, 0, "", &buf); if (result != ISC_R_SUCCESS) { fprintf(stderr, "error: %s\n", isc_result_totext(result)); return (1); } fprintf(stdout, "%.*s\n", (int)isc_buffer_usedlength(&buf), base64); return (0); }