BIND 10 trac781, updated. 40f4efbbd9f5685147cd1abf19d12c336bc1b8d9 [trac781] Remove TSIGKey from unittests too
BIND 10 source code commits
bind10-changes at lists.isc.org
Sun Apr 17 21:00:32 UTC 2011
The branch, trac781 has been updated
via 40f4efbbd9f5685147cd1abf19d12c336bc1b8d9 (commit)
via a57662d6db020dd0b334472b5bb7ea88aefb6a7d (commit)
from 122d9611bd552c3113eca8aa5e91d2b8a3018210 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 40f4efbbd9f5685147cd1abf19d12c336bc1b8d9
Author: Jelte Jansen <jelte at isc.org>
Date: Sun Apr 17 23:00:16 2011 +0200
[trac781] Remove TSIGKey from unittests too
commit a57662d6db020dd0b334472b5bb7ea88aefb6a7d
Author: Jelte Jansen <jelte at isc.org>
Date: Sun Apr 17 22:31:11 2011 +0200
[trac781] remove TSIGKey from crypto api
-----------------------------------------------------------------------
Summary of changes:
src/lib/crypto/crypto.cc | 77 +++++++-----
src/lib/crypto/crypto.h | 65 +++++++----
src/lib/crypto/tests/crypto_unittests.cc | 193 +++++++++++++++++-------------
src/lib/dns/tsigkey.cc | 2 +
4 files changed, 197 insertions(+), 140 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/lib/crypto/crypto.cc b/src/lib/crypto/crypto.cc
index 9af9863..022d3c5 100644
--- a/src/lib/crypto/crypto.cc
+++ b/src/lib/crypto/crypto.cc
@@ -14,9 +14,6 @@
#include "crypto.h"
-#include <iostream>
-#include <iomanip>
-
#include <botan/botan.h>
#include <botan/hmac.h>
#include <botan/hash.h>
@@ -24,7 +21,6 @@
#include <dns/buffer.h>
#include <dns/name.h>
-#include <dns/tsigkey.h>
#include <dns/util/base64.h>
#include <string>
@@ -33,23 +29,25 @@ using namespace std;
using namespace isc::dns;
namespace {
-Botan::HashFunction*
-getHash(const Name& hash_name) {
- try {
- if (hash_name == TSIGKey::HMACMD5_NAME()) {
- return (Botan::get_hash("MD5"));
- } else if (hash_name == TSIGKey::HMACSHA1_NAME()) {
- return (Botan::get_hash("SHA-1"));
- } else if (hash_name == TSIGKey::HMACSHA256_NAME()) {
- return (Botan::get_hash("SHA-256"));
- } else {
- isc_throw(isc::crypto::UnsupportedAlgorithm,
- "Unknown Hash type " + hash_name.toText());
- }
- } catch (const Botan::Algorithm_Not_Found) {
- isc_throw(isc::crypto::UnsupportedAlgorithm,
- "Algorithm not supported by boost: " + hash_name.toText());
+const char*
+getBotanHashAlgorithmName(isc::crypto::HMAC::HashAlgorithm algorithm) {
+ switch (algorithm) {
+ case isc::crypto::HMAC::MD5:
+ return "MD5";
+ break;
+ case isc::crypto::HMAC::SHA1:
+ return "SHA-1";
+ break;
+ case isc::crypto::HMAC::SHA256:
+ return "SHA-256";
+ break;
+ case isc::crypto::HMAC::UNKNOWN:
+ return "Unknown";
+ break;
}
+ // compiler should have prevented us to reach this, since we have
+ // no default. But we need a return value anyway
+ return "Unknown";
}
// Library needs to have been inited during the entire program
@@ -64,22 +62,31 @@ namespace crypto {
class HMACImpl {
public:
- explicit HMACImpl(const TSIGKey& key) {
- Botan::HashFunction* hash = getHash(key.getAlgorithmName());
+ explicit HMACImpl(const void* secret, size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm) {
+ Botan::HashFunction* hash;
+ try {
+ hash = Botan::get_hash(
+ getBotanHashAlgorithmName(hash_algorithm));
+ } catch (const Botan::Algorithm_Not_Found) {
+ isc_throw(isc::crypto::UnsupportedAlgorithm,
+ "Unknown hash algorithm: " + hash_algorithm);
+ }
+
hmac_ = new Botan::HMAC::HMAC(hash);
// Take the 'secret' from the key
// If the key length is larger than the block size, we hash the
// key itself first.
try {
- if (key.getSecretLength() > hash->HASH_BLOCK_SIZE) {
+ if (secret_len > hash->HASH_BLOCK_SIZE) {
Botan::SecureVector<Botan::byte> hashed_key =
- hash->process(static_cast<const Botan::byte*>(key.getSecret()),
- key.getSecretLength());
+ hash->process(static_cast<const Botan::byte*>(secret),
+ secret_len);
hmac_->set_key(hashed_key.begin(), hashed_key.size());
} else {
- hmac_->set_key(static_cast<const Botan::byte*>(key.getSecret()),
- key.getSecretLength());
+ hmac_->set_key(static_cast<const Botan::byte*>(secret),
+ secret_len);
}
} catch (const Botan::Invalid_Key_Length& ikl) {
delete hmac_;
@@ -110,8 +117,10 @@ private:
Botan::HMAC* hmac_;
};
-HMAC::HMAC(const TSIGKey& key) {
- impl_ = new HMACImpl(key);
+HMAC::HMAC(const void* secret, size_t secret_length,
+ const HashAlgorithm hash_algorithm)
+{
+ impl_ = new HMACImpl(secret, secret_length, hash_algorithm);
}
HMAC::~HMAC() {
@@ -134,20 +143,22 @@ HMAC::verify(const void* sig, const size_t len) {
}
void
-signHMAC(const void* data, size_t data_len, const TSIGKey& key,
+signHMAC(const void* data, size_t data_len, const void* secret,
+ size_t secret_len, const HMAC::HashAlgorithm hash_algorithm,
isc::dns::OutputBuffer& result)
{
- HMAC hmac(key);
+ HMAC hmac(secret, secret_len, hash_algorithm);
hmac.update(data, data_len);
hmac.sign(result);
}
bool
-verifyHMAC(const void* data, const size_t data_len, const TSIGKey& key,
+verifyHMAC(const void* data, const size_t data_len, const void* secret,
+ size_t secret_len, const HMAC::HashAlgorithm hash_algorithm,
const void* sig, const size_t sig_len)
{
- HMAC hmac(key);
+ HMAC hmac(secret, secret_len, hash_algorithm);
hmac.update(data, data_len);
return (hmac.verify(sig, sig_len));
}
diff --git a/src/lib/crypto/crypto.h b/src/lib/crypto/crypto.h
index f01d037..a323a97 100644
--- a/src/lib/crypto/crypto.h
+++ b/src/lib/crypto/crypto.h
@@ -14,7 +14,6 @@
#include <string>
#include <dns/buffer.h>
-#include <dns/tsigkey.h>
#include <exceptions/exceptions.h>
#include <boost/noncopyable.hpp>
@@ -58,19 +57,29 @@ class HMACImpl;
///
class HMAC : public boost::noncopyable {
public:
- /// \brief Constructor from a key
+ enum HashAlgorithm {
+ MD5 = 0,
+ SHA1 = 1,
+ SHA256 = 2,
+ UNKNOWN = 3
+ };
+
+ /// \brief Constructor from a secret and a hash algorithm
///
- /// \exception UnsupportedAlgorithmException if the given key
- /// is for an algorithm that is not supported by the underlying
- /// library
- /// \exception InvalidKeyLength if the given key has a bad length
+ /// \exception UnsupportedAlgorithmException if the given algorithm
+ /// is unknown or not supported by the underlying library
+ /// \exception InvalidKeyLength if the given key secret_len is bad
///
- /// Notes: if the key is longer than the block size of its
+ /// Notes: if the secret is longer than the block size of its
/// algorithm, the constructor will run it through the hash
- /// algorithm, and use the digest as a key for this HMAC operation
+ /// algorithm, and use the digest as the secret for this HMAC
+ /// operation
///
- /// \param key The key to use
- explicit HMAC(const isc::dns::TSIGKey& key);
+ /// \param secret The secret to sign with
+ /// \param len The length of the secret
+ /// \param hash_algorithm The hash algorithm
+ explicit HMAC(const void* secret, size_t secret_len,
+ const HashAlgorithm hash_algorithm);
/// \brief Destructor
~HMAC();
@@ -106,18 +115,26 @@ private:
/// creating an HMAC object, feeding it the data, and calculating the
/// resulting signature.
///
-/// \exception UnsupportedAlgorithm if we do not support the given
-/// algorithm.
-/// \exception BadKey if the underlying library cannot handle the
-/// given TSIGKey (for instance if it has a bad length).
+/// \exception UnsupportedAlgorithm if the given algorithm is unknown
+/// or not supported by the underlying library
+/// \exception BadKey if the given key secret_len is bad
+///
+/// Notes: if the secret is longer than the block size of its
+/// algorithm, the constructor will run it through the hash
+/// algorithm, and use the digest as the secret for this HMAC
+/// operation
///
/// \param data The data to sign
/// \param data_len The length of the data
-/// \param key The TSIGKey to sign with
+/// \param secret The secret to sign with
+/// \param secret_len The length of the secret
+/// \param hash_algorithm The hash algorithm
/// \param result The signature will be appended to this buffer
void signHMAC(const void* data,
const size_t data_len,
- const isc::dns::TSIGKey& key,
+ const void* secret,
+ size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm,
isc::dns::OutputBuffer& result);
/// \brief Verify an HMAC signature for the given data
@@ -127,10 +144,14 @@ void signHMAC(const void* data,
/// creating an HMAC object, feeding it the data, and checking the
/// resulting signature.
///
-/// \exception UnsupportedAlgorithm if we do not support the given
-/// algorithm.
-/// \exception BadKey exception if the underlying library cannot
-/// handle the given TSIGKey (for instance if it has a bad length).
+/// \exception UnsupportedAlgorithm if the given algorithm is unknown
+/// or not supported by the underlying library
+/// \exception BadKey if the given key secret_len is bad
+///
+/// Notes: if the secret is longer than the block size of its
+/// algorithm, the constructor will run it through the hash
+/// algorithm, and use the digest as the secret for this HMAC
+/// operation
///
/// \param data The data to verify
/// \param data_len The length of the data
@@ -139,7 +160,9 @@ void signHMAC(const void* data,
/// \return True if the signature verifies, false if not
bool verifyHMAC(const void* data,
const size_t data_len,
- const isc::dns::TSIGKey& key,
+ const void* secret,
+ size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm,
const void* sig,
const size_t sig_len);
diff --git a/src/lib/crypto/tests/crypto_unittests.cc b/src/lib/crypto/tests/crypto_unittests.cc
index 00d42f2..3cd8613 100644
--- a/src/lib/crypto/tests/crypto_unittests.cc
+++ b/src/lib/crypto/tests/crypto_unittests.cc
@@ -17,13 +17,13 @@
#include <crypto/crypto.h>
#include <dns/buffer.h>
-#include <dns/name.h>
#include <exceptions/exceptions.h>
using namespace isc::dns;
using namespace isc::crypto;
namespace {
+
void checkBuffer(const OutputBuffer& buf, uint8_t *data, size_t len) {
ASSERT_EQ(len, buf.getLength());
const uint8_t* buf_d = static_cast<const uint8_t*>(buf.getData());
@@ -34,48 +34,50 @@ namespace {
// Sign and verify with the convenience functions
void doHMACTestConv(const std::string& data,
- const std::string& key_str,
+ const void* secret,
+ size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm,
uint8_t* expected_hmac,
size_t hmac_len) {
OutputBuffer data_buf(data.size());
data_buf.writeData(data.c_str(), data.size());
OutputBuffer hmac_sig(1);
- TSIGKey key(key_str);
-
// Sign it
- signHMAC(data_buf.getData(), data_buf.getLength(), key,
- hmac_sig);
+ signHMAC(data_buf.getData(), data_buf.getLength(),
+ secret, secret_len, hash_algorithm, hmac_sig);
// Check if the signature is what we expect
checkBuffer(hmac_sig, expected_hmac, hmac_len);
// Check whether we can verify it ourselves
EXPECT_TRUE(verifyHMAC(data_buf.getData(), data_buf.getLength(),
- key, hmac_sig.getData(),
+ secret, secret_len, hash_algorithm,
+ hmac_sig.getData(),
hmac_sig.getLength()));
// Change the sig by flipping the first octet, and check
// whether verification fails then
hmac_sig.writeUint8At(~hmac_sig[0], 0);
EXPECT_FALSE(verifyHMAC(data_buf.getData(), data_buf.getLength(),
- key, hmac_sig.getData(),
+ secret, secret_len, hash_algorithm,
+ hmac_sig.getData(),
hmac_sig.getLength()));
}
// Sign and verify with an instantiation of an HMAC object
void doHMACTestDirect(const std::string& data,
- const std::string& key_str,
+ const void* secret,
+ size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm,
uint8_t* expected_hmac,
size_t hmac_len) {
OutputBuffer data_buf(data.size());
data_buf.writeData(data.c_str(), data.size());
OutputBuffer hmac_sig(1);
- TSIGKey key(key_str);
-
// Sign it
- HMAC hmac_sign(key);
+ HMAC hmac_sign(secret, secret_len, hash_algorithm);
hmac_sign.update(data_buf.getData(), data_buf.getLength());
hmac_sign.sign(hmac_sig);
@@ -83,7 +85,7 @@ namespace {
checkBuffer(hmac_sig, expected_hmac, hmac_len);
// Check whether we can verify it ourselves
- HMAC hmac_verify(key);
+ HMAC hmac_verify(secret, secret_len, hash_algorithm);
hmac_verify.update(data_buf.getData(), data_buf.getLength());
EXPECT_TRUE(hmac_verify.verify(hmac_sig.getData(),
hmac_sig.getLength()));
@@ -96,11 +98,15 @@ namespace {
}
void doHMACTest(const std::string& data,
- const std::string& key_str,
+ const void* secret,
+ size_t secret_len,
+ const HMAC::HashAlgorithm hash_algorithm,
uint8_t* expected_hmac,
size_t hmac_len) {
- doHMACTestConv(data, key_str, expected_hmac, hmac_len);
- doHMACTestDirect(data, key_str, expected_hmac, hmac_len);
+ doHMACTestConv(data, secret, secret_len, hash_algorithm,
+ expected_hmac, hmac_len);
+ doHMACTestDirect(data, secret, secret_len, hash_algorithm,
+ expected_hmac, hmac_len);
}
}
@@ -108,156 +114,165 @@ namespace {
// Test values taken from RFC 2202
//
TEST(CryptoTest, HMAC_MD5_RFC2202_SIGN) {
+ uint8_t secret[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b };
uint8_t hmac_expected[] = { 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38,
0xbb, 0x1c, 0x13, 0xf4, 0x8e, 0xf8,
0x15, 0x8b, 0xfc, 0x9d };
- doHMACTest("Hi There",
- "test.example:CwsLCwsLCwsLCwsLCwsLCw==:hmac-md5.sig-alg.reg.int",
- hmac_expected, 16);
+ doHMACTest("Hi There", secret, 16, HMAC::MD5, hmac_expected, 16);
+
uint8_t hmac_expected2[] = { 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0,
0xb5, 0x03, 0xea, 0xa8, 0x6e, 0x31,
0x0a, 0x5d, 0xb7, 0x38 };
- doHMACTest("what do ya want for nothing?",
- "test.example:SmVmZQ==:hmac-md5.sig-alg.reg.int",
+ doHMACTest("what do ya want for nothing?", "Jefe", 4, HMAC::MD5,
hmac_expected2, 16);
std::string data3;
for (int i = 0; i < 50; ++i) {
data3.push_back(0xdd);
}
+ uint8_t secret3[] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa };
uint8_t hmac_expected3[] = { 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14,
0x4c, 0x88, 0xdb, 0xb8, 0xc7, 0x33,
0xf0, 0xe8, 0xb3, 0xf6};
- doHMACTest(data3,
- "test.example:qqqqqqqqqqqqqqqqqqqqqg==:hmac-md5.sig-alg.reg.int",
- hmac_expected3, 16);
+ doHMACTest(data3, secret3, 16, HMAC::MD5, hmac_expected3, 16);
std::string data4;
for (int i = 0; i < 50; ++i) {
data4.push_back(0xcd);
}
+ uint8_t secret4[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
+ 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19 };
uint8_t hmac_expected4[] = { 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a,
0x3a, 0xea, 0x3a, 0x75, 0x16, 0x47,
0x46, 0xff, 0xaa, 0x79 };
- doHMACTest(data4,
- "test.example:AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGQ==:hmac-md5.sig-alg.reg.int",
- hmac_expected4, 16);
+ doHMACTest(data4, secret4, 25, HMAC::MD5, hmac_expected4, 16);
+ uint8_t secret5[] = { 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c };
uint8_t hmac_expected5[] = { 0x56, 0x46, 0x1e, 0xf2, 0x34, 0x2e,
0xdc, 0x00, 0xf9, 0xba, 0xb9, 0x95,
0x69, 0x0e, 0xfd, 0x4c };
- doHMACTest("Test With Truncation",
- "test.example:DAwMDAwMDAwMDAwMDAwMDA==:hmac-md5.sig-alg.reg.int",
+ doHMACTest("Test With Truncation", secret5, 16, HMAC::MD5,
hmac_expected5, 16);
+ std::string secret6;
+ for (int i = 0; i < 80; ++i) {
+ secret6.push_back(0xaa);
+ }
uint8_t hmac_expected6[] = { 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7,
0xbf, 0x8f, 0x0b, 0x62, 0xe6, 0xce,
0x61, 0xb9, 0xd0, 0xcd };
doHMACTest("Test Using Larger Than Block-Size Key - Hash Key First",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqo=:hmac-md5.sig-alg.reg.int",
- hmac_expected6, 16);
+ secret6.c_str(), 80, HMAC::MD5, hmac_expected6, 16);
+ // same secret as for test 6
uint8_t hmac_expected7[] = { 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd,
0xa0, 0xee, 0x1f, 0xb1, 0xf5, 0x62,
0xdb, 0x3a, 0xa5, 0x3e };
doHMACTest("Test Using Larger Than Block-Size Key and Larger Than "
"One Block-Size Data",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqo=:hmac-md5.sig-alg.reg.int",
- hmac_expected7, 16);
-
+ secret6.c_str(), 80, HMAC::MD5, hmac_expected7, 16);
}
//
// Test values taken from RFC 2202
//
TEST(CryptoTest, HMAC_SHA1_RFC2202_SIGN) {
+ uint8_t secret[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
uint8_t hmac_expected[] = { 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05,
0x72, 0x64, 0xe2, 0x8b, 0xc0, 0xb6,
0xfb, 0x37, 0x8c, 0x8e, 0xf1, 0x46,
0xbe, 0x00 };
- doHMACTest("Hi There",
- "test.example:CwsLCwsLCwsLCwsLCwsLCwsLCws=:hmac-sha1",
- hmac_expected, 20);
+ doHMACTest("Hi There", secret, 20, HMAC::SHA1, hmac_expected, 20);
uint8_t hmac_expected2[] = { 0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb,
0x2f, 0xa2, 0xd2, 0x74, 0x16, 0xd5,
0xf1, 0x84, 0xdf, 0x9c, 0x25, 0x9a,
0x7c, 0x79 };
- doHMACTest("what do ya want for nothing?",
- "test.example:SmVmZQ==:hmac-sha1",
+ doHMACTest("what do ya want for nothing?", "Jefe", 4, HMAC::SHA1,
hmac_expected2, 20);
std::string data3;
for (int i = 0; i < 50; ++i) {
data3.push_back(0xdd);
}
+ uint8_t secret3[] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
uint8_t hmac_expected3[] = { 0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac,
0x11, 0xcd, 0x91, 0xa3, 0x9a, 0xf4,
0x8a, 0xa1, 0x7b, 0x4f, 0x63, 0xf1,
0x75, 0xd3 };
- doHMACTest(data3,
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqo=:hmac-sha1",
- hmac_expected3, 20);
+ doHMACTest(data3, secret3, 20, HMAC::SHA1, hmac_expected3, 20);
std::string data4;
for (int i = 0; i < 50; ++i) {
data4.push_back(0xcd);
}
+ uint8_t secret4[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
+ 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19 };
uint8_t hmac_expected4[] = { 0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62,
0x50, 0xc6, 0xbc, 0x84, 0x14, 0xf9,
0xbf, 0x50, 0xc8, 0x6c, 0x2d, 0x72,
0x35, 0xda };
- doHMACTest(data4,
- "test.example:AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGQ==:hmac-sha1",
- hmac_expected4, 20);
+ doHMACTest(data4, secret4, 25, HMAC::SHA1, hmac_expected4, 20);
+ uint8_t secret5[] = { 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c };
uint8_t hmac_expected5[] = { 0x4c, 0x1a, 0x03, 0x42, 0x4b, 0x55,
0xe0, 0x7f, 0xe7, 0xf2, 0x7b, 0xe1,
0xd5, 0x8b, 0xb9, 0x32, 0x4a, 0x9a,
0x5a, 0x04 };
- doHMACTest("Test With Truncation",
- "test.example:DAwMDAwMDAwMDAwMDAwMDAwMDAw=:hmac-sha1",
+ doHMACTest("Test With Truncation", secret5, 20, HMAC::SHA1,
hmac_expected5, 20);
+ std::string secret6;
+ for (int i = 0; i < 80; ++i) {
+ secret6.push_back(0xaa);
+ }
uint8_t hmac_expected6[] = { 0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72,
0xd0, 0x0e, 0x95, 0x70, 0x56, 0x37,
0xce, 0x8a, 0x3b, 0x55, 0xed, 0x40,
0x21, 0x12 };
doHMACTest("Test Using Larger Than Block-Size Key - Hash Key First",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqo=:hmac-sha1",
- hmac_expected6, 20);
+ secret6.c_str(), 80, HMAC::SHA1, hmac_expected6, 20);
+ // same secret as for test 6
uint8_t hmac_expected7[] = { 0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23,
0x7d, 0x78, 0x6d, 0x6b, 0xba, 0xa7,
0x96, 0x5c, 0x78, 0x08, 0xbb, 0xff,
0x1a, 0x91 };
doHMACTest("Test Using Larger Than Block-Size Key and Larger Than "
"One Block-Size Data",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqo=:hmac-sha1",
- hmac_expected7, 20);
+ secret6.c_str(), 80, HMAC::SHA1, hmac_expected7, 20);
}
//
// Test values taken from RFC 4231
//
TEST(CryptoTest, HMAC_SHA256_RFC2202_SIGN) {
+ uint8_t secret[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
uint8_t hmac_expected[] = { 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb,
0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce,
0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d,
0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7,
0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32,
0xcf, 0xf7 };
- doHMACTest("Hi There",
- "test.example:CwsLCwsLCwsLCwsLCwsLCwsLCws=:hmac-sha256",
- hmac_expected, 32);
+ doHMACTest("Hi There", secret, 20, HMAC::SHA256, hmac_expected, 32);
uint8_t hmac_expected2[] = { 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60,
0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26,
@@ -265,38 +280,44 @@ TEST(CryptoTest, HMAC_SHA256_RFC2202_SIGN) {
0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec,
0x38, 0x43 };
- doHMACTest("what do ya want for nothing?",
- "test.example:SmVmZQ==:hmac-sha256",
+ doHMACTest("what do ya want for nothing?", "Jefe", 4, HMAC::SHA256,
hmac_expected2, 32);
std::string data3;
for (int i = 0; i < 50; ++i) {
data3.push_back(0xdd);
}
+ uint8_t secret3[] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
uint8_t hmac_expected3[] = { 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80,
0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb,
0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59,
0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22,
0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5,
0x65, 0xfe };
- doHMACTest(data3,
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqo=:hmac-sha256",
- hmac_expected3, 32);
+ doHMACTest(data3, secret3, 20, HMAC::SHA256, hmac_expected3, 32);
std::string data4;
for (int i = 0; i < 50; ++i) {
data4.push_back(0xcd);
}
+ uint8_t secret4[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
+ 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19 };
uint8_t hmac_expected4[] = { 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44,
0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98,
0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0,
0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07,
0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29,
0x66, 0x5b };
- doHMACTest(data4,
- "test.example:AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGQ==:hmac-sha256",
- hmac_expected4, 32);
+ doHMACTest(data4, secret4, 25, HMAC::SHA256, hmac_expected4, 32);
+ std::string secret6;
+ for (int i = 0; i < 131; ++i) {
+ secret6.push_back(0xaa);
+ }
uint8_t hmac_expected6[] = { 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0,
0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa,
0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b,
@@ -304,12 +325,9 @@ TEST(CryptoTest, HMAC_SHA256_RFC2202_SIGN) {
0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3,
0x7f, 0x54 };
doHMACTest("Test Using Larger Than Block-Size Key - Hash Key First",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqo=:hmac-sha256",
- hmac_expected6, 32);
+ secret6.c_str(), 131, HMAC::SHA256, hmac_expected6, 32);
+ // Same secret as test 6
uint8_t hmac_expected7[] = { 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94,
0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc,
0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc,
@@ -319,24 +337,27 @@ TEST(CryptoTest, HMAC_SHA256_RFC2202_SIGN) {
doHMACTest("This is a test using a larger than block-size key and a"
" larger than block-size data. The key needs to be hashe"
"d before being used by the HMAC algorithm.",
- "test.example:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
- "qqqqqqqqqqqqqqqqqqqqqqo=:hmac-sha256",
- hmac_expected7, 32);
+ secret6.c_str(), 131, HMAC::SHA256, hmac_expected7, 32);
}
TEST(CryptoTest, BadKey) {
- TSIGKey bad_key = TSIGKey(Name("test.example."), Name("hmac-sha1."),
- NULL, 0);
-
OutputBuffer data_buf(0);
OutputBuffer hmac_sig(0);
- EXPECT_THROW(new HMAC(bad_key), BadKey);
+ EXPECT_THROW(new HMAC(NULL, 0, HMAC::MD5), BadKey);
+ EXPECT_THROW(new HMAC(NULL, 0, HMAC::UNKNOWN), UnsupportedAlgorithm);
+
+ EXPECT_THROW(signHMAC(data_buf.getData(), data_buf.getLength(),
+ NULL, 0, HMAC::MD5, hmac_sig), BadKey);
EXPECT_THROW(signHMAC(data_buf.getData(), data_buf.getLength(),
- bad_key, hmac_sig), BadKey);
+ NULL, 0, HMAC::UNKNOWN, hmac_sig),
+ UnsupportedAlgorithm);
+
EXPECT_THROW(verifyHMAC(data_buf.getData(), data_buf.getLength(),
- bad_key, hmac_sig.getData(),
+ NULL, 0, HMAC::MD5, hmac_sig.getData(),
hmac_sig.getLength()), BadKey);
+ EXPECT_THROW(verifyHMAC(data_buf.getData(), data_buf.getLength(),
+ NULL, 0, HMAC::UNKNOWN, hmac_sig.getData(),
+ hmac_sig.getLength()),
+ UnsupportedAlgorithm);
}
diff --git a/src/lib/dns/tsigkey.cc b/src/lib/dns/tsigkey.cc
index 74d21af..85bc22c 100644
--- a/src/lib/dns/tsigkey.cc
+++ b/src/lib/dns/tsigkey.cc
@@ -18,6 +18,8 @@
#include <exceptions/exceptions.h>
+#include <crypto/crypto.h>
+
#include <dns/name.h>
#include <dns/util/base64.h>
#include <dns/tsigkey.h>
More information about the bind10-changes
mailing list