From: Francis Dupont Date: Wed, 24 Dec 2014 14:28:29 +0000 (+0100) Subject: [master] merge cryptolink API cleanup (trac3606a) X-Git-Tag: trac3504_base~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=55d2df9d78321b3844217055e376ae44ac962d8f;p=thirdparty%2Fkea.git [master] merge cryptolink API cleanup (trac3606a) --- diff --git a/ChangeLog b/ChangeLog index eedc55f364..0d1945f73f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +870. [func] fdupont + Cleanup the cryptolink API (e.g., removing spurious 'magic' + zero length parameters). + (Trac #3606, git ...) + 869. [func] tomek 'mac-sources' configuration parameter added. The DHCPv6 server can now be configured to use various MAC/Hardware address diff --git a/src/lib/cryptolink/botan_hash.cc b/src/lib/cryptolink/botan_hash.cc index d0bd9f1792..78f944ed39 100644 --- a/src/lib/cryptolink/botan_hash.cc +++ b/src/lib/cryptolink/botan_hash.cc @@ -115,7 +115,7 @@ public: try { Botan::SecureVector b_result(hash_->final()); - if (len == 0 || len > b_result.size()) { + if (len > b_result.size()) { len = b_result.size(); } result.writeData(b_result.begin(), len); @@ -146,7 +146,7 @@ public: std::vector final(size_t len) { try { Botan::SecureVector b_result(hash_->final()); - if (len == 0 || len > b_result.size()) { + if (len > b_result.size()) { return (std::vector(b_result.begin(), b_result.end())); } else { return (std::vector(b_result.begin(), &b_result[len])); diff --git a/src/lib/cryptolink/botan_hmac.cc b/src/lib/cryptolink/botan_hmac.cc index bb5b7562a1..dfb43e6359 100644 --- a/src/lib/cryptolink/botan_hmac.cc +++ b/src/lib/cryptolink/botan_hmac.cc @@ -128,7 +128,7 @@ public: try { Botan::SecureVector b_result(hmac_->final()); - if (len == 0 || len > b_result.size()) { + if (len > b_result.size()) { len = b_result.size(); } result.writeData(b_result.begin(), len); @@ -159,7 +159,7 @@ public: std::vector sign(size_t len) { try { Botan::SecureVector b_result(hmac_->final()); - if (len == 0 || len > b_result.size()) { + if (len > b_result.size()) { return (std::vector(b_result.begin(), b_result.end())); } else { return (std::vector(b_result.begin(), &b_result[len])); @@ -180,10 +180,10 @@ public: try { Botan::SecureVector our_mac = hmac_->final(); size_t size = getOutputLength(); - if (len != 0 && (len < 10 || len < size / 2)) { + if (len < 10 || len < size / 2) { return (false); } - if (len == 0 || len > size) { + if (len > size) { len = size; } return (Botan::same_mem(&our_mac[0], diff --git a/src/lib/cryptolink/crypto_hash.cc b/src/lib/cryptolink/crypto_hash.cc index 95f0fadb49..bf4c2a2104 100644 --- a/src/lib/cryptolink/crypto_hash.cc +++ b/src/lib/cryptolink/crypto_hash.cc @@ -30,6 +30,9 @@ digest(const void* data, const size_t data_len, boost::scoped_ptr hash( CryptoLink::getCryptoLink().createHash(hash_algorithm)); hash->update(data, data_len); + if (len == 0) { + len = hash->getOutputLength(); + } hash->final(result, len); } diff --git a/src/lib/cryptolink/crypto_hash.h b/src/lib/cryptolink/crypto_hash.h index ba2fc04ab4..7e950d578c 100644 --- a/src/lib/cryptolink/crypto_hash.h +++ b/src/lib/cryptolink/crypto_hash.h @@ -74,9 +74,9 @@ public: /// \param result The OutputBuffer to append the result to /// \param len The number of bytes from the result to copy. If this /// value is smaller than the algorithms output size, the - /// result will be truncated. If this value is larger, or 0 - /// (the default), it will be ignored - void final(isc::util::OutputBuffer& result, size_t len = 0); + /// result will be truncated. If this value is larger, + /// only output size bytes will be copied + void final(isc::util::OutputBuffer& result, size_t len); /// \brief Calculate the final digest /// @@ -103,10 +103,10 @@ public: /// /// \param len The number of bytes from the result to copy. If this /// value is smaller than the algorithms output size, the - /// result will be truncated. If this value is larger, or 0 - /// (the default), it will be ignored + /// result will be truncated. If this value is larger, + /// only output size bytes will be copied /// \return a vector containing the signature - std::vector final(size_t len = 0); + std::vector final(size_t len); private: HashImpl* impl_; @@ -128,8 +128,9 @@ private: /// \param data_len The length of the data /// \param hash_algorithm The hash algorithm /// \param result The digest will be appended to this buffer -/// \param len If this is non-zero and less than the output size, -/// the result will be truncated to len bytes +/// \param len If this is non-zero and less than the output size, the result +/// will be truncated to len bytes. If greater than output size +/// (or equal to zero) only output size bytes are written void digest(const void* data, const size_t data_len, const HashAlgorithm hash_algorithm, diff --git a/src/lib/cryptolink/crypto_hmac.cc b/src/lib/cryptolink/crypto_hmac.cc index 9887855c41..6e853e7379 100644 --- a/src/lib/cryptolink/crypto_hmac.cc +++ b/src/lib/cryptolink/crypto_hmac.cc @@ -32,6 +32,9 @@ signHMAC(const void* data, const size_t data_len, const void* secret, secret_len, hash_algorithm)); hmac->update(data, data_len); + if (len == 0) { + len = hmac->getOutputLength(); + } hmac->sign(result, len); } @@ -46,7 +49,11 @@ verifyHMAC(const void* data, const size_t data_len, const void* secret, secret_len, hash_algorithm)); hmac->update(data, data_len); - return (hmac->verify(sig, sig_len)); + size_t len = sig_len; + if (len == 0) { + len = hmac->getOutputLength(); + } + return (hmac->verify(sig, len)); } void diff --git a/src/lib/cryptolink/crypto_hmac.h b/src/lib/cryptolink/crypto_hmac.h index 12908372eb..459b59e825 100644 --- a/src/lib/cryptolink/crypto_hmac.h +++ b/src/lib/cryptolink/crypto_hmac.h @@ -84,9 +84,9 @@ public: /// \param result The OutputBuffer to append the result to /// \param len The number of bytes from the result to copy. If this /// value is smaller than the algorithms output size, the - /// result will be truncated. If this value is larger, or 0 - /// (the default), it will be ignored - void sign(isc::util::OutputBuffer& result, size_t len = 0); + /// result will be truncated. If this value is larger, + /// only output size bytes will be copied + void sign(isc::util::OutputBuffer& result, size_t len); /// \brief Calculate the final signature /// @@ -110,10 +110,10 @@ public: /// /// \param len The number of bytes from the result to copy. If this /// value is smaller than the algorithms output size, the - /// result will be truncated. If this value is larger, or 0 - /// (the default), it will be ignored + /// result will be truncated. If this value is larger, + /// only output size bytes will be copied /// \return a vector containing the signature - std::vector sign(size_t len = 0); + std::vector sign(size_t len); /// \brief Verify an existing signature /// @@ -121,8 +121,8 @@ public: /// in the underlying library /// /// \param sig The signature to verify - /// \param len The length of the signature. If this is non-zero, - /// and smaller than the output length of the algorithm, + /// \param len The length of the signature. If this is smaller + /// than the output length of the algorithm, /// only len bytes will be checked /// \return true if the signature is correct, false otherwise /// @@ -136,7 +136,7 @@ private: /// \brief Create an HMAC signature for the given data /// -/// This is a convenience function that calculates the hmac signature, +/// This is a convenience function that calculates the HMAC signature, /// given a fixed amount of data. Internally it does the same as /// creating an HMAC object, feeding it the data, and calculating the /// resulting signature. @@ -158,8 +158,9 @@ private: /// \param secret_len The length of the secret /// \param hash_algorithm The hash algorithm /// \param result The signature will be appended to this buffer -/// \param len If this is non-zero and less than the output size, -/// the result will be truncated to len bytes +/// \param len If this is non-zero and less than the output size, the result +/// will be truncated to len bytes. If greater than output size +/// (or equal to zero) only output size bytes are written void signHMAC(const void* data, const size_t data_len, const void* secret, @@ -173,7 +174,8 @@ void signHMAC(const void* data, /// This is a convenience function that verifies an hmac signature, /// given a fixed amount of data. Internally it does the same as /// creating an HMAC object, feeding it the data, and checking the -/// resulting signature. +/// resulting signature at the exception a zero sig_len is +/// internally replaced by the output size. /// /// \exception UnsupportedAlgorithm if the given algorithm is unknown /// or not supported by the underlying library diff --git a/src/lib/cryptolink/openssl_hash.cc b/src/lib/cryptolink/openssl_hash.cc index 483a61fde2..120abc5a82 100644 --- a/src/lib/cryptolink/openssl_hash.cc +++ b/src/lib/cryptolink/openssl_hash.cc @@ -105,7 +105,7 @@ public: size_t size = getOutputLength(); std::vector digest(size); EVP_DigestFinal_ex(md_.get(), &digest[0], NULL); - if (len == 0 || len > size) { + if (len > size) { len = size; } result.writeData(&digest[0], len); @@ -131,7 +131,7 @@ public: size_t size = getOutputLength(); std::vector digest(size); EVP_DigestFinal_ex(md_.get(), &digest[0], NULL); - if (len != 0 && len < size) { + if (len < size) { digest.resize(len); } return (std::vector(digest.begin(), digest.end())); diff --git a/src/lib/cryptolink/openssl_hmac.cc b/src/lib/cryptolink/openssl_hmac.cc index 711cc44a89..831b33d5d0 100644 --- a/src/lib/cryptolink/openssl_hmac.cc +++ b/src/lib/cryptolink/openssl_hmac.cc @@ -89,7 +89,7 @@ public: size_t size = getOutputLength(); ossl::SecBuf digest(size); HMAC_Final(md_.get(), &digest[0], NULL); - if (len == 0 || len > size) { + if (len > size) { len = size; } result.writeData(&digest[0], len); @@ -115,7 +115,7 @@ public: size_t size = getOutputLength(); ossl::SecBuf digest(size); HMAC_Final(md_.get(), &digest[0], NULL); - if (len != 0 && len < size) { + if (len < size) { digest.resize(len); } return (std::vector(digest.begin(), digest.end())); @@ -126,12 +126,12 @@ public: /// See @ref isc::cryptolink::HMAC::verify() for details. bool verify(const void* sig, size_t len) { size_t size = getOutputLength(); - if (len != 0 && (len < 10 || len < size / 2)) { + if (len < 10 || len < size / 2) { return (false); } ossl::SecBuf digest(size); HMAC_Final(md_.get(), &digest[0], NULL); - if (len == 0 || len > size) { + if (len > size) { len = size; } return (digest.same(sig, len)); diff --git a/src/lib/cryptolink/tests/hash_unittests.cc b/src/lib/cryptolink/tests/hash_unittests.cc index 5185377e3c..4c122d1e6d 100644 --- a/src/lib/cryptolink/tests/hash_unittests.cc +++ b/src/lib/cryptolink/tests/hash_unittests.cc @@ -130,7 +130,7 @@ namespace { // note: this is not exception-safe, and can leak, but // if there is an unexpected exception in the code below we // have more important things to fix. - boost::scoped_array result(new uint8_t[hash_len]); + boost::scoped_array result(new uint8_t[hash_len]); hash_digest->final(result.get(), hash_len); checkData(result.get(), expected_hash, hash_len); @@ -562,37 +562,31 @@ namespace { TEST(HashTest, HashLength) { std::vector result; - EXPECT_EQ(16, digestVectorLength(MD5, 0)); EXPECT_EQ(8, digestVectorLength(MD5, 8)); EXPECT_EQ(16, digestVectorLength(MD5, 16)); EXPECT_EQ(16, digestVectorLength(MD5, 40)); EXPECT_EQ(16, digestVectorLength(MD5, 2000)); - EXPECT_EQ(20, digestBufferLength(SHA1, 0)); EXPECT_EQ(8, digestBufferLength(SHA1, 8)); EXPECT_EQ(20, digestBufferLength(SHA1, 20)); EXPECT_EQ(20, digestBufferLength(SHA1, 40)); EXPECT_EQ(20, digestBufferLength(SHA1, 2000)); - EXPECT_EQ(32, digestBufferLength(SHA256, 0)); EXPECT_EQ(8, digestBufferLength(SHA256, 8)); EXPECT_EQ(32, digestBufferLength(SHA256, 32)); EXPECT_EQ(32, digestBufferLength(SHA256, 40)); EXPECT_EQ(32, digestBufferLength(SHA256, 3200)); - EXPECT_EQ(16, digestBufferLength(MD5, 0)); EXPECT_EQ(8, digestBufferLength(MD5, 8)); EXPECT_EQ(16, digestBufferLength(MD5, 16)); EXPECT_EQ(16, digestBufferLength(MD5, 40)); EXPECT_EQ(16, digestBufferLength(MD5, 2000)); - EXPECT_EQ(20, digestBufferLength(SHA1, 0)); EXPECT_EQ(8, digestBufferLength(SHA1, 8)); EXPECT_EQ(20, digestBufferLength(SHA1, 20)); EXPECT_EQ(20, digestBufferLength(SHA1, 40)); EXPECT_EQ(20, digestBufferLength(SHA1, 2000)); - EXPECT_EQ(32, digestBufferLength(SHA256, 0)); EXPECT_EQ(8, digestBufferLength(SHA256, 8)); EXPECT_EQ(32, digestBufferLength(SHA256, 32)); EXPECT_EQ(32, digestBufferLength(SHA256, 40)); diff --git a/src/lib/cryptolink/tests/hmac_unittests.cc b/src/lib/cryptolink/tests/hmac_unittests.cc index 00d20252c6..fe597f03d2 100644 --- a/src/lib/cryptolink/tests/hmac_unittests.cc +++ b/src/lib/cryptolink/tests/hmac_unittests.cc @@ -602,37 +602,31 @@ namespace { TEST(HMACTest, HMACSigLengthArgument) { std::vector sig; - EXPECT_EQ(16, sigVectorLength(MD5, 0)); EXPECT_EQ(8, sigVectorLength(MD5, 8)); EXPECT_EQ(16, sigVectorLength(MD5, 16)); EXPECT_EQ(16, sigVectorLength(MD5, 40)); EXPECT_EQ(16, sigVectorLength(MD5, 2000)); - EXPECT_EQ(20, sigBufferLength(SHA1, 0)); EXPECT_EQ(8, sigBufferLength(SHA1, 8)); EXPECT_EQ(20, sigBufferLength(SHA1, 20)); EXPECT_EQ(20, sigBufferLength(SHA1, 40)); EXPECT_EQ(20, sigBufferLength(SHA1, 2000)); - EXPECT_EQ(32, sigBufferLength(SHA256, 0)); EXPECT_EQ(8, sigBufferLength(SHA256, 8)); EXPECT_EQ(32, sigBufferLength(SHA256, 32)); EXPECT_EQ(32, sigBufferLength(SHA256, 40)); EXPECT_EQ(32, sigBufferLength(SHA256, 3200)); - EXPECT_EQ(16, sigBufferLength(MD5, 0)); EXPECT_EQ(8, sigBufferLength(MD5, 8)); EXPECT_EQ(16, sigBufferLength(MD5, 16)); EXPECT_EQ(16, sigBufferLength(MD5, 40)); EXPECT_EQ(16, sigBufferLength(MD5, 2000)); - EXPECT_EQ(20, sigBufferLength(SHA1, 0)); EXPECT_EQ(8, sigBufferLength(SHA1, 8)); EXPECT_EQ(20, sigBufferLength(SHA1, 20)); EXPECT_EQ(20, sigBufferLength(SHA1, 40)); EXPECT_EQ(20, sigBufferLength(SHA1, 2000)); - EXPECT_EQ(32, sigBufferLength(SHA256, 0)); EXPECT_EQ(8, sigBufferLength(SHA256, 8)); EXPECT_EQ(32, sigBufferLength(SHA256, 32)); EXPECT_EQ(32, sigBufferLength(SHA256, 40)); diff --git a/src/lib/dns/nsec3hash.cc b/src/lib/dns/nsec3hash.cc index a01e06e418..eefa5991b6 100644 --- a/src/lib/dns/nsec3hash.cc +++ b/src/lib/dns/nsec3hash.cc @@ -1,4 +1,4 @@ -// Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +// Copyright (C) 2012,2014 Internet Systems Consortium, Inc. ("ISC") // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above @@ -120,7 +120,7 @@ iterateSHA1(const uint8_t* input, size_t inlength, boost::scoped_ptr hash(CryptoLink::getCryptoLink().createHash(SHA1)); hash->update(input, inlength); hash->update(salt, saltlen); // this works whether saltlen == or > 0 - hash->final(output); + hash->final(output, hash->getOutputLength()); } string diff --git a/src/lib/dns/tsig.cc b/src/lib/dns/tsig.cc index ceb39f4bfa..30dde1cb2a 100644 --- a/src/lib/dns/tsig.cc +++ b/src/lib/dns/tsig.cc @@ -78,7 +78,7 @@ struct TSIGContext::TSIGContextImpl { hmac_.reset(CryptoLink::getCryptoLink().createHMAC( key_.getSecret(), key_.getSecretLength(), key_.getAlgorithm()), - deleteHMAC); + deleteHMAC); } catch (const isc::Exception&) { return; }