Commit 8ee6f289 authored by Mark Andrews

4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 provider's capabilities. [RT #42458]
parent 85342bec
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
4449. [test] Fix catalog zones test on slower systems. [RT #42997]
4448. [bug] win32: ::1 was not being found when iterating
......
......@@ -25,6 +25,8 @@
#include <isc/result.h>
#include <isc/string.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
......@@ -40,8 +42,10 @@
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return "hmac-md5";
#endif
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
......@@ -66,8 +70,10 @@ alg_fromtext(const char *name) {
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
#endif
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0)
......@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
dst_key_t *key = NULL;
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
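Review bot: With `PK11_MD5_DISABLE` defined, the `md5` comparison in `alg_fromtext` is compiled out, so a request for hmac-md5 falls through to whatever the function returns for an unrecognised name, which is outside this hunk. The user then presumably gets a generic unknown-algorithm error, whereas the key-generation tools changed in this same commit print an explicit "was disabled" message. A comment at the guard would at least record the intent, for example `/* hmac-md5 is compiled out when the PKCS#11 provider has no MD5; it is then reported as an unknown algorithm */`. The bodies of `alg_totext`, `alg_fromtext` and `generate_key` all continue outside the visible hunks.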
......
......@@ -39,6 +39,8 @@
#include <isc/time.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
......@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
......@@ -80,6 +83,23 @@ Usage:\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-A alg: algorithm (default hmac-sha256)\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#endif
exit (status);
}
......@@ -115,7 +135,11 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
#ifndef PK11_MD5_DISABLE
alg = DST_ALG_HMACMD5;
#else
alg = DST_ALG_HMACSHA256;
#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
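Review bot: The `#else` branch of `usage()` repeats the entire usage text in order to change one line, the `-A alg` default, so every later option change has to be made in two string literals that can drift apart. A single `fprintf` with the default algorithm name passed as an extra `%s` argument, selected once under `#ifndef PK11_MD5_DISABLE`, would keep one copy of the text. Part of the first literal is elided on this page, so it is assumed rather than verified that the two differ only in that line. In `main()` the default stays `DST_ALG_HMACMD5` wherever MD5 is available, so keys generated without `-A` still use HMAC-MD5 on those builds; a comment next to `alg = DST_ALG_HMACMD5;` saying why the weaker default is kept would help the next reader.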
......
......@@ -128,7 +128,8 @@
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5.
hmac-sha384 and hmac-sha512. The default is hmac-md5 or
if MD5 was disabled hmac-sha256.
</para>
</listitem>
</varlistentry>
......
......@@ -21,6 +21,8 @@
#include <isc/task.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/masterdump.h>
......@@ -1672,7 +1674,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2;
ptr2 = ptr3;
} else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
digestbits = 0;
}
strncpy(keynametext, ptr, sizeof(keynametext));
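Review bot: The fallback `hmacname` in `dash_option` now depends on a compile-time switch, and the same four-line `#ifndef PK11_MD5_DISABLE` / `#else` selection is repeated in the `setup_keystr` and `evaluate_key` hunks further down. Defining the default once, as a single macro in a shared header set under the same guard, and using it at all three sites would stop the defaults from diverging when one site is later changed. Because the same command line now signs with hmac-md5 on one build and hmac-sha256 on another, a peer configured for the other algorithm would be expected to reject the request; the documentation hunks mention both defaults, but the tool gives no indication of which one it picked. `dash_option` starts and ends outside this hunk.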
......
......@@ -390,7 +390,8 @@
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>.
is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: You should use the <option>-k</option> option and
......
......@@ -82,6 +82,8 @@
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h>
#include <lwres/lwres.h>
......@@ -1142,12 +1144,15 @@ parse_hmac(const char *hmac) {
digestbits = 0;
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
} else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
......@@ -1260,9 +1265,11 @@ setup_file_key(void) {
}
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
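Review bot: In the one-argument `parse_hmac` the chain now reads `} else` / `#endif` / `if (strcasecmp(buf, "hmac-sha1") == 0) {`, so the `else` keyword lives inside the guard while the statement it governs lives outside it. It compiles in both configurations, but the structure is easy to break when an arm is added or reordered. A short comment on the dangling `else`, such as `/* else-if chain continues after #endif */`, would make the intent visible to whoever edits it next. The same construction is used in the three-argument `parse_hmac` hunk and in the `parse_config` hunk later in this commit. `parse_hmac` continues outside the hunk.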
......
......@@ -22,6 +22,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
......@@ -404,10 +406,20 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
if (freeit != NULL)
free(freeit);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
#endif
if (freeit != NULL)
free(freeit);
return (1);
......@@ -504,6 +516,11 @@ main(int argc, char **argv) {
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
#ifdef PK11_MD5_DISABLE
if (alg == DST_ALG_RSAMD5)
fatal("Key %s uses disabled RSAMD5", predecessor);
#endif
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
......
......@@ -37,6 +37,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
......@@ -546,15 +548,30 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0)
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
alg = DST_ALG_HMACMD5;
else if (strcasecmp(algname, "HMAC-SHA1") == 0)
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
fprintf(stderr,
"The use of HMAC-MD5 was disabled\n");
return (1);
#endif
} else if (strcasecmp(algname, "HMAC-SHA1") == 0)
alg = DST_ALG_HMACSHA1;
else if (strcasecmp(algname, "HMAC-SHA224") == 0)
alg = DST_ALG_HMACSHA224;
......@@ -574,6 +591,10 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
#ifdef PK11_MD5_DISABLE
INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
#endif
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
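Review bot: The new `INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));` turns a user-supplied algorithm choice into an assertion failure if any parsing path outside this hunk (a numeric algorithm value, for instance) can still yield one of the two values when `PK11_MD5_DISABLE` is defined. An abort is the wrong response to bad command-line input, and the hunk in this commit that checks a predecessor key uses `fatal()` for the same condition. I would replace it with `if (alg == DNS_KEYALG_RSAMD5 || alg == DST_ALG_HMACMD5) fatal("algorithm %d was disabled", alg);`. Separately, the added HMAC-MD5 rejection branch returns without the `INSIST(freeit == NULL);` that the two branches before it carry. `main` extends beyond both hunks.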
......
......@@ -22,6 +22,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h>
#include <dns/fixedname.h>
......@@ -939,9 +941,11 @@ struct keyalgorithms {
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
#ifndef PK11_MD5_DISABLE
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
#endif
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
......@@ -988,7 +992,9 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
if (name != NULL) {
switch (algorithms[i].hmac) {
#ifndef PK11_MD5_DISABLE
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
#endif
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
......
......@@ -40,6 +40,8 @@
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h>
#include <dns/callbacks.h>
......@@ -451,6 +453,7 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
strncpy(buf, hmacstr, len);
buf[len] = 0;
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
*hmac = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
......@@ -459,7 +462,9 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
if (result != ISC_R_SUCCESS || digestbits > 128)
fatal("digest-bits out of range [0..128]");
digestbits = (digestbits +7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
} else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
......@@ -549,7 +554,11 @@ setup_keystr(void) {
secretstr = n + 1;
digestbits = parse_hmac(&hmacname, keystr, s - keystr);
} else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
name = keystr;
n = s;
}
......@@ -683,9 +692,11 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
}
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
......@@ -1541,7 +1552,11 @@ evaluate_key(char *cmdline) {
digestbits = parse_hmac(&hmacname, namestr, n - namestr);
namestr = n + 1;
} else
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
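Review bot: At the end of the `evaluate_key` hunk the bare `else` has no braces and its only statement is now supplied by whichever preprocessor branch is active, so a later edit that adds a second statement to one branch will silently fall outside the `else`. Bracing it removes the hazard: `} else {`, then the guarded assignment, then `}`. The `if` arm already uses braces, so this also makes the two arms consistent. `evaluate_key` starts and ends outside the hunk.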
......
......@@ -324,7 +324,8 @@
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>.
is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: Use of the <option>-y</option> option is discouraged because the
......@@ -481,7 +482,8 @@
<parameter>keyname</parameter> <parameter>secret</parameter> pair.
If <parameter>hmac</parameter> is specified, then it sets the
signing algorithm in use; the default is
<literal>hmac-md5</literal>. The <command>key</command>
<literal>hmac-md5</literal> or if MD5 was disabled
<literal>hmac-sha256</literal>. The <command>key</command>
command overrides any key specified on the command line via
<option>-y</option> or <option>-k</option>.
</para>
......
......@@ -39,7 +39,7 @@
pkcs11-tokens \- list PKCS#11 available tokens
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-tokens\fR\ 'u
\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-tokens\fR
......@@ -50,6 +50,11 @@ lists the PKCS#11 available tokens with defaults from the slot/token scan perfor
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
.PP
\-e
.RS 4
Make the PKCS#11 libisc initialization verbose\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-destroy\fR(8),
......
......@@ -38,11 +38,14 @@ main(int argc, char *argv[]) {
isc_mem_t *mctx = NULL;
pk11_context_t pctx;
while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 'v':
pk11_verbose_init = ISC_TRUE;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
......@@ -58,7 +61,7 @@ main(int argc, char *argv[]) {
if (errflg) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
exit(1);
}
......@@ -73,7 +76,7 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
......@@ -81,7 +84,7 @@ main(int argc, char *argv[]) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n\n");
} else if (result != ISC_R_SUCCESS) {
} else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
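Review bot: After this change a result of `ISC_R_NOTFOUND` from `pk11_get_session` matches neither the warning branch nor the error branch, so the tool carries on without telling the operator anything. What that result means here depends on `pk11_get_session`, which is not shown, but since the third argument was also switched to `ISC_TRUE` it looks as if a token lacking some service is now tolerated. That is worth a line on stderr, for example `fprintf(stderr, "Warning: %s\n", isc_result_totext(result));` in its own `else if`, with a comment saying why it is not fatal. The new option is `-v` in the option string, the usage text and the DocBook source, but the man page and HTML hunks in this commit list it as `-e`. `main` extends beyond these hunks.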
......
......@@ -40,6 +40,7 @@
<cmdsynopsis sepchar=" ">
<command>pkcs11-tokens</command>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
......@@ -65,6 +66,15 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Make the PKCS#11 libisc initialization verbose.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
......
<!--
- Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
......@@ -19,7 +27,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
......@@ -38,6 +46,10 @@
path to a shared library object implementing the PKCS#11 API
for the device.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
Make the PKCS#11 libisc initialization verbose.
</p></dd>
</dl></div>
</div>
<div class="refsection">
......
......@@ -32,6 +32,8 @@
#include <isc/thread.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h>
#include <isccc/alist.h>
......@@ -628,9 +630,12 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
secretstr = cfg_obj_asstring(secretobj);
algorithmstr = cfg_obj_asstring(algorithmobj);
#ifndef PK11_MD5_DISABLE
if (strcasecmp(algorithmstr, "hmac-md5") == 0)
algorithm = ISCCC_ALG_HMACMD5;
else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
else
#endif
if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
algorithm = ISCCC_ALG_HMACSHA1;
else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
algorithm = ISCCC_ALG_HMACSHA224;
......
......@@ -22,6 +22,8 @@
#include <isc/print.h>
#include <isc/string.h>
#include <pk11/site.h>
static void
print_digest(const char *s, const char *hash, unsigned char *d,
unsigned int words)
......@@ -41,8 +43,10 @@ int
main(int argc, char **argv) {
isc_sha1_t sha1;
isc_sha224_t sha224;
#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
isc_hmacmd5_t hmacmd5;
#endif
isc_hmacsha1_t hmacsha1;
isc_hmacsha224_t hmacsha224;
isc_hmacsha256_t hmacsha256;
......@@ -84,6 +88,7 @@ main(int argc, char **argv) {
isc_sha224_final(digest, &sha224);
print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
#ifndef PK11_MD5_DISABLE
s = "abc";
isc_md5_init(&md5);
memmove(buffer, s, strlen(s));
......@@ -121,6 +126,7 @@ main(int argc, char **argv) {
isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
isc_hmacmd5_sign(&hmacmd5, digest);
print_digest(s, "hmacmd5", digest, 4);
#endif
/*
* The 3 HMAC-SHA1 examples from RFC4634.
......
......@@ -24,6 +24,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <tests/t_api.h>
......@@ -47,7 +49,9 @@ typedef struct {
union {
unsigned char b[1024];
#ifndef PK11_MD5_DISABLE
unsigned char md5[16];
#endif
unsigned char sha1[ISC_SHA1_DIGESTLENGTH];
unsigned char sha224[ISC_SHA224_DIGESTLENGTH];
unsigned char sha256[ISC_SHA256_DIGESTLENGTH];
......@@ -72,9 +76,11 @@ static OUT_ abc_sha1 = {
static OUT_ abc_sha224 = {
"23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
ISC_SHA224_DIGESTLENGTH};
#ifndef PK11_MD5_DISABLE
static OUT_ abc_md5 = {
"900150983cd24fb0d6963f7d28e17f72",
16};
#endif
static IN_ abc_blah = { "\"abcdbc...\"", NULL, 0,
STR_INIT("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")};
......@@ -84,6 +90,7 @@ static OUT_ abc_blah_sha1 = {
static OUT_ abc_blah_sha224 = {
"75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
ISC_SHA224_DIGESTLENGTH};
#ifndef PK11_MD5_DISABLE
static OUT_ abc_blah_md5 = {
"8215ef0796a20bcaaae116d3876c664a",
16};
......@@ -122,6 +129,7 @@ static IN_ rfc2104_3 = {"RFC 2104 #3", rfc2104_3_key, sizeof(rfc2104_3_key),
static OUT_ rfc2104_3_hmac = {
"56be34521d144c88dbb8c733f0e8b3f6",
16};
#endif
/*
* four three HMAC-SHA tests cut-and-pasted from RFC 4634 starting on page 86
......@@ -309,7 +317,9 @@ t_hash(const char *hname, HASH_INIT init, UPDATE update, FINAL final,
union {
unsigned char b[1024];
isc_sha1_t sha1;
#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
#endif
} ctx;
init(&ctx);
......@@ -340,17 +350,23 @@ t_sha224(IN_ *in, OUT_ *out)
static void
#ifndef PK11_MD5_DISABLE
t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224, OUT_ *out_md5)
#else
t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224)
#endif
{
t_hash("SHA1", (HASH_INIT)isc_sha1_init, (UPDATE)isc_sha1_update,
(FINAL)isc_sha1_final, in, out_sha1);
t_sha224(in, out_sha224);
#ifndef PK11_MD5_DISABLE
t_hash("md5", (HASH_INIT)isc_md5_init, (UPDATE)isc_md5_update,
(FINAL)isc_md5_final, in, out_md5);
#endif
}