crypto.h 4.91 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
// Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

Jelte Jansen's avatar
Jelte Jansen committed
15
16
#include <string>
#include <dns/buffer.h>
Jelte Jansen's avatar
Jelte Jansen committed
17
#include <dns/tsigkey.h>
18
#include <exceptions/exceptions.h>
Jelte Jansen's avatar
Jelte Jansen committed
19

20
21
22
23
24
25
#ifndef _ISC_CRYPTO_H
#define _ISC_CRYPTO_H

namespace isc {
namespace crypto {

Jelte Jansen's avatar
Jelte Jansen committed
26
27
/// General exception class that is the base for all crypto-related
/// exceptions
28
29
30
31
32
33
class CryptoError : public Exception {
public:
    CryptoError(const char* file, size_t line, const char* what) :
        isc::Exception(file, line, what) {}
};

Jelte Jansen's avatar
Jelte Jansen committed
34
35
/// This exception is thrown when a cryptographic action is requested
/// for an algorithm that is not supported by the underlying algorithm.
36
37
38
39
40
41
class UnsupportedAlgorithm : public CryptoError {
public:
    UnsupportedAlgorithm(const char* file, size_t line, const char* what) :
        CryptoError(file, line, what) {}
};

Jelte Jansen's avatar
Jelte Jansen committed
42
43
/// This exception is thrown when the underlying library could not
/// handle this key
44
45
46
47
48
49
class BadKey : public CryptoError {
public:
    BadKey(const char* file, size_t line, const char* what) :
        CryptoError(file, line, what) {}
};

50
/// Forward declaration, pimpl style
51
52
class HMACImpl;

53
54
55
56
/// \brief HMAC support
///
/// This class is used to create and verify HMAC signatures
///
57
58
class HMAC {
public:
59
60
61
62
63
64
65
66
67
68
69
70
    /// \brief Constructor from a key
    ///
    /// Raises an UnsupportedAlgorithmException if the given key
    /// is for an algorithm that is not supported by the underlying
    /// library
    /// Raises an InvalidKeyLength if the given key has a bad length
    ///
    /// Notes: if the key is longer than the block size of its
    /// algorithm, the constructor will run it through the hash
    /// algorithm, and use the digest as a key for this HMAC operation
    /// 
    /// \param key The key to use
71
    explicit HMAC(const isc::dns::TSIGKey& key);
72
73

    /// \brief Destructor
74
    ~HMAC();
75
76
77
78
79

    /// \brief Add data to digest
    ///
    /// \param data The data to add
    /// \param len The size of the data
80
    void update(const void* data, size_t len);
81
82
83
84
85
86

    /// \brief Calculate the final signature
    ///
    /// The result will be appended to the given outputbuffer
    ///
    /// \param result The OutputBuffer to append the result to
87
    void sign(isc::dns::OutputBuffer& result);
88
89
90
91
92
93

    /// \brief Verify an existing signature
    ///
    /// \param sig The signature to verify
    /// \param len The length of the sig
    /// \return true if the signature is correct, false otherwise
94
    bool verify(const void* sig, size_t len);
95

96
97
98
99
private:
    HMACImpl* impl_;
};

100
101
/// \brief Create an HMAC signature for the given data
///
102
103
104
105
106
/// This is a convenience function that calculates the hmac signature,
/// given a fixed amount of data. Internally it does the same as
/// creating an HMAC object, feeding it the data, and calculating the
/// resulting signature.
///
107
108
109
110
111
112
/// Raises an UnsupportedAlgorithm if we do not support the given
/// algorithm. Raises a BadKey exception if the underlying library
/// cannot handle the given TSIGKey (for instance if it has a bad
/// length).
///
/// \param data The data to sign
113
/// \param data_len The length of the data
114
/// \param key The TSIGKey to sign with
115
116
117
/// \param result The signature will be appended to this buffer
void signHMAC(const void* data,
              size_t data_len,
118
119
              isc::dns::TSIGKey key,
              isc::dns::OutputBuffer& result);
Jelte Jansen's avatar
Jelte Jansen committed
120

121
122
/// \brief Verify an HMAC signature for the given data
///
123
124
125
126
127
/// This is a convenience function that verifies an hmac signature,
/// given a fixed amount of data. Internally it does the same as
/// creating an HMAC object, feeding it the data, and checking the
/// resulting signature.
///
128
129
130
131
132
133
/// Raises an UnsupportedAlgorithm if we do not support the given
/// algorithm. Raises a BadKey exception if the underlying library
/// cannot handle the given TSIGKey (for instance if it has a bad
/// length).
///
/// \param data The data to verify
134
/// \param data_len The length of the data
135
136
137
/// \param key The TSIGKey to verify with
/// \param mac The signature to verify
/// \return True if the signature verifies, false if not
138
139
bool verifyHMAC(const void* data,
                size_t data_len,
140
                isc::dns::TSIGKey key,
141
142
                const void* sig,
                size_t sig_len);
Jelte Jansen's avatar
Jelte Jansen committed
143

144
145
146
147
} // namespace crypto
} // namespace isc

#endif // _ISC_CRYPTO_H