#include <debug.h>
#include <crypto/signers/hmac_signer.h>
-extern const unsigned char FIPS_rodata_start[];
-extern const unsigned char FIPS_rodata_end[];
+extern const u_char FIPS_rodata_start[];
+extern const u_char FIPS_rodata_end[];
extern const void *FIPS_text_start();
extern const void *FIPS_text_end();
/**
* Described in header
*/
-char* fips_compute_hmac_signature(const char *key)
+bool fips_compute_hmac_signature(const char *key, char *signature)
{
- chunk_t hmac_key = { key, strlen(key) };
-
- hmac_signer_t *signer = hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1);
+ u_char *text_start = (u_char *)FIPS_text_start();
+ u_char *text_end = (u_char *)FIPS_text_end();
+ size_t text_len;
+ size_t rodata_len;
+ signer_t *signer;
+ if (text_start > text_end)
+ {
+ DBG1(" TEXT start (%p) > TEXT end (%p",
+ text_start, text_end);
+ return FALSE;
+ }
+ text_len = (size_t)text_end - (size_t)text_start;
DBG1(" TEXT: %p + %6d = %p",
- FIPS_text_start(),
- (int)( (size_t)FIPS_text_end() - (size_t)FIPS_text_start() ),
- FIPS_text_end());
+ text_start, (int)text_len, text_end);
+
+ if (FIPS_rodata_start > FIPS_rodata_end)
+ {
+ DBG1(" RODATA start (%p) > RODATA end (%p",
+ FIPS_rodata_start, FIPS_rodata_end);
+ return FALSE;
+ }
+ rodata_len = (size_t)FIPS_rodata_end - (size_t)FIPS_rodata_start;
DBG1(" RODATA: %p + %6d = %p",
- FIPS_rodata_start,
- (int)( (size_t)FIPS_rodata_end - (size_t)FIPS_rodata_start ),
- FIPS_rodata_end);
+ FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
+ signer = (signer_t *)hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1);
if (signer == NULL)
{
- DBG1(" sha-1 hmac_signer could not be created");
- return NULL;
+ DBG1(" SHA-1 HMAC signer could not be created");
+ return FALSE;
}
- signer->signer_interface.set_key((signer_t *)signer, hmac_key);
- signer->signer_interface.destroy((signer_t *)signer);
+ else
+ {
+ chunk_t hmac_key = { key, strlen(key) };
+ chunk_t text_chunk = { text_start, text_len };
+ chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
+ chunk_t signature_chunk = chunk_empty;
+
+ signer->set_key(signer, hmac_key);
+ /* TODO include rodata_chunk in HMAC */
+ signer->allocate_signature(signer, text_chunk, &signature_chunk);
+ signer->destroy(signer);
- /* TODO compute a HMAC over two separate chunks */
- return strdup("01020304050607080901011121314151617181920");
+ sprintf(signature, "%#B", &signature_chunk);
+ DBG1(" SHA-1 HMAC key: %s", key);
+ DBG1(" SHA-1 HMAC sig: %s", signature);
+ free(signature_chunk.ptr);
+ return TRUE;
+ }
}
/**
* Described in header
*/
-status_t fips_verify_hmac_signature(const char *key,
- const char *signature)
+bool fips_verify_hmac_signature(const char *key,
+ const char *signature)
{
- status_t status;
- char *current_signature = fips_compute_hmac_signature(key);
+ char current_signature[BUF_LEN];
- if (current_signature == NULL)
- {
- status = FAILED;
- }
- else
+ if (!fips_compute_hmac_signature(key, current_signature))
{
- status = streq(signature, current_signature)? SUCCESS:VERIFY_ERROR;
- free(current_signature);
+ return FALSE;
}
- return status;
+ return streq(signature, current_signature);
}
* @brief compute HMAC signature over RODATA and TEXT sections of libstrongswan
*
* @param key key used for HMAC signature in ASCII string format
- * @return HMAC signature in HEX string format
+ * @param signature HMAC signature in HEX string format
+ * @return TRUE if HMAC signature computation was successful
*/
-char* fips_compute_hmac_signature(const char *key);
+bool fips_compute_hmac_signature(const char *key, char *signature);
/**
* @brief verify HMAC signature over RODATA and TEXT sections of libstrongswan
*
* @param key key used for HMAC signature in ASCII string format
* @param signature signature value from fips_signature.h in HEX string format
- * @return SUCCESS if signatures agree
+ * @return TRUE if signatures agree
*/
-status_t fips_verify_hmac_signature(const char *key, const char *signature);
+bool fips_verify_hmac_signature(const char *key, const char *signature);
#endif /*FIPS_H_*/