diff options
| author | Francis Dupont <fdupont@isc.org> | 2019-09-02 14:41:14 +0200 |
|---|---|---|
| committer | Francis Dupont <fdupont@isc.org> | 2019-09-13 16:06:39 +0200 |
| commit | ba028eee986c0da963754c6fcb74790081557bec (patch) | |
| tree | 7d65431f162a5592410a7e3e6465eda8d6a58a13 | |
| parent | [#796,!504] Added ChangeLog entry for #796. (diff) | |
| download | kea-ba028eee986c0da963754c6fcb74790081557bec.tar.xz kea-ba028eee986c0da963754c6fcb74790081557bec.zip | |
[345-drop-botan-1-x-support] Removed Botan 1.x support
| -rw-r--r-- | doc/sphinx/arm/install.rst | 5 | ||||
| -rw-r--r-- | doc/sphinx/arm/intro.rst | 6 | ||||
| -rw-r--r-- | m4macros/ax_crypto.m4 | 147 | ||||
| -rw-r--r-- | src/lib/cryptolink/Makefile.am | 11 | ||||
| -rw-r--r-- | src/lib/cryptolink/botan1_hash.cc | 209 | ||||
| -rw-r--r-- | src/lib/cryptolink/botan1_hmac.cc | 251 | ||||
| -rw-r--r-- | src/lib/cryptolink/botan1_link.cc | 86 |
7 files changed, 16 insertions, 699 deletions
diff --git a/doc/sphinx/arm/install.rst b/doc/sphinx/arm/install.rst index 9660637912..0d8f242595 100644 --- a/doc/sphinx/arm/install.rst +++ b/doc/sphinx/arm/install.rst @@ -69,9 +69,8 @@ the system: versions). The Boost system library must also be installed. Installing a header-only version of Boost is no longer recommended. -- OpenSSL (at least version 1.0.1) or Botan (at least version 1.9). - Note that OpenSSL version 1.0.2 or 1.1.0 or later and Botan version 2 - or later are strongly recommended. +- OpenSSL (at least version 1.0.1) or Botan (at least version 2). + Note that OpenSSL version 1.0.2 or 1.1.0 or later is strongly recommended. - log4cplus (at least version 1.0.3) development include headers. diff --git a/doc/sphinx/arm/intro.rst b/doc/sphinx/arm/intro.rst index 5918ca86c3..f65d21cd75 100644 --- a/doc/sphinx/arm/intro.rst +++ b/doc/sphinx/arm/intro.rst @@ -38,9 +38,9 @@ software separately. (For the build requirements, also see :ref:`build-requireme - Kea supports two cryptographic libraries: Botan and OpenSSL. Only one of them is required to be installed during compilation. Kea uses the - Botan library for C++ (https://botan.randombit.net/), version 1.9 or - later. Note that support for Botan versions earlier than 2.0 will be - removed in Kea 1.6.0 and later. As an alternative to Botan, Kea can + Botan library for C++ (https://botan.randombit.net/), version 2.0 or + later. Note that support for Botan versions earlier than 2.0 was + removed in Kea 1.7.0 and later. As an alternative to Botan, Kea can use the OpenSSL cryptographic library (https://www.openssl.org/), version 1.0.2 or later. diff --git a/m4macros/ax_crypto.m4 b/m4macros/ax_crypto.m4 index fe91b1f939..34cd265110 100644 --- a/m4macros/ax_crypto.m4 +++ b/m4macros/ax_crypto.m4 @@ -24,49 +24,6 @@ AC_DEFUN([ACX_CHECK_PROG_NONCACHE], [ IFS="$IFS_SAVED" ]) -AC_DEFUN([ACX_TRY_BOTAN1_TOOL], [ - TOOL=$1 - TOOL_ARG=$2 - BOTAN1_TOOL="" - ACX_CHECK_PROG_NONCACHE([BOTAN1_TOOL], [${TOOL}]) - AC_MSG_CHECKING([usability of ${TOOL} ${TOOL_ARG}]) - if test "$BOTAN1_TOOL" != "" ; then - if test -x ${BOTAN1_TOOL}; then - CRYPTO_LIBS=`$BOTAN1_TOOL $TOOL_ARG --libs` - LIBS_SAVED=${LIBS} - LIBS="$LIBS $CRYPTO_LIBS" - CRYPTO_INCLUDES=`$BOTAN1_TOOL $TOOL_ARG --cflags` - CPPFLAGS_SAVED=${CPPFLAGS} - CPPFLAGS="$CRYPTO_INCLUDES $CPPFLAGS" - #AC_MSG_RESULT([found]) - AC_LINK_IFELSE( - [AC_LANG_PROGRAM([#include <botan/botan.h> - #include <botan/init.h> - #include <botan/hash.h> - ], - [using namespace Botan; - LibraryInitializer::initialize(); - HashFunction *h = get_hash("MD5"); - ])], - [ AC_MSG_RESULT([ok]) - $3 - ], - [ AC_MSG_RESULT([not usable]) ] - ) - LIBS=${LIBS_SAVED} - CPPFLAGS=${CPPFLAGS_SAVED} - else - AC_MSG_RESULT([not executable]) - fi - else - AC_MSG_RESULT([not found]) - fi - BOTAN1_TOOL="" - AC_SUBST(BOTAN1_TOOL) - ] -) -# End of ACX_TRY_BOTAN1_TOOL - AC_DEFUN([ACX_TRY_BOTAN_TOOL], [ TOOL=$1 TOOL_ARG=$2 @@ -113,7 +70,7 @@ AC_DEFUN([AX_CRYPTO], [ # Unless --with-botan-config is given, we first try to find these config # scripts ourselves. Unfortunately, on some systems, these scripts do not # provide the correct implementation, so for each script found, we try -# a compilation test (ACX_TRY_BOTAN[1]_TOOL). If none are found, or none of +# a compilation test (ACX_TRY_BOTAN_TOOL). If none are found, or none of # them work, we see if pkg-config is available. If so, we try the several # potential pkg-config .pc files. Again, on some systems, these can return # incorrect information as well, so the try-compile test is repeated for @@ -149,70 +106,23 @@ elif test "${botan_config}" != "yes" ; then if test -x "${botan_config}" ; then if test -d "${botan_config}" ; then AC_MSG_ERROR([${botan_config} is a directory]) - else - BOTAN1_CONFIG="${botan_config}" fi else AC_MSG_ERROR([--with-botan-config should point to a botan-config program and not a directory (${botan_config})]) fi - # determine Botan major version - BOTAN_CONFIG="${BOTAN1_CONFIG}" - cat > conftest.cpp << EOF -#include <botan/version.h> -MAJOR_VERSION=BOTAN_VERSION_MAJOR -EOF - CRYPTO_INCLUDES=`$BOTAN1_CONFIG --cflags` - MAJOR_VERSION=`$CXX -E $CXXFLAGS $CRYPTO_INCLUDES conftest.cpp | grep '^MAJOR_VERSION=' | $SED -e 's/MAJOR_VERSION=//' -e 's/[[ ]]//g' -e 's/"//g' 2> /dev/null` - if test "x${MAJOR_VERSION}" = "x2"; then - BOTAN1_CONFIG="" - fi - $RM -f conftest.cpp else BOTAN_CONFIG="" - BOTAN1_CONFIG="" - # first try several possible names of the config script - # (botan-config-1.9 is there just in case, the official name change - # came later) - BOTAN1_CONFIG_VERSIONS="botan-config-1.11 botan-config-1.10 botan-config-1.9 botan-config" - for botan1_config in $BOTAN1_CONFIG_VERSIONS; do - ACX_TRY_BOTAN1_TOOL([$botan1_config],, - [ BOTAN1_CONFIG="$botan1_config" ] - ) - if test "$BOTAN1_CONFIG" != "" ; then - BOTAN_CONFIG="${BOTAN1_CONFIG}" - break - fi - done AC_PATH_PROG([PKG_CONFIG], [pkg-config]) if test "$PKG_CONFIG" != "" ; then - if test "$BOTAN1_CONFIG" = "" ; then - # Ok so no script found, see if pkg-config knows of it. - # Unfortunately, the botan.pc files also have their minor version - # in their name, so we need to try them one by one - BOTAN1_VERSIONS="botan-1.11 botan-1.10 botan-1.9 botan-1.8" - for version in $BOTAN1_VERSIONS; do - ACX_TRY_BOTAN1_TOOL([pkg-config], - ["$version --silence-errors"], - [ BOTAN1_CONFIG="$PKG_CONFIG $version" ] - ) - if test "$BOTAN1_CONFIG" != "" ; then - BOTAN_CONFIG="${BOTAN1_CONFIG}" - break - fi - done - fi - if test "$BOTAN_CONFIG" = "" ; then - # Retry with Botan2 - BOTAN_VERSIONS="botan-2" - for version in $BOTAN_VERSIONS; do - ACX_TRY_BOTAN_TOOL([pkg-config], ["$version --silence-errors"], - [ BOTAN_CONFIG="$PKG_CONFIG $version" ] - ) - if test "$BOTAN_CONFIG" != "" ; then - break - fi - done - fi + BOTAN_VERSIONS="botan-2" + for version in $BOTAN_VERSIONS; do + ACX_TRY_BOTAN_TOOL([pkg-config], ["$version --silence-errors"], + [ BOTAN_CONFIG="$PKG_CONFIG $version" ] + ) + if test "$BOTAN_CONFIG" != "" ; then + break + fi + done fi fi @@ -290,9 +200,6 @@ EOF # (or not even passing the pre-processor phase) and a header file resulting # in compilation failures. HEADER_TO_CHECK=botan/botan.h - if test "BOTAN1_CONFIG" = ""; then - HEADER_TO_CHECK=botan/lookup.h - fi AC_CHECK_HEADERS([${HEADER_TO_CHECK}],,[ CRYPTO_INCLUDES="" CRYPTO_LIBS="" @@ -313,38 +220,7 @@ Boost and Botan that were compiled with the same compiler version.]) LIBS=$LIBS_SAVED fi -if test "x${BOTAN1_CONFIG}" != "x" -then - CPPFLAGS_SAVED=$CPPFLAGS - CPPFLAGS="$CRYPTO_INCLUDES $CPPFLAGS" - LIBS_SAVED="$LIBS" - LIBS="$LIBS $CRYPTO_LIBS" - AC_LINK_IFELSE( - [AC_LANG_PROGRAM([#include <botan/botan.h> - #include <botan/init.h> - #include <botan/hash.h> - ], - [using namespace Botan; - LibraryInitializer::initialize(); - HashFunction *h = get_hash("MD5"); - ])], - [AC_MSG_RESULT([checking for Botan1 library... yes])], - [AC_MSG_RESULT([checking for Botan1 library... no]) - CRYPTO_INCLUDES="" - CRYPTO_LIBS="" - CRYPTO_LDFLAGS="" - CRYPTO_RPATH="" - AC_MSG_RESULT([Needs Botan library 1.9 or higher. On some systems, - the botan package has a few missing dependencies (libbz2 and - libgmp), if libbotan has been installed and you see this message, - try upgrading to a higher version of botan or installing libbz2 - and libgmp.])] - ) - CPPFLAGS=$CPPFLAGS_SAVED - LIBS=$LIBS_SAVED - CRYPTO_NAME="Botan1" - CRYPTO_PACKAGE="botan-1.11" -elif test "x${CRYPTO_LIBS}" != "x" +if test "x${CRYPTO_LIBS}" != "x" then CPPFLAGS_SAVED=$CPPFLAGS CPPFLAGS="$CRYPTO_INCLUDES $CPPFLAGS" @@ -485,7 +361,6 @@ EOF CPPFLAGS=${CPPFLAGS_SAVED} fi -AM_CONDITIONAL(HAVE_BOTAN1, test "$CRYPTO_NAME" = "Botan1") AM_CONDITIONAL(HAVE_BOTAN, test "$CRYPTO_NAME" = "Botan") AM_CONDITIONAL(HAVE_OPENSSL, test "$CRYPTO_NAME" = "OpenSSL") AC_SUBST(CRYPTO_INCLUDES) diff --git a/src/lib/cryptolink/Makefile.am b/src/lib/cryptolink/Makefile.am index 23697e7de8..32156bdc2c 100644 --- a/src/lib/cryptolink/Makefile.am +++ b/src/lib/cryptolink/Makefile.am @@ -12,12 +12,6 @@ libkea_cryptolink_la_SOURCES = cryptolink.h cryptolink.cc libkea_cryptolink_la_SOURCES += crypto_hash.h crypto_hash.cc libkea_cryptolink_la_SOURCES += crypto_hmac.h crypto_hmac.cc libkea_cryptolink_la_SOURCES += crypto_rng.h crypto_rng.cc -if HAVE_BOTAN1 -libkea_cryptolink_la_SOURCES += botan1_link.cc -libkea_cryptolink_la_SOURCES += botan_common.h -libkea_cryptolink_la_SOURCES += botan1_hash.cc -libkea_cryptolink_la_SOURCES += botan1_hmac.cc -endif if HAVE_BOTAN libkea_cryptolink_la_SOURCES += botan_link.cc libkea_cryptolink_la_SOURCES += botan_common.h @@ -46,11 +40,6 @@ libkea_cryptolink_include_HEADERS = \ crypto_rng.h \ cryptolink.h -if HAVE_BOTAN1 -libkea_cryptolink_include_HEADERS += \ - botan_common.h -endif - if HAVE_BOTAN libkea_cryptolink_include_HEADERS += \ botan_common.h diff --git a/src/lib/cryptolink/botan1_hash.cc b/src/lib/cryptolink/botan1_hash.cc deleted file mode 100644 index 222aa45349..0000000000 --- a/src/lib/cryptolink/botan1_hash.cc +++ /dev/null @@ -1,209 +0,0 @@ -// Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC") -// -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -#include <config.h> - -#include <cryptolink.h> -#include <cryptolink/crypto_hash.h> - -#include <boost/scoped_ptr.hpp> - -#include <botan/version.h> -#include <botan/botan.h> -#include <botan/hash.h> -#include <botan/types.h> - -#include <cryptolink/botan_common.h> - -namespace isc { -namespace cryptolink { - -/// @brief Decode the HashAlgorithm enum into a name usable by Botan -/// -/// @param algorithm algorithm to be converted -/// @return text representation of the algorithm name -const std::string -btn::getHashAlgorithmName(HashAlgorithm algorithm) { - switch (algorithm) { - case isc::cryptolink::MD5: - return ("MD5"); - case isc::cryptolink::SHA1: - return ("SHA-1"); - case isc::cryptolink::SHA256: - return ("SHA-256"); - case isc::cryptolink::SHA224: - return ("SHA-224"); - case isc::cryptolink::SHA384: - return ("SHA-384"); - case isc::cryptolink::SHA512: - return ("SHA-512"); - case isc::cryptolink::UNKNOWN_HASH: - return ("Unknown"); - } - // compiler should have prevented us to reach this, since we have - // no default. But we need a return value anyway - return ("Unknown"); -} - -/// @brief Botan implementation of Hash. Each method is the counterpart -/// of the Hash corresponding method. -class HashImpl { -public: - - /// @brief Constructor for specific hash algorithm - /// - /// @param hash_algorithm The hash algorithm - explicit HashImpl(const HashAlgorithm hash_algorithm) - : hash_algorithm_(hash_algorithm), hash_() { - Botan::HashFunction* hash; - try { - const std::string& name = - btn::getHashAlgorithmName(hash_algorithm); - hash = Botan::get_hash(name); - } catch (const Botan::Algorithm_Not_Found&) { - isc_throw(isc::cryptolink::UnsupportedAlgorithm, - "Unknown hash algorithm: " << - static_cast<int>(hash_algorithm)); - } catch (const Botan::Exception& exc) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << exc.what()); - } - - hash_.reset(hash); - } - - /// @brief Destructor - ~HashImpl() { } - - /// @brief Returns the HashAlgorithm of the object - HashAlgorithm getHashAlgorithm() const { - return (hash_algorithm_); - } - - /// @brief Returns the output size of the digest - /// - /// @return output size of the digest - size_t getOutputLength() const { -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,9,0) - return (hash_->output_length()); -#else -#error "Unsupported Botan version (need 1.9 or higher)" - // added to suppress irrelevant compiler errors - return 0; -#endif - } - - /// @brief Adds data to the digest - /// - /// See @ref isc::cryptolink::Hash::update() for details. - void update(const void* data, const size_t len) { - try { - hash_->update(static_cast<const Botan::byte*>(data), len); - } catch (const Botan::Exception& exc) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final digest - /// - /// See @ref isc::cryptolink::Hash::final() for details. - void final(isc::util::OutputBuffer& result, size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hash_->final()); - - if (len > b_result.size()) { - len = b_result.size(); - } - result.writeData(&b_result[0], len); - } catch (const Botan::Exception& exc) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final digest - /// - /// See @ref isc::cryptolink::Hash::final() for details. - void final(void* result, size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hash_->final()); - size_t output_size = getOutputLength(); - if (output_size > len) { - output_size = len; - } - std::memcpy(result, &b_result[0], output_size); - } catch (const Botan::Exception& exc) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final digest - /// - /// See @ref isc::cryptolink::Hash::final() for details. - std::vector<uint8_t> final(size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hash_->final()); - if (len > b_result.size()) { - len = b_result.size(); - } - return (std::vector<uint8_t>(&b_result[0], &b_result[len])); - } catch (const Botan::Exception& exc) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << exc.what()); - } - } - -private: - /// @brief The hash algorithm - HashAlgorithm hash_algorithm_; - - /// @brief The protected pointer to the Botan HashFunction object - boost::scoped_ptr<Botan::HashFunction> hash_; -}; - -Hash::Hash(const HashAlgorithm hash_algorithm) -{ - impl_ = new HashImpl(hash_algorithm); -} - -Hash::~Hash() { - delete impl_; -} - -HashAlgorithm -Hash::getHashAlgorithm() const { - return (impl_->getHashAlgorithm()); -} - -size_t -Hash::getOutputLength() const { - return (impl_->getOutputLength()); -} - -void -Hash::update(const void* data, const size_t len) { - impl_->update(data, len); -} - -void -Hash::final(isc::util::OutputBuffer& result, size_t len) { - impl_->final(result, len); -} - -void -Hash::final(void* result, size_t len) { - impl_->final(result, len); -} - -std::vector<uint8_t> -Hash::final(size_t len) { - return impl_->final(len); -} - -} // namespace cryptolink -} // namespace isc diff --git a/src/lib/cryptolink/botan1_hmac.cc b/src/lib/cryptolink/botan1_hmac.cc deleted file mode 100644 index cebf23f037..0000000000 --- a/src/lib/cryptolink/botan1_hmac.cc +++ /dev/null @@ -1,251 +0,0 @@ -// Copyright (C) 2011-2018 Internet Systems Consortium, Inc. ("ISC") -// -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -#include <config.h> - -#include <cryptolink.h> -#include <cryptolink/crypto_hmac.h> - -#include <boost/scoped_ptr.hpp> - -#include <botan/version.h> -#include <botan/botan.h> -#include <botan/hmac.h> -#include <botan/hash.h> -#include <botan/types.h> - -#include <cryptolink/botan_common.h> - -namespace isc { -namespace cryptolink { - -/// @brief Botan implementation of HMAC. Each method is the counterpart -/// of the HMAC corresponding method. -class HMACImpl { -public: - /// @brief Constructor from a secret and a hash algorithm - /// - /// See constructor of the @ref isc::cryptolink::HMAC class for details. - /// - /// @param secret The secret to sign with - /// @param secret_len The length of the secret - /// @param hash_algorithm The hash algorithm - explicit HMACImpl(const void* secret, size_t secret_len, - const HashAlgorithm hash_algorithm) - : hash_algorithm_(hash_algorithm), hmac_() { - Botan::HashFunction* hash; - try { - const std::string& name = - btn::getHashAlgorithmName(hash_algorithm); - hash = Botan::get_hash(name); - } catch (const Botan::Algorithm_Not_Found&) { - isc_throw(UnsupportedAlgorithm, - "Unknown hash algorithm: " << - static_cast<int>(hash_algorithm)); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - - hmac_.reset(new Botan::HMAC(hash)); - - // If the key length is larger than the block size, we hash the - // key itself first. - try { - // use a temp var so we don't have blocks spanning - // preprocessor directives -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,9,0) - size_t block_length = hash->hash_block_size(); -#else -#error "Unsupported Botan version (need 1.9 or higher)" - // added to suppress irrelevant compiler errors - size_t block_length = 0; -#endif - if (secret_len > block_length) { - Botan::SecureVector<Botan::byte> hashed_key = - hash->process(static_cast<const Botan::byte*>(secret), - secret_len); - hmac_->set_key(&hashed_key[0], hashed_key.size()); - } else { - // Botan 1.8 considers len 0 a bad key. 1.9 does not, - // but we won't accept it anyway, and fail early - if (secret_len == 0) { - isc_throw(BadKey, "Bad HMAC secret length: 0"); - } - hmac_->set_key(static_cast<const Botan::byte*>(secret), - secret_len); - } - } catch (const Botan::Invalid_Key_Length& ikl) { - isc_throw(BadKey, ikl.what()); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - - /// @brief Destructor - ~HMACImpl() { - } - - /// @brief Returns the HashAlgorithm of the object - HashAlgorithm getHashAlgorithm() const { - return (hash_algorithm_); - } - - /// @brief Returns the output size of the digest - /// - /// @return output size of the digest - size_t getOutputLength() const { -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,9,0) - return (hmac_->output_length()); -#else -#error "Unsupported Botan version (need 1.9 or higher)" - // added to suppress irrelevant compiler errors - return 0; -#endif - } - - /// @brief Add data to digest - /// - /// See @ref isc::cryptolink::HMAC::update() for details. - void update(const void* data, const size_t len) { - try { - hmac_->update(static_cast<const Botan::byte*>(data), len); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final signature - /// - /// See @ref isc::cryptolink::HMAC::sign() for details. - void sign(isc::util::OutputBuffer& result, size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hmac_->final()); - - if (len > b_result.size()) { - len = b_result.size(); - } - result.writeData(&b_result[0], len); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final signature - /// - /// See @ref isc::cryptolink::HMAC::sign() for details. - void sign(void* result, size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hmac_->final()); - size_t output_size = getOutputLength(); - if (output_size > len) { - output_size = len; - } - std::memcpy(result, &b_result[0], output_size); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - - /// @brief Calculate the final signature - /// - /// See @ref isc::cryptolink::HMAC::sign() for details. - std::vector<uint8_t> sign(size_t len) { - try { - Botan::SecureVector<Botan::byte> b_result(hmac_->final()); - if (len > b_result.size()) { - len = b_result.size(); - } - return (std::vector<uint8_t>(&b_result[0], &b_result[len])); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - - - /// @brief Verify an existing signature - /// - /// See @ref isc::cryptolink::HMAC::verify() for details. - bool verify(const void* sig, size_t len) { - // Botan's verify_mac checks if len matches the output_length, - // which causes it to fail for truncated signatures, so we do - // the check ourselves - try { - size_t size = getOutputLength(); - if (len < 10 || len < size / 2) { - return (false); - } - if (len > size) { - len = size; - } - if (digest_.size() == 0) { - digest_ = hmac_->final(); - } - return (Botan::same_mem(&digest_[0], - static_cast<const unsigned char*>(sig), - len)); - } catch (const Botan::Exception& exc) { - isc_throw(LibraryError, "Botan error: " << exc.what()); - } - } - -private: - /// @brief The hash algorithm - HashAlgorithm hash_algorithm_; - - /// @brief The protected pointer to the Botan HMAC object - boost::scoped_ptr<Botan::HMAC> hmac_; - - /// @brief The digest cache for multiple verify - Botan::SecureVector<Botan::byte> digest_; -}; - -HMAC::HMAC(const void* secret, size_t secret_length, - const HashAlgorithm hash_algorithm) -{ - impl_ = new HMACImpl(secret, secret_length, hash_algorithm); -} - -HMAC::~HMAC() { - delete impl_; -} - -HashAlgorithm -HMAC::getHashAlgorithm() const { - return (impl_->getHashAlgorithm()); -} - -size_t -HMAC::getOutputLength() const { - return (impl_->getOutputLength()); -} - -void -HMAC::update(const void* data, const size_t len) { - impl_->update(data, len); -} - -void -HMAC::sign(isc::util::OutputBuffer& result, size_t len) { - impl_->sign(result, len); -} - -void -HMAC::sign(void* result, size_t len) { - impl_->sign(result, len); -} - -std::vector<uint8_t> -HMAC::sign(size_t len) { - return impl_->sign(len); -} - -bool -HMAC::verify(const void* sig, const size_t len) { - return (impl_->verify(sig, len)); -} - -} // namespace cryptolink -} // namespace isc diff --git a/src/lib/cryptolink/botan1_link.cc b/src/lib/cryptolink/botan1_link.cc deleted file mode 100644 index ce6bd8d6fa..0000000000 --- a/src/lib/cryptolink/botan1_link.cc +++ /dev/null @@ -1,86 +0,0 @@ -// Copyright (C) 2011-2018 Internet Systems Consortium, Inc. ("ISC") -// -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -#include <config.h> - -#include <cryptolink/cryptolink.h> -#include <cryptolink/crypto_hash.h> -#include <cryptolink/crypto_hmac.h> -#include <cryptolink/crypto_rng.h> - -#include <botan/botan.h> -#include <botan/init.h> -#include <botan/auto_rng.h> - -namespace isc { -namespace cryptolink { - -// For Botan, we use the CryptoLink class object in RAII style -class CryptoLinkImpl { -private: - Botan::LibraryInitializer botan_init_; -}; - -CryptoLink::~CryptoLink() { - rng_.reset(); - delete impl_; -} - -/// \brief Botan implementation of RNG. -class RNGImpl : public RNG { -public: - RNGImpl() { - rng.reset(new Botan::AutoSeeded_RNG()); - } - - ~RNGImpl() { - } - -private: - std::vector<uint8_t> random(size_t len) { - std::vector<uint8_t> data; - if (len > 0) { - data.resize(len); - try { - rng->randomize(&data[0], len); - } catch (const Botan::Exception& ex) { - isc_throw(isc::cryptolink::LibraryError, - "Botan error: " << ex.what()); - } - } - return (data); - } - - boost::shared_ptr<Botan::RandomNumberGenerator> rng; -}; - -void -CryptoLink::initialize() { - CryptoLink& c = getCryptoLinkInternal(); - if (!c.impl_) { - try { - c.impl_ = new CryptoLinkImpl(); - } catch (const Botan::Exception& ex) { - isc_throw(InitializationError, "Botan error: " << ex.what()); - } - } - if (!c.rng_) { - try { - c.rng_.reset(new RNGImpl()); - } catch (const Botan::Exception& ex) { - isc_throw(InitializationError, "Botan error: " << ex.what()); - } - } -} - -std::string -CryptoLink::getVersion() { - return (Botan::version_string()); -} - -} // namespace cryptolink -} // namespace isc - |