authorAndreas Steffen <andreas.steffen@strongswan.org>2007-08-29 08:54:53 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2007-08-29 08:54:53 +0000
commitfa50e4df48722e7bbbe42ec1e29ad0d6193fc431 (patch)
tree4cc913476af4e1c59df8539a35dbc1ed488833b5 /src
parentdc5a849bf0a333012c009f7e7d4c44c5d4988819 (diff)
compute SHA-1 HMAC over libstrongswan TEXT segment for the time being
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/fips/fips.c81
-rw-r--r--src/libstrongswan/fips/fips.h9
-rw-r--r--src/libstrongswan/fips/fips_signer.c9
3 files changed, 61 insertions, 38 deletions
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
index 1e8950d02..d97e51c1c 100644
--- a/src/libstrongswan/fips/fips.c
+++ b/src/libstrongswan/fips/fips.c
@@ -24,58 +24,79 @@
#include <debug.h>
#include <crypto/signers/hmac_signer.h>
-extern const unsigned char FIPS_rodata_start[];
-extern const unsigned char FIPS_rodata_end[];
+extern const u_char FIPS_rodata_start[];
+extern const u_char FIPS_rodata_end[];
extern const void *FIPS_text_start();
extern const void *FIPS_text_end();
/**
* Described in header
*/
-char* fips_compute_hmac_signature(const char *key)
+bool fips_compute_hmac_signature(const char *key, char *signature)
{
- chunk_t hmac_key = { key, strlen(key) };
-
- hmac_signer_t *signer = hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1);
+ u_char *text_start = (u_char *)FIPS_text_start();
+ u_char *text_end = (u_char *)FIPS_text_end();
+ size_t text_len;
+ size_t rodata_len;
+ signer_t *signer;
+ if (text_start > text_end)
+ {
+ DBG1(" TEXT start (%p) > TEXT end (%p",
+ text_start, text_end);
+ return FALSE;
+ }
+ text_len = (size_t)text_end - (size_t)text_start;
DBG1(" TEXT: %p + %6d = %p",
- FIPS_text_start(),
- (int)( (size_t)FIPS_text_end() - (size_t)FIPS_text_start() ),
- FIPS_text_end());
+ text_start, (int)text_len, text_end);
+
+ if (FIPS_rodata_start > FIPS_rodata_end)
+ {
+ DBG1(" RODATA start (%p) > RODATA end (%p",
+ FIPS_rodata_start, FIPS_rodata_end);
+ return FALSE;
+ }
+ rodata_len = (size_t)FIPS_rodata_end - (size_t)FIPS_rodata_start;
DBG1(" RODATA: %p + %6d = %p",
- FIPS_rodata_start,
- (int)( (size_t)FIPS_rodata_end - (size_t)FIPS_rodata_start ),
- FIPS_rodata_end);
+ FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
+ signer = (signer_t *)hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1);
if (signer == NULL)
{
- DBG1(" sha-1 hmac_signer could not be created");
- return NULL;
+ DBG1(" SHA-1 HMAC signer could not be created");
+ return FALSE;
}
- signer->signer_interface.set_key((signer_t *)signer, hmac_key);
- signer->signer_interface.destroy((signer_t *)signer);
+ else
+ {
+ chunk_t hmac_key = { key, strlen(key) };
+ chunk_t text_chunk = { text_start, text_len };
+ chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
+ chunk_t signature_chunk = chunk_empty;
+
+ signer->set_key(signer, hmac_key);
+ /* TODO include rodata_chunk in HMAC */
+ signer->allocate_signature(signer, text_chunk, &signature_chunk);
+ signer->destroy(signer);
- /* TODO compute a HMAC over two separate chunks */
- return strdup("01020304050607080901011121314151617181920");
+ sprintf(signature, "%#B", &signature_chunk);
+ DBG1(" SHA-1 HMAC key: %s", key);
+ DBG1(" SHA-1 HMAC sig: %s", signature);
+ free(signature_chunk.ptr);
+ return TRUE;
+ }
}
/**
* Described in header
*/
-status_t fips_verify_hmac_signature(const char *key,
- const char *signature)
+bool fips_verify_hmac_signature(const char *key,
+ const char *signature)
{
- status_t status;
- char *current_signature = fips_compute_hmac_signature(key);
+ char current_signature[BUF_LEN];
- if (current_signature == NULL)
- {
- status = FAILED;
- }
- else
+ if (!fips_compute_hmac_signature(key, current_signature))
{
- status = streq(signature, current_signature)? SUCCESS:VERIFY_ERROR;
- free(current_signature);
+ return FALSE;
}
- return status;
+ return streq(signature, current_signature);
}
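Review bot: `sprintf(signature, "%#B", &signature_chunk);` on the new side of fips_compute_hmac_signature writes into a caller-supplied buffer whose size the function never learns; the new prototype is `bool fips_compute_hmac_signature(const char *key, char *signature)` and both callers in this commit declare the buffer as `char [BUF_LEN]`, so the write is bounded only by convention. Either add a length parameter or use the same constant inside the function, `snprintf(signature, BUF_LEN, "%#B", &signature_chunk);`, and check the return value so a too-small buffer is reported as a failure rather than written past (this assumes the project's printf layer provides snprintf with the `%B` hook, which the hunk does not show). The two diagnostics `" TEXT start (%p) > TEXT end (%p"` and `" RODATA start (%p) > RODATA end (%p"` are each missing the closing parenthesis. As a point of style, the `else` after `return FALSE;` in the signer-NULL branch is redundant and indents the rest of the function one level deeper than needed.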
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
index e91d5e4bc..decf73bfd 100644
--- a/src/libstrongswan/fips/fips.h
+++ b/src/libstrongswan/fips/fips.h
@@ -30,17 +30,18 @@
* @brief compute HMAC signature over RODATA and TEXT sections of libstrongswan
*
* @param key key used for HMAC signature in ASCII string format
- * @return HMAC signature in HEX string format
+ * @param signature HMAC signature in HEX string format
+ * @return TRUE if HMAC signature computation was successful
*/
-char* fips_compute_hmac_signature(const char *key);
+bool fips_compute_hmac_signature(const char *key, char *signature);
/**
* @brief verify HMAC signature over RODATA and TEXT sections of libstrongswan
*
* @param key key used for HMAC signature in ASCII string format
* @param signature signature value from fips_signature.h in HEX string format
- * @return SUCCESS if signatures agree
+ * @return TRUE if signatures agree
*/
-status_t fips_verify_hmac_signature(const char *key, const char *signature);
+bool fips_verify_hmac_signature(const char *key, const char *signature);
#endif /*FIPS_H_*/
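Review bot: The new `@param signature` line documents the output format but not the buffer size the caller must supply, which the API now leaves to the caller since the function takes a bare `char *`. Both callers in this commit declare it as `char [BUF_LEN]`; stating that in the header makes the contract explicit, e.g. `@param signature caller-provided buffer of at least BUF_LEN bytes, receives the HMAC in HEX string format`. It would also help to say whether `signature` is left untouched when the function returns FALSE, since fips_verify_hmac_signature relies on the result only on the TRUE path.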
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
index 36e2ffb42..9c4193691 100644
--- a/src/libstrongswan/fips/fips_signer.c
+++ b/src/libstrongswan/fips/fips_signer.c
@@ -21,19 +21,21 @@
*/
#include <stdio.h>
+
+#include <crypto/hashers/hasher.h>
#include "fips.h"
int main(int argc, char* argv[])
{
FILE *f;
char *hmac_key = "strongSwan Version " VERSION;
- char *hmac_signature = fips_compute_hmac_signature(hmac_key);
+ char hmac_signature[BUF_LEN];
- if (hmac_signature == NULL)
+ if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
{
exit(1);
}
-
+
/**
* write computed HMAC signature to fips_signature.h
*/
@@ -57,6 +59,5 @@ int main(int argc, char* argv[])
fprintf(f, "\n");
fprintf(f, "#endif /* FIPS_SIGNATURE_H_ */\n");
fclose(f);
- free(hmac_signature);
exit(0);
}