1*12720SWyllys.Ingersoll@Sun.COM /* 2*12720SWyllys.Ingersoll@Sun.COM * CDDL HEADER START 3*12720SWyllys.Ingersoll@Sun.COM * 4*12720SWyllys.Ingersoll@Sun.COM * The contents of this file are subject to the terms of the 5*12720SWyllys.Ingersoll@Sun.COM * Common Development and Distribution License (the "License"). 6*12720SWyllys.Ingersoll@Sun.COM * You may not use this file except in compliance with the License. 7*12720SWyllys.Ingersoll@Sun.COM * 8*12720SWyllys.Ingersoll@Sun.COM * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9*12720SWyllys.Ingersoll@Sun.COM * or http://www.opensolaris.org/os/licensing. 10*12720SWyllys.Ingersoll@Sun.COM * See the License for the specific language governing permissions 11*12720SWyllys.Ingersoll@Sun.COM * and limitations under the License. 12*12720SWyllys.Ingersoll@Sun.COM * 13*12720SWyllys.Ingersoll@Sun.COM * When distributing Covered Code, include this CDDL HEADER in each 14*12720SWyllys.Ingersoll@Sun.COM * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15*12720SWyllys.Ingersoll@Sun.COM * If applicable, add the following below this CDDL HEADER, with the 16*12720SWyllys.Ingersoll@Sun.COM * fields enclosed by brackets "[]" replaced with your own identifying 17*12720SWyllys.Ingersoll@Sun.COM * information: Portions Copyright [yyyy] [name of copyright owner] 18*12720SWyllys.Ingersoll@Sun.COM * 19*12720SWyllys.Ingersoll@Sun.COM * CDDL HEADER END 20*12720SWyllys.Ingersoll@Sun.COM */ 21*12720SWyllys.Ingersoll@Sun.COM 22*12720SWyllys.Ingersoll@Sun.COM /* 23*12720SWyllys.Ingersoll@Sun.COM * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. 24*12720SWyllys.Ingersoll@Sun.COM */ 25*12720SWyllys.Ingersoll@Sun.COM 26*12720SWyllys.Ingersoll@Sun.COM /** 27*12720SWyllys.Ingersoll@Sun.COM * \file KMSAgentChallenge.h 28*12720SWyllys.Ingersoll@Sun.COM */ 29*12720SWyllys.Ingersoll@Sun.COM 30*12720SWyllys.Ingersoll@Sun.COM #ifndef KMSAagentChallenge_H 31*12720SWyllys.Ingersoll@Sun.COM #define KMSAagentChallenge_H 32*12720SWyllys.Ingersoll@Sun.COM 33*12720SWyllys.Ingersoll@Sun.COM /** 34*12720SWyllys.Ingersoll@Sun.COM * computes the response to the KMA's challenge using 35*12720SWyllys.Ingersoll@Sun.COM * HMAC-SHA1( RootCACertificate || AuthenticationChallenge, 36*12720SWyllys.Ingersoll@Sun.COM * AuthenticationSecret ). The AuthenticationSecret is 37*12720SWyllys.Ingersoll@Sun.COM * used as the key in the HMAC-SHA1 computation. 38*12720SWyllys.Ingersoll@Sun.COM * 39*12720SWyllys.Ingersoll@Sun.COM * @param i_pAuthenticationSecret 40*12720SWyllys.Ingersoll@Sun.COM * @param i_iAuthenticationSecretLength 41*12720SWyllys.Ingersoll@Sun.COM * @param i_pRootCACertificate 42*12720SWyllys.Ingersoll@Sun.COM * @param i_iRootCACertificateLength 43*12720SWyllys.Ingersoll@Sun.COM * @param i_pAuthenticationChallenge 44*12720SWyllys.Ingersoll@Sun.COM * @param i_iAuthenticationChallengeLength 45*12720SWyllys.Ingersoll@Sun.COM * @param o_pAuthenticationChallengeResponse 46*12720SWyllys.Ingersoll@Sun.COM * @param i_iAuthenticationChallengeResponseLength 47*12720SWyllys.Ingersoll@Sun.COM * 48*12720SWyllys.Ingersoll@Sun.COM * @return boolean success indicator 49*12720SWyllys.Ingersoll@Sun.COM */ 50*12720SWyllys.Ingersoll@Sun.COM bool ComputeChallengeResponse( 51*12720SWyllys.Ingersoll@Sun.COM const unsigned char* i_pAuthenticationSecret, 52*12720SWyllys.Ingersoll@Sun.COM int i_iAuthenticationSecretLength, 53*12720SWyllys.Ingersoll@Sun.COM const unsigned char* i_pRootCACertificate, 54*12720SWyllys.Ingersoll@Sun.COM int i_iRootCACertificateLength, 55*12720SWyllys.Ingersoll@Sun.COM const unsigned char* i_pAuthenticationChallenge, 56*12720SWyllys.Ingersoll@Sun.COM int i_iAuthenticationChallengeLength, 57*12720SWyllys.Ingersoll@Sun.COM unsigned char* o_pAuthenticationChallengeResponse, 58*12720SWyllys.Ingersoll@Sun.COM int i_iAuthenticationChallengeResponseLength ); 59*12720SWyllys.Ingersoll@Sun.COM 60*12720SWyllys.Ingersoll@Sun.COM /** 61*12720SWyllys.Ingersoll@Sun.COM * computes the SHA1 hash of the specified passphrase. 62*12720SWyllys.Ingersoll@Sun.COM * The number of SHA1 iterations 63*12720SWyllys.Ingersoll@Sun.COM * is recorded in <code>o_iAuthenticationHashIterationCount</code> and the result 64*12720SWyllys.Ingersoll@Sun.COM * stored in o_sHexAuthenticationSecret as a UTF8 hex string. 65*12720SWyllys.Ingersoll@Sun.COM * HexAuthenticationSecret is SHA1( SHA1( ... ( SHA1( HashedPassphrase ) ) ) 66*12720SWyllys.Ingersoll@Sun.COM * The number of iterations is time bounded at 1/10 of a second, and also 67*12720SWyllys.Ingersoll@Sun.COM * bounded by fixed minimum and maximum values (to prevent too weak of a 68*12720SWyllys.Ingersoll@Sun.COM * computation and to prevent a DoS, respectively). 69*12720SWyllys.Ingersoll@Sun.COM * This value is used as the shared secret in challenge-response 70*12720SWyllys.Ingersoll@Sun.COM * authentication exchanges. 71*12720SWyllys.Ingersoll@Sun.COM 72*12720SWyllys.Ingersoll@Sun.COM * @param i_sPassphrase the passphrase to be hashed 73*12720SWyllys.Ingersoll@Sun.COM * @param o_sHexHashedPassphrase the hashed passphrase 74*12720SWyllys.Ingersoll@Sun.COM * returned in UTF8 hexadecimal, this 75*12720SWyllys.Ingersoll@Sun.COM * buffer should be at least 76*12720SWyllys.Ingersoll@Sun.COM * 2*HASH_LENGTH+1 bytes 77*12720SWyllys.Ingersoll@Sun.COM * @param o_iAuthenticationHashIterationCount 78*12720SWyllys.Ingersoll@Sun.COM * @param o_sHexAuthenticationSecret 79*12720SWyllys.Ingersoll@Sun.COM * 80*12720SWyllys.Ingersoll@Sun.COM * @return boolean success indicator 81*12720SWyllys.Ingersoll@Sun.COM */ 82*12720SWyllys.Ingersoll@Sun.COM bool ComputeEntityHashedPassphraseAndAuthenticationSecret( 83*12720SWyllys.Ingersoll@Sun.COM const char* const i_sPassphrase, 84*12720SWyllys.Ingersoll@Sun.COM char* const o_sHexHashedPassphrase, 85*12720SWyllys.Ingersoll@Sun.COM int* const o_piAuthenticationHashIterationCount, 86*12720SWyllys.Ingersoll@Sun.COM char* const o_sHexAuthenticationSecret ); 87*12720SWyllys.Ingersoll@Sun.COM 88*12720SWyllys.Ingersoll@Sun.COM /** 89*12720SWyllys.Ingersoll@Sun.COM * computes the SHA1 hash of the specified passphrase. The SHA1 is 90*12720SWyllys.Ingersoll@Sun.COM * performed a "fixed" number of times as specified by 91*12720SWyllys.Ingersoll@Sun.COM * <code>i_iAuthenticationHashIterationCount</code>. 92*12720SWyllys.Ingersoll@Sun.COM * 93*12720SWyllys.Ingersoll@Sun.COM * @param i_sPassphrase the passprhase to be SHA1 hashed 94*12720SWyllys.Ingersoll@Sun.COM * @param o_sHexHashedPassphrase the SHA1 hash 95*12720SWyllys.Ingersoll@Sun.COM * of i_sPassphrase stored as a UTF8 hex string 96*12720SWyllys.Ingersoll@Sun.COM * @param i_iAuthenticationHashIterationCount the number 97*12720SWyllys.Ingersoll@Sun.COM * of times to SHA1 hash the passphrase 98*12720SWyllys.Ingersoll@Sun.COM * @param o_sHexAuthenticationSecret the passphrase hashed 99*12720SWyllys.Ingersoll@Sun.COM * the fixed number of times and stored as a UTF8 100*12720SWyllys.Ingersoll@Sun.COM * hex string 101*12720SWyllys.Ingersoll@Sun.COM * 102*12720SWyllys.Ingersoll@Sun.COM * @return boolean success indicator 103*12720SWyllys.Ingersoll@Sun.COM */ 104*12720SWyllys.Ingersoll@Sun.COM bool ComputeFixedEntityHashedPassphraseAndAuthenticationSecret( 105*12720SWyllys.Ingersoll@Sun.COM const char* i_sPassphrase, 106*12720SWyllys.Ingersoll@Sun.COM char* const o_sHexHashedPassphrase, 107*12720SWyllys.Ingersoll@Sun.COM int i_iAuthenticationHashIterationCount, 108*12720SWyllys.Ingersoll@Sun.COM char* const o_sHexAuthenticationSecret ); 109*12720SWyllys.Ingersoll@Sun.COM 110*12720SWyllys.Ingersoll@Sun.COM #endif /* KMSAagentChallenge_H */ 111*12720SWyllys.Ingersoll@Sun.COM 112