security: accept HMAC keys shorter than the hash function's output length

Refs: #3075
Change-Id: Id4798a420f2f75cbc3269e3629c397b8fb729d21
diff --git a/ndn-cxx/security/key-params.cpp b/ndn-cxx/security/key-params.cpp
index e1f38b8..2b50519 100644
--- a/ndn-cxx/security/key-params.cpp
+++ b/ndn-cxx/security/key-params.cpp
@@ -48,7 +48,6 @@
 const uint32_t DEFAULT_EC_KEY_SIZE = 256;
 const uint32_t AES_KEY_SIZES[] = {128, 192, 256};
 const uint32_t DEFAULT_AES_KEY_SIZE = 128;
-const uint32_t MIN_HMAC_KEY_SIZE = 224;
 const uint32_t DEFAULT_HMAC_KEY_SIZE = 256;
 
 uint32_t
@@ -100,10 +99,7 @@
 uint32_t
 HmacKeyParamsInfo::checkKeySize(uint32_t size)
 {
-  // the minimum key size depends on the exact digest algorithm used in the HMAC, so we
-  // only do a basic sanity check here and postpone stricter checking until the actual
-  // HMAC computation in SignerFilter/VerifierFilter, where the digest algorithm is known
-  if (size < MIN_HMAC_KEY_SIZE || size % 8 != 0)
+  if (size == 0 || size % 8 != 0)
     NDN_THROW(KeyParams::Error("Unsupported HMAC key size " + to_string(size)));
   return size;
 }
diff --git a/ndn-cxx/security/transform/signer-filter.cpp b/ndn-cxx/security/transform/signer-filter.cpp
index 3c0535d..33f380f 100644
--- a/ndn-cxx/security/transform/signer-filter.cpp
+++ b/ndn-cxx/security/transform/signer-filter.cpp
@@ -44,13 +44,6 @@
     NDN_THROW(Error(getIndex(), "Unsupported digest algorithm " +
                     boost::lexical_cast<std::string>(algo)));
 
-  if (key.getKeyType() == KeyType::HMAC) {
-    size_t mdSize = static_cast<size_t>(EVP_MD_size(md)) * 8;
-    if (key.getKeySize() < mdSize)
-      NDN_THROW(Error(getIndex(), "HMAC key is shorter than the digest output (" +
-                      to_string(key.getKeySize()) + " < " + to_string(mdSize) + " bits)"));
-  }
-
   if (EVP_DigestSignInit(m_impl->ctx, nullptr, md, nullptr,
                          reinterpret_cast<EVP_PKEY*>(key.getEvpPkey())) != 1)
     NDN_THROW(Error(getIndex(), "Failed to initialize signing context with " +
diff --git a/tests/unit/security/key-params.t.cpp b/tests/unit/security/key-params.t.cpp
index 78f3a4e..b2dafcd 100644
--- a/tests/unit/security/key-params.t.cpp
+++ b/tests/unit/security/key-params.t.cpp
@@ -124,7 +124,7 @@
   BOOST_CHECK_EQUAL(params2.getKeyIdType(), KeyIdType::USER_SPECIFIED);
   BOOST_CHECK_EQUAL(params2.getKeyId(), keyId);
 
-  BOOST_CHECK_THROW(HmacKeyParams(keyId, 192), KeyParams::Error); // too short
+  BOOST_CHECK_THROW(HmacKeyParams(keyId, 0), KeyParams::Error);
   BOOST_CHECK_THROW(HmacKeyParams(keyId, 300), KeyParams::Error); // not a multiple of 8
 
   HmacKeyParams params3;
diff --git a/tests/unit/security/transform/signer-filter.t.cpp b/tests/unit/security/transform/signer-filter.t.cpp
index 4c75204..4f3fa04 100644
--- a/tests/unit/security/transform/signer-filter.t.cpp
+++ b/tests/unit/security/transform/signer-filter.t.cpp
@@ -131,34 +131,111 @@
   BOOST_CHECK(verifySignature(DATA, sizeof(DATA), sig->data(), sig->size(), pubKey->data(), pubKey->size()));
 }
 
-BOOST_AUTO_TEST_CASE(Hmac)
+BOOST_AUTO_TEST_SUITE(Hmac)
+
+// Test vectors from RFC 4231
+// https://tools.ietf.org/html/rfc4231#section-4
+BOOST_AUTO_TEST_CASE(Rfc4231Test1)
 {
-  auto sKey = generatePrivateKey(HmacKeyParams());
+  // Test case 1
+  const uint8_t rawKey[] = {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                            0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b};
+  const std::string data("Hi There");
+  const uint8_t hmacSha224[] = {0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32,
+                                0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16,
+                                0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22};
+  const uint8_t hmacSha256[] = {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8,
+                                0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00,
+                                0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32,
+                                0xcf, 0xf7};
+  const uint8_t hmacSha384[] = {0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08,
+                                0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb,
+                                0xe4, 0x10, 0x1e, 0xc6, 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb,
+                                0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f,
+                                0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6};
+  const uint8_t hmacSha512[] = {0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0,
+                                0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2,
+                                0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1,
+                                0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02,
+                                0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d,
+                                0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20,
+                                0x3a, 0x12, 0x68, 0x54};
 
-  BOOST_CHECK_THROW(SignerFilter(DigestAlgorithm::NONE, *sKey), Error);
+  PrivateKey key;
+  key.loadRaw(KeyType::HMAC, rawKey, sizeof(rawKey));
 
-  OBufferStream os;
-  bufferSource(DATA, sizeof(DATA)) >> signerFilter(DigestAlgorithm::SHA256, *sKey) >> streamSink(os);
-  auto sig = os.buf();
+  BOOST_CHECK_THROW(SignerFilter(DigestAlgorithm::NONE, key), Error);
 
-  BOOST_CHECK_EQUAL(sig->size(), 32);
+  OBufferStream os224;
+  bufferSource(data) >> signerFilter(DigestAlgorithm::SHA224, key) >> streamSink(os224);
+  auto sig = os224.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha224, hmacSha224 + sizeof(hmacSha224));
+
+  OBufferStream os256;
+  bufferSource(data) >> signerFilter(DigestAlgorithm::SHA256, key) >> streamSink(os256);
+  sig = os256.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha256, hmacSha256 + sizeof(hmacSha256));
+
+  OBufferStream os384;
+  bufferSource(data) >> signerFilter(DigestAlgorithm::SHA384, key) >> streamSink(os384);
+  sig = os384.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha384, hmacSha384 + sizeof(hmacSha384));
+
+  OBufferStream os512;
+  bufferSource(data) >> signerFilter(DigestAlgorithm::SHA512, key) >> streamSink(os512);
+  sig = os512.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha512, hmacSha512 + sizeof(hmacSha512));
 }
 
-BOOST_AUTO_TEST_CASE(HmacKeyTooShort)
+BOOST_AUTO_TEST_CASE(Rfc4231Test2)
 {
-  auto sKey = generatePrivateKey(HmacKeyParams(256));
+  // Test case 2 (HMAC-SHA-256 only)
+  const char rawKey[] = "Jefe";
+  const std::string data("what do ya want for nothing?");
+  const uint8_t hmacSha256[] = {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04,
+                                0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08,
+                                0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec,
+                                0x38, 0x43};
 
-  OBufferStream os;
-  BOOST_CHECK_THROW(bufferSource(DATA, sizeof(DATA)) >>
-                    signerFilter(DigestAlgorithm::SHA512, *sKey) >>
-                    streamSink(os),
-                    Error);
+  PrivateKey key;
+  key.loadRaw(KeyType::HMAC, reinterpret_cast<const uint8_t*>(rawKey), std::strlen(rawKey));
+
+  OBufferStream os256;
+  bufferSource(data) >> signerFilter(DigestAlgorithm::SHA256, key) >> streamSink(os256);
+  auto sig = os256.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha256, hmacSha256 + sizeof(hmacSha256));
 }
 
+BOOST_AUTO_TEST_CASE(Rfc4231Test3)
+{
+  // Test case 3 (HMAC-SHA-256 only)
+  const uint8_t rawKey[] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+                            0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa};
+  const uint8_t data[] = {0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+                          0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+                          0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+                          0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+                          0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd};
+  const uint8_t hmacSha256[] = {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d,
+                                0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b,
+                                0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5,
+                                0x65, 0xfe};
+
+  PrivateKey key;
+  key.loadRaw(KeyType::HMAC, rawKey, sizeof(rawKey));
+
+  OBufferStream os256;
+  bufferSource(data, sizeof(data)) >> signerFilter(DigestAlgorithm::SHA256, key) >> streamSink(os256);
+  auto sig = os256.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sig->begin(), sig->end(), hmacSha256, hmacSha256 + sizeof(hmacSha256));
+}
+
+BOOST_AUTO_TEST_SUITE_END() // Hmac
+
 BOOST_AUTO_TEST_CASE(InvalidKey)
 {
-  PrivateKey sKey;
-  BOOST_CHECK_THROW(SignerFilter(DigestAlgorithm::SHA256, sKey), Error);
+  PrivateKey key;
+  BOOST_CHECK_THROW(SignerFilter(DigestAlgorithm::SHA256, key), Error);
 }
 
 BOOST_AUTO_TEST_SUITE_END() // TestSignerFilter