The Hash Two Fields command provides for two fields to be input and
returns a 10 byte hash value. The command can be used for any
purpose where a hash value is needed.
A HASH command in a CL would appear as:
DCL &INPUT1 *CHAR LEN(256)
DCL &INPUT2 *CHAR LEN(10) VALUE('...')
DCL &OUTPUT *CHAR LEN(10)
.
HASH INPUT1(&INPUT1) INPUT2(&INPUT2) +
OUTPUT(&OUTPUT)
Typical use
-----------
Hash values can be an effective security measure. For example, if
you are passing a value to a program that needs to be available to
the *PUBLIC and you are concerned about a misuse of the program, you
may also pass a hash value that can be checked by the non-secure
program.
Assume PGMA develops some data that needs to be executed by the
non-secure PGMB. PGMA would generate a hash value based on a secret
code known only to PGMA and PGMB. The code would look as follows:
/* PGMA which develops the function to be performed and the hash */
.
DCL &INPUT1 *CHAR LEN(256)
DCL &INPUT2 *CHAR LEN(10) VALUE('secret....')
DCL &HASH *CHAR LEN(10)
.
CHGVAR &INPUT1 'The function to be performed ...')
HASH INPUT1(&INPUT1) INPUT2(&INPUT2) +
OUTPUT(&HASH)
CALL PGMB PARM(&INPUT1 &HASH)
/* PGMB checks the hash value and performs the function */
PGM PARM(&INPUT1 &HASH)
DCL &INPUT1 *CHAR LEN(256)
DCL &INPUT2 *CHAR LEN(10) VALUE('secret....')
DCL &HASH *CHAR LEN(10)
DCL &OUTPUT *CHAR LEN(10)
DCL &JOB *CHAR LEN(10)
DCL &USER *CHAR LEN(10)
DCL &NBR *CHAR LEN(6)
HASH INPUT1(&INPUT1) INPUT2(&INPUT2) +
OUTPUT(&OUTPUT)
IF (&HASH *NE &OUTPUT) DO /* Not same hash */
RTVJOBA JOB(&JOB) USER(&USER) NBR(&JOBNBR)
/* Send a message to a security */
/* officer message queue */
SNDPGMMSG MSG('Invalid attempt was made to +
use PGMB by ' *CAT &JOBNBR *TCAT +
'/' *CAT &USER *TCAT '/' *CAT +
&JOB) TOMSGQ(xxxx)
SNDESCMSG MSG('An invalid value was passed +
to PGMB')
ENDDO /* Not same hash */
/* Good hash value - Do normal processing */
To prevent improper use of the HASH command, a few checks are made:
** Neither &INPUT1 nor &INPUT2 can be all blanks or all X'00'.
** &INPUT1 must have at least 25 non-blank values. You must pad
out the value if you are passing less than 25 characters.
** &INPUT2 (the secret field) must have at least 7 non-blank
values.
Calling the CPP directly
------------------------
For better protection, you may call the CPP TAACLQGR in TAATOOL
directly with the following parameters:
INPUT1 *CHAR LEN(256)
INPUT2 *CHAR LEN(10)
OUTPUT *CHAR LEN(10)
Security considerations
-----------------------
The intent of the HASH command is for security sensitive programs.
The algorithm used to develop the hash value is designed so that a
slight change in either the INPUT1 or INPUT2 values tends to produce
a totally different hash value. Because of the technique used, it
should be difficult for a user to break the hashing technique and
determine the secret code.
As with any such technique, it is never failsafe and you must
consider the use.
Demonstration command
---------------------
A demonstration command (DMOHASH) exists that will allow you to try
various values to check how the HASH command will react.
DMOHASH INPUT1(xxxx) INPUT2(xxxx)
A message will be sent displaying the generated hash value in hex.
HASH Command parameters *CMD
-----------------------
INPUT1 The first value to be hashed. It can be up to 256
bytes in length. It must not be all blank, all
X'00', and must contain at least 25 non-blank or non
X'00' characters.
This is normally the field that contains some
function to be performed.
If you are calling a program that does not require
data to be passed to it, pass any string of 25
bytes.
If you are passing data that is less than 25 bytes,
you must pad it out to 25 bytes of data.
If you are passing a command string to be executed
using QCMDEXC and it is shorter than 25 bytes, add a
comment (/* .. */) to pad out to at least 25 bytes.
INPUT2 The second value to be hashed. It can be up to 10
bytes in length. It must not be all blank, all
X'00', and must contain at least 7 non-blank or non
X'00' characters.
This is normally the field that contains a secret
code that is only known between two or more valid
programs.
OUTPUT The hash field that is returned. It must be
specified as *CHAR LEN(10) and the bytes may contain
values that are non-displayable.
DMOHASH Command parameters *CMD
--------------------------
INPUT1 The value to be hashed. It must not be all blank,
all X'00', and must contain at least 25 non-blank or
non X'00' characters.
INPUT2 The second value to be hashed. It must not be all
blank, all X'00', and must contain at least 7
non-blank or non X'00' characters.
Restrictions
------------
** Because the command returns a variable, it can only be used in
a CL program.
** See the previous restrictions for INPUT1 and INPUT2.
Prerequisites
-------------
The following TAA Tools must be on your system:
CVTHEX Convert hex
SNDESCMSG Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
HASH *CMD TAACLQG QATTCMD
DMOHASH *CMD TAACLQG2 QATTCMD
TAACLQGC2 *PGM CLP TAACLQGC2 QATTCL
TAACLQGR *PGM RPG TAACLQGR QATTRPG
Note that the RPG program is the CPP for HASH.
Structure
---------
HASH Cmd
TAACLQGR RPG
DMOHASH Cmd
TAACLQGC2 CL
|
