/src/botan/src/lib/mac/hmac/hmac.cpp

Source (jump to first uncovered line)
/*
* HMAC
* (C) 1999-2007,2014,2020 Jack Lloyd
*     2007 Yves Jerschow
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/hmac.h>

#include <botan/internal/ct_utils.h>
#include <botan/internal/fmt.h>

namespace Botan {

/*
* Update a HMAC Calculation
*/
void HMAC::add_data(const uint8_t input[], size_t length) {
   assert_key_material_set();
   m_hash->update(input, length);
}

/*
* Finalize a HMAC Calculation
*/
void HMAC::final_result(uint8_t mac[]) {
   assert_key_material_set();
   m_hash->final(mac);
   m_hash->update(m_okey);
   m_hash->update(mac, m_hash_output_length);
   m_hash->final(mac);
   m_hash->update(m_ikey);
}

Key_Length_Specification HMAC::key_spec() const {
   // Support very long lengths for things like PBKDF2 and the TLS PRF
   return Key_Length_Specification(0, 4096);
}

size_t HMAC::output_length() const { return m_hash_output_length; }

bool HMAC::has_keying_material() const { return !m_okey.empty(); }

/*
* HMAC Key Schedule
*/
void HMAC::key_schedule(const uint8_t key[], size_t length) {
   const uint8_t ipad = 0x36;
   const uint8_t opad = 0x5C;

   m_hash->clear();

   m_ikey.resize(m_hash_block_size);
   m_okey.resize(m_hash_block_size);

   clear_mem(m_ikey.data(), m_ikey.size());
   clear_mem(m_okey.data(), m_okey.size());

   /*
   * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
   * reveals the length of the passphrase. Make some attempt to hide this to
   * side channels. Clearly if the secret is longer than the block size then the
   * branch to hash first reveals that. In addition, counting the number of
   * compression functions executed reveals the size at the granularity of the
   * hash function's block size.
   *
   * The greater concern is for smaller keys; being able to detect when a
   * passphrase is say 4 bytes may assist choosing weaker targets. Even though
   * the loop bounds are constant, we can only actually read key[0..length] so
   * it doesn't seem possible to make this computation truly constant time.
   *
   * We don't mind leaking if the length is exactly zero since that's
   * trivial to simply check.
   */

   if(length > m_hash_block_size) {
      m_hash->update(key, length);
      m_hash->final(m_ikey.data());
   } else if(length > 0) {
      for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i) {
         /*
         access key[i % length] but avoiding division due to variable
         time computation on some processors.
         */
         auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
         i_mod_length = needs_reduction.select(0, i_mod_length);
         const uint8_t kb = key[i_mod_length];

         auto in_range = CT::Mask<size_t>::is_lt(i, length);
         m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
         i_mod_length += 1;
      }
   }

   for(size_t i = 0; i != m_hash_block_size; ++i) {
      m_ikey[i] ^= ipad;
      m_okey[i] = m_ikey[i] ^ ipad ^ opad;
   }

   m_hash->update(m_ikey);
}

/*
* Clear memory of sensitive data
*/
void HMAC::clear() {
   m_hash->clear();
   zap(m_ikey);
   zap(m_okey);
}

/*
* Return the name of this type
*/
std::string HMAC::name() const { return fmt("HMAC({})", m_hash->name()); }

/*
* Return a new_object of this object
*/
std::unique_ptr<MessageAuthenticationCode> HMAC::new_object() const {
   return std::make_unique<HMAC>(m_hash->new_object());
}

/*
* HMAC Constructor
*/
HMAC::HMAC(std::unique_ptr<HashFunction> hash) :
      m_hash(std::move(hash)),
      m_hash_output_length(m_hash->output_length()),
      m_hash_block_size(m_hash->hash_block_size()) {
   BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length, "HMAC is not compatible with this hash function");
}

}  // namespace Botan

Line	Count	Source (jump to first uncovered line)
1		/*
2		* HMAC
3		* (C) 1999-2007,2014,2020 Jack Lloyd
4		* 2007 Yves Jerschow
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/internal/hmac.h>
10
11		#include <botan/internal/ct_utils.h>
12		#include <botan/internal/fmt.h>
13
14		namespace Botan {
15
16		/*
17		* Update a HMAC Calculation
18		*/
19	0	void HMAC::add_data(const uint8_t input[], size_t length) {
20	0	assert_key_material_set();
21	0	m_hash->update(input, length);
22	0	}
23
24		/*
25		* Finalize a HMAC Calculation
26		*/
27	0	void HMAC::final_result(uint8_t mac[]) {
28	0	assert_key_material_set();
29	0	m_hash->final(mac);
30	0	m_hash->update(m_okey);
31	0	m_hash->update(mac, m_hash_output_length);
32	0	m_hash->final(mac);
33	0	m_hash->update(m_ikey);
34	0	}
35
36	0	Key_Length_Specification HMAC::key_spec() const {
37		// Support very long lengths for things like PBKDF2 and the TLS PRF
38	0	return Key_Length_Specification(0, 4096);
39	0	}
40
41	0	size_t HMAC::output_length() const { return m_hash_output_length; }
42
43	0	bool HMAC::has_keying_material() const { return !m_okey.empty(); }
44
45		/*
46		* HMAC Key Schedule
47		*/
48	0	void HMAC::key_schedule(const uint8_t key[], size_t length) {
49	0	const uint8_t ipad = 0x36;
50	0	const uint8_t opad = 0x5C;
51
52	0	m_hash->clear();
53
54	0	m_ikey.resize(m_hash_block_size);
55	0	m_okey.resize(m_hash_block_size);
56
57	0	clear_mem(m_ikey.data(), m_ikey.size());
58	0	clear_mem(m_okey.data(), m_okey.size());
59
60		/*
61		* Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
62		* reveals the length of the passphrase. Make some attempt to hide this to
63		* side channels. Clearly if the secret is longer than the block size then the
64		* branch to hash first reveals that. In addition, counting the number of
65		* compression functions executed reveals the size at the granularity of the
66		* hash function's block size.
67		*
68		* The greater concern is for smaller keys; being able to detect when a
69		* passphrase is say 4 bytes may assist choosing weaker targets. Even though
70		* the loop bounds are constant, we can only actually read key[0..length] so
71		* it doesn't seem possible to make this computation truly constant time.
72		*
73		* We don't mind leaking if the length is exactly zero since that's
74		* trivial to simply check.
75		*/
76
77	0	if(length > m_hash_block_size) {
78	0	m_hash->update(key, length);
79	0	m_hash->final(m_ikey.data());
80	0	} else if(length > 0) {
81	0	for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i) {
82		/*
83		access key[i % length] but avoiding division due to variable
84		time computation on some processors.
85		*/
86	0	auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
87	0	i_mod_length = needs_reduction.select(0, i_mod_length);
88	0	const uint8_t kb = key[i_mod_length];
89
90	0	auto in_range = CT::Mask<size_t>::is_lt(i, length);
91	0	m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
92	0	i_mod_length += 1;
93	0	}
94	0	}
95
96	0	for(size_t i = 0; i != m_hash_block_size; ++i) {
97	0	m_ikey[i] ^= ipad;
98	0	m_okey[i] = m_ikey[i] ^ ipad ^ opad;
99	0	}
100
101	0	m_hash->update(m_ikey);
102	0	}
103
104		/*
105		* Clear memory of sensitive data
106		*/
107	0	void HMAC::clear() {
108	0	m_hash->clear();
109	0	zap(m_ikey);
110	0	zap(m_okey);
111	0	}
112
113		/*
114		* Return the name of this type
115		*/
116	0	std::string HMAC::name() const { return fmt("HMAC({})", m_hash->name()); }
117
118		/*
119		* Return a new_object of this object
120		*/
121	0	std::unique_ptr<MessageAuthenticationCode> HMAC::new_object() const {
122	0	return std::make_unique<HMAC>(m_hash->new_object());
123	0	}
124
125		/*
126		* HMAC Constructor
127		*/
128		HMAC::HMAC(std::unique_ptr<HashFunction> hash) :
129		m_hash(std::move(hash)),
130		m_hash_output_length(m_hash->output_length()),
131	0	m_hash_block_size(m_hash->hash_block_size()) {
132	0	BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length, "HMAC is not compatible with this hash function");
133	0	}
134
135		} // namespace Botan

Coverage Report

Created: 2023-06-07 06:59