/src/botan/src/lib/mac/hmac/hmac.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * HMAC |
3 | | * (C) 1999-2007,2014,2020 Jack Lloyd |
4 | | * 2007 Yves Jerschow |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/hmac.h> |
10 | | #include <botan/internal/ct_utils.h> |
11 | | |
12 | | namespace Botan { |
13 | | |
14 | | /* |
15 | | * Update a HMAC Calculation |
16 | | */ |
17 | | void HMAC::add_data(const uint8_t input[], size_t length) |
18 | 236k | { |
19 | 236k | verify_key_set(m_ikey.empty() == false); |
20 | 236k | m_hash->update(input, length); |
21 | 236k | } |
22 | | |
23 | | /* |
24 | | * Finalize a HMAC Calculation |
25 | | */ |
26 | | void HMAC::final_result(uint8_t mac[]) |
27 | 146k | { |
28 | 146k | verify_key_set(m_okey.empty() == false); |
29 | 146k | m_hash->final(mac); |
30 | 146k | m_hash->update(m_okey); |
31 | 146k | m_hash->update(mac, m_hash_output_length); |
32 | 146k | m_hash->final(mac); |
33 | 146k | m_hash->update(m_ikey); |
34 | 146k | } |
35 | | |
36 | | Key_Length_Specification HMAC::key_spec() const |
37 | 39.5k | { |
38 | 39.5k | // Support very long lengths for things like PBKDF2 and the TLS PRF |
39 | 39.5k | return Key_Length_Specification(0, 4096); |
40 | 39.5k | } |
41 | | |
42 | | size_t HMAC::output_length() const |
43 | 146k | { |
44 | 146k | return m_hash_output_length; |
45 | 146k | } |
46 | | |
47 | | /* |
48 | | * HMAC Key Schedule |
49 | | */ |
50 | | void HMAC::key_schedule(const uint8_t key[], size_t length) |
51 | 39.5k | { |
52 | 39.5k | const uint8_t ipad = 0x36; |
53 | 39.5k | const uint8_t opad = 0x5C; |
54 | 39.5k | |
55 | 39.5k | m_hash->clear(); |
56 | 39.5k | |
57 | 39.5k | m_ikey.resize(m_hash_block_size); |
58 | 39.5k | m_okey.resize(m_hash_block_size); |
59 | 39.5k | |
60 | 39.5k | clear_mem(m_ikey.data(), m_ikey.size()); |
61 | 39.5k | clear_mem(m_okey.data(), m_okey.size()); |
62 | 39.5k | |
63 | 39.5k | /* |
64 | 39.5k | * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it |
65 | 39.5k | * reveals the length of the passphrase. Make some attempt to hide this to |
66 | 39.5k | * side channels. Clearly if the secret is longer than the block size then the |
67 | 39.5k | * branch to hash first reveals that. In addition, counting the number of |
68 | 39.5k | * compression functions executed reveals the size at the granularity of the |
69 | 39.5k | * hash function's block size. |
70 | 39.5k | * |
71 | 39.5k | * The greater concern is for smaller keys; being able to detect when a |
72 | 39.5k | * passphrase is say 4 bytes may assist choosing weaker targets. Even though |
73 | 39.5k | * the loop bounds are constant, we can only actually read key[0..length] so |
74 | 39.5k | * it doesn't seem possible to make this computation truly constant time. |
75 | 39.5k | * |
76 | 39.5k | * We don't mind leaking if the length is exactly zero since that's |
77 | 39.5k | * trivial to simply check. |
78 | 39.5k | */ |
79 | 39.5k | |
80 | 39.5k | if(length > m_hash_block_size) |
81 | 9.77k | { |
82 | 9.77k | m_hash->update(key, length); |
83 | 9.77k | m_hash->final(m_ikey.data()); |
84 | 9.77k | } |
85 | 29.8k | else if(length > 0) |
86 | 29.8k | { |
87 | 2.55M | for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i) |
88 | 2.52M | { |
89 | 2.52M | /* |
90 | 2.52M | access key[i % length] but avoiding division due to variable |
91 | 2.52M | time computation on some processors. |
92 | 2.52M | */ |
93 | 2.52M | auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length); |
94 | 2.52M | i_mod_length = needs_reduction.select(0, i_mod_length); |
95 | 2.52M | const uint8_t kb = key[i_mod_length]; |
96 | 2.52M | |
97 | 2.52M | auto in_range = CT::Mask<size_t>::is_lt(i, length); |
98 | 2.52M | m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb)); |
99 | 2.52M | i_mod_length += 1; |
100 | 2.52M | } |
101 | 29.8k | } |
102 | 39.5k | |
103 | 3.39M | for(size_t i = 0; i != m_hash_block_size; ++i) |
104 | 3.35M | { |
105 | 3.35M | m_ikey[i] ^= ipad; |
106 | 3.35M | m_okey[i] = m_ikey[i] ^ ipad ^ opad; |
107 | 3.35M | } |
108 | 39.5k | |
109 | 39.5k | m_hash->update(m_ikey); |
110 | 39.5k | } |
111 | | |
112 | | /* |
113 | | * Clear memory of sensitive data |
114 | | */ |
115 | | void HMAC::clear() |
116 | 0 | { |
117 | 0 | m_hash->clear(); |
118 | 0 | zap(m_ikey); |
119 | 0 | zap(m_okey); |
120 | 0 | } |
121 | | |
122 | | /* |
123 | | * Return the name of this type |
124 | | */ |
125 | | std::string HMAC::name() const |
126 | 1.30k | { |
127 | 1.30k | return "HMAC(" + m_hash->name() + ")"; |
128 | 1.30k | } |
129 | | |
130 | | /* |
131 | | * Return a clone of this object |
132 | | */ |
133 | | MessageAuthenticationCode* HMAC::clone() const |
134 | 0 | { |
135 | 0 | return new HMAC(m_hash->clone()); |
136 | 0 | } |
137 | | |
138 | | /* |
139 | | * HMAC Constructor |
140 | | */ |
141 | | HMAC::HMAC(HashFunction* hash) : |
142 | | m_hash(hash), |
143 | | m_hash_output_length(m_hash->output_length()), |
144 | | m_hash_block_size(m_hash->hash_block_size()) |
145 | 24.7k | { |
146 | 24.7k | BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length, |
147 | 24.7k | "HMAC is not compatible with this hash function"); |
148 | 24.7k | } |
149 | | |
150 | | } |