/src/botan/src/lib/mac/hmac/hmac.cpp

Source (jump to first uncovered line)
/*
* HMAC
* (C) 1999-2007,2014,2020 Jack Lloyd
*     2007 Yves Jerschow
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/hmac.h>
#include <botan/internal/ct_utils.h>

namespace Botan {

/*
* Update a HMAC Calculation
*/
void HMAC::add_data(const uint8_t input[], size_t length)
   {
   verify_key_set(m_ikey.empty() == false);
   m_hash->update(input, length);
   }

/*
* Finalize a HMAC Calculation
*/
void HMAC::final_result(uint8_t mac[])
   {
   verify_key_set(m_okey.empty() == false);
   m_hash->final(mac);
   m_hash->update(m_okey);
   m_hash->update(mac, m_hash_output_length);
   m_hash->final(mac);
   m_hash->update(m_ikey);
   }

Key_Length_Specification HMAC::key_spec() const
   {
   // Support very long lengths for things like PBKDF2 and the TLS PRF
   return Key_Length_Specification(0, 4096);
   }

size_t HMAC::output_length() const
   {
   return m_hash_output_length;
   }

/*
* HMAC Key Schedule
*/
void HMAC::key_schedule(const uint8_t key[], size_t length)
   {
   const uint8_t ipad = 0x36;
   const uint8_t opad = 0x5C;

   m_hash->clear();

   m_ikey.resize(m_hash_block_size);
   m_okey.resize(m_hash_block_size);

   clear_mem(m_ikey.data(), m_ikey.size());
   clear_mem(m_okey.data(), m_okey.size());

   /*
   * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
   * reveals the length of the passphrase. Make some attempt to hide this to
   * side channels. Clearly if the secret is longer than the block size then the
   * branch to hash first reveals that. In addition, counting the number of
   * compression functions executed reveals the size at the granularity of the
   * hash function's block size.
   *
   * The greater concern is for smaller keys; being able to detect when a
   * passphrase is say 4 bytes may assist choosing weaker targets. Even though
   * the loop bounds are constant, we can only actually read key[0..length] so
   * it doesn't seem possible to make this computation truly constant time.
   *
   * We don't mind leaking if the length is exactly zero since that's
   * trivial to simply check.
   */

   if(length > m_hash_block_size)
      {
      m_hash->update(key, length);
      m_hash->final(m_ikey.data());
      }
   else if(length > 0)
      {
      for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i)
         {
         /*
         access key[i % length] but avoiding division due to variable
         time computation on some processors.
         */
         auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
         i_mod_length = needs_reduction.select(0, i_mod_length);
         const uint8_t kb = key[i_mod_length];

         auto in_range = CT::Mask<size_t>::is_lt(i, length);
         m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
         i_mod_length += 1;
         }
      }

   for(size_t i = 0; i != m_hash_block_size; ++i)
      {
      m_ikey[i] ^= ipad;
      m_okey[i] = m_ikey[i] ^ ipad ^ opad;
      }

   m_hash->update(m_ikey);
   }

/*
* Clear memory of sensitive data
*/
void HMAC::clear()
   {
   m_hash->clear();
   zap(m_ikey);
   zap(m_okey);
   }

/*
* Return the name of this type
*/
std::string HMAC::name() const
   {
   return "HMAC(" + m_hash->name() + ")";
   }

/*
* Return a clone of this object
*/
MessageAuthenticationCode* HMAC::clone() const
   {
   return new HMAC(m_hash->clone());
   }

/*
* HMAC Constructor
*/
HMAC::HMAC(HashFunction* hash) :
   m_hash(hash),
   m_hash_output_length(m_hash->output_length()),
   m_hash_block_size(m_hash->hash_block_size())
   {
   BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length,
                   "HMAC is not compatible with this hash function");
   }

}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* HMAC
3		* (C) 1999-2007,2014,2020 Jack Lloyd
4		* 2007 Yves Jerschow
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/hmac.h>
10		#include <botan/internal/ct_utils.h>
11
12		namespace Botan {
13
14		/*
15		* Update a HMAC Calculation
16		*/
17		void HMAC::add_data(const uint8_t input[], size_t length)
18	249k	{
19	249k	verify_key_set(m_ikey.empty() == false);
20	249k	m_hash->update(input, length);
21	249k	}
22
23		/*
24		* Finalize a HMAC Calculation
25		*/
26		void HMAC::final_result(uint8_t mac[])
27	154k	{
28	154k	verify_key_set(m_okey.empty() == false);
29	154k	m_hash->final(mac);
30	154k	m_hash->update(m_okey);
31	154k	m_hash->update(mac, m_hash_output_length);
32	154k	m_hash->final(mac);
33	154k	m_hash->update(m_ikey);
34	154k	}
35
36		Key_Length_Specification HMAC::key_spec() const
37	40.9k	{
38		// Support very long lengths for things like PBKDF2 and the TLS PRF
39	40.9k	return Key_Length_Specification(0, 4096);
40	40.9k	}
41
42		size_t HMAC::output_length() const
43	154k	{
44	154k	return m_hash_output_length;
45	154k	}
46
47		/*
48		* HMAC Key Schedule
49		*/
50		void HMAC::key_schedule(const uint8_t key[], size_t length)
51	40.9k	{
52	40.9k	const uint8_t ipad = 0x36;
53	40.9k	const uint8_t opad = 0x5C;
54	40.9k
55	40.9k	m_hash->clear();
56	40.9k
57	40.9k	m_ikey.resize(m_hash_block_size);
58	40.9k	m_okey.resize(m_hash_block_size);
59	40.9k
60	40.9k	clear_mem(m_ikey.data(), m_ikey.size());
61	40.9k	clear_mem(m_okey.data(), m_okey.size());
62	40.9k
63		/*
64		* Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
65		* reveals the length of the passphrase. Make some attempt to hide this to
66		* side channels. Clearly if the secret is longer than the block size then the
67		* branch to hash first reveals that. In addition, counting the number of
68		* compression functions executed reveals the size at the granularity of the
69		* hash function's block size.
70		*
71		* The greater concern is for smaller keys; being able to detect when a
72		* passphrase is say 4 bytes may assist choosing weaker targets. Even though
73		* the loop bounds are constant, we can only actually read key[0..length] so
74		* it doesn't seem possible to make this computation truly constant time.
75		*
76		* We don't mind leaking if the length is exactly zero since that's
77		* trivial to simply check.
78		*/
79	40.9k
80	40.9k	if(length > m_hash_block_size)
81	9.68k	{
82	9.68k	m_hash->update(key, length);
83	9.68k	m_hash->final(m_ikey.data());
84	9.68k	}
85	31.2k	else if(length > 0)
86	31.2k	{
87	2.68M	for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i)
88	2.65M	{
89		/*
90		access key[i % length] but avoiding division due to variable
91		time computation on some processors.
92		*/
93	2.65M	auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
94	2.65M	i_mod_length = needs_reduction.select(0, i_mod_length);
95	2.65M	const uint8_t kb = key[i_mod_length];
96	2.65M
97	2.65M	auto in_range = CT::Mask<size_t>::is_lt(i, length);
98	2.65M	m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
99	2.65M	i_mod_length += 1;
100	2.65M	}
101	31.2k	}
102	40.9k
103	3.50M	for(size_t i = 0; i != m_hash_block_size; ++i)
104	3.46M	{
105	3.46M	m_ikey[i] ^= ipad;
106	3.46M	m_okey[i] = m_ikey[i] ^ ipad ^ opad;
107	3.46M	}
108	40.9k
109	40.9k	m_hash->update(m_ikey);
110	40.9k	}
111
112		/*
113		* Clear memory of sensitive data
114		*/
115		void HMAC::clear()
116	0	{
117	0	m_hash->clear();
118	0	zap(m_ikey);
119	0	zap(m_okey);
120	0	}
121
122		/*
123		* Return the name of this type
124		*/
125		std::string HMAC::name() const
126	1.75k	{
127	1.75k	return "HMAC(" + m_hash->name() + ")";
128	1.75k	}
129
130		/*
131		* Return a clone of this object
132		*/
133		MessageAuthenticationCode* HMAC::clone() const
134	0	{
135	0	return new HMAC(m_hash->clone());
136	0	}
137
138		/*
139		* HMAC Constructor
140		*/
141		HMAC::HMAC(HashFunction* hash) :
142		m_hash(hash),
143		m_hash_output_length(m_hash->output_length()),
144		m_hash_block_size(m_hash->hash_block_size())
145	25.8k	{
146	25.8k	BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length,
147	25.8k	"HMAC is not compatible with this hash function");
148	25.8k	}
149
150		}

Coverage Report

Created: 2020-09-16 07:52