/src/botan/src/lib/mac/hmac/hmac.cpp
Line | Count | Source |
1 | | /* |
2 | | * HMAC |
3 | | * (C) 1999-2007,2014,2020 Jack Lloyd |
4 | | * 2007 Yves Jerschow |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/hmac.h> |
10 | | |
11 | | #include <botan/mem_ops.h> |
12 | | #include <botan/internal/ct_utils.h> |
13 | | #include <botan/internal/fmt.h> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | /* |
18 | | * Update a HMAC Calculation |
19 | | */ |
20 | 12.8k | void HMAC::add_data(std::span<const uint8_t> input) { |
21 | 12.8k | assert_key_material_set(); |
22 | 12.8k | m_hash->update(input); |
23 | 12.8k | } |
24 | | |
25 | | /* |
26 | | * Finalize a HMAC Calculation |
27 | | */ |
28 | 2.81k | void HMAC::final_result(std::span<uint8_t> mac) { |
29 | 2.81k | assert_key_material_set(); |
30 | 2.81k | m_hash->final(mac); |
31 | 2.81k | m_hash->update(m_okey); |
32 | 2.81k | m_hash->update(mac.first(m_hash_output_length)); |
33 | 2.81k | m_hash->final(mac); |
34 | 2.81k | m_hash->update(m_ikey); |
35 | 2.81k | } |
36 | | |
37 | 2.09k | Key_Length_Specification HMAC::key_spec() const { |
38 | | // Support very long lengths for things like PBKDF2 and the TLS PRF |
39 | 2.09k | return Key_Length_Specification(0, 8192); |
40 | 2.09k | } |
41 | | |
42 | 3.55k | size_t HMAC::output_length() const { |
43 | 3.55k | return m_hash_output_length; |
44 | 3.55k | } |
45 | | |
46 | 15.6k | bool HMAC::has_keying_material() const { |
47 | 15.6k | return !m_okey.empty(); |
48 | 15.6k | } |
49 | | |
50 | | /* |
51 | | * HMAC Key Schedule |
52 | | */ |
53 | 2.08k | void HMAC::key_schedule(std::span<const uint8_t> key) { |
54 | 2.08k | const uint8_t ipad = 0x36; |
55 | 2.08k | const uint8_t opad = 0x5C; |
56 | | |
57 | 2.08k | m_hash->clear(); |
58 | | |
59 | 2.08k | m_ikey.resize(m_hash_block_size); |
60 | 2.08k | m_okey.resize(m_hash_block_size); |
61 | | |
62 | 2.08k | clear_mem(m_ikey.data(), m_ikey.size()); |
63 | 2.08k | clear_mem(m_okey.data(), m_okey.size()); |
64 | | |
65 | | /* |
66 | | * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it |
67 | | * reveals the length of the passphrase. Make some attempt to hide this to |
68 | | * side channels. Clearly if the secret is longer than the block size then the |
69 | | * branch to hash first reveals that. In addition, counting the number of |
70 | | * compression functions executed reveals the size at the granularity of the |
71 | | * hash function's block size. |
72 | | * |
73 | | * The greater concern is for smaller keys; being able to detect when a |
74 | | * passphrase is say 4 bytes may assist choosing weaker targets. Even though |
75 | | * the loop bounds are constant, we can only actually read key[0..length] so |
76 | | * it doesn't seem possible to make this computation truly constant time. |
77 | | * |
78 | | * We don't mind leaking if the length is exactly zero since that's |
79 | | * trivial to simply check. |
80 | | */ |
81 | | |
82 | 2.08k | if(key.size() > m_hash_block_size) { |
83 | 86 | m_hash->update(key); |
84 | 86 | m_hash->final(m_ikey.data()); |
85 | 1.99k | } else if(key.size() >= 20) { |
86 | | // For long keys we just leak the length either it is a cryptovariable |
87 | | // or a long enough password that just the length is not a useful signal |
88 | 1.86k | copy_mem(std::span{m_ikey}.first(key.size()), key); |
89 | 1.86k | } else if(!key.empty()) { |
90 | 6.93k | for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i) { |
91 | | /* |
92 | | access key[i % length] but avoiding division due to variable |
93 | | time computation on some processors. |
94 | | */ |
95 | 6.84k | auto needs_reduction = CT::Mask<size_t>::is_lte(key.size(), i_mod_length); |
96 | 6.84k | i_mod_length = needs_reduction.select(0, i_mod_length); |
97 | 6.84k | const uint8_t kb = key[i_mod_length]; |
98 | | |
99 | 6.84k | auto in_range = CT::Mask<size_t>::is_lt(i, key.size()); |
100 | 6.84k | m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb)); |
101 | 6.84k | i_mod_length += 1; |
102 | 6.84k | } |
103 | 86 | } |
104 | | |
105 | 139k | for(size_t i = 0; i != m_hash_block_size; ++i) { |
106 | 137k | m_ikey[i] ^= ipad; |
107 | 137k | m_okey[i] = m_ikey[i] ^ ipad ^ opad; |
108 | 137k | } |
109 | | |
110 | 2.08k | m_hash->update(m_ikey); |
111 | 2.08k | } |
112 | | |
113 | | /* |
114 | | * Clear memory of sensitive data |
115 | | */ |
116 | 0 | void HMAC::clear() { |
117 | 0 | m_hash->clear(); |
118 | 0 | zap(m_ikey); |
119 | 0 | zap(m_okey); |
120 | 0 | } |
121 | | |
122 | | /* |
123 | | * Return the name of this type |
124 | | */ |
125 | 15 | std::string HMAC::name() const { |
126 | 15 | return fmt("HMAC({})", m_hash->name()); |
127 | 15 | } |
128 | | |
129 | | /* |
130 | | * Return a new_object of this object |
131 | | */ |
132 | 0 | std::unique_ptr<MessageAuthenticationCode> HMAC::new_object() const { |
133 | 0 | return std::make_unique<HMAC>(m_hash->new_object()); |
134 | 0 | } |
135 | | |
136 | | /* |
137 | | * HMAC Constructor |
138 | | */ |
139 | | HMAC::HMAC(std::unique_ptr<HashFunction> hash) : |
140 | 630 | m_hash(std::move(hash)), |
141 | 630 | m_hash_output_length(m_hash->output_length()), |
142 | 630 | m_hash_block_size(m_hash->hash_block_size()) { |
143 | 630 | BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length, "HMAC is not compatible with this hash function"); |
144 | 630 | } |
145 | | |
146 | | } // namespace Botan |