Botan 2.19.3
Crypto and TLS for C&
hmac.cpp
Go to the documentation of this file.
1/*
2* HMAC
3* (C) 1999-2007,2014,2020 Jack Lloyd
4* 2007 Yves Jerschow
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/hmac.h>
10#include <botan/internal/ct_utils.h>
11
12namespace Botan {
13
14/*
15* Update a HMAC Calculation
16*/
17void HMAC::add_data(const uint8_t input[], size_t length)
18 {
19 verify_key_set(m_ikey.empty() == false);
20 m_hash->update(input, length);
21 }
22
23/*
24* Finalize a HMAC Calculation
25*/
26void HMAC::final_result(uint8_t mac[])
27 {
28 verify_key_set(m_okey.empty() == false);
29 m_hash->final(mac);
30 m_hash->update(m_okey);
31 m_hash->update(mac, m_hash_output_length);
32 m_hash->final(mac);
33 m_hash->update(m_ikey);
34 }
35
37 {
38 // Support very long lengths for things like PBKDF2 and the TLS PRF
39 return Key_Length_Specification(0, 4096);
40 }
41
42size_t HMAC::output_length() const
43 {
44 return m_hash_output_length;
45 }
46
47/*
48* HMAC Key Schedule
49*/
50void HMAC::key_schedule(const uint8_t key[], size_t length)
51 {
52 const uint8_t ipad = 0x36;
53 const uint8_t opad = 0x5C;
54
55 m_hash->clear();
56
57 m_ikey.resize(m_hash_block_size);
58 m_okey.resize(m_hash_block_size);
59
60 clear_mem(m_ikey.data(), m_ikey.size());
61 clear_mem(m_okey.data(), m_okey.size());
62
63 /*
64 * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
65 * reveals the length of the passphrase. Make some attempt to hide this to
66 * side channels. Clearly if the secret is longer than the block size then the
67 * branch to hash first reveals that. In addition, counting the number of
68 * compression functions executed reveals the size at the granularity of the
69 * hash function's block size.
70 *
71 * The greater concern is for smaller keys; being able to detect when a
72 * passphrase is say 4 bytes may assist choosing weaker targets. Even though
73 * the loop bounds are constant, we can only actually read key[0..length] so
74 * it doesn't seem possible to make this computation truly constant time.
75 *
76 * We don't mind leaking if the length is exactly zero since that's
77 * trivial to simply check.
78 */
79
80 if(length > m_hash_block_size)
81 {
82 m_hash->update(key, length);
83 m_hash->final(m_ikey.data());
84 }
85 else if(length > 0)
86 {
87 for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i)
88 {
89 /*
90 access key[i % length] but avoiding division due to variable
91 time computation on some processors.
92 */
93 auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
94 i_mod_length = needs_reduction.select(0, i_mod_length);
95 const uint8_t kb = key[i_mod_length];
96
97 auto in_range = CT::Mask<size_t>::is_lt(i, length);
98 m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
99 i_mod_length += 1;
100 }
101 }
102
103 for(size_t i = 0; i != m_hash_block_size; ++i)
104 {
105 m_ikey[i] ^= ipad;
106 m_okey[i] = m_ikey[i] ^ ipad ^ opad;
107 }
108
109 m_hash->update(m_ikey);
110 }
111
112/*
113* Clear memory of sensitive data
114*/
116 {
117 m_hash->clear();
118 zap(m_ikey);
119 zap(m_okey);
120 }
121
122/*
123* Return the name of this type
124*/
125std::string HMAC::name() const
126 {
127 return "HMAC(" + m_hash->name() + ")";
128 }
129
130/*
131* Return a clone of this object
132*/
134 {
135 return new HMAC(m_hash->clone());
136 }
137
138/*
139* HMAC Constructor
140*/
142 m_hash(hash),
143 m_hash_output_length(m_hash->output_length()),
144 m_hash_block_size(m_hash->hash_block_size())
145 {
146 BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length,
147 "HMAC is not compatible with this hash function");
148 }
149
150}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:37
static Mask< T > is_lt(T x, T y)
Definition ct_utils.h:157
static Mask< T > is_lte(T x, T y)
Definition ct_utils.h:173
size_t output_length() const override
Definition hmac.cpp:42
std::string name() const override
Definition hmac.cpp:125
MessageAuthenticationCode * clone() const override
Definition hmac.cpp:133
Key_Length_Specification key_spec() const override
Definition hmac.cpp:36
HMAC(HashFunction *hash)
Definition hmac.cpp:141
void clear() override
Definition hmac.cpp:115
void verify_key_set(bool cond) const
Definition sym_algo.h:171
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:124
void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:115
MechanismType hash