doxygen/hmac_8cpp_source.html

/*

* HMAC

* (C) 1999-2007,2014,2020 Jack Lloyd

*     2007 Yves Jerschow

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/hmac.h>


#include <botan/mem_ops.h>

#include <botan/internal/ct_utils.h>

#include <botan/internal/fmt.h>


namespace Botan {


/*

* Update a HMAC Calculation

*/

void HMAC::add_data(std::span<const uint8_t> input) {

   assert_key_material_set();

   m_hash->update(input);

}


/*

* Finalize a HMAC Calculation

*/

void HMAC::final_result(std::span<uint8_t> mac) {

   assert_key_material_set();

   m_hash->final(mac);

   m_hash->update(m_okey);

   m_hash->update(mac.first(m_hash_output_length));

   m_hash->final(mac);

   m_hash->update(m_ikey);

}


Key_Length_Specification HMAC::key_spec() const {

   // Support very long lengths for things like PBKDF2 and the TLS PRF

   return Key_Length_Specification(0, 4096);

}


size_t HMAC::output_length() const {

   return m_hash_output_length;

}


bool HMAC::has_keying_material() const {

   return !m_okey.empty();

}


/*

* HMAC Key Schedule

*/

void HMAC::key_schedule(std::span<const uint8_t> key) {

   const uint8_t ipad = 0x36;

   const uint8_t opad = 0x5C;


   m_hash->clear();


   m_ikey.resize(m_hash_block_size);

   m_okey.resize(m_hash_block_size);


   clear_mem(m_ikey.data(), m_ikey.size());

   clear_mem(m_okey.data(), m_okey.size());


   /*

   * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it

   * reveals the length of the passphrase. Make some attempt to hide this to

   * side channels. Clearly if the secret is longer than the block size then the

   * branch to hash first reveals that. In addition, counting the number of

   * compression functions executed reveals the size at the granularity of the

   * hash function's block size.

   *

   * The greater concern is for smaller keys; being able to detect when a

   * passphrase is say 4 bytes may assist choosing weaker targets. Even though

   * the loop bounds are constant, we can only actually read key[0..length] so

   * it doesn't seem possible to make this computation truly constant time.

   *

   * We don't mind leaking if the length is exactly zero since that's

   * trivial to simply check.

   */


   if(key.size() > m_hash_block_size) {

      m_hash->update(key);

      m_hash->final(m_ikey.data());

   } else if(key.size() >= 20) {

      // For long keys we just leak the length either it is a cryptovariable

      // or a long enough password that just the length is not a useful signal

      copy_mem(std::span{m_ikey}.first(key.size()), key);

   } else if(!key.empty()) {

      for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i) {

         /*

         access key[i % length] but avoiding division due to variable

         time computation on some processors.

         */

         auto needs_reduction = CT::Mask<size_t>::is_lte(key.size(), i_mod_length);

         i_mod_length = needs_reduction.select(0, i_mod_length);

         const uint8_t kb = key[i_mod_length];


         auto in_range = CT::Mask<size_t>::is_lt(i, key.size());

         m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));

         i_mod_length += 1;

      }

   }


   for(size_t i = 0; i != m_hash_block_size; ++i) {

      m_ikey[i] ^= ipad;

      m_okey[i] = m_ikey[i] ^ ipad ^ opad;

   }


   m_hash->update(m_ikey);

}


/*

* Clear memory of sensitive data

*/


void HMAC::clear() {

   m_hash->clear();

   zap(m_ikey);

   zap(m_okey);

}


/*

* Return the name of this type

*/


std::string HMAC::name() const {

   return fmt("HMAC({})", m_hash->name());

}


/*

* Return a new_object of this object

*/


std::unique_ptr<MessageAuthenticationCode> HMAC::new_object() const {

   return std::make_unique<HMAC>(m_hash->new_object());

}


/*

* HMAC Constructor

*/


HMAC::HMAC(std::unique_ptr<HashFunction> hash) :

      m_hash(std::move(hash)),

      m_hash_output_length(m_hash->output_length()),

      m_hash_block_size(m_hash->hash_block_size()) {

   BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length, "HMAC is not compatible with this hash function");

}


}  // namespace Botan

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:31

Botan::CT::Mask::is_lte
static constexpr Mask< T > is_lte(T x, T y)
Definition ct_utils.h:475

Botan::CT::Mask::is_lt
static constexpr Mask< T > is_lt(T x, T y)
Definition ct_utils.h:462

Botan::HMAC::has_keying_material
bool has_keying_material() const override
Definition hmac.cpp:46

Botan::HMAC::output_length
size_t output_length() const override
Definition hmac.cpp:42

Botan::HMAC::name
std::string name() const override
Definition hmac.cpp:125

Botan::HMAC::new_object
std::unique_ptr< MessageAuthenticationCode > new_object() const override
Definition hmac.cpp:132

Botan::HMAC::key_spec
Key_Length_Specification key_spec() const override
Definition hmac.cpp:37

Botan::HMAC::HMAC
HMAC(std::unique_ptr< HashFunction > hash)
Definition hmac.cpp:139

Botan::HMAC::clear
void clear() override
Definition hmac.cpp:116

Botan::Key_Length_Specification
Definition sym_algo.h:23

Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:141

Botan
Definition alg_id.cpp:13

Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:124

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:149

Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:123