Botan  2.15.0
Crypto and TLS for C++11
hmac.cpp
Go to the documentation of this file.
1 /*
2 * HMAC
3 * (C) 1999-2007,2014,2020 Jack Lloyd
4 * 2007 Yves Jerschow
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/hmac.h>
10 #include <botan/internal/ct_utils.h>
11 
12 namespace Botan {
13 
14 /*
15 * Update a HMAC Calculation
16 */
17 void HMAC::add_data(const uint8_t input[], size_t length)
18  {
19  verify_key_set(m_ikey.empty() == false);
20  m_hash->update(input, length);
21  }
22 
23 /*
24 * Finalize a HMAC Calculation
25 */
26 void HMAC::final_result(uint8_t mac[])
27  {
28  verify_key_set(m_okey.empty() == false);
29  m_hash->final(mac);
30  m_hash->update(m_okey);
31  m_hash->update(mac, m_hash_output_length);
32  m_hash->final(mac);
33  m_hash->update(m_ikey);
34  }
35 
37  {
38  // Support very long lengths for things like PBKDF2 and the TLS PRF
39  return Key_Length_Specification(0, 4096);
40  }
41 
42 size_t HMAC::output_length() const
43  {
44  return m_hash_output_length;
45  }
46 
47 /*
48 * HMAC Key Schedule
49 */
50 void HMAC::key_schedule(const uint8_t key[], size_t length)
51  {
52  const uint8_t ipad = 0x36;
53  const uint8_t opad = 0x5C;
54 
55  m_hash->clear();
56 
57  m_ikey.resize(m_hash_block_size);
58  m_okey.resize(m_hash_block_size);
59 
60  clear_mem(m_ikey.data(), m_ikey.size());
61  clear_mem(m_okey.data(), m_okey.size());
62 
63  /*
64  * Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
65  * reveals the length of the passphrase. Make some attempt to hide this to
66  * side channels. Clearly if the secret is longer than the block size then the
67  * branch to hash first reveals that. In addition, counting the number of
68  * compression functions executed reveals the size at the granularity of the
69  * hash function's block size.
70  *
71  * The greater concern is for smaller keys; being able to detect when a
72  * passphrase is say 4 bytes may assist choosing weaker targets. Even though
73  * the loop bounds are constant, we can only actually read key[0..length] so
74  * it doesn't seem possible to make this computation truly constant time.
75  *
76  * We don't mind leaking if the length is exactly zero since that's
77  * trivial to simply check.
78  */
79 
80  if(length > m_hash_block_size)
81  {
82  m_hash->update(key, length);
83  m_hash->final(m_ikey.data());
84  }
85  else if(length > 0)
86  {
87  for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i)
88  {
89  /*
90  access key[i % length] but avoiding division due to variable
91  time computation on some processors.
92  */
93  auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
94  i_mod_length = needs_reduction.select(0, i_mod_length);
95  const uint8_t kb = key[i_mod_length];
96 
97  auto in_range = CT::Mask<size_t>::is_lt(i, length);
98  m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
99  i_mod_length += 1;
100  }
101  }
102 
103  for(size_t i = 0; i != m_hash_block_size; ++i)
104  {
105  m_ikey[i] ^= ipad;
106  m_okey[i] = m_ikey[i] ^ ipad ^ opad;
107  }
108 
109  m_hash->update(m_ikey);
110  }
111 
112 /*
113 * Clear memory of sensitive data
114 */
116  {
117  m_hash->clear();
118  zap(m_ikey);
119  zap(m_okey);
120  }
121 
122 /*
123 * Return the name of this type
124 */
125 std::string HMAC::name() const
126  {
127  return "HMAC(" + m_hash->name() + ")";
128  }
129 
130 /*
131 * Return a clone of this object
132 */
134  {
135  return new HMAC(m_hash->clone());
136  }
137 
138 /*
139 * HMAC Constructor
140 */
142  m_hash(hash),
143  m_hash_output_length(m_hash->output_length()),
144  m_hash_block_size(m_hash->hash_block_size())
145  {
146  BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length,
147  "HMAC is not compatible with this hash function");
148  }
149 
150 }
Key_Length_Specification key_spec() const override
Definition: hmac.cpp:36
MessageAuthenticationCode * clone() const override
Definition: hmac.cpp:133
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
size_t output_length() const override
Definition: hmac.cpp:42
static Mask< T > is_lte(T x, T y)
Definition: ct_utils.h:173
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
void clear() override
Definition: hmac.cpp:115
HMAC(HashFunction *hash)
Definition: hmac.cpp:141
std::string name() const override
Definition: hmac.cpp:125
MechanismType hash
static Mask< T > is_lt(T x, T y)
Definition: ct_utils.h:157