1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
/*
* HMAC
* (C) 1999-2007,2014,2020 Jack Lloyd
* 2007 Yves Jerschow
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/hmac.h>
#include <botan/internal/ct_utils.h>
namespace Botan {
/*
* Update a HMAC Calculation
*/
void HMAC::add_data(const uint8_t input[], size_t length)
{
verify_key_set(m_ikey.empty() == false);
m_hash->update(input, length);
}
/*
* Finalize a HMAC Calculation
*/
void HMAC::final_result(uint8_t mac[])
{
verify_key_set(m_okey.empty() == false);
m_hash->final(mac);
m_hash->update(m_okey);
m_hash->update(mac, m_hash_output_length);
m_hash->final(mac);
m_hash->update(m_ikey);
}
Key_Length_Specification HMAC::key_spec() const
{
// Support very long lengths for things like PBKDF2 and the TLS PRF
return Key_Length_Specification(0, 4096);
}
size_t HMAC::output_length() const
{
return m_hash_output_length;
}
/*
* HMAC Key Schedule
*/
void HMAC::key_schedule(const uint8_t key[], size_t length)
{
const uint8_t ipad = 0x36;
const uint8_t opad = 0x5C;
m_hash->clear();
m_ikey.resize(m_hash_block_size);
m_okey.resize(m_hash_block_size);
clear_mem(m_ikey.data(), m_ikey.size());
clear_mem(m_okey.data(), m_okey.size());
/*
* Sometimes the HMAC key length itself is sensitive, as with PBKDF2 where it
* reveals the length of the passphrase. Make some attempt to hide this to
* side channels. Clearly if the secret is longer than the block size then the
* branch to hash first reveals that. In addition, counting the number of
* compression functions executed reveals the size at the granularity of the
* hash function's block size.
*
* The greater concern is for smaller keys; being able to detect when a
* passphrase is say 4 bytes may assist choosing weaker targets. Even though
* the loop bounds are constant, we can only actually read key[0..length] so
* it doesn't seem possible to make this computation truly constant time.
*
* We don't mind leaking if the length is exactly zero since that's
* trivial to simply check.
*/
if(length > m_hash_block_size)
{
m_hash->update(key, length);
m_hash->final(m_ikey.data());
}
else if(length > 0)
{
for(size_t i = 0, i_mod_length = 0; i != m_hash_block_size; ++i)
{
/*
access key[i % length] but avoiding division due to variable
time computation on some processors.
*/
auto needs_reduction = CT::Mask<size_t>::is_lte(length, i_mod_length);
i_mod_length = needs_reduction.select(0, i_mod_length);
const uint8_t kb = key[i_mod_length];
auto in_range = CT::Mask<size_t>::is_lt(i, length);
m_ikey[i] = static_cast<uint8_t>(in_range.if_set_return(kb));
i_mod_length += 1;
}
}
for(size_t i = 0; i != m_hash_block_size; ++i)
{
m_ikey[i] ^= ipad;
m_okey[i] = m_ikey[i] ^ ipad ^ opad;
}
m_hash->update(m_ikey);
}
/*
* Clear memory of sensitive data
*/
void HMAC::clear()
{
m_hash->clear();
zap(m_ikey);
zap(m_okey);
}
/*
* Return the name of this type
*/
std::string HMAC::name() const
{
return "HMAC(" + m_hash->name() + ")";
}
/*
* Return a clone of this object
*/
MessageAuthenticationCode* HMAC::clone() const
{
return new HMAC(m_hash->clone());
}
/*
* HMAC Constructor
*/
HMAC::HMAC(HashFunction* hash) :
m_hash(hash),
m_hash_output_length(m_hash->output_length()),
m_hash_block_size(m_hash->hash_block_size())
{
BOTAN_ARG_CHECK(m_hash_block_size >= m_hash_output_length,
"HMAC is not compatible with this hash function");
}
}
|