HMAC implementation and test vectors.

1 files changed, 173 insertions, 11 deletions

diff --git a/hash.c b/hash.c
index 3680927..2a05150 100644
--- a/hash.c
+++ b/hash.c
@@ -45,8 +45,19 @@
 
 #include "cryptech.h"
 
-/* Longest digest block we support at the moment */
+/*
+ * Longest block and digest we support at the moment.
+ */
+
 #define MAX_BLOCK_LEN           SHA512_BLOCK_LEN
+#define	MAX_DIGEST_LEN		SHA512_DIGEST_LEN
+
+/*
+ * HMAC magic numbers.
+ */
+
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
 
 /*
  * Driver.  This encapsulates whatever per-algorithm voodoo we need
@@ -87,10 +98,22 @@ typedef struct {
 } internal_hash_state_t;
 
 /*
- * Drivers and descriptors for known digest algorithms.
+ * HMAC state.
  */
 
-/* Drivers */
+typedef struct {
+  internal_hash_state_t hash_state;     /* Hash state */
+  uint8_t keybuf[MAX_BLOCK_LEN];        /* HMAC key */
+  size_t keylen;                        /* Length of HMAC key */
+} internal_hmac_state_t;
+
+/*
+ * Drivers for known digest algorithms.
+ *
+ * Initialization of the core_name field is not a typo, we're
+ * concatenating two string constants and trusting the compiler to
+ * whine if the resulting string doesn't fit into the field.
+ */
 
 static const driver_t sha1_driver = {
   SHA1_LENGTH_LEN,
@@ -134,41 +157,46 @@ static const driver_t sha512_driver = {
   MODE_SHA_512
 };
 
-/* Descriptors */
+/*
+ * Descriptors.  Yes, the {hash,hmac}_state_length fields are a bit
+ * repetitive given that they (currently) have the same value
+ * regardless of algorithm, but we don't want to wire in that
+ * assumption, so it's simplest to be explicit.
+ */
 
 const hal_hash_descriptor_t hal_hash_sha1 = {
   SHA1_BLOCK_LEN, SHA1_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha1_driver
 };
 
 const hal_hash_descriptor_t hal_hash_sha256 = {
   SHA256_BLOCK_LEN, SHA256_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha256_driver
 };
 
 const hal_hash_descriptor_t hal_hash_sha512_224 = {
   SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha512_224_driver
 };
 
 const hal_hash_descriptor_t hal_hash_sha512_256 = {
   SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha512_256_driver
 };
 
 const hal_hash_descriptor_t hal_hash_sha384 = {
   SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha384_driver
 };
 
 const hal_hash_descriptor_t hal_hash_sha512 = {
   SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
-  sizeof(internal_hash_state_t), 0,
+  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
   &sha512_driver
 };
 
@@ -292,7 +320,7 @@ static hal_error_t hash_read_digest(const driver_t * const driver,
  */
 
 hal_error_t hal_hash_update(hal_hash_state_t opaque_state,      /* Opaque state block */
-                            const uint8_t * const data_buffer,	/* Data to be hashed */
+                            const uint8_t * const data_buffer,  /* Data to be hashed */
                             size_t data_buffer_length)          /* Length of data_buffer */
 {
   internal_hash_state_t *state = opaque_state.state;
@@ -424,6 +452,140 @@ hal_error_t hal_hash_finalize(hal_hash_state_t opaque_state,            /* Opaqu
 }
 
 /*
+ * Initialize HMAC state.
+ */
+
+hal_error_t hal_hmac_initialize(const hal_hash_descriptor_t * const descriptor,
+                                hal_hmac_state_t *opaque_state,
+                                void *state_buffer, const size_t state_length,
+                                const uint8_t * const key, const size_t key_length)
+{
+  const driver_t * const driver = check_driver(descriptor);
+  internal_hmac_state_t *state = state_buffer;
+  internal_hash_state_t *h = &state->hash_state;
+  hal_hash_state_t oh;
+  hal_error_t err;
+  int i;
+
+  if (descriptor == NULL || driver == NULL || state == NULL || opaque_state == NULL ||
+      state_length < descriptor->hmac_state_length)
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  /*
+   * RFC 2104 frowns upon keys shorter than the digest length.
+   */
+
+  if (key_length < descriptor->digest_length)
+    return HAL_ERROR_UNSUPPORTED_KEY;
+
+  if ((err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h))) != HAL_OK)
+    return err;
+
+  memset(state->keybuf, 0, sizeof(state->keybuf));
+
+  /*
+   * If the supplied HMAC key is longer than the hash block length, we
+   * need to hash the supplied HMAC key to get the real HMAC key.
+   * Otherwise, we just use the supplied HMAC key directly.
+   */
+
+  if (key_length > descriptor->block_length) {
+    if ((err = hal_hash_update(oh, key, key_length))                        != HAL_OK ||
+        (err = hal_hash_finalize(oh, state->keybuf, sizeof(state->keybuf))) != HAL_OK ||
+        (err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h)))         != HAL_OK)
+      return err;
+    state->keylen = descriptor->digest_length;
+  }
+
+  else {
+    memcpy(state->keybuf, key, key_length);
+    state->keylen = key_length;
+  }
+
+  /*
+   * XOR the key with the IPAD value, then start the inner hash.
+   */
+
+  for (i = 0; i < state->keylen; i++)
+    state->keybuf[i] ^= HMAC_IPAD;
+
+  if ((err = hal_hash_update(oh, state->keybuf, state->keylen)) != HAL_OK)
+    return err;
+
+  /*
+   * Prepare the key for the final hash.  Since we just XORed key with
+   * IPAD, we need to XOR with both IPAD and OPAD to get key XOR OPAD.
+   */
+
+  for (i = 0; i < state->keylen; i++)
+    state->keybuf[i] ^= HMAC_IPAD ^ HMAC_OPAD;
+
+  /*
+   * If we had some good way of saving all of our state (including
+   * state internal to the hash core), this would be a good place to
+   * do it, since it might speed up algorithms like PBKDF2 which do
+   * repeated HMAC operations using the same key.  Revisit this if and
+   * when the hash cores support such a thing.
+   */
+
+  opaque_state->state = state;
+
+  return HAL_OK;
+}
+
+/*
+ * Add data to HMAC.
+ */
+
+hal_error_t hal_hmac_update(const hal_hmac_state_t opaque_state,
+                            const uint8_t * data, const size_t length)
+{
+  internal_hmac_state_t *state = opaque_state.state;
+  internal_hash_state_t *h = &state->hash_state;
+  hal_hash_state_t oh = { h };
+
+  if (state == NULL || data == NULL)
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  return hal_hash_update(oh, data, length);
+}
+
+/*
+ * Finish and return HMAC.
+ */
+
+hal_error_t hal_hmac_finalize(const hal_hmac_state_t opaque_state,
+                              uint8_t *hmac, const size_t length)
+{
+  internal_hmac_state_t *state = opaque_state.state;
+  internal_hash_state_t *h = &state->hash_state;
+  const hal_hash_descriptor_t *descriptor;
+  hal_hash_state_t oh = { h };
+  uint8_t d[MAX_DIGEST_LEN];
+  hal_error_t err;
+
+  if (state == NULL || hmac == NULL)
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  descriptor = h->descriptor;
+  assert(descriptor != NULL && descriptor->digest_length <= sizeof(d));
+
+  /*
+   * Finish up inner hash and extract digest, then perform outer hash
+   * to get HMAC.  Key was prepared for this in hal_hmac_initialize().
+   */
+
+  if ((err = hal_hash_finalize(oh, d, sizeof(d)))                 != HAL_OK ||
+      (err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h))) != HAL_OK ||
+      (err = hal_hash_update(oh, state->keybuf, state->keylen))   != HAL_OK ||
+      (err = hal_hash_update(oh, d, descriptor->digest_length))   != HAL_OK ||
+      (err = hal_hash_finalize(oh, hmac, length))                 != HAL_OK)
+    return err;
+
+  return HAL_OK;
+}
+
+/*
  * "Any programmer who fails to comply with the standard naming, formatting,
  *  or commenting conventions should be shot.  If it so happens that it is
  *  inconvenient to shoot him, then he is to be politely requested to recode