1 // Copyright 2015-2016 Brian Smith.
2 //
3 // Permission to use, copy, modify, and/or distribute this software for any
4 // purpose with or without fee is hereby granted, provided that the above
5 // copyright notice and this permission notice appear in all copies.
6 //
7 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
10 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15 //! HMAC is specified in [RFC 2104].
16 //!
17 //! After a `Key` is constructed, it can be used for multiple signing or
18 //! verification operations. Separating the construction of the key from the
19 //! rest of the HMAC operation allows the per-key precomputation to be done
20 //! only once, instead of it being done in every HMAC operation.
21 //!
22 //! Frequently all the data to be signed in a message is available in a single
23 //! contiguous piece. In that case, the module-level `sign` function can be
24 //! used. Otherwise, if the input is in multiple parts, `Context` should be
25 //! used.
26 //!
27 //! # Examples:
28 //!
29 //! ## Signing a value and verifying it wasn't tampered with
30 //!
31 //! ```
32 //! use ring::{hmac, rand};
33 //!
34 //! let rng = rand::SystemRandom::new();
35 //! let key = hmac::Key::generate(hmac::HMAC_SHA256, &rng)?;
36 //!
37 //! let msg = "hello, world";
38 //!
39 //! let tag = hmac::sign(&key, msg.as_bytes());
40 //!
41 //! // [We give access to the message to an untrusted party, and they give it
42 //! // back to us. We need to verify they didn't tamper with it.]
43 //!
44 //! hmac::verify(&key, msg.as_bytes(), tag.as_ref())?;
45 //!
46 //! # Ok::<(), ring::error::Unspecified>(())
47 //! ```
48 //!
49 //! ## Using the one-shot API:
50 //!
51 //! ```
52 //! use ring::{digest, hmac, rand};
53 //! use ring::rand::SecureRandom;
54 //!
55 //! let msg = "hello, world";
56 //!
57 //! // The sender generates a secure key value and signs the message with it.
58 //! // Note that in a real protocol, a key agreement protocol would be used to
59 //! // derive `key_value`.
60 //! let rng = rand::SystemRandom::new();
61 //! let key_value: [u8; digest::SHA256_OUTPUT_LEN] = rand::generate(&rng)?.expose();
62 //!
63 //! let s_key = hmac::Key::new(hmac::HMAC_SHA256, key_value.as_ref());
64 //! let tag = hmac::sign(&s_key, msg.as_bytes());
65 //!
66 //! // The receiver (somehow!) knows the key value, and uses it to verify the
67 //! // integrity of the message.
68 //! let v_key = hmac::Key::new(hmac::HMAC_SHA256, key_value.as_ref());
69 //! hmac::verify(&v_key, msg.as_bytes(), tag.as_ref())?;
70 //!
71 //! # Ok::<(), ring::error::Unspecified>(())
72 //! ```
73 //!
74 //! ## Using the multi-part API:
75 //! ```
76 //! use ring::{digest, hmac, rand};
77 //! use ring::rand::SecureRandom;
78 //!
79 //! let parts = ["hello", ", ", "world"];
80 //!
81 //! // The sender generates a secure key value and signs the message with it.
82 //! // Note that in a real protocol, a key agreement protocol would be used to
83 //! // derive `key_value`.
84 //! let rng = rand::SystemRandom::new();
85 //! let mut key_value: [u8; digest::SHA384_OUTPUT_LEN] = rand::generate(&rng)?.expose();
86 //!
87 //! let s_key = hmac::Key::new(hmac::HMAC_SHA384, key_value.as_ref());
88 //! let mut s_ctx = hmac::Context::with_key(&s_key);
89 //! for part in &parts {
90 //! s_ctx.update(part.as_bytes());
91 //! }
92 //! let tag = s_ctx.sign();
93 //!
94 //! // The receiver (somehow!) knows the key value, and uses it to verify the
95 //! // integrity of the message.
96 //! let v_key = hmac::Key::new(hmac::HMAC_SHA384, key_value.as_ref());
97 //! let mut msg = Vec::<u8>::new();
98 //! for part in &parts {
99 //! msg.extend(part.as_bytes());
100 //! }
101 //! hmac::verify(&v_key, &msg.as_ref(), tag.as_ref())?;
102 //!
103 //! # Ok::<(), ring::error::Unspecified>(())
104 //! ```
105 //!
106 //! [RFC 2104]: https://tools.ietf.org/html/rfc2104
107 //! [code for `ring::pbkdf2`]:
108 //! https://github.com/briansmith/ring/blob/main/src/pbkdf2.rs
109 //! [code for `ring::hkdf`]:
110 //! https://github.com/briansmith/ring/blob/main/src/hkdf.rs
111
112 use crate::{constant_time, digest, error, hkdf, rand};
113
114 /// An HMAC algorithm.
115 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
116 pub struct Algorithm(&'static digest::Algorithm);
117
118 impl Algorithm {
119 /// The digest algorithm this HMAC algorithm is based on.
120 #[inline]
digest_algorithm(&self) -> &'static digest::Algorithm121 pub fn digest_algorithm(&self) -> &'static digest::Algorithm {
122 self.0
123 }
124 }
125
126 /// HMAC using SHA-1. Obsolete.
127 pub static HMAC_SHA1_FOR_LEGACY_USE_ONLY: Algorithm = Algorithm(&digest::SHA1_FOR_LEGACY_USE_ONLY);
128
129 /// HMAC using SHA-256.
130 pub static HMAC_SHA256: Algorithm = Algorithm(&digest::SHA256);
131
132 /// HMAC using SHA-384.
133 pub static HMAC_SHA384: Algorithm = Algorithm(&digest::SHA384);
134
135 /// HMAC using SHA-512.
136 pub static HMAC_SHA512: Algorithm = Algorithm(&digest::SHA512);
137
138 /// A deprecated alias for `Tag`.
139 #[deprecated(note = "`Signature` was renamed to `Tag`. This alias will be removed soon.")]
140 pub type Signature = Tag;
141
142 /// An HMAC tag.
143 ///
144 /// For a given tag `t`, use `t.as_ref()` to get the tag value as a byte slice.
145 #[derive(Clone, Copy, Debug)]
146 pub struct Tag(digest::Digest);
147
148 impl AsRef<[u8]> for Tag {
149 #[inline]
as_ref(&self) -> &[u8]150 fn as_ref(&self) -> &[u8] {
151 self.0.as_ref()
152 }
153 }
154
155 /// A key to use for HMAC signing.
156 #[derive(Clone)]
157 pub struct Key {
158 inner: digest::BlockContext,
159 outer: digest::BlockContext,
160 }
161
162 /// `hmac::SigningKey` was renamed to `hmac::Key`.
163 #[deprecated(note = "Renamed to `hmac::Key`.")]
164 pub type SigningKey = Key;
165
166 /// `hmac::VerificationKey` was merged into `hmac::Key`.
167 #[deprecated(
168 note = "The distinction between verification & signing keys was removed. Use `hmac::Key`."
169 )]
170 pub type VerificationKey = Key;
171
172 impl core::fmt::Debug for Key {
fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error>173 fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
174 f.debug_struct("Key")
175 .field("algorithm", self.algorithm().digest_algorithm())
176 .finish()
177 }
178 }
179
180 impl Key {
181 /// Generate an HMAC signing key using the given digest algorithm with a
182 /// random value generated from `rng`.
183 ///
184 /// The key will be `digest_alg.output_len` bytes long, based on the
185 /// recommendation in [RFC 2104 Section 3].
186 ///
187 /// [RFC 2104 Section 3]: https://tools.ietf.org/html/rfc2104#section-3
generate( algorithm: Algorithm, rng: &dyn rand::SecureRandom, ) -> Result<Self, error::Unspecified>188 pub fn generate(
189 algorithm: Algorithm,
190 rng: &dyn rand::SecureRandom,
191 ) -> Result<Self, error::Unspecified> {
192 Self::construct(algorithm, |buf| rng.fill(buf))
193 }
194
construct<F>(algorithm: Algorithm, fill: F) -> Result<Self, error::Unspecified> where F: FnOnce(&mut [u8]) -> Result<(), error::Unspecified>,195 fn construct<F>(algorithm: Algorithm, fill: F) -> Result<Self, error::Unspecified>
196 where
197 F: FnOnce(&mut [u8]) -> Result<(), error::Unspecified>,
198 {
199 let mut key_bytes = [0; digest::MAX_OUTPUT_LEN];
200 let key_bytes = &mut key_bytes[..algorithm.0.output_len];
201 fill(key_bytes)?;
202 Ok(Self::new(algorithm, key_bytes))
203 }
204
205 /// Construct an HMAC signing key using the given digest algorithm and key
206 /// value.
207 ///
208 /// `key_value` should be a value generated using a secure random number
209 /// generator (e.g. the `key_value` output by
210 /// `SealingKey::generate_serializable()`) or derived from a random key by
211 /// a key derivation function (e.g. `ring::hkdf`). In particular,
212 /// `key_value` shouldn't be a password.
213 ///
214 /// As specified in RFC 2104, if `key_value` is shorter than the digest
215 /// algorithm's block length (as returned by `digest::Algorithm::block_len`,
216 /// not the digest length returned by `digest::Algorithm::output_len`) then
217 /// it will be padded with zeros. Similarly, if it is longer than the block
218 /// length then it will be compressed using the digest algorithm.
219 ///
220 /// You should not use keys larger than the `digest_alg.block_len` because
221 /// the truncation described above reduces their strength to only
222 /// `digest_alg.output_len * 8` bits. Support for such keys is likely to be
223 /// removed in a future version of *ring*.
new(algorithm: Algorithm, key_value: &[u8]) -> Self224 pub fn new(algorithm: Algorithm, key_value: &[u8]) -> Self {
225 let digest_alg = algorithm.0;
226 let mut key = Self {
227 inner: digest::BlockContext::new(digest_alg),
228 outer: digest::BlockContext::new(digest_alg),
229 };
230
231 let key_hash;
232 let key_value = if key_value.len() <= digest_alg.block_len {
233 key_value
234 } else {
235 key_hash = digest::digest(digest_alg, key_value);
236 key_hash.as_ref()
237 };
238
239 const IPAD: u8 = 0x36;
240
241 let mut padded_key = [IPAD; digest::MAX_BLOCK_LEN];
242 let padded_key = &mut padded_key[..digest_alg.block_len];
243
244 // If the key is shorter than one block then we're supposed to act like
245 // it is padded with zero bytes up to the block length. `x ^ 0 == x` so
246 // we can just leave the trailing bytes of `padded_key` untouched.
247 for (padded_key, key_value) in padded_key.iter_mut().zip(key_value.iter()) {
248 *padded_key ^= *key_value;
249 }
250 key.inner.update(&padded_key);
251
252 const OPAD: u8 = 0x5C;
253
254 // Remove the `IPAD` masking, leaving the unmasked padded key, then
255 // mask with `OPAD`, all in one step.
256 for b in padded_key.iter_mut() {
257 *b ^= IPAD ^ OPAD;
258 }
259 key.outer.update(&padded_key);
260
261 key
262 }
263
264 /// The digest algorithm for the key.
265 #[inline]
algorithm(&self) -> Algorithm266 pub fn algorithm(&self) -> Algorithm {
267 Algorithm(self.inner.algorithm)
268 }
269 }
270
271 impl hkdf::KeyType for Algorithm {
len(&self) -> usize272 fn len(&self) -> usize {
273 self.digest_algorithm().output_len
274 }
275 }
276
277 impl From<hkdf::Okm<'_, Algorithm>> for Key {
from(okm: hkdf::Okm<Algorithm>) -> Self278 fn from(okm: hkdf::Okm<Algorithm>) -> Self {
279 Key::construct(*okm.len(), |buf| okm.fill(buf)).unwrap()
280 }
281 }
282
283 /// A context for multi-step (Init-Update-Finish) HMAC signing.
284 ///
285 /// Use `sign` for single-step HMAC signing.
286 #[derive(Clone)]
287 pub struct Context {
288 inner: digest::Context,
289 outer: digest::BlockContext,
290 }
291
292 /// `hmac::SigningContext` was renamed to `hmac::Context`.
293 #[deprecated(note = "Renamed to `hmac::Context`.")]
294 pub type SigningContext = Context;
295
296 impl core::fmt::Debug for Context {
fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error>297 fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
298 f.debug_struct("Context")
299 .field("algorithm", self.inner.algorithm())
300 .finish()
301 }
302 }
303
304 impl Context {
305 /// Constructs a new HMAC signing context using the given digest algorithm
306 /// and key.
with_key(signing_key: &Key) -> Self307 pub fn with_key(signing_key: &Key) -> Self {
308 Self {
309 inner: digest::Context::clone_from(&signing_key.inner),
310 outer: signing_key.outer.clone(),
311 }
312 }
313
314 /// Updates the HMAC with all the data in `data`. `update` may be called
315 /// zero or more times until `finish` is called.
update(&mut self, data: &[u8])316 pub fn update(&mut self, data: &[u8]) {
317 self.inner.update(data);
318 }
319
320 /// Finalizes the HMAC calculation and returns the HMAC value. `sign`
321 /// consumes the context so it cannot be (mis-)used after `sign` has been
322 /// called.
323 ///
324 /// It is generally not safe to implement HMAC verification by comparing
325 /// the return value of `sign` to a tag. Use `verify` for verification
326 /// instead.
sign(self) -> Tag327 pub fn sign(self) -> Tag {
328 let algorithm = self.inner.algorithm();
329 let mut pending = [0u8; digest::MAX_BLOCK_LEN];
330 let pending = &mut pending[..algorithm.block_len];
331 let num_pending = algorithm.output_len;
332 pending[..num_pending].copy_from_slice(self.inner.finish().as_ref());
333 Tag(self.outer.finish(pending, num_pending))
334 }
335 }
336
337 /// Calculates the HMAC of `data` using the key `key` in one step.
338 ///
339 /// Use `Context` to calculate HMACs where the input is in multiple parts.
340 ///
341 /// It is generally not safe to implement HMAC verification by comparing the
342 /// return value of `sign` to a tag. Use `verify` for verification instead.
sign(key: &Key, data: &[u8]) -> Tag343 pub fn sign(key: &Key, data: &[u8]) -> Tag {
344 let mut ctx = Context::with_key(key);
345 ctx.update(data);
346 ctx.sign()
347 }
348
349 /// Calculates the HMAC of `data` using the signing key `key`, and verifies
350 /// whether the resultant value equals `tag`, in one step.
351 ///
352 /// This is logically equivalent to, but more efficient than, constructing a
353 /// `Key` with the same value as `key` and then using `verify`.
354 ///
355 /// The verification will be done in constant time to prevent timing attacks.
verify(key: &Key, data: &[u8], tag: &[u8]) -> Result<(), error::Unspecified>356 pub fn verify(key: &Key, data: &[u8], tag: &[u8]) -> Result<(), error::Unspecified> {
357 constant_time::verify_slices_are_equal(sign(key, data).as_ref(), tag)
358 }
359
360 #[cfg(test)]
361 mod tests {
362 use crate::{hmac, rand};
363
364 // Make sure that `Key::generate` and `verify_with_own_key` aren't
365 // completely wacky.
366 #[test]
hmac_signing_key_coverage()367 pub fn hmac_signing_key_coverage() {
368 let rng = rand::SystemRandom::new();
369
370 const HELLO_WORLD_GOOD: &[u8] = b"hello, world";
371 const HELLO_WORLD_BAD: &[u8] = b"hello, worle";
372
373 for algorithm in &[
374 hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY,
375 hmac::HMAC_SHA256,
376 hmac::HMAC_SHA384,
377 hmac::HMAC_SHA512,
378 ] {
379 let key = hmac::Key::generate(*algorithm, &rng).unwrap();
380 let tag = hmac::sign(&key, HELLO_WORLD_GOOD);
381 assert!(hmac::verify(&key, HELLO_WORLD_GOOD, tag.as_ref()).is_ok());
382 assert!(hmac::verify(&key, HELLO_WORLD_BAD, tag.as_ref()).is_err())
383 }
384 }
385 }
386