dcrypt-algorithms 1.2.3

Cryptographic primitives for the dcrypt library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

//! HMAC (Hash-based Message Authentication Code) – constant-time & allocation-free
//!
//! • RFC 2104 / FIPS 198-1 compliant  
//! • Secret-dependent work happens on stack-fixed buffers (≤ 144 bytes)  
//! • Error paths burn the same CPU cycles as success paths

use crate::error::{Error, Result};
use crate::hash::HashFunction;
use dcrypt_common::security::{SecretBuffer, SecureZeroingType};
use subtle::ConstantTimeEq;
use zeroize::{Zeroize, ZeroizeOnDrop};

const MAX_BLOCK: usize = 144; // SHA3-224 block size (largest among SHA-2 and SHA-3)

/// Constant-time HMAC implementation.
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
pub struct Hmac<H: HashFunction + Clone> {
    #[zeroize(skip)] // hash state contains no secrets
    hash: H,
    ipad: SecretBuffer<MAX_BLOCK>,
    opad: SecretBuffer<MAX_BLOCK>,
    block_size: usize,
    is_finalized: bool,
}

impl<H> Hmac<H>
where
    H: HashFunction + Clone,
    H::Output: AsRef<[u8]> + Clone,
{
    const IPAD_BYTE: u8 = 0x36;
    const OPAD_BYTE: u8 = 0x5c;

    /* ------------------------------------------------------------------ */
    /*                         Construction helpers                       */
    /* ------------------------------------------------------------------ */

    /// Create a new HMAC instance from `key`.
    pub fn new(key: &[u8]) -> Result<Self> {
        let bs = H::block_size();
        debug_assert!(bs <= MAX_BLOCK);

        /* --- Derive K′ in constant-time --- */
        // Hash the key unconditionally so the running time
        // depends only on the public key length.
        let mut hk = H::new();
        hk.update(key)?;
        let hashed = hk.finalize()?; // ≤ bs bytes

        // Select either `key` or `hashed` per byte with a mask.
        let mut k_prime = [0u8; MAX_BLOCK];
        let long = (key.len() > bs) as u8; // 1 if key > bs
        let mask = long.wrapping_neg(); // 0xFF when long else 0x00
        #[allow(clippy::needless_range_loop)] // We need the index for multiple arrays
        for i in 0..bs {
            let k = *key.get(i).unwrap_or(&0);
            let hk = hashed.as_ref().get(i).copied().unwrap_or(0);
            k_prime[i] = (hk & mask) | (k & !mask);
        }

        /* --- Build inner / outer paddings --- */
        let mut ipad_bytes = [0u8; MAX_BLOCK];
        let mut opad_bytes = [0u8; MAX_BLOCK];
        #[allow(clippy::needless_range_loop)] // We need to index multiple arrays
        for i in 0..bs {
            ipad_bytes[i] = k_prime[i] ^ Self::IPAD_BYTE;
            opad_bytes[i] = k_prime[i] ^ Self::OPAD_BYTE;
        }

        // Zero K′ early
        for b in k_prime.iter_mut().take(bs) {
            *b = 0;
        }

        /* --- Initialise inner hash --- */
        let mut hash = H::new();
        hash.update(&ipad_bytes[..bs])?;

        Ok(Self {
            hash,
            ipad: SecretBuffer::new(ipad_bytes),
            opad: SecretBuffer::new(opad_bytes),
            block_size: bs,
            is_finalized: false,
        })
    }

    /* ------------------------------------------------------------------ */
    /*                            Streaming API                           */
    /* ------------------------------------------------------------------ */

    /// Feed additional `data` into the MAC.
    pub fn update(&mut self, data: &[u8]) -> Result<()> {
        if self.is_finalized {
            /* ----------------------------------------------------------
             * Equal-cost dummy path: hash the input into a fresh hasher
             * and discard the result so error & success match timings.
             * -------------------------------------------------------- */
            let mut dummy = H::new();
            dummy.update(data)?;
            let _ = dummy.finalize();
            return Err(Error::param(
                "hmac_state",
                "Cannot update after finalization",
            ));
        }

        self.hash.update(data).map(|_| ())
    }

    /// Finalise and return the tag.
    pub fn finalize(&mut self) -> Result<Vec<u8>> {
        if self.is_finalized {
            // Equal-cost burn: mimic normal finalisation cost.
            let inner_dummy = [0u8; 64]; // max SHA-512 output
            let mut outer = H::new();
            outer.update(&self.opad.as_ref()[..self.block_size])?;
            outer.update(&inner_dummy[..H::output_size()])?;
            let _ = outer.finalize();
            return Err(Error::param("hmac_state", "HMAC already finalized"));
        }

        self.is_finalized = true;

        let inner_hash = self.hash.finalize()?;

        let mut outer = H::new();
        outer.update(&self.opad.as_ref()[..self.block_size])?;
        outer.update(inner_hash.as_ref())?;

        outer.finalize().map(|out| out.as_ref().to_vec())
    }

    /* ------------------------------------------------------------------ */
    /*                        Convenience wrappers                         */
    /* ------------------------------------------------------------------ */

    /// One-shot MAC helper.
    pub fn mac(key: &[u8], data: &[u8]) -> Result<Vec<u8>> {
        let mut h = Self::new(key)?;
        h.update(data)?;
        h.finalize()
    }

    /// Constant-time verification of `tag` against `key` / `data`.
    pub fn verify(key: &[u8], data: &[u8], tag: &[u8]) -> Result<bool> {
        let expected = Self::mac(key, data)?;

        // Always iterate over the fixed, public digest length to avoid
        // timing variation when the caller supplies a shorter tag.
        let mut diff = 0u8;
        #[allow(clippy::needless_range_loop)] // Accessing both arrays with same index
        for i in 0..H::output_size() {
            let a = expected.get(i).copied().unwrap_or(0);
            let b = tag.get(i).copied().unwrap_or(0);
            diff |= a ^ b;
        }
        // Fold any length mismatch into the diff in a single operation.
        diff |= (tag.len() ^ H::output_size()) as u8;

        Ok(diff.ct_eq(&0u8).unwrap_u8() == 1)
    }
}

impl<H> SecureZeroingType for Hmac<H>
where
    H: HashFunction + Default + Clone,
{
    fn zeroed() -> Self {
        Self {
            hash: H::default(),
            ipad: SecretBuffer::zeroed(),
            opad: SecretBuffer::zeroed(),
            block_size: 0,
            is_finalized: false,
        }
    }

    fn secure_clone(&self) -> Self {
        Self {
            hash: self.hash.clone(),
            ipad: self.ipad.secure_clone(),
            opad: self.opad.secure_clone(),
            block_size: self.block_size,
            is_finalized: self.is_finalized,
        }
    }
}

#[cfg(test)]
mod tests;