Design for support of HMAC precomputed keys #1574

Merged: 31 commits, Jul 19, 2024

Conversation

@fabrice102 fabrice102 (Contributor) commented May 2, 2024

Issues:

N/A

Description of changes:

This commit implements an optimization of HMAC described in NIST-FIPS-198-1 (Section 6) and in RFC2104 (Section 4).

Instead of using the original key, it is possible to use a precomputed key consisting of two intermediate hashing results. Using this precomputed key removes at least two calls to the hash compression function when computing a HMAC value.

The first commit from May 06, 2024 is an initial design. As such, only SHA-256 is supported and all other hashes are disabled from HMAC. This makes some unit tests fail. Once this design is validated, we will add back the other hash functions in additional commits.

Changes:

Call-outs:

  • This commit adds a few fields to the methods field of the HMAC context. This slightly increases the size of the HMAC_context (by 24 bytes on a 64-bit architecture).

Testing:

Testing was added in two places:

  • the C++ test harness based on Google Test (file crypto/hmac_extra/hmac_test.cc)
  • the ACVP harness (file util/fipstools/acvp/modulewrapper/modulewrapper.cc)

To allow partial testing, we updated hmac_tests.txt to only contain the HMAC-SHA256 tests. The original file is hmac_tests_full.txt

Testing can be done in the CMake build folder using:

  • crypto/crypto_test --gtest_filter='*InitAndGetStateSHA256*:HMACTest.TestVectors' for the new/changed unit tests
  • ninja acvp_tests for the ACVP tests (failure is expected for anything using HMAC-xx where xx is not SHA-256)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

fabrice102 pushed a commit to fabrice102/aws-lc that referenced this pull request May 6, 2024
This commit provides a building block to implement HMAC with precomputed
keys from aws#1574.

It adds internal functions to export the state of SHA-256 and use such
exported state to initialize a SHA-256 context.

Once the design is reviewed and approved, we will add similar functions to
the other Merkle-Damgard hash functions (MD4, MD5, SHA-1, SHA-2).
Fabrice Benhamouda added 2 commits May 6, 2024 13:09
This commit provides a building block to implement HMAC with precomputed
keys from aws#1574.

It adds internal functions to export the state of SHA-256 and use such
exported state to initialize a SHA-256 context.

Once the design is reviewed and approved, we will add similar functions to
the other Merkle-Damgard hash functions (MD4, MD5, SHA-1, SHA-2).
This commit implements an optimization of HMAC described in
NIST-FIPS-198-1 (Section 6) and in RFC2104 (Section 4).

Instead of using the original key, it is possible to use a precomputed
key consisting of two intermediate hashing results. Using this
precomputed key removes at least two calls to the hash compression
function when computing a HMAC value.

As an initial design, only SHA-256 is supported and all other hashes are
disabled from HMAC. This makes some unit tests fail. Once this design is
validated, we will add back the other hash functions.

To allow partial testing, we updated hmac_tests.txt to only contain the
HMAC-SHA256 tests. The original file is hmac_tests_full.txt

Testing can be done in the CMake build folder using:

* `crypto/crypto_test --gtest_filter='HMACTest.TestVectors'`
  for the changed unit tests.
* `ninja acvp_tests` for the ACVP tests (failure is expected for
  anything using HMAC-xx where xx is not SHA-256).
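The precomputed-key optimization described in the PR description and again in the commit message above, shown as an added worked example. This is not code from the PR or from AWS-LC: it uses a minimal pure-Python SHA-256 so that the intermediate state after absorbing K XOR ipad and K XOR opad is visible (hashlib does not expose it), and every function name here (`precompute_key`, `finish`, `hmac_sha256_precomputed`, ...) is the example's own, not AWS-LC's API. A counter on the compression function makes the "two fewer compression calls" claim checkable, and both paths are cross-checked against the standard library.

```python
"""HMAC-SHA-256 with a precomputed key (FIPS 198-1 section 6, RFC 2104 section 4).
Added example, not code from the PR or from AWS-LC. A minimal pure-Python SHA-256
is used because hashlib does not expose the intermediate state; all names are
this example's own, not AWS-LC's API."""
import hashlib
import hmac
import struct

BLOCK = 64                       # SHA-256 block size in bytes
MASK = 0xffffffff
IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
CALLS = {"compress": 0}          # counts compression-function invocations


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state, block):
    """One SHA-256 compression: absorb a 64-byte block into the 8-word state."""
    CALLS["compress"] += 1
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))


def finish(state, absorbed, data):
    """Complete SHA-256 from an intermediate state that has already absorbed
    `absorbed` bytes. This is what exporting/importing the hash state enables."""
    total = absorbed + len(data)
    padded = data + b"\x80" + b"\x00" * ((55 - total) % BLOCK) + struct.pack(">Q", total * 8)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return struct.pack(">8L", *state)


def precompute_key(key):
    """Precomputed key = (inner, outer): the states after absorbing K^ipad and K^opad.
    Keys longer than one block are hashed first, exactly as in plain HMAC."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = compress(IV, bytes(b ^ 0x36 for b in key))
    outer = compress(IV, bytes(b ^ 0x5c for b in key))
    return inner, outer


def hmac_sha256_precomputed(precomputed, msg):
    """HMAC from the two stored states: no key block is hashed at MAC time."""
    inner, outer = precomputed
    return finish(outer, BLOCK, finish(inner, BLOCK, msg))


def hmac_sha256_plain(key, msg):
    """Textbook HMAC: re-absorbs both key blocks on every call."""
    return hmac_sha256_precomputed(precompute_key(key), msg)


def compressions_saved(key, msg):
    """Compression calls spent by plain HMAC minus those spent with a precomputed key."""
    CALLS["compress"] = 0
    hmac_sha256_plain(key, msg)
    plain = CALLS["compress"]
    pk = precompute_key(key)      # done once, outside the measured region
    CALLS["compress"] = 0
    hmac_sha256_precomputed(pk, msg)
    return plain - CALLS["compress"]


def matches_stdlib(key, msg):
    """Cross-check both paths against the standard library's HMAC."""
    expected = hmac.new(key, msg, "sha256").digest()
    return (hmac_sha256_plain(key, msg) == expected
            and hmac_sha256_precomputed(precompute_key(key), msg) == expected)


if __name__ == "__main__":
    key, msg = b"key", b"The quick brown fox jumps over the lazy dog"
    print(hmac_sha256_precomputed(precompute_key(key), msg).hex())
    print("compression calls saved per MAC:", compressions_saved(key, msg))
```

Two things worth noting from the example. First, the saving is exactly the two key-block compressions on every MAC, whatever the message length, which is why it matters most for short messages. Second, the pair of states is key material: anyone holding `(inner, outer)` can compute a valid tag for any message, so a precomputed key must be stored and zeroized with the same care as the original key.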
@nebeid nebeid left a comment


Some comments on the header files. Will continue reviewing the implementation.

Review comments on:
  • include/openssl/digest.h
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
@nebeid nebeid left a comment


I'm continuing to review hmac.c; I was focused on the state transition and will continue reviewing the new functions.

Review comments on:
  • include/openssl/digest.h
  • include/openssl/hmac.h
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • crypto/fipsmodule/hmac/internal.h (outdated)
  • crypto/fipsmodule/hmac/hmac.c
@nebeid nebeid left a comment


After you make changes, Fabrice, I'll spend more time on the new implementations in sha256.c and the tests.

Review comments on:
  • crypto/fipsmodule/hmac/hmac.c (outdated)
  • crypto/fipsmodule/hmac/hmac.c (outdated)
  • crypto/fipsmodule/hmac/hmac.c (outdated)
  • include/openssl/digest.h
  • crypto/fipsmodule/hmac/hmac.c
  • crypto/fipsmodule/sha/internal.h (outdated)
  • crypto/fipsmodule/sha/internal.h (outdated)
  • crypto/fipsmodule/sha/sha256.c (outdated)
@nebeid nebeid left a comment


I will review the tests shortly.

Review comment on:
  • include/openssl/hmac.h (outdated)

In many external API calls here, we're directly accessing ctx->state or other members of ctx without checking it's not null. I think we should handle this as was done in #1398. This can be its own PR.

Review comments on:
  • crypto/fipsmodule/hmac/internal.h (outdated)
  • crypto/fipsmodule/hmac/hmac.c
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • include/openssl/hmac.h (outdated)
  • crypto/fipsmodule/hmac/hmac.c
Fabrice Benhamouda added 2 commits June 14, 2024 16:14
1. Improve error management: add `OPENSSL_PUT_ERROR` when appropriate.
2. Change behaviour of `out_len` from `HMAC_get_precomputed_key` as per
review.
Review comments on:
  • include/openssl/hmac.h (outdated)
  • util/fipstools/acvp/modulewrapper/modulewrapper.cc (outdated)
  • crypto/fipsmodule/hmac/internal.h
  • crypto/hmac_extra/hmac_test.cc (outdated)
  • crypto/hmac_extra/hmac_test.cc (outdated)
fabrice102 and others added 5 commits June 14, 2024 18:38
Previous commits in this PR/branch were restricted to SHA-256 to verify
the design.

Restore the full HMAC tests, which were restricted to HMAC-SHA-256 in
a previous commit from this PR/branch.
@fabrice102 fabrice102 marked this pull request as ready for review July 11, 2024 20:17
@fabrice102 fabrice102 requested a review from a team as a code owner July 11, 2024 20:17
`crypto/err/hmac.errordata` generated using
`go run ./util/make_errors.go hmac`

CMakeLists file updated to add the errordata file.
Review comments on:
  • crypto/fipsmodule/sha/internal.h (outdated)
  • crypto/fipsmodule/hmac/hmac.c
pennyannn pushed a commit to awslabs/aws-lc-verification that referenced this pull request Jul 19, 2024
* Update HMAC proofs for PR aws/aws-lc#1574

HMAC precomputed keys PR aws/aws-lc#1574 adds fields to
`hmac_methods_st`, which made the original proof fail.

This commit updates the proof.

This is a breaking change: the updated proof only works
after PR aws/aws-lc#1574 is merged.

* Fix .gitmodules src to point to github.com/fabrice102/aws-lc

---------

Co-authored-by: Fabrice Benhamouda <[email protected]>
@nebeid nebeid merged commit 98ccf4a into aws:main Jul 19, 2024
101 of 103 checks passed
sgmenda-aws pushed a commit to sgmenda-aws/aws-lc that referenced this pull request Jul 23, 2024
This commit implements an optimization of HMAC described in NIST-FIPS-198-1 (Section 6) and in RFC2104 (Section 4).

Instead of using the original key, it is possible to use a precomputed key consisting of two intermediate hashing results. Using this precomputed key removes at least two calls to the hash compression function when computing a HMAC value.

Call-outs:
This commit adds a few fields to the methods field of the HMAC context. This slightly increases the size of the HMAC_context (by 24 bytes on a 64-bit architecture).
skmcgrail added a commit that referenced this pull request Aug 1, 2024
## What's Changed
* Added options to x509 tool by @ecdeye in #1696
* Add support to detect Neoverse V2 cores by @andrewhop in #1706
* Move OCSP functions for Ruby out of internal.h by @samuel40791765 in #1704
* Add aes-256-xts to EVP_get_cipherbyname by @torben-hansen in #1707
* Match using CMAKE_SYSTEM_PROCESSOR_LOWER by @justsmth in #1709
* Update MySQL to 9.0.0 by @skmcgrail in #1685
* [EC] Unify scalar multiplication for P-256/384/521 by @dkostic in #1693
* Adds const qualifier to ciphertext parameter in EVP_PKEY_decapsulate by @maddeleine in #1713
* Upstream merge 2024 06 24 by @nebeid in #1661
* NIST SP 800-108r1-upd1: KDF Counter Implementation by @skmcgrail in #1644
* Upstream merge 2024 07 09 by @nebeid in #1694
* Design for support of HMAC precomputed keys by @fabrice102 in #1574
* Fix for select point from table in ec_nistp scalar_mul by @dkostic in #1719
* X509toolcomparison by @ecdeye in #1714
* AWS-LC s2n-bignum update 2024-07-22 by @dkostic in #1718
* Add OpenVPN to CI by @smittals2 in #1705
* Lower required Go version, add CI test for specific version by @andrewhop in #1717
* ec2-test-framework enhancements and graviton 4 testing by @samuel40791765 in #1715
* sha + chacha: Move AArch64/X86-64 dispatching to C. by @justsmth in #1625
* Show number of pruned ec2 instances in dashboard by @samuel40791765 in #1728
* rsa and md5 tools by @ecdeye in #1722
* FIPS 203 IPD update: ML-KEM-IPD-768 and ML-KEM-IPD-1024 by @jakemas in #1724
* bump mysql CI to 9.0.1 by @samuel40791765 in #1727
* Support utility OCSP request functions by @samuel40791765 in #1708
* add support for OCSP_SINGLERESP functions by @samuel40791765 in #1703
fabrice102 pushed a commit to fabrice102/amazon-corretto-crypto-provider that referenced this pull request Aug 7, 2024
This commit adds support for HMAC Precomputed Keys in ACCP.
See aws/aws-lc#1574

This commit uses branch `hmac-precomputed-key-size-define` from
https://github.com/fabrice102/aws-lc
and thus cannot be merged as is.
It can only be merged once the above branch is merged to AWS-LC.
fabrice102 pushed a commit to fabrice102/amazon-corretto-crypto-provider that referenced this pull request Aug 28, 2024
This commit adds support for HMAC Precomputed Keys in ACCP.
See aws/aws-lc#1574
6 participants