Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. gcrypt
HMAC-SHA384/HMAC-SHA512 testng?
bradh at frogmouth
Apr 15, 2005, 6:22 PM
Post #1 of 6 (2607 views)
Permalink
Has anyone tested HMAC with SHA384 and SHA512?

I've tried the test vectors in
http://www.ietf.org/internet-drafts/draft-nystrom-smime-hmac-sha-00.txt
and they work for SHA-256, but almost identical code fails for SHA-384 and
SHA-512.

I contacted Magnus Nystrom, and he asked:
"Did you use blocksize = 128 for SHA-384 and SHA-512? It affects the key
padding."

I am passing the key data and actual length to gcry_md_setkey(). Is that
correct operation of HMAC within libgcrypt?

Brad
Re: HMAC-SHA384/HMAC-SHA512 testng? [ In reply to ]
bradh at frogmouth
Apr 18, 2005, 7:48 PM
Post #2 of 6 (2560 views)
Permalink
On Sat, 16 Apr 2005 11:22 am, Brad Hards wrote:
> Has anyone tested HMAC with SHA384 and SHA512?
>
> I've tried the test vectors in
> http://www.ietf.org/internet-drafts/draft-nystrom-smime-hmac-sha-00.txt
> and they work for SHA-256, but almost identical code fails for SHA-384 and
> SHA-512.
>
> I contacted Magnus Nystrom, and he asked:
> "Did you use blocksize = 128 for SHA-384 and SHA-512? It affects the key
> padding."
OK, I'm pretty confident that gcrypt is doing it wrong.

FIPS 180-2 section 5.1.2 says the blocksize is 128 bytes.

RFC2104 says that the padding should be blocksize.

src/md.c:prepare_macpads() is pretty much hardwired to 64byte blocks.
Similarly, md_open() and md_copy both malloc a fixed 128 bytes (for ipad and
opad).

I'm considering two options - an intrusive patch that adds a blocksize
function pointer to gcry_md_spec_t, and then working in terms of the
ctx->blocksize(), or alternatively a less intrusive, but much uglier special
casing (if algo == GCRY_MD_SHA384 || algo == GCRY_MD_SHA512). I'd prefer to
do the first, but the concern I have is that there might be external modules,
and if I change the size of gcry_md_spec_t, then they might break.

Thoughts? Help?

Brad
Re: HMAC-SHA384/HMAC-SHA512 testng? [ In reply to ]
mo at g10code
Apr 19, 2005, 8:05 AM
Post #3 of 6 (2552 views)
Permalink
Hello Brad,

thanks for your research; it will be fixed one way or another.

Moritz

--
Moritz Schulte
Re: HMAC-SHA384/HMAC-SHA512 testng? [ In reply to ]
bradh at frogmouth
Apr 19, 2005, 1:21 PM
Post #4 of 6 (2555 views)
Permalink
On Wed, 20 Apr 2005 01:05 am, Moritz Schulte wrote:
> thanks for your research; it will be fixed one way or another.
Is there any thing else I can do for this? For example, write a test case?

Brad
Re: HMAC-SHA384/HMAC-SHA512 testng? [ In reply to ]
wk at gnupg
Apr 20, 2005, 2:40 AM
Post #5 of 6 (2558 views)
Permalink
On Tue, 19 Apr 2005 17:05:35 +0200, Moritz Schulte said:

> thanks for your research; it will be fixed one way or another.

Thanks for your work. However to include this into libgcrypt the FSf
requires a copyright assignment or a disclaimer. If you can do so,
please contact me by private mail.

Thanks,

Werner
Re: HMAC-SHA384/HMAC-SHA512 testng? [ In reply to ]
wk at gnupg
Apr 20, 2005, 2:44 AM
Post #6 of 6 (2552 views)
Permalink
On Tue, 19 Apr 2005 12:48:37 +1000, Brad Hards said:

> OK, I'm pretty confident that gcrypt is doing it wrong.

Very likley. At the time I implemented the HMAC thing the SHA-2
algorithms were not known.

> I'm considering two options - an intrusive patch that adds a blocksize
> function pointer to gcry_md_spec_t, and then working in terms of the

We can't do this because it breaks the ABI.

ctx-> blocksize(), or alternatively a less intrusive, but much uglier special
> casing (if algo == GCRY_MD_SHA384 || algo == GCRY_MD_SHA512). I'd prefer to
> do the first, but the concern I have is that there might be external modules,
Yes, we need to do this hack. Which also means that external modules
requiring a blocksize other that 64 can't be used.


Shalom-Salam,

Werner

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal