HMAC-SHA384/HMAC-SHA512 testng?
Brad Hards
bradh at frogmouth.net
Tue Apr 19 04:48:37 CEST 2005
On Sat, 16 Apr 2005 11:22 am, Brad Hards wrote:
> Has anyone tested HMAC with SHA384 and SHA512?
>
> I've tried the test vectors in
> http://www.ietf.org/internet-drafts/draft-nystrom-smime-hmac-sha-00.txt
> and they work for SHA-256, but almost identical code fails for SHA-384 and
> SHA-512.
>
> I contacted Magnus Nystrom, and he asked:
> "Did you use blocksize = 128 for SHA-384 and SHA-512? It affects the key
> padding."
OK, I'm pretty confident that gcrypt is doing it wrong.
FIPS 180-2 section 5.1.2 says the blocksize is 128 bytes.
RFC2104 says that the padding should be blocksize.
src/md.c:prepare_macpads() is pretty much hardwired to 64byte blocks.
Similarly, md_open() and md_copy both malloc a fixed 128 bytes (for ipad and
opad).
I'm considering two options - an intrusive patch that adds a blocksize
function pointer to gcry_md_spec_t, and then working in terms of the
ctx->blocksize(), or alternatively a less intrusive, but much uglier special
casing (if algo == GCRY_MD_SHA384 || algo == GCRY_MD_SHA512). I'd prefer to
do the first, but the concern I have is that there might be external modules,
and if I change the size of gcry_md_spec_t, then they might break.
Thoughts? Help?
Brad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050419/120cd567/attachment.pgp
More information about the Gcrypt-devel
mailing list