HMAC-SHA384/HMAC-SHA512 testing?

Brad Hards bradh at frogmouth.net
Tue Apr 19 04:48:37 CEST 2005


On Sat, 16 Apr 2005 11:22 am, Brad Hards wrote:
> Has anyone tested HMAC with SHA384 and SHA512?
>
> I've tried the test vectors in
> http://www.ietf.org/internet-drafts/draft-nystrom-smime-hmac-sha-00.txt
> and they work for SHA-256, but almost identical code fails for SHA-384 and
> SHA-512.
>
> I contacted Magnus Nystrom, and he asked:
> "Did you use blocksize = 128 for SHA-384 and SHA-512? It affects the key
> padding."

OK, I'm pretty confident that gcrypt is doing it wrong.

FIPS 180-2 section 5.1.2 says the blocksize is 128 bytes.

RFC2104 says that the padding should be blocksize.

src/md.c:prepare_macpads() is pretty much hardwired to 64-byte blocks. 
Similarly, md_open() and md_copy both malloc a fixed 128 bytes (for ipad and 
opad).

I'm considering two options - an intrusive patch that adds a blocksize 
function pointer to gcry_md_spec_t, and then working in terms of the 
ctx->blocksize(), or alternatively a less intrusive, but much uglier special 
casing (if algo == GCRY_MD_SHA384 || algo == GCRY_MD_SHA512). I'd prefer to 
do the first, but the concern I have is that there might be external modules, 
and if I change the size of gcry_md_spec_t, then they might break.

Thoughts? Help?

Brad
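
The block-size issue described in the message above, as an added example that is not part of the original message and is not libgcrypt code: an RFC 2104 HMAC with the block size passed explicitly, checked against Python's `hmac` module as the reference. The function names `rfc2104_hmac` and `compare` are hypothetical and the key and message values are constructed.

```python
import hashlib
import hmac

def rfc2104_hmac(hash_name, key, msg, block_size):
    """HMAC as defined in RFC 2104, with the block size B passed explicitly."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    # Keys longer than B are hashed first; the result is zero-padded to B bytes.
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))

def compare(hash_name, key, msg, assumed_block_size):
    """Return (matches_reference, real_block_size) for an assumed B."""
    real = hashlib.new(hash_name).block_size
    reference = hmac.new(key, msg, hash_name).digest()
    got = rfc2104_hmac(hash_name, key, msg, assumed_block_size)
    return got == reference, real

# Constructed sample inputs (not the test vectors from the draft).
SHORT_KEY = b"\x0b" * 20
LONG_KEY = b"\xaa" * 100   # longer than 64 bytes, shorter than 128
MSG = b"sample message"

if __name__ == "__main__":
    for name in ("sha256", "sha384", "sha512"):
        for label, key in (("short key", SHORT_KEY), ("100-byte key", LONG_KEY)):
            ok64, real = compare(name, key, MSG, 64)
            ok_real, _ = compare(name, key, MSG, real)
            print(f"{name:7} B={real:3} {label:13} "
                  f"hardwired-64: {'ok' if ok64 else 'MISMATCH'}  "
                  f"per-hash B: {'ok' if ok_real else 'MISMATCH'}")
```

With a hardwired 64-byte block, SHA-256 still matches while SHA-384 and SHA-512 mismatch for every key, because the ipad/opad blocks fed to the hash are half the required length; the 100-byte key additionally gets pre-hashed when it should not be.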


More information about the Gcrypt-devel mailing list