[Swan-dev] HMAC_BUFSIZE

Andrew Cagney andrew.cagney at gmail.com
Thu Jul 23 19:53:42 EEST 2015 

Did you consider deleting most of the macros (and instead in-lining
the values used to constructing 'struct hash_desc' entries)?
It would help take away some of the temptation to use those macros
when code should be using 'struct hash_desc' fields.

I guess MAX_HMAC_BLOCKSIZE (paired with passert(hash_desc->xxx <=
MAX_HMAC_BLOCKSIZE)) is a convenience we live with.

BTW,  I've only found one case where a specific hash algorithm is
called for: when detecting NAT.  In IKEv1 MD5 is specified, in IKEv2
it's SHA1.  But even there 'struct hash_desc' can be used (and from
memory it is).

Either way, a definite improvement.

On 19 July 2015 at 00:08, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> There is a macro called HMAC_BUFSIZE, defined to be 64.  It is a number of
> bytes to be used somehow in HMAC.  The comment before its definition says
> to see RFC 2104.
>
> In RFC 2104, the 64-byte size is used as "B" for all of the listed hashing
> functions (but nothing constrains future hashing functions).  B is
> described here:
>
> 2. Definition of HMAC
>
>    The definition of HMAC requires a cryptographic hash function, which
>    we denote by H, and a secret key K. We assume H to be a cryptographic
>    hash function where data is hashed by iterating a basic compression
>    function on blocks of data.   We denote by B the byte-length of such
>    blocks (B=64 for all the above mentioned examples of hash functions),
>    and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
>    SHA-1).  The authentication key K can be of any length up to B, the
>    block length of the hash function.  Applications that use keys longer
>    than B bytes will first hash the key using H and then use the
>    resultant L byte string as the actual key to HMAC. In any case the
>    minimal recommended length for K is L bytes (as the hash output
>    length). See section 3 for more information on keys.
>
> HMAC_BUFSIZE seems to be a bad name for B.  It should be HMAC_BLOCKSIZE.
>
> But it is incorrect for some SHA2 HMACs defined in RFC 4868.
> For those, our code used HMAC_BUFSIZE * 2 -- pretty odd.
> These were introduced in commit 6ed03ba7959f5c224a07866ab55f5f6f41280636.
>
> I've replaced each use of HMAC_BUFSIZE with one of
>         HMAC_RFC2104_BLOCKSIZE,
>         HMAC_SHA256_BLOCKSIZE, or
>         HMAC_SHA512_BLOCKSIZE.
>
> The one other use is include/secrets.h:61:
>         unsigned char ckaid[HMAC_BUFSIZE];      /* ckaid for use in NSS */
> I've used HMAC_RFC2104_BLOCKSIZE but have no idea how to figure out if
> that is a reasonable bound.  I've put in passerts to check for buffer
> overrun.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list