Merge pull request #137 from mwpastore/hmac-sha512

Expose HMAC-SHA512 (with 64-byte keys)
RubyCrypto · May 7, 2016 · eb00790 · eb00790
2 parents dc1e8d1 + dfa0c1f
commit eb00790
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 9 deletions.
diff --git a/lib/rbnacl.rb b/lib/rbnacl.rb
@@ -67,9 +67,10 @@ class BadAuthenticatorError < CryptoError; end
   require "rbnacl/password_hash"
   require "rbnacl/password_hash/scrypt"
 
-  # HMAC: SHA256 and SHA512256
+  # HMAC: SHA256/512 and SHA512256
   require "rbnacl/hmac/sha256"
   require "rbnacl/hmac/sha512256"
+  require "rbnacl/hmac/sha512"
 
   #
   # Bind aliases used by the public API

diff --git a/lib/rbnacl/hmac/sha512.rb b/lib/rbnacl/hmac/sha512.rb
@@ -0,0 +1,42 @@
+# encoding: binary
+module RbNaCl
+  module HMAC
+    # Computes an authenticator as HMAC-SHA-512
+    #
+    # The authenticator can be used at a later time to verify the provenance of
+    # the message by recomputing the HMAC over the message and then comparing it to
+    # the provided authenticator.  The class provides methods for generating
+    # signatures and also has a constant-time implementation for checking them.
+    #
+    # This is a secret key authenticator, i.e. anyone who can verify signatures
+    # can also create them.
+    #
+    # @see http://nacl.cr.yp.to/auth.html
+    class SHA512 < Auth
+      extend Sodium
+
+      sodium_type :auth
+      sodium_primitive :hmacsha512
+      sodium_constant :BYTES
+      sodium_constant :KEYBYTES
+
+      sodium_function :auth_hmacsha512,
+                      :crypto_auth_hmacsha512,
+                      [:pointer, :pointer, :ulong_long, :pointer]
+
+      sodium_function :auth_hmacsha512_verify,
+                      :crypto_auth_hmacsha512_verify,
+                      [:pointer, :pointer, :ulong_long, :pointer]
+
+      private
+
+      def compute_authenticator(authenticator, message)
+        self.class.auth_hmacsha512(authenticator, message, message.bytesize, key)
+      end
+
+      def verify_message(authenticator, message)
+        self.class.auth_hmacsha512_verify(authenticator, message, message.bytesize, key)
+      end
+    end
+  end
+end
diff --git a/lib/rbnacl/self_test.rb b/lib/rbnacl/self_test.rb
@@ -91,7 +91,7 @@ def sha256_test
     end
 
     def hmac_test(klass, tag)
-      authenticator = klass.new(vector(:auth_key))
+      authenticator = klass.new(vector("auth_key_#{klass.key_bytes}".to_sym))
 
       message = vector :auth_message
 

diff --git a/lib/rbnacl/test_vectors.rb b/lib/rbnacl/test_vectors.rb
@@ -122,7 +122,9 @@ module RbNaCl
     # Auth test vectors
     # Taken from NaCl distribution
     #
-    auth_key:     "eea6a7251c1e72916d11c2cb214d3c252539121d8e234e652d651fa4c8cff880",
+    auth_key_32:  "eea6a7251c1e72916d11c2cb214d3c252539121d8e234e652d651fa4c8cff880",
+    auth_key_64:  "eaaa4c73ef13e7e9a53011304c5be141da9c3713b5ca822037ed57aded31b70a" \
+                  "50a0dd80843d580fe5b57e470bb534333e907a624cf02873c6b9eaba70e0fc7e",
     auth_message: "8e993b9f48681273c29650ba32fc76ce48332ea7164d96a4476fb8c531a1186a" \
                   "c0dfc17c98dce87b4da7f011ec48c97271d2c20f9b928fe2270d6fb863d51738" \
                   "b48eeee314a7cc8ab932164548e526ae90224368517acfeabd6bb3732bc0e9da" \
@@ -131,6 +133,8 @@ module RbNaCl
     auth_onetime: "f3ffc7703f9400e52a7dfb4b3d3305d9",
     # self-created (FIXME: find standard test vectors)
     auth_hmacsha256:    "7f7b9b707e8790ca8620ff94df5e6533ddc8e994060ce310c9d7de04d44aabc3",
-    auth_hmacsha512256: "b2a31b8d4e01afcab2ee545b5caf4e3d212a99d7b3a116a97cec8e83c32e107d"
+    auth_hmacsha512256: "b2a31b8d4e01afcab2ee545b5caf4e3d212a99d7b3a116a97cec8e83c32e107d",
+    auth_hmacsha512:    "b2a31b8d4e01afcab2ee545b5caf4e3d212a99d7b3a116a97cec8e83c32e107d" \
+                        "270e3921f69016c267a63ab4b226449a0dee0dc7dcb897a9bce9d27d788f8e8d"
   }.freeze
 end
diff --git a/spec/rbnacl/hmac/sha512_spec.rb b/spec/rbnacl/hmac/sha512_spec.rb
@@ -0,0 +1,8 @@
+# encoding: binary
+require "spec_helper"
+
+RSpec.describe RbNaCl::HMAC::SHA512 do
+  let(:tag) { vector :auth_hmacsha512 }
+
+  include_examples "authenticator"
+end
diff --git a/spec/shared/authenticator.rb b/spec/shared/authenticator.rb
@@ -1,6 +1,6 @@
 # encoding: binary
 RSpec.shared_examples "authenticator" do
-  let(:key)     { vector :auth_key }
+  let(:key)     { vector "auth_key_#{described_class.key_bytes}".to_sym }
   let(:message) { vector :auth_message }
 
   context ".new" do
@@ -17,11 +17,11 @@
     end
 
     it "raises ArgumentError on a key which is too long" do
-      expect { described_class.new("\0" * 33) }.to raise_error(ArgumentError)
+      expect { described_class.new("\0" * described_class.key_bytes.succ) }.to raise_error(ArgumentError)
     end
 
     it "raises ArgumentError on a key which is too short" do
-      expect { described_class.new("\0" * 31) }.to raise_error(ArgumentError)
+      expect { described_class.new("\0" * described_class.key_bytes.pred) }.to raise_error(ArgumentError)
     end
   end
 
@@ -35,7 +35,7 @@
     end
 
     it "raises ArgumentError on a key which is too long" do
-      expect { described_class.auth("\0" * 33, message) }.to raise_error(ArgumentError)
+      expect { described_class.auth("\0" * described_class.key_bytes.succ, message) }.to raise_error(ArgumentError)
     end
   end
 
@@ -49,7 +49,7 @@
     end
 
     it "raises ArgumentError on a key which is too long" do
-      expect { described_class.verify("\0" * 33, tag, message) }.to raise_error(ArgumentError)
+      expect { described_class.verify("\0" * described_class.key_bytes.succ, tag, message) }.to raise_error(ArgumentError)
     end
 
     it "fails to validate an invalid authenticator" do