RFC Errata
RFC 4634, "US Secure Hash Algorithms (SHA and HMAC-SHA)", July 2006
Note: This RFC has been obsoleted by RFC 6234
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 2435
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Alfred Hoenes
Date Reported: 2006-08-13
Held for Document Update by: Sean Turner
Date Held: 2010-08-06
Section 8.2.3 says:

Within the '#ifdef USE_32BIT_ONLY' macro definition branch of the file, on mid-page 50 the RFC says:

   /*
    * add "length" to the length
    */
   static uint32_t addTemp[4] = { 0, 0, 0, 0 };
   #define SHA384_512AddLength(context, length) (                        \
       addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
       (context)->Corrupted = (((context)->Length[3] == 0) &&            \
          ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
          ((context)->Length[0] < 8)) ? 1 : 0 )

It should say:

   /*
    * add "length" to the length; flag a wrap past 2^128 bits
    */
   static uint32_t addTemp[4] = { 0, 0, 0, 0 };
   #define SHA384_512AddLength(context, length) (                        \
       addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
       (context)->Corrupted = (((context)->Length[3] < addTemp[3]) &&    \
          ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
          ((context)->Length[0] == 0)) ? shaInputTooLong : shaSuccess )

Rationale:

The context words Length[0] ... Length[3] represent the unsigned 128-bit-wide running (bit-)length of the message text hashed so far, in most-significant word first order. The code fragment above is intended to add to this value the unsigned 32-bit value (uint32_t) length, and to detect overflow (to 2^128 and above). The given code is wrong. (Apparently it has never been tested with messages long enough to exhibit this misbehaviour.)

Other parts of the sample code show how this can be done correctly in the case of long accumulators consisting of two 32-bit words -- cf. the code snippets in item (7) and (14) above, and item (27) below, as well. The replacement code corrects this issue.

Furthermore, the original code suffers from the same problem as in item (7) and (14) above; this has been corrected accordingly, as well.
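The following C program is an added illustration of the erratum's point and is not part of the erratum text or of the RFC's sample code. It reimplements only what the length bookkeeping needs: a hypothetical cut-down context (LenCtx) holding the four most-significant-first 32-bit words of the running bit count, a function addto4() standing in for the RFC's SHA512_ADDTO4 macro, and the status enum in the order the RFC's sha.h declares it. It then runs the overflow test as printed on page 50 beside the corrected test on constructed counter states, showing the original both flagging a legitimate message that merely crosses 2^96 bits and missing a real wrap past 2^128 that does not land exactly on zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Status codes, ordered as in the RFC's sha.h enum. */
enum { shaSuccess = 0, shaNull, shaInputTooLong, shaStateError, shaBadParam };

/* Hypothetical cut-down context: only the length bookkeeping of the
 * USE_32BIT_ONLY branch. Length[0] is the most significant 32-bit word,
 * Length[3] the least significant (a bit count, not a byte count). */
typedef struct {
    uint32_t Length[4];
    int      Corrupted;
} LenCtx;

/* 128-bit add with carry propagation from Length[3] up to Length[0];
 * a function standing in for the RFC's SHA512_ADDTO4 macro. The carry
 * out of Length[0] is simply dropped, i.e. the add is modulo 2^128. */
static void addto4(uint32_t acc[4], const uint32_t add[4])
{
    uint32_t carry = 0;
    for (int i = 3; i >= 0; i--) {
        uint64_t sum = (uint64_t)acc[i] + add[i] + carry;
        acc[i] = (uint32_t)sum;
        carry  = (uint32_t)(sum >> 32);
    }
}

/* The overflow test as printed on page 50 of RFC 4634. It asks whether the
 * counter is "small" after the add, which says nothing about whether a
 * carry left the top word. */
static int add_length_rfc4634(LenCtx *ctx, uint32_t length)
{
    uint32_t addTemp[4] = { 0, 0, 0, length };
    addto4(ctx->Length, addTemp);
    ctx->Corrupted = ((ctx->Length[3] == 0) && (ctx->Length[2] == 0) &&
                      (ctx->Length[1] == 0) && (ctx->Length[0] < 8)) ? 1 : 0;
    return ctx->Corrupted;
}

/* Corrected test following the erratum's reasoning: a modular 128-bit add
 * wrapped past 2^128 exactly when the low word ends up smaller than the
 * addend and the carry ran through every upper word, leaving them zero. */
static int add_length_fixed(LenCtx *ctx, uint32_t length)
{
    uint32_t addTemp[4] = { 0, 0, 0, length };
    addto4(ctx->Length, addTemp);
    ctx->Corrupted = ((ctx->Length[3] < length) && (ctx->Length[2] == 0) &&
                      (ctx->Length[1] == 0) && (ctx->Length[0] == 0))
                     ? shaInputTooLong : shaSuccess;
    return ctx->Corrupted;
}

/* Start from a chosen 128-bit bit count (w0 most significant), add one
 * block's worth of bits, and return the Corrupted value the chosen check sets. */
static int run_case(uint32_t w0, uint32_t w1, uint32_t w2, uint32_t w3,
                    uint32_t length, int use_fixed)
{
    LenCtx ctx = { { w0, w1, w2, w3 }, shaSuccess };
    return use_fixed ? add_length_fixed(&ctx, length)
                     : add_length_rfc4634(&ctx, length);
}

int main(void)
{
    /* Constructed counter states: 0xFFFFFE00 + 512 carries out of the low word. */
    struct { const char *what; uint32_t w[4]; uint32_t len; } cases[] = {
        { "first block of a message",        { 0, 0, 0, 0 }, 512 },
        { "crossing 2^96 bits, no overflow", { 0, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFE00u }, 512 },
        { "wrap past 2^128 to exactly 0",    { 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFE00u }, 512 },
        { "wrap past 2^128 to 512",          { 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFE00u }, 1024 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const uint32_t *w = cases[i].w;
        printf("%-34s RFC4634=%d fixed=%d\n", cases[i].what,
               run_case(w[0], w[1], w[2], w[3], cases[i].len, 0),
               run_case(w[0], w[1], w[2], w[3], cases[i].len, 1));
    }
    return 0;
}
```

The second case is the false positive: the counter becomes {1,0,0,0}, the page-50 test sees three zero words and a top word below 8 and reports corruption for a message of 2^96 bits. The fourth case is the false negative: the counter wraps to {0,0,0,512}, the low word is non-zero, and the original test stays silent while the corrected one returns shaInputTooLong. One caveat on the proposed replacement: writing shaSuccess in the no-overflow branch clears any error recorded earlier in the context; the code that replaced this in RFC 6234 keeps the previous value of Corrupted there instead.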