This is an automated email from the ASF dual-hosted git repository.
fdcavalcanti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/master by this push:
new 4775f5ba219 xtensa/esp32: Fix HMAC-SHA when a long key is used When
using a key that is longer than the block size of the hashing algorithm used,
the key must be hashed before it is used.
4775f5ba219 is described below
commit 4775f5ba219caf7c05f423c7f1a983aa8b3f85e6
Author: Vlad Pruteanu <[email protected]>
AuthorDate: Mon Feb 23 22:50:55 2026 +0200
xtensa/esp32: Fix HMAC-SHA when a long key is used
When using a key that is longer than the block size of the hashing
algorithm used, the key must be hashed before it is used.
Signed-off-by: Vlad Pruteanu <[email protected]>
---
arch/xtensa/src/esp32/esp32_crypto.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/arch/xtensa/src/esp32/esp32_crypto.c
b/arch/xtensa/src/esp32/esp32_crypto.c
index 4859df6dfe0..3b831c751c1 100644
--- a/arch/xtensa/src/esp32/esp32_crypto.c
+++ b/arch/xtensa/src/esp32/esp32_crypto.c
@@ -98,7 +98,7 @@ const struct auth_hash g_auth_hash_sha2_512_esp32 =
const struct auth_hash g_auth_hash_hmac_sha1_esp32 =
{
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
- 20, 20, 12, sizeof(struct esp32_sha_context_s),
+ HMAC_SHA1_BLOCK_LEN, 20, 12, sizeof(struct esp32_sha_context_s),
HMAC_SHA1_BLOCK_LEN,
sha1_init, NULL, NULL,
sha_update,
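Review bot: The first numeric field of both HMAC descriptors (this one and g_auth_hash_hmac_sha256_esp32 in the next hunk) now carries the block length instead of the digest length, and nothing at the table says why. Judging from the `axf->keysize` comparison added in esp32_newsession, this field appears to be the key-length limit above which the key is hashed first. A short comment above each initializer, such as `/* keysize: keys longer than the block are hashed first */`, would keep a later edit from restoring 20/32. If other code reads keysize as a required or default key length, that reader should be checked against the new value. The initializer continues past the end of the hunk.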
@@ -108,7 +108,7 @@ const struct auth_hash g_auth_hash_hmac_sha1_esp32 =
const struct auth_hash g_auth_hash_hmac_sha256_esp32 =
{
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
- 32, 32, 16, sizeof(struct esp32_sha_context_s),
+ HMAC_SHA2_256_BLOCK_LEN, 32, 16, sizeof(struct esp32_sha_context_s),
HMAC_SHA2_256_BLOCK_LEN,
sha256_init, NULL, NULL,
sha_update,
@@ -495,6 +495,19 @@ static int esp32_newsession(uint32_t *sid, struct
cryptoini *cri)
return -ENOBUFS;
}
+ /* If the key is too long, hash it first using ictx */
+
+ if (cri->cri_klen / 8 > axf->keysize)
+ {
+ axf->init(data->hw_ictx);
+ axf->update(data->hw_ictx,
+ (FAR uint8_t *)cri->cri_key,
+ cri->cri_klen / 8);
+ axf->final((unsigned char *)cri->cri_key,
+ data->hw_ictx);
+ cri->cri_klen = axf->hashsize * 8;
+ }
+
for (k = 0; k < cri->cri_klen / 8; k++)
{
cri->cri_key[k] ^= HMAC_IPAD_VAL;
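Review bot: The pre-hash condition `cri->cri_klen / 8 > axf->keysize` tests the keysize field, so it is correct only while every descriptor keeps keysize equal to the block length. HMAC hashes a key first only when it exceeds the block size, so comparing against the block size field directly, `if (cri->cri_klen / 8 > axf->blocksize)`, removes that coupling. The digest is also written back into `cri->cri_key` and `cri->cri_klen` is rewritten, so the caller's cryptoini no longer holds the key it passed in; if that is intended, the comment should say so, e.g. `/* Key longer than the block: replace it in place with its digest (caller's cri is modified) */`. The return value of `axf->update` is not checked here, which matters if the hardware SHA path can fail; that is not visible from the hunk. esp32_newsession starts and ends outside the hunk.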