Wrong hmac values from crypto_data_hash

Posting here to get attention to the issue that I filed :slight_smile: : Wrong hmac values when the key contains "null" bytes · Issue #170 · SWI-Prolog/packages-ssl · GitHub.

When crypto_data_hash is called with the hmac(Key) option, and when Key contains null bytes, the resulting value is wrong. That’s because the underlying C code treats the key as a C-string and uses strlen to calculate the key length. strlen thinks the key is terminated by the null byte.

The key can contain null bytes when the key is binary data, especially when the key is derived from key derivation functions such as scrypt, bcrypt, etc.

Would anyone familiar with the code base be kind enough to fix this? :slight_smile:

Pushed a fix. I don’t know much about the crypto predicates. The code suggests the key is expected to be a normal key without 0-bytes. Anyway, it works fine with 0-bytes now. The choice was between supporting them or raising an error when the key contains 0-bytes. Just returning the wrong result is not an option :slight_smile:


Woohoo! It was quick! Thank you, Jan.
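The truncation discussed in this thread, modeled as an added example that is not part of the original posts or of the SWI-Prolog code. Python's `hmac` module is the reference; `hmac_strlen_model` is a hypothetical stand-in for a binding that takes the key length from `strlen`, and the key and message are constructed samples.

```python
import hashlib
import hmac

def c_strlen(key: bytes) -> int:
    """Length as C's strlen() reports it: bytes before the first NUL."""
    nul = key.find(b"\x00")
    return len(key) if nul < 0 else nul

def hmac_explicit_len(key: bytes, data: bytes) -> str:
    """Reference behaviour: the whole key is used, NUL bytes included."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_strlen_model(key: bytes, data: bytes) -> str:
    """Model of the reported bug: key length derived with strlen()."""
    return hmac.new(key[:c_strlen(key)], data, hashlib.sha256).hexdigest()

def truncates_at_nul(hmac_fn) -> bool:
    """Regression check for any hmac_fn(key, data) -> hex digest.

    Returns True when key bytes after the first NUL have no effect.
    The bytes after the NUL must be non-zero: HMAC zero-pads keys shorter
    than the hash block size, so a key and the same key followed only by
    0x00 bytes legitimately give the same MAC.
    """
    data = b"regression-check"
    prefix = b"\x13\x37"
    k1 = prefix + b"\x00" + b"A" * 29
    k2 = prefix + b"\x00" + b"B" * 29
    return hmac_fn(k1, data) == hmac_fn(k2, data)

# Constructed 32-byte key shaped like KDF output, with a NUL at index 2.
SAMPLE_KEY = bytes.fromhex("a1b200" + "5c" * 29)
SAMPLE_MSG = b"message to authenticate"

if __name__ == "__main__":
    print("key length:", len(SAMPLE_KEY), "strlen:", c_strlen(SAMPLE_KEY))
    print("explicit length:", hmac_explicit_len(SAMPLE_KEY, SAMPLE_MSG))
    print("strlen model   :", hmac_strlen_model(SAMPLE_KEY, SAMPLE_MSG))
    print("model truncates    :", truncates_at_nul(hmac_strlen_model))
    print("reference truncates:", truncates_at_nul(hmac_explicit_len))
```

Under the modeled behaviour only the bytes before the first NUL contribute to the MAC, so a key that begins with a NUL byte is equivalent to the empty key.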