Wrong hmac values from crypto_data_hash

jinwoo · February 21, 2024, 2:23am

Posting here to get attentions to the issue that I filed : Wrong hmac values when the key contains "null" bytes · Issue #170 · SWI-Prolog/packages-ssl · GitHub.

When crypto_data_hash is called with the hmac(Key) option, and when Key contains null bytes, the resulting value is wrong. That’s because the underlying C code treats the key as a C-string and uses strlen to calculate the key length. strlen thinks the key is terminated by the null byte.

The key can contain null bytes when the key is a binary data, especially when the key is derived from key-derivation-functions such as scrypt, bcrypt, etc.

Would anyone familiar with the code base be kind enough to fix this?

jan · February 21, 2024, 8:48am

Pushed a fix. I don’t know much about the crypto predicates. The code suggests the key is expected to be a normal key without 0-bytes. Anyway, it works fine with 0-bytes now. The choice was between supporting them or raising an error when the key contains 0-bytes. Just returning the wrong result is not an option

jinwoo · February 21, 2024, 2:35pm

Woohoo! It was quick! Thank you, Jan.

Topic		Replies	Views
Issue with crypto HMAC Hash General bug	3	413	May 8, 2020
Creating terms with binary value Help! bug	2	290	December 27, 2022
Upgrade to 8.3.1 from 8.0.3 breaks crypto lib call General	9	515	June 19, 2020
SSL 3.0 : deprecation notices General	7	3484	November 14, 2022
Sha1 different results Help!	1	132	March 1, 2024

Wrong hmac values from crypto_data_hash

Related topics