Re: A bug in rfc2104.el



Shuhei KOBAYASHI <shuhei@aqua.ocn.ne.jp> writes:

> It seems that the `hash' argument of `rfc2104-hash' is expected to be
> a hash function which returns a hash value in _hexadecimal_ form.
> 
> But, in case of "(> (length key) block-length)", `rfc2104-hash' forgets
> to convert HASH(key) to binary form, and returns wrong HMAC value.
> 
> p.s.
> Using hexadecimal form of HMAC-MD5 value is part of CRAM-MD5, not part
> of HMAC. (For example, SCRAM-MD5 uses binary form of HMAC-MD5 value.)

Yes. Hadn't realized that when I wrote the code.

As I don't have a server to test this against, and nnimap will
probably use Cyrus SASL for (S)CRAM-MD5 in a not-so-far-away future, I
don't think I'll be updating the rfc2104 library any more. I'm
accepting patches for it, of course.
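
The long-key case reported above, as an added example that is not part of the original thread and not code from rfc2104.el: a Python sketch of RFC 2104 HMAC-MD5 in which the hypothetical `hex_long_key` flag reproduces the described behaviour (hexadecimal text of HASH(key) used as the key) and is checked against Python's standard `hmac` module. The key and text values are constructed.

```python
import hashlib
import hmac

BLOCK_LENGTH = 64  # MD5 block size in bytes


def hmac_md5(key: bytes, text: bytes, hex_long_key: bool = False) -> bytes:
    """RFC 2104 HMAC-MD5, returning the binary (16-byte) value.

    hex_long_key=True reproduces the reported failure mode: a key longer
    than the block length is replaced by the 32-character hexadecimal text
    of MD5(key) instead of its 16 raw bytes.
    """
    if len(key) > BLOCK_LENGTH:
        digest = hashlib.md5(key)
        if hex_long_key:
            key = digest.hexdigest().encode("ascii")  # wrong: hex form
        else:
            key = digest.digest()                     # right: binary form
    key = key.ljust(BLOCK_LENGTH, b"\x00")            # zero-pad to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + text).digest()
    return hashlib.md5(opad + inner).digest()


def compare(key: bytes, text: bytes) -> dict:
    """Check both variants against the standard library's HMAC."""
    reference = hmac.new(key, text, hashlib.md5).digest()
    return {
        "binary_key_ok": hmac.compare_digest(hmac_md5(key, text), reference),
        "hex_key_ok": hmac.compare_digest(hmac_md5(key, text, True), reference),
        # CRAM-MD5 sends the hex form; the HMAC value itself is binary.
        "cram_md5_form": hmac_md5(key, text).hex(),
    }


# Constructed sample inputs (not taken from the thread).
SHORT_KEY = b"constructed-short-key"                  # 21 bytes, <= block length
LONG_KEY = b"k" * 80                                  # 80 bytes, > block length
TEXT = b"<constructed.challenge@example.org>"

if __name__ == "__main__":
    for name, key in (("short key", SHORT_KEY), ("long key", LONG_KEY)):
        print(name, compare(key, TEXT))
```

Keys at or below the block length never take the hashing branch, so a test suite that uses only short keys passes with either variant.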