HMAC bug

[MiquelFire]

Just downloaded the Konfabulator Widget today to get that a whirl for a desktop app. As a test, I used the online version (which I downloaded) and the Firefox extension 0.7.3 (the Firefox updater is being slow it seems...) to see if I can make a matching configuration. Thing is, it seems there's a bug with the url line and HMAC generation. Not sure on why this is, but the widget comes up with a different password than the other two. As of now, this puts me in a position where I can't switch (I need a desktop app that starts quick for my use)

[Eric H. Jung]

Hi MiquelFire,

(I need a desktop app that starts quick for my use)

Firstly, let me tell you that there will shortly be other desktop options beside the Konfabulator widget and downloaded HTML page.

Thing is, it seems there's a bug with the url line and HMAC generation. Not sure on why this is, but the widget comes up with a different password than the other two

Do you happen to be using HMAC-MD5? If not, can you tell me which HMAC you are using? Also you mentioned a bug in the URL line. What do you mean by that (besides not getting the right password)? What kind of bug?

Looking forward to your reply,
Eric

[Guest]

I tested with all (I plan on using the MD5 one) but it seems the HMAC part of all methods seems broken somehow. The only time I seem to get the correct password is if the url box is completely blank. I was able to look at the code and I didn't see anything right away that would be an issue.

[Miquel 'Fire' Burns]

Whoops, fastreply didn't have a name field. I just signed up for e-mail notification anyway

[Eric H. Jung]

Ok, I will take a look this weekend and post back here. Thanks for the heads-up. If you plan on using MD5, I recommend the 0.6 version, which retains leading zeros. The other version may shortly be removed because it's not "true MD5".

[Eric H. Jung]

Hi, miquelfire,
I cannot reproduce this. Can you provide a screenshot? Here's are screenshots I took showing all the HMACs. Click on one to see a larger image. Are you sure password length isn't zero?


 

 

 


Regards,
Eric

[quixin]

Eric,  I see the same problem.  See this screenshot.  On all HMAC Hash Algs.

[Eric H. Jung]

Oh, I thought he said he didn't get any values at all for HMAC... now I see he's saying he's getting values, but they aren't correct. Thanks for the clarification. I'm on it.

[Eric H. Jung]

Hi,
This has been fixed in PasswordMaker for Konfabulator version 1.1. You can download it here.

Regards,
Eric

[Miquel 'Fire' Burns]

Thanks.