PasswordMaker Forums
February 09, 2010, 12:28:07 PM *
Topic: Bug in HMAC-SHA-256
asgeirn
Guest
« on: November 26, 2005, 09:48:00 AM »

I've discovered a small copy/paste bug in the rstr_hmac_sha256 function in sha256.js from the passwordmaker.zip downloadable version.

At the end of the function, where the opad is mixed with the ipad hash, the code reads:
Code:
return PasswordMaker_HashUtils.binb2rstr(this.binb_sha256(opad.concat(hash), 512 + 160));

However, since SHA-256 is 256 bits, the line should read:
Code:
return PasswordMaker_HashUtils.binb2rstr(this.binb_sha256(opad.concat(hash), 512 + 256));

I've confirmed this by comparing Paul Johnston's HMAC-MD5 and HMAC-SHA-1 versions.

-- Asgeir
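
The following is an added example, not part of the original post and not PasswordMaker's code. It builds HMAC-SHA-256 per RFC 2104 on Node's built-in SHA-256 and checks it against RFC 4231 test case 2, the kind of known-answer test that catches a wrong outer-hash length. The names hmacSha256, innerBits and selfTest are hypothetical, and the 160-bit variant is a simplified model that truncates the inner digest; the exact bytes the buggy sha256.js routine produced depend on its padding code, which the post does not show.

```javascript
const crypto = require('crypto');

const BLOCK_BYTES = 64; // SHA-256 block size: the "512" in the quoted line

function sha256(buf) {
  return crypto.createHash('sha256').update(buf).digest();
}

// innerBits: how many bits of the inner digest the outer hash consumes.
// 256 is correct for SHA-256; 160 is the SHA-1 digest size from the post.
// Assumption: the wrong length is modelled as plain truncation.
function hmacSha256(key, data, innerBits = 256) {
  let k = Buffer.from(key);
  if (k.length > BLOCK_BYTES) k = sha256(k); // long keys are hashed first
  k = Buffer.concat([k, Buffer.alloc(BLOCK_BYTES - k.length)]); // zero-pad
  const ipad = Buffer.from(k.map((b) => b ^ 0x36));
  const opad = Buffer.from(k.map((b) => b ^ 0x5c));
  const inner = sha256(Buffer.concat([ipad, Buffer.from(data)]));
  const outerInput = Buffer.concat([opad, inner.subarray(0, innerBits / 8)]);
  return sha256(outerInput).toString('hex');
}

// Known-answer test vector: RFC 4231, test case 2.
const RFC4231_TC2 = {
  key: 'Jefe',
  data: 'what do ya want for nothing?',
  mac: '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843',
};

// Returns true only if the given HMAC function reproduces the RFC value.
function selfTest(hmac) {
  return hmac(RFC4231_TC2.key, RFC4231_TC2.data) === RFC4231_TC2.mac;
}

// Same routine with the SHA-1 length substituted, as in the reported line.
const wrongLength = (k, d) => hmacSha256(k, d, 160);

console.log('256-bit inner length passes KAT:', selfTest(hmacSha256));
console.log('160-bit inner length passes KAT:', selfTest(wrongLength));
```

Both variants are deterministic, so an implementation with the wrong length agrees with itself everywhere it is deployed; only a comparison against a published vector or an independent implementation exposes it.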
Eric H. Jung
grimholtz
Administrator
« Reply #1 on: November 26, 2005, 01:46:43 PM »

Hi asgeirn,

Thanks for reporting this. Pedro Gimeno also reported this in IRC chat about a week ago. However, it exists in all PasswordMaker editions -- not just the passwordmaker.zip downloadable version. So although it's a bug, the consistency of the bug means password generation is also consistent across all editions.

Very shortly, PasswordMaker versions will be released which fix the bug and give users the option of selecting the old SHA-256 (buggy) algorithm or the new one. This was also done with MD-5, so you'll see "MD-5" and "MD-5 Version 0.6" in the algorithm list. Eventually, the buggy algorithms will be removed altogether.

Thanks again,
Eric