PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Bugs => Topic started by: Miquel 'Fire' Burns on July 23, 2007, 03:15:11 AM

Title: Possible bug with Fingerprint storage
Post by: Miquel 'Fire' Burns on July 23, 2007, 03:15:11 AM
I installed the latest beta offered for download (that I downloaded anyway) to test some RDF stuff to see if anything in the editions I maintain might need to be updated, but to figure out how the hash function worked, I looked at the code and noticed this line:
Code:
var hash = PasswordMaker_SHA256.rstr_sha256(clearTextMasterPassword, salt);
Yea, it's fine by itself, but look at the prototype of the function it calls:
Code:
rstr_sha256 : function(s)
That salt is just wasting space it seems. So either remove the salt stuff, or use HMAC (and try to use the any_hmac_sha256: function(k, d, e) instead). (Actually, it would reduce this one function to one line, which could remove the function for now.)

[edit] There's a possible localization bug as well. I'll look into it more later, but the "Quit/Exit" option is missing its label, just the keyboard shortcut is there. Advanced options, I believe.
Title: Re: Possible bug with Fingerprint storage
Post by: Eric H. Jung on August 26, 2007, 09:26:39 PM
I looked at the code and noticed this line:
Code:
var hash = PasswordMaker_SHA256.rstr_sha256(clearTextMasterPassword, salt);
Yea, it's fine by itself, but look at the prototype of the function it calls:
Code:
rstr_sha256 : function(s)
That salt is just wasting space it seems. So either remove the salt stuff, or use HMAC (and try to use the any_hmac_sha256: function(k, d, e) instead). (Actually, it would reduce this one function to one line, which could remove the function for now.)

[edit] There's a possible localization bug as well. I'll look into it more later, but the "Quit/Exit" option is missing its label, just the keyboard shortcut is there. Advanced options, I believe.

Both of these are now fixed. The "Close" button was fixed in a previous beta, but the other bug with the salt not being used was just fixed today. I had to change the name of the RDF subjects used in passwordmaker.rdf for mpwHash and mpwSalt (changed to mpwHash2 and mpwSalt2) because the new algorithm to calculate the hashes isn't compatible with the old version (i.e., the non-salted version that was used before I fixed this problem).
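
The bug discussed in this thread, as an added example that is not part of the original posts and is not PasswordMaker's code: a one-parameter hash function silently ignores a salt passed as a second argument, so every salt yields the same fingerprint. Node's crypto module stands in for the extension's SHA-256 library, all function names are hypothetical, and using the salt as the HMAC key is an assumption.

```javascript
// Added example, not PasswordMaker's code. Function names are hypothetical.
const { createHash, createHmac, timingSafeEqual } = require('node:crypto');

// Same shape as the prototype quoted in the thread: one declared parameter.
function sha256OneArg(s) {
  return createHash('sha256').update(s, 'utf8').digest('hex');
}

// Buggy call pattern: JavaScript drops the extra argument without any error,
// so the salt never reaches the hash.
function fingerprintUnsalted(masterPassword, salt) {
  return sha256OneArg(masterPassword, salt);
}

// Salted variant: HMAC-SHA256 over the password (assumption: salt is the key).
function fingerprintSalted(masterPassword, salt) {
  return createHmac('sha256', salt).update(masterPassword, 'utf8').digest('hex');
}

// Review aid: true when a call site passes more arguments than the callee declares.
function passesTooManyArgs(fn, args) {
  return args.length > fn.length;
}

// Check a stored (salt, hash) pair in constant time.
function verifyFingerprint(masterPassword, salt, storedHex) {
  const computed = Buffer.from(fingerprintSalted(masterPassword, salt), 'hex');
  const stored = Buffer.from(storedHex, 'hex');
  return computed.length === stored.length && timingSafeEqual(computed, stored);
}

// Constructed sample values, not taken from any real profile.
const SAMPLE_PASSWORD = 'correct horse battery staple';
const SALT_A = 'salt-A-constructed';
const SALT_B = 'salt-B-constructed';

function demo() {
  const oldHash = fingerprintUnsalted(SAMPLE_PASSWORD, SALT_A);
  return {
    // true: the salt had no effect on the old fingerprint
    unsaltedIgnoresSalt: oldHash === fingerprintUnsalted(SAMPLE_PASSWORD, SALT_B),
    // true: distinct salts now give distinct fingerprints
    saltedDiffers: fingerprintSalted(SAMPLE_PASSWORD, SALT_A) !== fingerprintSalted(SAMPLE_PASSWORD, SALT_B),
    // true: the arity check flags the original call site
    callSiteFlagged: passesTooManyArgs(sha256OneArg, [SAMPLE_PASSWORD, SALT_A]),
    // false: a hash stored by the old scheme does not verify under the new one
    oldHashStillVerifies: verifyFingerprint(SAMPLE_PASSWORD, SALT_A, oldHash),
  };
}
```

The last field shows why values stored under the unsalted scheme have to be kept apart from the salted ones, as with the renamed mpwHash2 and mpwSalt2 subjects.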