[Dovecot] HMAC-MD5 / HMAC-MD5-context
Václav Haisman
v.haisman at sh.cvut.cz
Tue Aug 22 16:16:15 EEST 2006
Andrey Panin wrote:
> On 234, 08 22, 2006 at 11:30:07AM +0200, Chris Laif wrote:
>> $ dovecotpw -p testpass
>> {HMAC-MD5}fe8522268d91e485ccac8f36800e4fa6b10363e2a371cfa61731109b450906cd
>>
>> I wonder if the prefix 'HMAC-MD5' is the correct notation here.
>> According to RFC2104 an HMAC is calculated as follows:
>>
>> H(K XOR opad, H(K XOR ipad, text))
>>
>> where H is the cryptographic hash function (MD5 in this case).
>> Therefore the result has to be a 128 bit string, which is obviously
>> not the case in the above shown example. In addition, the input value
>> 'text' is missing if you only have a password K.
>>
>> Maybe it would be better to use {HMAC-MD5-CONTEXT} or {HMAC-MD5-CTX} ?
>
> This change will break existing dovecot installations without any real gain.
>
Correctness is IMO much more important than backward compatibility with
buggy/broken behaviour.
--
VH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 542 bytes
Desc: OpenPGP digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20060822/61c2503c/attachment-0001.pgp
More information about the dovecot
mailing list