[squeak-dev] MD5 is broken (Cryptography)

Nicolas Cellier nicolas.cellier.aka.nice at gmail.com
Wed Jun 7 21:28:10 UTC 2017


OK, so which MC version exactly, which image, which VM, which OS, and what
steps to reproduce? Is it from SqueakMap? A ConfigurationOfCryptography?

If I load in an up-to-date trunk Spur 32-bit image, for example
Cryptography-rww.55 (because it has a reasonable log message),
then test this snippet:

    MD5NonPrimitive hashStream: 'foobar' readStream.

I get a ByteArray answer without failure:

    #[56 88 246 34 48 172 60 145 95 48 12 102 67 18 198 63]

Same for

    MD5 new hashMessage: 'foo'

Same with latest Cryptography-rww.71...




2017-06-07 22:26 GMT+02:00 casimiro barreto <casimiro.barreto at gmail.com>:

> From MonticelloBrowser: http://www.squeaksource.com/Cryptography package
> Cryptography
>
> 2017-06-07 17:14 GMT-03:00 Nicolas Cellier <nicolas.cellier.aka.nice@
> gmail.com>:
>
>>
>>
>> 2017-06-07 21:40 GMT+02:00 casimiro barreto <casimiro.barreto at gmail.com>:
>>
>>> MD5 (non primitive and with primitive) is broken because it relies on
>>> the conversion of Character to SmallInteger so the method shiftBits:
>>>
>>> Problem happens at ThirthyTwoBitRegister>>reverseLoadFrom:at:
>>>
>>> which is called from MD5NonPrimitive>>proccessBuffer:
>>>
>>> Error is: Instance of Character did not understand #bitShift and
>>> happened at:
>>>
>>> reverseLoadFrom: aByteArray at: index
>>>     "Load my 32-bit value from the four bytes of the given ByteArray
>>> starting at the given index. Consider the first byte to contain the most
>>> significant bits of the word (i.e., use big-endian byte ordering)."
>>>
>>>     hi := ((aByteArray at: index + 3) bitShift: 8) + ( aByteArray at:
>>> index + 2).
>>>     low := ((aByteArray at: index + 1) bitShift: 8) + ( aByteArray at:
>>> index).
>>>
>>>
>> Thanks for reporting. Obviously, the code expects a ByteArray, not a
>> String, so there is some contract broken.
>>
>> Could you remind me where to find/load which package?
>>
>>
>>> --
>>> The information contained in this message is confidential and
>>> intended to the recipients specified in the headers. If you received
>>> this message by error, notify the sender immediately. The
>>> unauthorized use, disclosure, copy or alteration of this message
>>> are strictly forbidden and subjected to civil and criminal sanctions.

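Added example, not part of the thread or of the Cryptography package: a Python model of the quoted reverseLoadFrom:at: arithmetic with the ByteArray contract made explicit, plus a cross-check of the 'foobar' digest reported above against hashlib. The function names, the 0-based indexing and the latin-1 String-to-bytes mapping are assumptions of this example.

```python
import hashlib
import struct

# Digest reported in the thread for 'foobar' (the Squeak ByteArray literal).
REPORTED_FOOBAR = bytes([56, 88, 246, 34, 48, 172, 60, 145,
                         95, 48, 12, 102, 67, 18, 198, 63])


def reverse_load(buf, index):
    """Model of the quoted method body; index is 0-based here.

    Returns (hi, low), the two 16-bit halves of a 32-bit word. As written,
    the arithmetic puts buf[index] in the lowest bits of the word.
    """
    if not isinstance(buf, (bytes, bytearray)):
        # The contract from the thread: elements must be integers (a
        # ByteArray), not characters (a String).
        raise TypeError("expected bytes, got %s" % type(buf).__name__)
    hi = (buf[index + 3] << 8) + buf[index + 2]
    low = (buf[index + 1] << 8) + buf[index]
    return hi, low


def load_word(buf, index):
    """Combine the two halves into one 32-bit integer."""
    hi, low = reverse_load(buf, index)
    return (hi << 16) | low


def load_word_reference(buf, index):
    """Independent reference: little-endian unsigned 32-bit load."""
    return struct.unpack_from("<I", buf, index)[0]


def md5_bytes(message, encoding="latin-1"):
    """Hash str or bytes, with the String -> bytes conversion done explicitly.

    latin-1 is an assumption of this example (one byte per character).
    """
    if isinstance(message, str):
        message = message.encode(encoding)
    return hashlib.md5(message).digest()


if __name__ == "__main__":
    print(md5_bytes("foobar") == REPORTED_FOOBAR)
    print(hex(load_word(b"foobar", 0)))
```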
