[squeak-dev] MD5 is broken (Cryptography)

casimiro barreto casimiro.barreto at gmail.com
Thu Jun 8 20:07:18 UTC 2017


WebUtils not in latest Pharo... I guess it does not exist since Pharo 5
because it was discussed in this thread:
http://forum.world.st/Parsing-SQL-in-a-Pharo-system-td4781777.html

2017-06-08 15:13 GMT-03:00 Levente Uzonyi <leves at caesar.elte.hu>:

> On Thu, 8 Jun 2017, casimiro barreto wrote:
>
> I loaded it in Squeak 6.0 (trunk), Pharo 6.0 (32), Squeak 5.1 all in one,
>> Pharo 5 all in one... All the last versions. Not from
>> ConfigurationOfCryptography (which does not exist in the
>> repository) but http://www.squeaksource.com/Cryptography package is
>> Cryptography-rww.71.mcz but same error is present in
>> Cryptography-acp.70.mcz and olders. Assume it worked in squeak 3.9 &
>> 4 (because I used it at that point with no problems). To reproduce the
>> error just do:
>>
>> md5hash := MD5 new.
>> md5hash initializeState.
>> md5hash processBuffer: 'Casimiro de Almeida Barreto'.
>>
>
> #processBuffer: is a private method, which expects a ByteArray of size 64.
> A ByteString, or a smaller collection should not and will not work.
> The following is expected to produce the correct output:
>
> (MD5 hashMessage: 'Casimiro de Almeida Barreto') hex
>
> In recent images, there's WebUtils, which uses a different MD5
> implementation:
>
> WebUtils md5Digest: 'Casimiro de Almeida Barreto'
>
> It uses a plugin shipped with the released VMs, so it's at least 10x
> faster.
>
> Levente
>
>
> hc := sha256hash finalHash.
>>
>> and you´ll get the corresponding error & debug needed.
>>
>> It is not an urgent problem (since nobody is using MD5 anymore) but I
>> just recovered old code that used it and the error appeared. I´m using
>> SHA256 instead and it runs OK. But it is bad to
>> have broken code in the repository.
>>
>> Best regards,
>>
>> Casimiro
>>
>> 2017-06-07 18:28 GMT-03:00 Nicolas Cellier <nicolas.cellier.aka.nice at gmai
>> l.com>:
>>       OK,  so which MC version exactly, which image, which VM, which OS,
>> and what step to reproduce? Is it from SqueakMap? a
>> ConfigurationOfCryptography?
>>
>> If I load in up-to-date trunk spur 32 bits image, for example
>> Cryptography-rww.55 (because it has reasonnable log message),
>> then test this snippet:
>>
>>     MD5NonPrimitive hashStream: 'foobar' readStream.
>>
>> I get a ByteArray answer without failure:
>>
>>     #[56 88 246 34 48 172 60 145 95 48 12 102 67 18 198 63]
>>
>> same for
>>     MD5 new hashMessage: 'foo'
>>
>> same with latest Cryptography-rww.71...
>>
>>
>>
>>
>> 2017-06-07 22:26 GMT+02:00 casimiro barreto <casimiro.barreto at gmail.com>:
>>       From MonticelloBrowser: http://www.squeaksource.com/Cryptography
>> package Cryptography
>>
>> 2017-06-07 17:14 GMT-03:00 Nicolas Cellier <nicolas.cellier.aka.nice at gmai
>> l.com>:
>>
>>
>>       2017-06-07 21:40 GMT+02:00 casimiro barreto <
>> casimiro.barreto at gmail.com>:
>>             MD5 (non primitive and with primitive) is broken because it
>> relies on the conversion of Character to SmallInteger so the method
>> shiftBits:
>>
>> Problem happens at ThirthyTwoBitRegister>>reverseLoadFrom:at:
>>
>> which is called from MD5NonPrimitive>>proccessBuffer:
>>
>> Error is: Instance of Character did not understand #bitShift and happened
>> at:
>>
>> reverseLoadFrom: aByteArray at: index
>>     "Load my 32-bit value from the four bytes of the given ByteArray
>> starting at the given index. Consider the first byte to contain the most
>> significant bits of the word (i.e., use big-endian byte ordering)."
>>
>>     hi := ((aByteArray at: index + 3) bitShift: 8) + ( aByteArray at:
>> index + 2).
>>     low := ((aByteArray at: index + 1) bitShift: 8) + ( aByteArray at:
>> index).
>>
>>
>> Thanks for reporting. Obviously, the code expects a ByteArray, not a
>> String, so there is some contract broken.
>>
>> Could you remind me where to find/load which package?
>>
>>       --
>>       The information contained in this message is confidential and
>>       intended to the recipients specified in the headers. If you received
>>       this message by error, notify the sender immediately. The
>>       unauthorized use, disclosure, copy or alteration of this message
>>       are strictly forbidden and subjected to civil and criminal
>> sanctions.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> The information contained in this message is confidential and
>> intended to the recipients specified in the headers. If you received
>> this message by error, notify the sender immediately. The
>> unauthorized use, disclosure, copy or alteration of this message
>> are strictly forbidden and subjected to civil and criminal sanctions.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> The information contained in this message is confidential and
>> intended to the recipients specified in the headers. If you received
>> this message by error, notify the sender immediately. The
>> unauthorized use, disclosure, copy or alteration of this message
>> are strictly forbidden and subjected to civil and criminal sanctions.
>>
>>
>
>
>


-- 
The information contained in this message is confidential and
intended to the recipients specified in the headers. If you received
this message by error, notify the sender immediately. The
unauthorized use, disclosure, copy or alteration of this message
are strictly forbidden and subjected to civil and criminal sanctions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20170608/a8cf571d/attachment.html>


More information about the Squeak-dev mailing list