Hi folks,
I need to report a bug in the MD5 calculation, which potentially does not only concern my own software, but others as well.
Background:
Most SW for qmail authentication uses the 'original' RSA modules: global.h, md5.h, md5c.c, hmac-cramd5.c
They are shipped with (my) qmail authentication modules, work well and substitute the OS built-in modules.
Problem statement:
MD5 depends on bit-operations on 32 bit integers. Unfortunately the type used in 'global.h' is unsigned long int — which is 4 byte on 32 machines, but 8 byte on 64 byte architecture. In the AMD64 environment this results in wrong hashsums. CRAM-MD5 is broken; authentication may fail.
Solution:
The following easy solution overcomes this situation and needs to be manually inserted in 'global.h':
/* UINT4 defines a four byte word */
#if defined __amd64__ || defined __x86_64__
typedef unsigned int UINT4;
#else
typedef unsigned long int UINT4;
#endif
A modified source code can be found here:
http://www.fehcom.de/sqmail/doxygen/global_8h_source.html
This is part of my forthcoming s/qmail package — where I found the bug calculating hashsums.
regards.
—eh.
---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
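
Why the wider type corrupts the digest, as an added example (not code from the post above or from the s/qmail sources): it runs the first MD5 round step with the F and ROTATE_LEFT macros of the RFC 1321 reference md5c.c, once on a 32-bit word and once on a 64-bit word standing in for unsigned long int on amd64. The names word32, word64, ff32 and ff64_low and the sample message "abc" are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Macros as written in the RFC 1321 reference md5c.c. ROTATE_LEFT is only
   a rotation if its operand is exactly 32 bits wide. */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

typedef uint32_t word32; /* hypothetical name: the width UINT4 must have */
typedef uint64_t word64; /* hypothetical name: models 'unsigned long int' on amd64 */

/* Compile-time guard of the kind worth placing next to the UINT4 typedef. */
_Static_assert(sizeof(word32) == 4, "UINT4 must be exactly four bytes");

/* Standard MD5 initial state, first round constant and first shift amount. */
#define IV_A 0x67452301u
#define IV_B 0xefcdab89u
#define IV_C 0x98badcfeu
#define IV_D 0x10325476u
#define AC_1 0xd76aa478u
#define S_11 7
/* Constructed input: first little-endian word of the padded message "abc". */
#define X_0 0x80636261u

/* First FF step with a true 32-bit word: carries out of bit 31 are dropped. */
word32 ff32(void)
{
    word32 a = IV_A, b = IV_B, c = IV_C, d = IV_D;
    a += F(b, c, d) + X_0 + AC_1;
    a = ROTATE_LEFT(a, S_11);
    return a + b;
}

/* Same step with a 64-bit word: the carries survive above bit 31 and the
   right shift in ROTATE_LEFT moves them down into the low 32 bits. */
word32 ff64_low(void)
{
    word64 a = IV_A, b = IV_B, c = IV_C, d = IV_D;
    a += F(b, c, d) + X_0 + AC_1;
    a = ROTATE_LEFT(a, S_11);
    return (word32)(a + b); /* truncating afterwards does not undo the damage */
}

int main(void)
{
    printf("32-bit word: %08x\n64-bit word: %08x\n", (unsigned)ff32(), (unsigned)ff64_low());
    return 0;
}
```

Typing UINT4 as uint32_t from <stdint.h>, where the compiler provides it, gives the four-byte width on every architecture rather than only on those named in the #if.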