Author: tack
Date: Mon Nov 27 18:30:15 2006
New Revision: 2098
Modified:
trunk/base/src/rpc.py
Log:
Pad generated auth key to SHA1 block size, as with HMAC.
Modified: trunk/base/src/rpc.py
==============================================================================
--- trunk/base/src/rpc.py (original)
+++ trunk/base/src/rpc.py Mon Nov 27 18:30:15 2006
@@ -655,7 +655,8 @@
Generate a response for the challenge based on the auth secret supplied
to the constructor. This essentially implements CRAM, as defined in
RFC 2195, using SHA-1 as the hash function, however the challenge is
- concatenated with a locally generated 20 byte salt.
+ concatenated with a locally generated 20 byte salt to form the key,
+ and the resulting key is padded to the SHA-1 block size, as with HMAC.
If salt is not None, it is the value generated by the remote end that
was used in computing their response. If it is None, a new 20-byte
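Review bot: the new docstring text in this hunk describes the zero-padding to the SHA-1 block size but omits the other half of HMAC key handling that the code below performs, hashing a key longer than the block size before padding; state both, e.g. "if the key is longer than the SHA-1 block size it is first hashed; the key is then zero-padded to the block size, as with HMAC". Also "20 byte salt" should read "20-byte salt" to match the "20-byte" spelling two lines further down.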
@@ -672,7 +673,16 @@
if not salt:
salt = self._get_rand_value()
+ # block size of SHA-1 is 512 bits (64 bytes)
+ B = 64
+ # Key is auth secret concatenated with salt
K = self._auth_secret + salt
+ if len(K) > B:
+ # key is larger than B, so first hash.
+ K = H(K)
+ # Pad K to be of length B
+ K = K + '\x00' * (B - len(K))
+
return H(xor(K, 0x5c) + H(xor(K, 0x36) + challenge)), salt
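Review bot: a salt supplied by the remote end is only checked for falsiness (`if not salt:`) and never for length, although the docstring says it is a 20-byte value; a salt of unexpected size changes how K is formed (an over-long one pushes K into the `len(K) > B` hashing branch), so reject it explicitly before building K, e.g. `if len(salt) != 20: raise ValueError("salt must be 20 bytes")`. The padding `K + '\x00' * (B - len(K))` is only correct if `H` returns a raw digest no longer than B bytes; a comment stating that `H` returns the raw 20-byte SHA-1 digest would make that invariant visible at the point it is relied on. Minor style: `B = 64` would be better derived from the hash object's block size than a literal, and the added blank `+` line before `return` is stray whitespace.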
_______________________________________________
Freevo-cvslog mailing list
https://lists.sourceforge.net/lists/listinfo/freevo-cvslog