Web Connection
wwEncryption - ComputeHash() - HMACSHA1 returning incorrect results?
  Craig Franklin
  All
  Feb 2, 2019 @ 09:29pm

Hi Rick,

I'm looking to integrate Duo MFA with our web app and it appears the results of ComputeHash() using the HMACSHA1 algorithm are incorrect.

I note from this post https://support.west-wind.com/Thread4X20165EC.wwt that there was a problem previously but I'm testing with WWC v 6.21. Here's the code I'm using to test it with that compares the results to those I get from https://www.liavaag.org/English/SHA-Generator/HMAC/.

(START OF CODE)
*!*	wwc-hmacsh1-test.prg
*!*	Craig Franklin 3 Feb 2019
*!*	To test output of wwEncryption.ComputeHash against https://www.liavaag.org/English/SHA-Generator/HMAC/

#INCLUDE "wconnect.h"

#DEFINE INPUT_TEXT		"A very approachable Test String with upper ASCII chars:"
#DEFINE KEY_TEXT		"seekrit10!"
#DEFINE CORRECT_RESULT_BASE64	"0n/OzFXW+NO4HpODT8Mh6x/qYYY="
#DEFINE CORRECT_RESULT_HEX	"d27fcecc55d6f8d3b81e93834fc321eb1fea6186"

*!*	The CORRECT_RESULT_BASE64 of "0n/OzFXW+NO4HpODT8Mh6x/qYYY="
*!*	was obtained from https://www.liavaag.org/English/SHA-Generator/HMAC/. 
*!*     Its (HEX) results were verified by:
*!*	https://codebeautify.org/hmac-generator
*!*	https://htmlstrip.com/hmac-generator
*!*	NOTE however, that these sites all return different results when LFs are added!

*	Verify that the base64 result is consistent with the Hex result...
IF STRCONV(STRCONV(CORRECT_RESULT_HEX,16),13) <> CORRECT_RESULT_BASE64
	MESSAGEBOX("Inconsistent Base64 and Hex results!")
ENDIF

SET PROCEDURE TO classes\wwDotNetBridge.prg ADDITIVE
SET PROCEDURE TO classes\wwEncryption.prg ADDITIVE
InitializeDotnetVersion("V4")

loEncrypt = CREATEOBJECT("wwEncryption")

lcResult = loEncrypt.ComputeHash(INPUT_TEXT,"HMACSH1",KEY_TEXT)

MESSAGEBOX( ;
	IIF(lcResult == CORRECT_RESULT_BASE64, 'SUCCESS!', 'FAILED') + CHR(13) + CHR(13) + ;
	'ComputeHash() result:' + CHR(13) + ;
	lcResult + CHR(13) + CHR(13) + ;
	'Correct result:' + CHR(13) + ;
	CORRECT_RESULT_BASE64 )

(END OF CODE)

I can email or upload the wwc-hmacsh1-test.prg if that helps.

This is uncharted territory for me so I'll be grateful for any assistance you can provide.

Thanks, Craig

PS: This isn't urgent as I've now developed a workaround using vfpencryption71.fll - refer http://www.sweetpotatosoftware.com/blog/index.php/2009/08/09/major-vfp-encryption-update/

re: wwEncryption - ComputeHash() - HMACSHA1 returning incorrect results?
  Rick Strahl
  Craig Franklin
  Feb 3, 2019 @ 02:34pm

So took a look at the tester.

First, the non-HMAC versions (with 1 iteration) all work just fine.

The HMAC version works too but the algorithm name specified is wrong. It needs to be HMACSHA1 not HMACSH1. Once that's switched it matches.

lcResult = loEncrypt.ComputeHash(INPUT_TEXT,"HMACSHA1",KEY_TEXT)

You get:

Looks like there's a problem in the documentation with the algorithm names not being right. The routine probably should throw if an invalid algorithm is used. I've updated the documentation.

The markdown processing in the editor should be working now as well.

+++ Rick ---

re: wwEncryption - ComputeHash() - HMACSHA1 returning incorrect results?
  Craig Franklin
  Rick Strahl
  Feb 3, 2019 @ 02:45pm

Many thanks for looking at that so promptly Rick - especially on a Sunday! Much appreciated, Craig

re: wwEncryption - ComputeHash() - HMACSHA1 returning incorrect results?
  Rick Strahl
  Craig Franklin
  Feb 3, 2019 @ 03:19pm

I made a few changes to the routine so now:

  • Not specifying a salt for an HMAC algorithm will throw
  • Specifying an invalid HASH algorithm name will throw

This should make sure there are no weird ambiguities due to wrong parameters passed into the function, which should avoid problems like what you reported here in the future.

Thanks,

+++ Rick ---
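
The two checks described in the reply above (reject an unknown algorithm name, require a key for HMAC), sketched in Python as an added example; this is not the wwEncryption source or code from the thread. The function names, the allow-list contents and the `encoding` parameter are assumptions, and the reference value is the published RFC 2202 HMAC-SHA1 test vector rather than the string from the original post.

```python
import base64
import hashlib
import hmac

# Allow-list of accepted names; the exact set is an assumption for this example.
PLAIN = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
KEYED = {"HMACSHA1": hashlib.sha1, "HMACSHA256": hashlib.sha256}


def compute_hash(text, algorithm, key=None, encoding="utf-8"):
    """Return the base64 digest of text; raise instead of guessing on bad input."""
    data = text.encode(encoding)
    if algorithm in KEYED:
        if not key:
            raise ValueError(f"{algorithm} requires a key")
        digest = hmac.new(key.encode(encoding), data, KEYED[algorithm]).digest()
    elif algorithm in PLAIN:
        digest = PLAIN[algorithm](data).digest()
    else:
        # A misspelling such as "HMACSH1" stops here instead of returning a value.
        raise ValueError(f"unknown hash algorithm: {algorithm!r}")
    return base64.b64encode(digest).decode("ascii")


def matches(expected_b64, text, algorithm, key=None, encoding="utf-8"):
    """Constant-time comparison of a received digest with a freshly computed one."""
    actual = compute_hash(text, algorithm, key, encoding)
    return hmac.compare_digest(actual.encode("ascii"), expected_b64.encode("ascii"))


# Published HMAC-SHA1 test vector (RFC 2202, test case 2), used as the reference.
RFC2202_KEY = "Jefe"
RFC2202_DATA = "what do ya want for nothing?"
RFC2202_HEX = "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"
RFC2202_B64 = base64.b64encode(bytes.fromhex(RFC2202_HEX)).decode("ascii")

if __name__ == "__main__":
    print(compute_hash(RFC2202_DATA, "HMACSHA1", RFC2202_KEY))
    for bad in (("HMACSH1", RFC2202_KEY), ("HMACSHA1", None)):
        try:
            compute_hash(RFC2202_DATA, *bad)
        except ValueError as exc:
            print("rejected:", exc)
    # Constructed sample: non-ASCII input hashes differently per byte encoding.
    print(compute_hash("caf\u00e9", "HMACSHA1", "k", "utf-8"),
          compute_hash("caf\u00e9", "HMACSHA1", "k", "cp1252"))
```

Checking against a local reference like this also keeps the real key out of third-party online generators.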

re: wwEncryption - ComputeHash() - HMACSHA1 returning incorrect results?
  Craig Franklin
  Rick Strahl
  Feb 3, 2019 @ 03:24pm

Worthwhile improvements, thanks.
