Any PHP gurus on the loose? - Grin with cat attached — LiveJournal
Any PHP gurus on the loose? Aug. 7th, 2005 07:42 pm
As posted to PHP-London:

Another very weird edge-case bug here:
http://www.ch3.org.uk/hmac.phps

HMAC hashing is defined in RFC 2104, and required for OpenID "smart" mode.

The seven tests from RFC 2202 pass (in PHP5.x).
The 8th, discovered when trying to implement an OpenID client, fails (I get 0xc1699572cf4dbb2735e232f354448ebb2030d417).
Anyone fancy debugging this and telling me why? Pints to anyone solving it ;)

Feel free to run the tests in other languages to confirm the correct value for test 8.

The catch - PHP needs to be compiled with --with-gmp. Expect pack() warnings in most forms of PHP.

TIA,
Wechsler

From: deliberateblank
Date: August 7th, 2005 - 07:20 pm (Link)
Since the other tests work, I'd be inclined to believe the HMAC is working, but your expectations of the final output are wrong.

Test 8 uses a string with embedded linefeeds, the others don't. Is there a possibility of any oddity here? Are you absolutely sure you know exactly what's going *into* the HMAC in all environments you've tested it under?

From: deliberateblank
Date: August 7th, 2005 - 07:24 pm (Link)
(Of course, the same could apply to the expectations of the person who wrote the OpenID spec...)

From: wechsler
Date: August 7th, 2005 - 07:28 pm (Link)
The code works for about 95% of OpenID logins (these tests all have linefeeds), and the expected value for test 8 has been provided by LJ's OpenID server and confirmed by a third party. The "wrong" value in test 8 was provided both by this stand-alone test and debug output from OpenID login attempts.

However, the more people can validate the expected value, the more confident I'll be.
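
A cross-check of the kind the thread asks for, added here as an example in Python (it is not part of the original post, the comments, or hmac.phps): HMAC-SHA1 written out step by step from RFC 2104, compared against Python's own `hmac` module and four RFC 2202 vectors, then run over a multi-line message with LF and with CRLF line endings to show that the exact input bytes decide the result. The function names, the sample key and the sample message are constructed for illustration; the page does not give the test 8 input.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes ("B" in RFC 2104)

def hmac_sha1(key: bytes, msg: bytes) -> str:
    """HMAC-SHA1 built by hand from the RFC 2104 definition."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()   # raw digest, not hex text
    return hashlib.sha1(opad + inner).hexdigest()

def reference(key: bytes, msg: bytes) -> str:
    """Independent implementation to compare against (Python stdlib)."""
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

# RFC 2202 HMAC-SHA-1 test cases 1, 2, 3 and 6: (key, data, digest)
RFC2202 = [
    (b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    (b"\xaa" * 20, b"\xdd" * 50,
     "125d7342b9ac11cd91a39af48aa17b4f63f175d3"),
    (b"\xaa" * 80, b"Test Using Larger Than Block-Size Key - Hash Key First",
     "aa4ae5e15272d00e95705637ce8a3b55ed402112"),
]

def rfc2202_ok() -> bool:
    """True when the hand-built HMAC, the stdlib and the RFC all agree."""
    return all(hmac_sha1(k, m) == d == reference(k, m) for k, m, d in RFC2202)

# Constructed sample: a 20-byte binary key and a multi-line message.
SAMPLE_KEY = bytes(range(200, 220))
SAMPLE_LF = b"mode:id_res\nidentity:http://example.org/\n"

def line_ending_check(key: bytes, text_lf: bytes) -> dict:
    """MAC the same text with LF and CRLF endings; the digests must differ."""
    text_crlf = text_lf.replace(b"\n", b"\r\n")
    return {"lf": hmac_sha1(key, text_lf),
            "crlf": hmac_sha1(key, text_crlf),
            "matches_stdlib": hmac_sha1(key, text_lf) == reference(key, text_lf)}

if __name__ == "__main__":
    print("RFC 2202 vectors agree:", rfc2202_ok())
    print(line_ending_check(SAMPLE_KEY, SAMPLE_LF))
```

To validate a disputed expected value, feed the exact key bytes and message bytes from the failing case to both functions and compare the two digests with the one under test.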