"+" bug in mac_key?

Michael 'hacker' Krelin hacker at klever.net
Tue Aug 2 14:34:34 PDT 2005

Can't tell you much about PHP, but when I've been doing it in C++ using
OpenSSL, I had to prepend zero to any bigint in binary form that has the
high bit set, i.e. if(bigintbin[0]&0x80) { prepend zero };

Maybe that helps.

> Long shot:
> I've got a smart mode consumer, written in PHP, that seems to be working 
> in the main, but every so often the HMAC_SHA1 signature from the server 
> won't match the one I generate.
> Every time this has happened, the raw openid mac_key I've received by 
> association has a plus (+) in it. This key is stored in a MySQL database 
> (could this corrupt it in any way?), and the ones that have failed are:
> PF+MFObP6aGEMA1hul5Y7WY+4Jo=
> VJjofcv5SHf/LYSo6lPdZtkD+PU=
> X+WsOnVw+u+audJ4K5o/WRV90Ck=
> The code uses GMP support for the HMAC and DH code, and uses PHP's 
> pack() function (which I've seen to be flaky in the past). If anyone 
> knows of any flaws with these, I'd love to hear about it. Equally, if 
> anyone wants to see the (still somewhat clunky) code, let me know.
> Now, I appreciate that this is a bit of a weird bug, but I thought I'd 
> throw it into the mix and see if it meant anything to anyone.
> TIA,
> 	Wechsler
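
The zero-prefix rule from the reply above, as an added Python example (not code from this thread or from any OpenID library). It assumes the OpenID 1.x DH-SHA1 association, where the server sends base64(SHA1(btwoc(shared)) XOR mac_key); the function names and shared-secret values are constructed for illustration, and only the mac_key string comes from the post.

```python
import base64
import hashlib

def unsigned_bytes(n: int) -> bytes:
    """Minimal big-endian magnitude of a non-negative integer (no sign byte)."""
    if n < 0:
        raise ValueError("DH values are non-negative")
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def btwoc(n: int) -> bytes:
    """Two's-complement form: prepend 0x00 when the high bit is set, so the
    value cannot be read back as negative."""
    raw = unsigned_bytes(n)
    return b"\x00" + raw if raw[0] & 0x80 else raw

def mask(shared: int, data: bytes, encode) -> bytes:
    """SHA1(encode(shared)) XOR data; the same operation hides and reveals the key."""
    if len(data) != 20:
        raise ValueError("HMAC-SHA1 mac_key must be 20 bytes")
    pad = hashlib.sha1(encode(shared)).digest()
    return bytes(a ^ b for a, b in zip(pad, data))

def server_enc_mac_key(shared: int, mac_key: bytes) -> str:
    """Server side (assumed scheme): base64(SHA1(btwoc(shared)) XOR mac_key)."""
    return base64.b64encode(mask(shared, mac_key, btwoc)).decode("ascii")

def consumer_mac_key(shared: int, enc_mac_key: str, encode=btwoc) -> bytes:
    """Consumer side: undo the mask using the chosen integer encoding."""
    return mask(shared, base64.b64decode(enc_mac_key, validate=True), encode)

# mac_key taken from the post; the shared secrets are constructed values,
# not the output of a real Diffie-Hellman exchange.
MAC_KEY = base64.b64decode("PF+MFObP6aGEMA1hul5Y7WY+4Jo=")
SHARED_HIGH = int.from_bytes(b"\x9c" + b"\x11" * 15, "big")  # top bit set
SHARED_LOW = int.from_bytes(b"\x1c" + b"\x11" * 15, "big")   # top bit clear

if __name__ == "__main__":
    for name, shared in (("high bit set", SHARED_HIGH), ("high bit clear", SHARED_LOW)):
        enc = server_enc_mac_key(shared, MAC_KEY)
        good = consumer_mac_key(shared, enc, btwoc) == MAC_KEY
        bare = consumer_mac_key(shared, enc, unsigned_bytes) == MAC_KEY
        print(f"{name}: with zero prefix ok={good}, without ok={bare}")
```

A consumer that omits the prefix recovers the right key only when the shared secret's top bit happens to be clear, so the resulting signature failures look intermittent.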
