You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm working on MAC verification of SQLCipher databases and cannot get consistent verification of multiple database's HMACs. For example, MAC verification will fail on a database and then ten minutes later, with no changes, MAC verification will succeed. The output below is from the same script, running in two different PowerShell windows, trying to verify MACs on the same database. One window passes MAC verification, the other fails. The output, and output type, from both windows are identical. MAC verification fails, and then sometimes doesn't, for over a dozen databases we have tested with, that otherwise work properly in DBrowser for SQLCipher and our other code.
I spent about 3 days and had two colleagues review and test and we've come to the conclusion that the issue is with pycryptodome's HMAC implementation. We rewrote the code to use python's native HMAC "import HMAC" and have no issues. All MAC verification unit tests for multiple databases succeed as expected using python's native HMAC library with hmac.compare_digest(), so that further reinforces our theory that there's some underlying issue with pycrypdome's HMAC implementation.
python 3.12, pycryptodome 3.21.0
## Relevant portion of the code ##
from Crypto.Hash import SHA1, SHA256, SHA512, HMAC
import struct
hmac_type = SHA512 #SHA256 #SHA1
hmac_size = hmac_type.digest_size
hmac_key = #valid derived key, code cut here for brevity
pageno = 1
mac = HMAC.new(hmac_key, digestmod=hmac_type)
mac.update(page[:-.hmac_size])
mac.update(struct.pack("<I", pageno))
try:
print(mac.digest())
print(mac.hexdigest())
m = page[-hmac_size:]
print("type(m)", type(m), "len(m)", len(m))
print(m)
print(m.hex())
mac.verify(m) #raises ValueError if MAC verification fails
except ValueError as e:
error = "Error!" + str(e)
return False
## Output from PowerShell Window #1 that passes the mac.verify(m) check ##
b'c\xfb\x19\xd4\x94\x19r\x91\r\xaa[4A\xfa\xdf\xbfj.\x14\xa5\x8aRal\xf6\xdbaBH\x85ee\xdf\xe7g\x0c\x1b~\xc2\xe8\x1e\x92\xc9\xff\x8e~D\x81\x14\x1b\xbd\xbc\x97p\x00$\xd0\xd2\x18m\xb5\xf9\xb9\xd0'
63fb19d4941972910daa5b3441fadfbf6a2e14a58a52616cf6db614248856565dfe7670c1b7ec2e81e92c9ff8e7e4481141bbdbc97700024d0d2186db5f9b9d0
type(m) <class 'bytes'> len(m) 64
b'c\xfb\x19\xd4\x94\x19r\x91\r\xaa[4A\xfa\xdf\xbfj.\x14\xa5\x8aRal\xf6\xdbaBH\x85ee\xdf\xe7g\x0c\x1b~\xc2\xe8\x1e\x92\xc9\xff\x8e~D\x81\x14\x1b\xbd\xbc\x97p\x00$\xd0\xd2\x18m\xb5\xf9\xb9\xd0'
63fb19d4941972910daa5b3441fadfbf6a2e14a58a52616cf6db614248856565dfe7670c1b7ec2e81e92c9ff8e7e4481141bbdbc97700024d0d2186db5f9b9d0
## Output from PowerShell Window #2 that fails the mac.verify(m) check##
b'c\xfb\x19\xd4\x94\x19r\x91\r\xaa[4A\xfa\xdf\xbfj.\x14\xa5\x8aRal\xf6\xdbaBH\x85ee\xdf\xe7g\x0c\x1b~\xc2\xe8\x1e\x92\xc9\xff\x8e~D\x81\x14\x1b\xbd\xbc\x97p\x00$\xd0\xd2\x18m\xb5\xf9\xb9\xd0'
63fb19d4941972910daa5b3441fadfbf6a2e14a58a52616cf6db614248856565dfe7670c1b7ec2e81e92c9ff8e7e4481141bbdbc97700024d0d2186db5f9b9d0
type(m) <class 'bytes'> len(m) 64
b'c\xfb\x19\xd4\x94\x19r\x91\r\xaa[4A\xfa\xdf\xbfj.\x14\xa5\x8aRal\xf6\xdbaBH\x85ee\xdf\xe7g\x0c\x1b~\xc2\xe8\x1e\x92\xc9\xff\x8e~D\x81\x14\x1b\xbd\xbc\x97p\x00$\xd0\xd2\x18m\xb5\xf9\xb9\xd0'
63fb19d4941972910daa5b3441fadfbf6a2e14a58a52616cf6db614248856565dfe7670c1b7ec2e81e92c9ff8e7e4481141bbdbc97700024d0d2186db5f9b9d0
The text was updated successfully, but these errors were encountered:
I'm working on MAC verification of SQLCipher databases and cannot get consistent verification of multiple database's HMACs. For example, MAC verification will fail on a database and then ten minutes later, with no changes, MAC verification will succeed. The output below is from the same script, running in two different PowerShell windows, trying to verify MACs on the same database. One window passes MAC verification, the other fails. The output, and output type, from both windows are identical. MAC verification fails, and then sometimes doesn't, for over a dozen databases we have tested with, that otherwise work properly in DBrowser for SQLCipher and our other code.
I spent about 3 days and had two colleagues review and test and we've come to the conclusion that the issue is with pycryptodome's HMAC implementation. We rewrote the code to use python's native HMAC "import HMAC" and have no issues. All MAC verification unit tests for multiple databases succeed as expected using python's native HMAC library with hmac.compare_digest(), so that further reinforces our theory that there's some underlying issue with pycrypdome's HMAC implementation.
python 3.12, pycryptodome 3.21.0
The text was updated successfully, but these errors were encountered: