ANN: happstack-util-6.0.3: SECURITY issue with Happstack.Crypto.SHA1 and GHC 7.4rc1 (possibly others)

Jeremy Shaw

Jan 31, 2012, 9:51:48 PM1/31/12
to HAppS
Hello,

Happstack.Crypto.SHA1.sha1 may return incorrect results on some platforms/versions of GHC.

Happstack does *not* actually use the Happstack.Crypto.* functions at all. So, you will only be affected if your application explicitly imports those functions.

So far the only place I have seen the bug is in GHC 7.4rc1.

The specific issue is the sha1 implementation is passing a negative offset to shiftL, which, according to the docs, is not allowed. But, until recently, it produced the expected value.

I have uploaded happstack-util-6.0.3 which uses shiftR instead of a negative offset to shiftL.

You can see if your system is affected by running the following in GHCi:

> shiftL (0xf :: Data.Word.Word32) (-1)

If it returns '7' then your SHA1 is fine (but you should upgrade anyway).
If it returns '0' then SHA1 has been giving you bogus results.

happstack-util will be deprecated in the upcoming Happstack 7 release, so you might also consider switching to an actively maintained crypto library if you are currently using Happstack.Crypto.*.

- jeremy
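As an added example (not code from happstack-util or from the announcement above), the shape of the problem: a rotate-left that produces its right-hand half by passing a negative offset to shiftL, next to the same rotation written with shiftR, both checked against Data.Bits.rotateL. The rotate-left form, the function names rotlNegative/rotlPortable and the sample words are assumptions; the real sha1 code is not reproduced here.

```haskell
-- Added example, not the happstack-util implementation. The rotate-left
-- shape and the names below are assumptions made for illustration.
import Control.Exception (SomeException, evaluate, try)
import Data.Bits (rotateL, shiftL, shiftR, (.|.))
import Data.Word (Word32)

-- Rotate left by n bits (0 < n < 32), obtaining the right-hand part by
-- giving shiftL a negative offset. Data.Bits documents a negative offset
-- as not allowed, so the result is whatever the GHC at hand happens to
-- do: older GHCs treated it as a right shift, and the announcement
-- reports 0 on GHC 7.4rc1, which silently drops those bits.
rotlNegative :: Word32 -> Int -> Word32
rotlNegative x n = (x `shiftL` n) .|. (x `shiftL` (n - 32))

-- The same rotation using shiftR for the right-hand part, which is the
-- behaviour the Data.Bits contract actually guarantees.
rotlPortable :: Word32 -> Int -> Word32
rotlPortable x n = (x `shiftL` n) .|. (x `shiftR` (32 - n))

-- Constructed sample words (not from the announcement).
samples :: [Word32]
samples = [0x00000000, 0x00000001, 0x80000000, 0x67452301, 0xdeadbeef]

-- Every (word, offset) pair where the given rotation disagrees with the
-- library's rotateL. An empty list means the rotation is correct here.
disagreements :: (Word32 -> Int -> Word32) -> [(Word32, Int)]
disagreements f =
  [ (x, n) | x <- samples, n <- [1 .. 31], f x n /= rotateL x n ]

main :: IO ()
main = do
  -- Some GHCs raise an exception for a negative offset instead of
  -- returning a value; either way the negative-offset form is unusable.
  r <- try (evaluate (length (disagreements rotlNegative)))
         :: IO (Either SomeException Int)
  putStrLn $ "negative-offset rotl: "
          ++ either (const "raised an exception")
                    (\k -> show k ++ " mismatches") r
  putStrLn $ "shiftR rotl: "
          ++ show (length (disagreements rotlPortable)) ++ " mismatches"
```

Any non-zero mismatch count (or an exception) for the negative-offset version means a SHA1 built that way would have produced wrong digests on this GHC, while the shiftR version should report zero mismatches everywhere.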