Details
- Bug
- Resolution: Fixed
- P3: Somewhat important
- 6.6.1
- None
- 21eeef83f (dev), ac0e037f9 (6.6), b7d849b57 (tqtc/lts-6.5)
Description
From a security report:
Moreover, it was found that the documentation for the QMessageAuthenticationCode class [...] does not list the type of MAC algorithm used. Looking at the padding bytes used in the implementation, 0x36 and 0x5c, it can be assumed that the secure HMAC algorithm is used. Hence, the algorithm is not susceptible to length extension attacks, as was mentioned in the interview. However, this is not mentioned in the documentation, which may lead developers to believe that the algorithm is unsafe to use with hash functions, which rely on the Merkle-Damgård construction.
The class documentation says 'hash-based message authentication code' though, which is, according to Wikipedia, one valid expanded version of HMAC.
But it might be good to include the word 'HMAC' nevertheless, for clarity and SEO purposes?
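The report infers HMAC from the 0x36 and 0x5c padding bytes. As an added example (Python, not Qt code and not part of the report), here is the RFC 2104 construction built from those two bytes and checked against Python's standard `hmac` module; the helper names and the sample key and message are constructed for illustration.

```python
import hashlib
import hmac

IPAD = 0x36  # inner padding byte from RFC 2104
OPAD = 0x5C  # outer padding byte from RFC 2104


def manual_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size
    # Keys longer than one hash block are hashed first, then zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)

    # The inner digest is re-hashed under the outer key, so a tag never
    # exposes the hash state reached directly after processing the message.
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def naive_prefix_mac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """H(key || message): the keyed-prefix construction that length
    extension applies to with Merkle-Damgard hashes. Shown for contrast."""
    return hashlib.new(hash_name, key + message).digest()


def matches_library(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """True if the manual construction equals the standard library's HMAC."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(manual_hmac(key, message, hash_name), expected)


if __name__ == "__main__":
    key = b"constructed-sample-key"        # constructed sample input
    msg = b"constructed sample message"    # constructed sample input
    for name in ("sha1", "sha256", "sha512"):
        print(name, "matches library HMAC:", matches_library(key, msg, name))
    print("differs from H(key || msg):",
          manual_hmac(key, msg) != naive_prefix_mac(key, msg))
```

A MAC implementation whose output agrees with this construction for the same key, message and hash is HMAC, which is the property the report asks the documentation to state.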