On Fri Jul 26 09:26:23 2013, jake.petrou...@petroules.com wrote:
> Hello,
>
> I've discovered a bug in OpenSSL HMAC handling -- when calling the
> HMAC() (http://www.openssl.org/docs/crypto/hmac.html) function, an
> incorrect result will be given if the `key` parameter is a NULL
> pointer, even when `key_len` is zero. Much easier to notice when
> you're not using null terminated strings/buffers. I would expect
> that the value of `key` would have no effect if `key_len` is 0
> (CommonCrypto handles this fine). I have attached an example
> program demonstrating the problem.
>
Passing "NULL" as the key has a special meaning to the OpenSSL APIs: it
reuses the existing HMAC key for the context. If there is no HMAC key
previously set the result is undefined.

If you really want to use a zero length key set key_len to zero and key to
non-NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
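
An independent reference for the zero-length-key case discussed in this thread, useful for checking what an HMAC() call with a non-NULL key and key_len of 0 should return. This is an added example in Python, not part of the original thread or of OpenSSL; the function names and the sample message are made up for illustration, and it goes slightly beyond the thread by building HMAC from the RFC 2104 definition.

```python
import hashlib
import hmac


def hmac_rfc2104(key, msg, digest="sha256"):
    """HMAC computed directly from the RFC 2104 definition."""
    if key is None:
        # Same rule as the advice in the thread: "no key" has to be passed
        # as an explicit zero-length key, never as a missing one.
        raise TypeError("key must be bytes; use b'' for a zero-length key")
    block = hashlib.new(digest).block_size
    if len(key) > block:                  # keys longer than a block are hashed
        key = hashlib.new(digest, key).digest()
    key = key.ljust(block, b"\x00")       # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(digest, ipad + msg).digest()
    return hashlib.new(digest, opad + inner).digest()


def empty_key_reference(msg, digest="sha256"):
    """Hex digest that a correct zero-length-key HMAC must produce."""
    ours = hmac_rfc2104(b"", msg, digest)
    # Cross-check against the standard library before trusting the value.
    theirs = hmac.new(b"", msg, digest).digest()
    if not hmac.compare_digest(ours, theirs):
        raise RuntimeError("reference implementations disagree")
    return ours.hex()


if __name__ == "__main__":
    sample = b"constructed sample message"   # constructed input, not from the thread
    for name in ("sha1", "sha256", "sha512"):
        print(name, empty_key_reference(sample, name))
```

Because of the zero-padding step, an empty key gives the same MAC as a key of all-zero bytes up to one block, so the result is well defined but offers no secrecy.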