http://issues.apache.org/bugzilla/show_bug.cgi?id=38604

           Summary: HMAC signature verification leaks with OpenSSL
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: C++ Signature
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

* This holds for XML Security C++ 1.2.1 *
(I was unable to choose that version in Bugzilla)

---

In the file OpenSSLCryptoHashHMAC.cpp the destructor should be changed from
simply (line 136):

    OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {}

to

    OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {
        HMAC_CTX_cleanup(&m_hctx);
    }

Otherwise a leak occurs each time an HMAC signed signature is verified.
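
A self-contained model of the leak reported above, added here as an illustration and not taken from XML Security C++ or OpenSSL. A fixed pool of eight slots stands in for the memory an HMAC context holds; the mock_* functions and both class names are hypothetical, and it assumes one hash object is created per verification.

```cpp
// Added illustration, not XML Security C++ or OpenSSL code. A fixed pool stands
// in for the memory an HMAC context owns; every mock_* name is hypothetical.
#include <array>
#include <cstdio>

constexpr int kPoolSlots = 8;                  // constructed capacity
static std::array<bool, kPoolSlots> g_pool{};  // true = slot in use

struct MockHmacCtx { int slot = -1; };

// Stand-in for context set-up: claims a slot, fails once none is free.
static bool mock_ctx_init(MockHmacCtx *c) {
    for (int i = 0; i < kPoolSlots; ++i)
        if (!g_pool[i]) { g_pool[i] = true; c->slot = i; return true; }
    return false;
}
// Stand-in for HMAC_CTX_cleanup(&m_hctx): gives the slot back.
static void mock_ctx_cleanup(MockHmacCtx *c) {
    if (c->slot >= 0) { g_pool[c->slot] = false; c->slot = -1; }
}

class LeakyHashHMAC {                          // empty destructor, as reported
    MockHmacCtx m_hctx;
public:
    bool init() { return mock_ctx_init(&m_hctx); }
    ~LeakyHashHMAC() {}
};
class FixedHashHMAC {                          // destructor with the cleanup call
    MockHmacCtx m_hctx;
public:
    bool init() { return mock_ctx_init(&m_hctx); }
    ~FixedHashHMAC() { mock_ctx_cleanup(&m_hctx); }
};

int slots_in_use() {
    int n = 0;
    for (bool used : g_pool) n += used ? 1 : 0;
    return n;
}
// One hash object per verification; counts successes until the pool runs dry.
template <class Hash> int verifications_completed(int attempts) {
    g_pool.fill(false);
    int ok = 0;
    for (int i = 0; i < attempts; ++i) { Hash h; if (!h.init()) break; ++ok; }
    return ok;
}
int main() {
    std::printf("leaky: %d\n", verifications_completed<LeakyHashHMAC>(1000));
    std::printf("fixed: %d\n", verifications_completed<FixedHashHMAC>(1000));
}
```

With the empty destructor the model stops after as many verifications as the pool has slots; with the cleanup call all attempts complete and no slot stays in use.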
