Hello,

I've discovered a bug in OpenSSL HMAC handling -- when calling the HMAC() (http://www.openssl.org/docs/crypto/hmac.html) function, an incorrect result will be given if the `key` parameter is a NULL pointer, even when `key_len` is zero. Much easier to notice when you're not using null-terminated strings/buffers. I would expect that the value of `key` would have no effect if `key_len` is 0 (CommonCrypto handles this fine). I have attached an example program demonstrating the problem.

Please post the eventual bug tracker link on the mailing list if possible.

Thanks,
--
Jake Petroules
Chief Technology Officer
Petroules Corporation · www.petroules.com
Email: [email protected]
openssl-hmac-bug.c
Description: Binary data
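A reference for the value a zero-length key should produce, as an added example that is not the attached program and not OpenSSL code: it builds HMAC from the RFC 2104 definition with a C-style (key, key_len) pair and confirms that the key argument has no effect when key_len is 0. The function names are hypothetical, and Python's None stands in for a NULL pointer.

```python
import hashlib
import hmac


def hmac_rfc2104(key, key_len, msg, digest="sha256"):
    """HMAC from the RFC 2104 definition, taking a C-style (key, key_len) pair.

    key may be None (standing in for NULL) only when key_len is 0.
    """
    if key is None:
        if key_len != 0:
            raise ValueError("key is None but key_len is non-zero")
        key = b""
    key = bytes(key[:key_len])          # only key_len bytes are ever read
    block = hashlib.new(digest).block_size
    if len(key) > block:                # long keys are hashed first
        key = hashlib.new(digest, key).digest()
    key = key.ljust(block, b"\x00")     # a zero-length key becomes all zeros
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(digest, ipad + msg).digest()
    return hashlib.new(digest, opad + inner).hexdigest()


def empty_key_reference(msg, digest="sha256"):
    """Return the HMAC for a zero-length key, checking that every way of
    passing 'no key' agrees with the standard library's result."""
    results = {
        "null pointer": hmac_rfc2104(None, 0, msg, digest),
        "empty buffer": hmac_rfc2104(b"", 0, msg, digest),
        "ignored bytes": hmac_rfc2104(b"unused", 0, msg, digest),  # constructed
        "stdlib": hmac.new(b"", msg, digest).hexdigest(),
    }
    if len(set(results.values())) != 1:
        raise AssertionError(f"zero-length key results differ: {results}")
    return results["stdlib"]


if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        print(name, empty_key_reference(b"", name))
```

The printed digests are what any HMAC implementation should return for an empty key and empty message, so they can be compared against a library's output for both a NULL and a non-NULL key pointer.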
