After reviewing the documentation I see this behavior mentioned - easy to miss.
However I'd argue that this behavior is wrong, given that there is no context to
potentially re-use with the single shot function.
Wouldn't it make more sense to simply treat a NULL pointer to key the same as
passing a valid pointer, when key_len is 0, for the single-shot function?
--
Jake Petroules
Chief Technology Officer
Petroules Corporation · www.petroules.com
Email: jake.petrou...@petroules.com

On Jul 26, 2013, at 8:46 AM, Stephen Henson via RT r...@openssl.org wrote:

> On Fri Jul 26 09:26:23 2013, jake.petrou...@petroules.com wrote:
>> Hello,
>>
>> I've discovered a bug in OpenSSL HMAC handling -- when calling the
>> HMAC() (http://www.openssl.org/docs/crypto/hmac.html) function, an
>> incorrect result will be given if the `key` parameter is a NULL
>> pointer, even when `key_len` is zero. Much easier to notice when
>> you're not using null terminated strings/buffers. I would expect
>> that the value of `key` would have no effect if `key_len` is 0
>> (CommonCrypto handles this fine). I have attached an example
>> program demonstrating the problem.
>
> Passing NULL as the key has a special meaning to the OpenSSL APIs: it reuses
> the existing HMAC key for the context. If there is no HMAC key previously set
> the result is undefined. If you really want to use a zero length key set
> key_len to zero and key to non-NULL.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org