I found a problem in hmac.c. If you give a key greater than 64 bytes long
to HMAC_Init( ) then it hashes the key into a short key (20 bytes for SHA,
for example). But it fails to zero the buffer after the end of the hashed
key. I have attached a file named hmac.c with 2 inserted lines (Marked
yostw 032400) that do the necessary zeroing. Also see the code fragment
below...
I found this problem by comparing the output of the HMAC function with one
supplied by Epilogue software.
// See the two lines marked with comments //yostw 032400
HMAC_Init( ... )
    ...
    if (j < len)
        {
        EVP_DigestInit(&ctx->md_ctx,md);
        EVP_DigestUpdate(&ctx->md_ctx,key,len);
        EVP_DigestFinal(&(ctx->md_ctx),ctx->key,
                        &ctx->key_length);
        // Following are the 2 inserted lines to zero after the hashed key
        i = ctx->key_length;                                  //yostw 032400
        memset(&(ctx->key[i]),0,sizeof(ctx->key)-i);          //yostw 032400
        }
<<hmac.c>>
----------- William H. Yost, Thomson Consumer Electronics ------------
. Home of RCA, GE, and Proscan (317) 587-4816 [EMAIL PROTECTED] .
.Survival tip: Moss grows on the north side of trees, Satellite dishes
point south .
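As an added illustration (not part of this report or of OpenSSL's hmac.c), the following Python models ctx->key as a 64-byte buffer that may still hold bytes from an earlier HMAC_Init, and shows why leaving the tail un-zeroed after hashing a long key changes the MAC. The `stale` argument and the `zero_tail` switch are constructed for the model; Python's hmac module plays the role of the independent implementation the report compared against.

```python
import hashlib
import hmac

BLOCK = 64          # HMAC_MAX_MD_CBLOCK: the SHA-1 block size, size of ctx->key
DIGEST_LEN = 20     # SHA-1 output: what a key longer than 64 bytes is hashed down to


def prepare_key(key: bytes, stale: bytes = b"", zero_tail: bool = True) -> bytearray:
    """Model HMAC_Init's handling of ctx->key.

    `stale` stands for whatever the 64-byte ctx->key buffer already held
    (e.g. from a previous HMAC_Init on a reused context); it is a constructed
    parameter, not part of the real API.  `zero_tail=False` reproduces the
    reported bug: the hashed key is written, the bytes after it are left alone.
    """
    buf = bytearray(stale.ljust(BLOCK, b"\0")[:BLOCK])
    if len(key) > BLOCK:
        digest = hashlib.sha1(key).digest()              # EVP_DigestFinal -> ctx->key
        buf[:DIGEST_LEN] = digest
        if zero_tail:                                    # the two inserted lines:
            buf[DIGEST_LEN:] = bytes(BLOCK - DIGEST_LEN) # memset(&ctx->key[i],0,64-i)
    else:
        buf[:len(key)] = key                             # RFC 2104: short keys are
        buf[len(key):] = bytes(BLOCK - len(key))         # zero-padded to the block size
    return buf


def hmac_sha1(key: bytes, msg: bytes, stale: bytes = b"", zero_tail: bool = True) -> bytes:
    """HMAC-SHA1 per RFC 2104 computed over the modelled key buffer."""
    k = prepare_key(key, stale, zero_tail)
    ipad = bytes(b ^ 0x36 for b in k)                    # all 64 bytes feed the pads, so
    opad = bytes(b ^ 0x5C for b in k)                    # garbage after byte 20 changes the MAC
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def reference(key: bytes, msg: bytes) -> bytes:
    """Independent oracle, standing in for the second HMAC implementation."""
    return hmac.new(key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    long_key = bytes(range(100))                         # constructed: 100 bytes > 64
    msg = b"sample message"
    junk = b"\xaa" * BLOCK                               # constructed leftovers in ctx->key
    print("fixed  :", hmac_sha1(long_key, msg, junk).hex())
    print("buggy  :", hmac_sha1(long_key, msg, junk, zero_tail=False).hex())
    print("oracle :", reference(long_key, msg).hex())
```

With a freshly zeroed buffer the buggy path still agrees with the oracle, which is why the defect only surfaces when the context has been used before or the allocation is not zero-filled.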