I posted this last week and nobody commented on it yet. This seems like a
major bug that I want to be sure does not get overlooked for the next
release. Can anybody verify that what I have found is a problem? When I
fixed it as I explain below, the problem I was seeing went away.
----------- William H. Yost, Thomson Consumer Electronics ------------
. Home of RCA, GE, and Proscan (317) 587-4816 [EMAIL PROTECTED] .
.Survival tip: Moss grows on the north side of trees, Satellite dishes
point south .
> -----Original Message-----
> From: Yost William
> Sent: Friday, March 24, 2000 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: Patch for hmac.c
>
> I found a problem in hmac.c. If you give a key greater than 64 bytes long
> to HMAC_Init( ) then it hashes the key into a short key (20 bytes for SHA,
> for example). But it fails to zero the buffer after the end of the hashed
> key. I have attached a file named hmac.c with 2 inserted lines (Marked
> yostw 032400) that do the necessary zeroing. Also see the code fragment
> below...
>
> I found this problem by comparing the output of the HMAC function with one
> supplied by Epilogue software.
>
> // See the two lines marked with comments //yostw 032400
> HMAC_Init( ... )
> ...
>
> if (j < len)
>     {
>     EVP_DigestInit(&ctx->md_ctx,md);
>     EVP_DigestUpdate(&ctx->md_ctx,key,len);
>     EVP_DigestFinal(&(ctx->md_ctx),ctx->key,
>         &ctx->key_length);
>     // Following are the 2 inserted lines to zero after the hashed key
>     i = ctx->key_length;                          //yostw 032400
>     memset(&(ctx->key[i]),0,sizeof(ctx->key)-i);  //yostw 032400
>     }
>
>
> << File: hmac.c >>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
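The key-buffer handling described in the message above, modelled as an added example in Python (not the hmac.c code from the post or from OpenSSL). It checks a hand-rolled HMAC-SHA1 against Python's own `hmac` module, with and without zeroing the tail of the 64-byte key buffer. The function names, the `zero_tail` flag and the stale buffer contents are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes, and the size of the modelled key buffer

def prepare_key(buf: bytearray, key: bytes, zero_tail: bool) -> None:
    """Fill the 64-byte key buffer in place (hypothetical model of an HMAC init step)."""
    if len(key) > BLOCK:
        digest = hashlib.sha1(key).digest()        # long key becomes a 20-byte hashed key
        buf[:len(digest)] = digest
        if zero_tail:                              # the zeroing step the post adds
            buf[len(digest):] = bytes(BLOCK - len(digest))
    else:
        buf[:len(key)] = key
        buf[len(key):] = bytes(BLOCK - len(key))   # short keys are zero-padded

def hmac_sha1(buf: bytearray, key: bytes, msg: bytes, zero_tail: bool) -> bytes:
    """HMAC-SHA1 computed from whatever the key buffer holds after preparation."""
    prepare_key(buf, key, zero_tail)
    ipad = bytes(b ^ 0x36 for b in buf)
    opad = bytes(b ^ 0x5C for b in buf)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()

def demo():
    long_key = bytes([0xAA]) * 80                  # constructed sample: 80-byte key
    msg = b"Test Using Larger Than Block-Size Key - Hash Key First"
    reference = hmac.new(long_key, msg, hashlib.sha1).digest()

    # Assumption: the buffer still holds leftover bytes, e.g. from an earlier key.
    stale = bytearray(b"K" * BLOCK)
    unpatched = hmac_sha1(bytearray(stale), long_key, msg, zero_tail=False)
    patched = hmac_sha1(bytearray(stale), long_key, msg, zero_tail=True)

    # A buffer that happens to be all zeros hides the missing step.
    lucky = hmac_sha1(bytearray(BLOCK), long_key, msg, zero_tail=False)
    return reference, unpatched, patched, lucky

if __name__ == "__main__":
    reference, unpatched, patched, lucky = demo()
    print("reference :", reference.hex())
    print("unpatched :", unpatched.hex(), "(match)" if unpatched == reference else "(MISMATCH)")
    print("patched   :", patched.hex(), "(match)" if patched == reference else "(MISMATCH)")
    print("lucky     :", lucky.hex(), "(match)" if lucky == reference else "(MISMATCH)")
```

Because the result without zeroing depends on what the buffer held beforehand, a cross-check against a second implementation with a key longer than 64 bytes is the kind of test that exposes it.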