Bug 38604 - HMAC signature verification leaks with OpenSSL
Summary: HMAC signature verification leaks with OpenSSL
Status: RESOLVED FIXED
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: C++ Signature (show other bugs)
Version: unspecified
Hardware: Other All
: P2 normal
Target Milestone: ---
Assignee: XML Security Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-10 10:39 UTC by Steen Kroyer
Modified: 2006-04-16 02:49 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Steen Kroyer 2006-02-10 10:39:52 UTC 
* This holds for XML Security C++ 1.2.1 *
(I was unable to choose that version in Bugzilla)
---

In the file OpenSSLCryptoHashHMAC.cpp the destructor should be changed from
simply (line 136):

OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {}

to

OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {
  HMAC_CTX_cleanup(&m_hctx);
}

Otherwise a leak occurs each time an HMAC signed signature is verified.
Comment 1 Berin Lautenbach 2006-04-16 09:49:43 UTC 
This (and a number of other similar lines) have been fixed in the HMAC code.

Thanks!