from the OpenSSL documentation:
It places the result in md (which must have space for the output of the hash function, which is no more than EVP_MAX_MD_SIZE bytes). If md is NULL, the digest is placed in a static array. The size of the output is placed in md_len, unless it is NULL. Note: passing a NULL value for md to use the static array is not thread safe.
We are calling HMAC() as follows:
Given that this code does not run inside a process, race conditions could occur.