Santuario / SANTUARIO-68

HMAC signature verification leaks with OpenSSL

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: C++ 1.6.0
    • Component/s: C++
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None
    • Environment:
      Operating System: All
      Platform: Other

      Description

      This holds for XML Security C++ 1.2.1
      (I was unable to choose that version in Bugzilla)

      In the file OpenSSLCryptoHashHMAC.cpp the destructor should be changed from
      simply (line 136):

      OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {}

      to

      OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {
          HMAC_CTX_cleanup(&m_hctx);
      }

      Otherwise a leak occurs each time an HMAC signed signature is verified.

          People

          • Assignee: Unassigned
          • Reporter: Steen Kroyer