santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38604] New: - HMAC signature verification leaks with OpenSSL
Date Fri, 10 Feb 2006 09:39:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38604>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38604

           Summary: HMAC signature verification leaks with OpenSSL
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: C++ Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: steen.kroyer@cryptomathic.com


* This holds for XML Security C++ 1.2.1 *
(I was unable to choose that version in Bugzilla)
---

In the file OpenSSLCryptoHashHMAC.cpp the destructor should be changed from
simply (line 136):

OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {}

to

OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {
  HMAC_CTX_cleanup(&m_hctx);
}

Otherwise a leak occurs each time an HMAC signed signature is verified.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Mime
View raw message