From: bugzilla@apache.org
To: security-dev@xml.apache.org
Subject: DO NOT REPLY [Bug 38604] New: - HMAC signature verification leaks with OpenSSL
Date: Fri, 10 Feb 2006 10:39:53 +0100 (CET)
http://issues.apache.org/bugzilla/show_bug.cgi?id=38604

           Summary: HMAC signature verification leaks with OpenSSL
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: C++ Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: steen.kroyer@cryptomathic.com


* This holds for XML Security C++ 1.2.1 *
(I was unable to choose that version in Bugzilla)

---

In the file OpenSSLCryptoHashHMAC.cpp the destructor should be changed from
simply (line 136):

    OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {}

to

    OpenSSLCryptoHashHMAC::~OpenSSLCryptoHashHMAC() {
        HMAC_CTX_cleanup(&m_hctx);
    }

Otherwise a leak occurs each time an HMAC signed signature is verified.
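
The effect of the empty destructor next to the proposed one, as an added example that is not part of the original report or of XML Security C++. `DemoHmacCtx`, `demo_hmac_init`, `demo_hmac_cleanup`, `LeakyHash`, `FixedHash` and `leaked_after` are hypothetical stand-ins so the code builds without OpenSSL; it assumes that initialising a context allocates heap state which only the cleanup call releases.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <set>

// Hypothetical stand-in for an HMAC context: init allocates digest state on
// the heap, cleanup is the only call that releases it.
static std::set<void*> g_live;               // state buffers not yet freed
struct DemoHmacCtx { void* md_data; };

void demo_hmac_init(DemoHmacCtx* c, const unsigned char* key, size_t len) {
    c->md_data = std::malloc(64);
    if (!c->md_data) std::abort();
    std::memset(c->md_data, 0, 64);
    std::memcpy(c->md_data, key, len < 64 ? len : 64);
    g_live.insert(c->md_data);
}
void demo_hmac_cleanup(DemoHmacCtx* c) {     // plays the role of HMAC_CTX_cleanup
    if (!c->md_data) return;                 // calling it twice is harmless
    g_live.erase(c->md_data);
    std::free(c->md_data);
    c->md_data = nullptr;
}

struct LeakyHash {                           // destructor as reported: empty
    DemoHmacCtx ctx{};
    LeakyHash(const unsigned char* k, size_t n) { demo_hmac_init(&ctx, k, n); }
    ~LeakyHash() {}
};
struct FixedHash {                           // destructor as proposed in the report
    DemoHmacCtx ctx{};
    FixedHash(const unsigned char* k, size_t n) { demo_hmac_init(&ctx, k, n); }
    ~FixedHash() { demo_hmac_cleanup(&ctx); }
    FixedHash(const FixedHash&) = delete;    // a copy would free the state twice
    FixedHash& operator=(const FixedHash&) = delete;
};

// Build and destroy one hash object per verification, then report how many
// state buffers were never released.
template <class Hash> size_t leaked_after(size_t verifications) {
    const unsigned char key[] = "constructed-demo-key";   // constructed sample
    for (size_t i = 0; i < verifications; ++i) { Hash h(key, sizeof key); }
    size_t leaked = g_live.size();
    for (void* p : g_live) std::free(p);     // tidy up so the demo exits clean
    g_live.clear();
    return leaked;
}
int main() {
    std::printf("empty destructor:   %zu leaked\n", leaked_after<LeakyHash>(100));
    std::printf("cleanup destructor: %zu leaked\n", leaked_after<FixedHash>(100));
}
```

The leaked count grows linearly with the number of verifications, so a long-running service that verifies HMAC signatures on request loses memory at a rate set by whoever sends the requests.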