Fix HMAC() with NULL key

If a NULL key is passed to HMAC_Init_ex(), it tries to reuse the
previous key. This makes no sense inside HMAC() since the HMAC_CTX
has no key set yet. This is hit by HKDF() with NULL salt() via the
EVP API and results in a few Wycheproof test failures. If key is
NULL, use a zero length dummy key.

This was not hit from wycheproof.go since we pass a []byte with a
single NUL from Go.

Matches OpenSSL if key is NULL and key_len is 0. If key_len != 0,
OpenSSL will still fail by passing a NULL key which makes no sense,
so set key_len to 0 instead.

ok beck jsing

1 files changed, 7 insertions, 2 deletions

diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 55989988ad..3421119b7e 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.27 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.28 2022/05/05 18:29:34 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -261,11 +261,16 @@ HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d,
 {
         HMAC_CTX c;
         static unsigned char m[EVP_MAX_MD_SIZE];
+        const unsigned char dummy_key[1] = { 0 };
 
         if (md == NULL)
                 md = m;
+        if (key == NULL) {
+                key = dummy_key;
+                key_len = 0;
+        }
         HMAC_CTX_init(&c);
-        if (!HMAC_Init(&c, key, key_len, evp_md))
+        if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL))
                 goto err;
         if (!HMAC_Update(&c, d, n))
                 goto err;