Fix HMAC() with NULL key

If a NULL key is passed to HMAC_Init_ex(), it tries to reuse the
previous key. This makes no sense inside HMAC() since the HMAC_CTX
has no key set yet. This is hit by HKDF() with NULL salt() via the
EVP API and results in a few Wycheproof test failures. If key is
NULL, use a zero length dummy key.

This was not hit from wycheproof.go since we pass a []byte with a
single NUL from Go.

Matches OpenSSL if key is NULL and key_len is 0. If key_len != 0,
OpenSSL will still fail by passing a NULL key which makes no sense,
so set key_len to 0 instead.

ok beck jsing

1 files changed, 7 insertions, 2 deletions

diff --git a/lib/libcrypto/hmac/hmac.c b/lib/libcrypto/hmac/hmac.c
index 55989988add..3421119b7e6 100644
--- a/lib/libcrypto/hmac/hmac.c
+++ b/lib/libcrypto/hmac/hmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.27 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.28 2022/05/05 18:29:34 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -261,11 +261,16 @@ HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d,
 {
 	HMAC_CTX c;
 	static unsigned char m[EVP_MAX_MD_SIZE];
+	const unsigned char dummy_key[1] = { 0 };
 
 	if (md == NULL)
 		md = m;
+	if (key == NULL) {
+		key = dummy_key;
+		key_len = 0;
+	}
 	HMAC_CTX_init(&c);
-	if (!HMAC_Init(&c, key, key_len, evp_md))
+	if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL))
 		goto err;
 	if (!HMAC_Update(&c, d, n))
 		goto err;