124372 2013-11-14 11:41:05 -0800 [Mac] HMAC sign/verify crashes when key is empty 2013-11-14 11:54:36 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 122679 1 ap ap oldest_to_newest 950781 0 ap 2013-11-14 11:41:05 -0800 Even when key length is 0, CommonCrypto still requires a non-null key data pointer. 950782 1 216965 ap 2013-11-14 11:45:49 -0800 Created attachment 216965 proposed fix 950785 2 ap 2013-11-14 11:54:36 -0800 Committed <http://trac.webkit.org/r159299>. 216965 2013-11-14 11:45:49 -0800 2013-11-14 11:51:12 -0800 proposed fix HMACNullKey.txt text/plain 5696 ap SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE1OTI5OCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBACisyMDEzLTExLTE0ICBBbGV4ZXkg UHJvc2t1cnlha292ICA8YXBAYXBwbGUuY29tPgorCisgICAgICAgIFtNYWNdIEhNQUMgc2lnbi92 ZXJpZnkgY3Jhc2hlcyB3aGVuIGtleSBpcyBlbXB0eQorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTI0MzcyCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDogY3J5cHRvL3N1YnRsZS9obWFjLXNpZ24tdmVy aWZ5LWVtcHR5LWtleS5odG1sCisKKyAgICAgICAgKiBjcnlwdG8vbWFjL0NyeXB0b0FsZ29yaXRo bUhNQUNNYWMuY3BwOiAoV2ViQ29yZTo6Y2FsY3VsYXRlU2lnbmF0dXJlKTogR2l2ZSBpdAorICAg ICAgICBhIG5vbi1udWxsIHBvaW50ZXIgdGhlbi4KKwogMjAxMy0xMS0xNCAgQWxleGV5IFByb3Nr dXJ5YWtvdiAgPGFwQGFwcGxlLmNvbT4KIAogICAgICAgICBJbXBsZW1lbnQgUlNBU1NBLVBLQ1Mx LXYxXzUgc2lnbi92ZXJpZnkKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2NyeXB0by9tYWMvQ3J5cHRv QWxnb3JpdGhtSE1BQ01hYy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvY3J5cHRv L21hYy9DcnlwdG9BbGdvcml0aG1ITUFDTWFjLmNwcAkocmV2aXNpb24gMTU5Mjk1KQorKysgU291 cmNlL1dlYkNvcmUvY3J5cHRvL21hYy9DcnlwdG9BbGdvcml0aG1ITUFDTWFjLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtODMsNyArODMsOCBAQCBzdGF0aWMgVmVjdG9yPHVuc2lnbmVkIGNoYXI+IGNh bGN1bGF0ZVNpCiAgICAgfQogCiAgICAgQ0NIbWFjQ29udGV4dCBjb250ZXh0OwotICAgIENDSG1h Y0luaXQoJmNvbnRleHQsIGFsZ29yaXRobSwga2V5LmRhdGEoKSwga2V5LnNpemUoKSk7CisgICAg Y29uc3QgY2hhcioga2V5RGF0YSA9IGtleS5kYXRhKCkgPyBrZXkuZGF0YSgpIDogIiI7IC8vIDxy ZGFyOi8vcHJvYmxlbS8xNTQ2NzQyNT4gSE1BQyBjcmFzaGVzIHdoZW4ga2V5IHBvaW50ZXIgaXMg bnVsbC4KKyAgICBDQ0htYWNJbml0KCZjb250ZXh0LCBhbGdvcml0aG0sIGtleURhdGEsIGtleS5z aXplKCkpOwogICAgIGZvciAoc2l6ZV90IGkgPSAwLCBzaXplID0gZGF0YS5zaXplKCk7IGkgPCBz aXplOyArK2kpCiAgICAgICAgIENDSG1hY1VwZGF0ZSgmY29udGV4dCwgZGF0YVtpXS5maXJzdCwg ZGF0YVtpXS5zZWNvbmQpOwogCkluZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCShyZXZpc2lvbiAxNTkyOTgpCisrKyBMYXlvdXRU ZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxMyBAQAorMjAxMy0xMS0x NCAgQWxleGV5IFByb3NrdXJ5YWtvdiAgPGFwQGFwcGxlLmNvbT4KKworICAgICAgICBbTWFjXSBI TUFDIHNpZ24vdmVyaWZ5IGNyYXNoZXMgd2hlbiBrZXkgaXMgZW1wdHkKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEyNDM3MgorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogY3J5cHRvL3N1YnRsZS9obWFjLXNp Z24tdmVyaWZ5LWVtcHR5LWtleS1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGNyeXB0 by9zdWJ0bGUvaG1hYy1zaWduLXZlcmlmeS1lbXB0eS1rZXkuaHRtbDogQWRkZWQuCisKIDIwMTMt MTEtMTQgIFNhbXVlbCBXaGl0ZSAgPHNhbXVlbF93aGl0ZUBhcHBsZS5jb20+CiAKICAgICAgICAg QVg6IENhbGxpbmcgTlNBY2Nlc3NpYmlsaXR5Q29sdW1uc0F0dHJpYnV0ZSBhbmQgTlNBY2Nlc3Np YmlsaXR5Um93c0F0dHJpYnV0ZSBzaW1wbHkgdG8gZ2V0IGNvbHVtbi9yb3cgY291bnQgY2FuIGJl IHZlcnkgZXhwZW5zaXZlLgpJbmRleDogTGF5b3V0VGVzdHMvY3J5cHRvL3N1YnRsZS9obWFjLXNp Z24tdmVyaWZ5LWVtcHR5LWtleS1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVz dHMvY3J5cHRvL3N1YnRsZS9obWFjLXNpZ24tdmVyaWZ5LWVtcHR5LWtleS1leHBlY3RlZC50eHQJ KHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9jcnlwdG8vc3VidGxlL2htYWMtc2lnbi12ZXJp ZnktZW1wdHkta2V5LWV4cGVjdGVkLnR4dAkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDIwIEBA CitUZXN0IEhNQUMgc2lnbiBhbmQgdmVyaWZ5IGZ1bmN0aW9ucyB3aXRoIGFuIGVtcHR5IGtleS4K KworT24gc3VjY2VzcywgeW91IHdpbGwgc2VlIGEgc2VyaWVzIG9mICJQQVNTIiBtZXNzYWdlcywg Zm9sbG93ZWQgYnkgIlRFU1QgQ09NUExFVEUiLgorCisKK0ltcG9ydGluZyBhIHJhdyBITUFDIGtl eSBmcm9tIHN0cmluZyBsaXRlcmFsLi4uCitQQVNTIGtleS50eXBlIGlzICdzZWNyZXQnCitQQVNT IGtleS5leHRyYWN0YWJsZSBpcyB0cnVlCitQQVNTIGtleS5hbGdvcml0aG0ubmFtZSBpcyAnaG1h YycKK1BBU1Mga2V5LmFsZ29yaXRobS5sZW5ndGggaXMgMAorUEFTUyBrZXkuYWxnb3JpdGhtLmhh c2gubmFtZSBpcyAnc2hhLTEnCitQQVNTIGtleS51c2FnZXMgaXMgWydzaWduJywgJ3ZlcmlmeSdd CitVc2luZyB0aGUga2V5IHRvIHNpZ24gJ2ZvbycuLi4KK1BBU1MgYnl0ZUFycmF5VG9IZXhTdHJp bmcobmV3IFVpbnQ4QXJyYXkoc2lnbmF0dXJlKSkgaXMgJ1thMyBjYyA3NyAwZiBjMCAzMyBlMiBj YiA0MSA5ZCA0MiBiNiA0ZSAwMCA4MSBhMyBiZCAzYiBlMyAwZV0nCitWZXJpZnlpbmcgdGhlIHNp Z25hdHVyZS4uLgorUEFTUyB2ZXJpZmljYXRpb25SZXN1bHQgaXMgdHJ1ZQorUEFTUyBzdWNjZXNz ZnVsbHlQYXJzZWQgaXMgdHJ1ZQorCitURVNUIENPTVBMRVRFCisKClByb3BlcnR5IGNoYW5nZXMg b246IExheW91dFRlc3RzL2NyeXB0by9zdWJ0bGUvaG1hYy1zaWduLXZlcmlmeS1lbXB0eS1rZXkt ZXhwZWN0ZWQudHh0Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18KQWRkZWQ6IHN2bjptaW1lLXR5cGUKIyMgLTAsMCArMSAj IwordGV4dC9wbGFpbgpcIE5vIG5ld2xpbmUgYXQgZW5kIG9mIHByb3BlcnR5CkFkZGVkOiBzdm46 ZW9sLXN0eWxlCiMjIC0wLDAgKzEgIyMKK25hdGl2ZQpcIE5vIG5ld2xpbmUgYXQgZW5kIG9mIHBy b3BlcnR5CkluZGV4OiBMYXlvdXRUZXN0cy9jcnlwdG8vc3VidGxlL2htYWMtc2lnbi12ZXJpZnkt ZW1wdHkta2V5Lmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvY3J5cHRvL3N1YnRsZS9o bWFjLXNpZ24tdmVyaWZ5LWVtcHR5LWtleS5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVz dHMvY3J5cHRvL3N1YnRsZS9obWFjLXNpZ24tdmVyaWZ5LWVtcHR5LWtleS5odG1sCSh3b3JraW5n IGNvcHkpCkBAIC0wLDAgKzEsNDkgQEAKKzwhRE9DVFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4K KzxzY3JpcHQgc3JjPSIuLi8uLi9yZXNvdXJjZXMvanMtdGVzdC1wcmUuanMiPjwvc2NyaXB0Pgor PHNjcmlwdCBzcmM9InJlc291cmNlcy9jb21tb24uanMiPjwvc2NyaXB0PgorPC9oZWFkPgorPGJv ZHk+Cis8cCBpZD0iZGVzY3JpcHRpb24iPjwvcD4KKzxkaXYgaWQ9ImNvbnNvbGUiPjwvZGl2Pgor Cis8c2NyaXB0PgorZGVzY3JpcHRpb24oIlRlc3QgSE1BQyBzaWduIGFuZCB2ZXJpZnkgZnVuY3Rp b25zIHdpdGggYW4gZW1wdHkga2V5LiIpOworCitqc1Rlc3RJc0FzeW5jID0gdHJ1ZTsKKworaWYg KCF3aW5kb3cuc3VidGxlKQorICAgIHdpbmRvdy5jcnlwdG8uc3VidGxlID0gd2luZG93LmNyeXB0 by53ZWJraXRTdWJ0bGU7CisKK3ZhciBobWFjS2V5ID0gYXNjaWlUb0FycmF5QnVmZmVyKCcnKTsK K3ZhciBleHRyYWN0YWJsZSA9IHRydWU7CisKK2RlYnVnKCJJbXBvcnRpbmcgYSByYXcgSE1BQyBr ZXkgZnJvbSBzdHJpbmcgbGl0ZXJhbC4uLiIpOworY3J5cHRvLnN1YnRsZS5pbXBvcnRLZXkoInJh dyIsIGhtYWNLZXksIHtuYW1lOiAnaG1hYycsIGhhc2g6IHtuYW1lOiAnc2hhLTEnfX0sIGV4dHJh Y3RhYmxlLCBbInNpZ24iLCAidmVyaWZ5Il0pLnRoZW4oZnVuY3Rpb24ocmVzdWx0KSB7CisgICAg a2V5ID0gcmVzdWx0OworICAgIHNob3VsZEJlKCJrZXkudHlwZSIsICInc2VjcmV0JyIpOworICAg IHNob3VsZEJlKCJrZXkuZXh0cmFjdGFibGUiLCAidHJ1ZSIpOworICAgIHNob3VsZEJlKCJrZXku YWxnb3JpdGhtLm5hbWUiLCAiJ2htYWMnIik7CisgICAgc2hvdWxkQmUoImtleS5hbGdvcml0aG0u bGVuZ3RoIiwgIjAiKTsgLy8gU2VlIDxodHRwczovL3d3dy53My5vcmcvQnVncy9QdWJsaWMvc2hv d19idWcuY2dpP2lkPTIzMDk4Pi4KKyAgICBzaG91bGRCZSgia2V5LmFsZ29yaXRobS5oYXNoLm5h bWUiLCAiJ3NoYS0xJyIpOworICAgIHNob3VsZEJlKCJrZXkudXNhZ2VzIiwgIlsnc2lnbicsICd2 ZXJpZnknXSIpOworCisgICAgZGVidWcoIlVzaW5nIHRoZSBrZXkgdG8gc2lnbiAnZm9vJy4uLiIp OworICAgIHJldHVybiBjcnlwdG8uc3VidGxlLnNpZ24oa2V5LmFsZ29yaXRobSwga2V5LCBbYXNj aWlUb0FycmF5QnVmZmVyKCdmb28nKV0pOworfSkudGhlbihmdW5jdGlvbihyZXN1bHQpIHsKKyAg ICBzaWduYXR1cmUgPSByZXN1bHQ7CisgICAgc2hvdWxkQmUoImJ5dGVBcnJheVRvSGV4U3RyaW5n KG5ldyBVaW50OEFycmF5KHNpZ25hdHVyZSkpIiwgIidbYTMgY2MgNzcgMGYgYzAgMzMgZTIgY2Ig NDEgOWQgNDIgYjYgNGUgMDAgODEgYTMgYmQgM2IgZTMgMGVdJyIpOworCisgICAgZGVidWcoIlZl cmlmeWluZyB0aGUgc2lnbmF0dXJlLi4uIik7CisgICAgcmV0dXJuIGNyeXB0by5zdWJ0bGUudmVy aWZ5KGtleS5hbGdvcml0aG0sIGtleSwgcmVzdWx0LCBbYXNjaWlUb0FycmF5QnVmZmVyKCdmb28n KV0pOworfSkudGhlbihmdW5jdGlvbihyZXN1bHQpIHsKKyAgICB2ZXJpZmljYXRpb25SZXN1bHQg PSByZXN1bHQ7CisgICAgc2hvdWxkQmUoInZlcmlmaWNhdGlvblJlc3VsdCIsICJ0cnVlIik7Cisg ICAgZmluaXNoSlNUZXN0KCk7Cit9KTsKKzwvc2NyaXB0PgorCis8c2NyaXB0IHNyYz0iLi4vLi4v cmVzb3VyY2VzL2pzLXRlc3QtcG9zdC5qcyI+PC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0bWw+CgpQ cm9wZXJ0eSBjaGFuZ2VzIG9uOiBMYXlvdXRUZXN0cy9jcnlwdG8vc3VidGxlL2htYWMtc2lnbi12 ZXJpZnktZW1wdHkta2V5Lmh0bWwKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpBZGRlZDogc3ZuOm1pbWUtdHlwZQojIyAt MCwwICsxICMjCit0ZXh0L2h0bWwKXCBObyBuZXdsaW5lIGF0IGVuZCBvZiBwcm9wZXJ0eQo=