Subject: MD5() is broken (truncates binary data)
The MD5() wrapper in SSLeay.xs uses XSRETURN_PV on the returned 16-byte hash string. The problem is XSRETURN_PV treats the hash data as a normal ASCII null-terminated string; thus, if there are any 0x00 values anywhere in the string, you wind up with a truncated MD5 value being returned to the Perl script. This breaks all manner of fingerprints/verification/hashing the script may implement using Net::SSLeay::MD5() (since I use Net::SSLeay already, I find it convenient to use Net::SSLeay::MD5(), rather than deal with installing Digest::MD5 as well).
Example code to demonstrate problem:
use Net::SSLeay;
my $hash = Net::SSLeay::MD5('38');
print unpack('H32', $hash), "\n";
The output is 'a5771bce93e2', when the actual hash should be 'a5771bce93e200c36f7cd9dfd0e5deaa'. Note the '00' that caused the premature termination.
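The truncation mechanism described above, modelled in stand-alone C as an added example (not code from the report or from Net::SSLeay): the digest bytes are the ones quoted in the report, and the function names are hypothetical. It contrasts a return path that measures the buffer as a C string with one that carries the 16-byte length explicitly, which is what Perl's length-taking calls such as sv_setpvn do.

```c
#include <stdio.h>
#include <string.h>

#define MD5_LEN 16

/* MD5("38") as quoted in the report; the seventh byte is 0x00. */
static const unsigned char DIGEST[MD5_LEN] = {
    0xa5, 0x77, 0x1b, 0xce, 0x93, 0xe2, 0x00, 0xc3,
    0x6f, 0x7c, 0xd9, 0xdf, 0xd0, 0xe5, 0xde, 0xaa
};

/* Models a C-string return: length is "bytes before the first 0x00".
 * A real strlen() is unbounded and would read past a digest that has
 * no zero byte; memchr() keeps this model inside the buffer. */
size_t copy_cstring(const unsigned char *md, unsigned char *out)
{
    const unsigned char *nul = memchr(md, 0x00, MD5_LEN);
    size_t n = nul ? (size_t)(nul - md) : MD5_LEN;
    memcpy(out, md, n);
    return n;
}

/* Models a counted return: the digest length is passed explicitly. */
size_t copy_counted(const unsigned char *md, unsigned char *out)
{
    memcpy(out, md, MD5_LEN);
    return MD5_LEN;
}

/* Hex-encode n bytes into out (needs 2*n + 1 chars). */
void to_hex(const unsigned char *p, size_t n, char *out)
{
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02x", p[i]);
}

int main(void)
{
    unsigned char buf[MD5_LEN];
    char hex[2 * MD5_LEN + 1];
    size_t n = copy_cstring(DIGEST, buf);
    to_hex(buf, n, hex);
    printf("C-string return: %zu bytes %s\n", n, hex);
    n = copy_counted(DIGEST, buf);
    to_hex(buf, n, hex);
    printf("counted return:  %zu bytes %s\n", n, hex);
    return 0;
}
```

A caller can detect the truncated case by checking that the returned digest is exactly 16 bytes long before using it in a comparison.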