[openssl-dev] [openssl.org #3942] Patch to fix issue with HMAC_init_ex in 1.0.1

Matthew A. Brannigan via RT rt at openssl.org
Tue Jul 14 17:14:08 UTC 2015


During testing with strongswan 5.1.3, an issue with OpenSSL 1.0.1o was
found.  OpenSSL 1.0.1o has added code in HMAC_Init_ex() to detect
changing of the message digest function. But that does not work when the
context has just been initialized with HMAC_CTX_init(). In this case,
ctx->md will be NULL after initialization and will not be equal to the
function returned by EVP_sha256() and passed to HMAC_Init_ex().

Enclosed is a patch and test case.

-------------- next part --------------
diff -urN openssl-1.0.1p.orig/crypto/hmac/hmac.c openssl-1.0.1p/crypto/hmac/hmac.c
--- openssl-1.0.1p.orig/crypto/hmac/hmac.c	2015-07-09 08:21:24.000000000 -0400
+++ openssl-1.0.1p/crypto/hmac/hmac.c	2015-07-14 11:15:21.754743504 -0400
@@ -88,7 +88,7 @@
     }
 #endif
     /* If we are changing MD then we must have a key */
-    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+    if (md != NULL && md != ctx->md && ctx->md != NULL && (key == NULL || len < 0))
         return 0;
 
     if (md != NULL) {
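Review bot: the comment directly above the changed condition, "If we are changing MD then we must have a key", no longer describes the check once `ctx->md != NULL` is added: a freshly initialized context (ctx->md == NULL after HMAC_CTX_init(), as the report says) now accepts a new md with a NULL key, so the comment should state that the key requirement only applies when an already-selected digest is being replaced. Writing the cheap test first, `ctx->md != NULL && md != ctx->md`, also reads more naturally. One thing to confirm beyond this hunk: on that fresh-context path HMAC_Init_ex() now falls through the guard with key == NULL, so the code that follows (from `if (md != NULL) {`) must cope with ctx->md being set while no key has been supplied; the attached test only checks the return value of that first call, and a follow-up assertion that a later keyed HMAC_Init_ex() on the same context still succeeds would make the test case stronger.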
-------------- next part --------------
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    HMAC_CTX ctx;
    int ret;

    (void)argc;
    (void)argv;

    /* Freshly initialized context: ctx->md is NULL until the first
     * HMAC_Init_ex() selects a digest. */
    HMAC_CTX_init(&ctx);

    /* Select SHA-256 on the fresh context without supplying a key.
     * With the unpatched check this is treated as a digest change
     * without a key and HMAC_Init_ex() returns 0. */
    ret = HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL);

    if (ret == 0) {
        printf("Failed\n");
        HMAC_CTX_cleanup(&ctx);
        return 1;
    }

    printf("Success\n");
    HMAC_CTX_cleanup(&ctx);

    return 0;
}

-------------- next part --------------
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod