[openssl-dev] HMAC ABI fix.
Scott Harrison
scott.opensshdev.2015 at scottrix.co.uk
Fri Jun 19 06:53:34 UTC 2015
Matt,
Thanks for the clarification.
Scott.
On Fri, Jun 19, 2015 at 01:04:08AM +0100, Matt Caswell wrote:
>
>
>On 18/06/15 23:55, scott.opensshdev.2015 at scottrix.co.uk wrote:
>> Hi,
>>
>> We use openssl extensively in our product, today we upgraded from
>> openssl 1.0.2b to 1.0.2c (we build everything from source so the ABI
>> change from 1.0.2a to 1.0.2b didn't affect us), and are seeing issues.
>> I think I have tracked it down to the lines below from HMAC_init_ex,
>> which were introduced as part of the HMAC ABI fix
>> (1030f89f5ea238820645e3d34049eb1bd30e81c4):
>>
>> + /* If we are changing MD then we must have a key */
>> + if (md != NULL && md != ctx->md && (key == NULL || len < 0))
>> + return 0;
>>
>> previously you could call HMAC_init_ex with an evp_md and a NULL key,
>> this would save the evp_md in the HMAC_ctx and return, now it just
>> returns and on first call you need to provide both a key and an evp_md.
>> Before I go and modify our code, is this change intentional ?
>
>Yes. The previous code was quite broken in this area - this change
>seemed the least impact option without breaking the ABI and resolving
>the issues.
>
>> The docs (http://www.openssl.org/docs/crypto/hmac.html) state:
>>
>> HMAC_Init_ex() initialises or reuses a HMAC_CTX structure to use the
>> function evp_md and key key. Either can be NULL, in which case the
>> existing one will be reused. HMAC_CTX_init() must have been called
>> before the first use of an HMAC_CTX in this function.
>
>In order to reuse an existing one there has to be something there in the
>first place to reuse - so whilst what you were doing worked, I don't
>think that was guaranteed by the documentation! Although actually the
>docs probably need updating because I don't think it ever makes sense to
>change the MD and reuse the key (the previous code wouldn't have worked
>doing this anyway).
>
>Matt
>
>_______________________________________________
>openssl-dev mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
More information about the openssl-dev
mailing list