[openssl-dev] [openssl.org #4603] HMAC_Init_ex incompatible change (possibly doc bug)

Kurt Roeckx via RT rt at openssl.org
Sat Jul 2 11:13:45 UTC 2016 

Hi,

I received the following bug:
https://bugs.debian.org/829108

the HMAC manpage states:

   HMAC_Init_ex() initializes or reuses a HMAC_CTX structure to use the
   function evp_md and key key. Either can be NULL, in which case the
   existing one will be reused.

However, the current code does not allow the key to be zero when evp_md is
non-zero in all cases:

    /* If we are changing MD then we must have a key */
    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
        return 0;

That means contrary to the documentation, the existing salt isn't reused
when the md argument is non-zero (and changes).

The issue is corrobated by the fact that HMAC_init_ex only relatively
recently gained a status return, so older programs won't check the return
value and will continue on, getting wrong results.

This particular line was introduced with this change:

https://github.com/openssl/openssl/commit/4b464e7b46682f568a5df550426b0cf4b22e2485

Although I don't know whether this just reworks the logic or introduces
the problem in the first place.

One program that might to be affected is GVPE - I opened a bug report
about it no longer working, although I can't find it at the moment. It
is possible (but not certain) that this is the reason for it no longer
working. Even though GVPE has had return code checking, due to a glitch
it wasn't enabled before openssl 1.1.0, so would not trigger with 1.0.x
builds.

So, either:

a) this is an incompatible and unintended change. in this case, there is potential
   for programs silently failing to compute correct hmacs now.
b) this is an incompatible but intended change, in which case this is a documentation
   bug.
c) this is not an incompatible recent change, in which case the logic always
   was like this but was reworked. in this case it is a documentation bug as well.
d) it is intended behaviour and the previous behaviour
   wasn't correct (e.g. it didn't reuse the key, but did something else).
   also a documentation bug in this case.

If this is an unintended behaviour change, maybe the large scale API
breakage in 1.1.0 would be a good moment to also rename HMAC_init_ex, so
programs have a chance to adaot.



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4603
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list