HMAC verification with EVP Interface

Billy Brumley bbrumley at gmail.com
Fri Aug 27 06:47:07 UTC 2021


> > Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
> > ol' memcmp.
>
> What's the rationale?  The HMAC result isn't secret.

The _purported_ tag is public, but the _ground truth_ tag is not.
Indeed, that's the whole reason to use a constant time compare.
Otherwise, an attacker can adaptively construct a valid tag, or
forgery, for a chosen message (with no previous valid tag seen) by
varying tag bytes and submitting a chosen message with the candidate
tag for verification, and measuring the time. A regular memcmp will
early exit on the first mismatch between the purported tag and the
ground truth tag. In this way, the attack is linear in complexity.

This is the textbook example I give in my crypto courses for timing attacks.

Cheers,

BBB
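To make the point in the reply concrete, here is an added illustration that is not part of the original mail and not OpenSSL's own code: a hypothetical early-exit comparison next to a constant-time one of the kind CRYPTO_memcmp implements, each instrumented with an added `bytes_examined` counter so the data-dependent amount of work is visible without timing anything. The tag bytes are constructed, not real HMAC output; `TAG_LEN`, `naive_tag_equal`, `ct_tag_equal`, `make_tags`, `bytes_examined_for` and `tags_equal_for` are names chosen here. In production code, compare the computed tag against the received one with `CRYPTO_memcmp()` from `<openssl/crypto.h>` rather than rolling your own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 32  /* e.g. HMAC-SHA256 output length; assumption for the demo */

/* Hypothetical early-exit comparison, written here only to show the leak the
 * mail describes: it stops at the first differing byte, so the work done (and
 * hence the time taken) depends on how many leading bytes of the purported tag
 * agree with the ground-truth tag. `bytes_examined` is an added counter; a real
 * memcmp has no such output. Do not use this for tag verification. */
static int naive_tag_equal(const uint8_t *purported, const uint8_t *truth,
                           size_t len, size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        (*bytes_examined)++;
        if (purported[i] != truth[i])
            return 0;           /* early exit: position of mismatch leaks */
    }
    return 1;
}

/* Constant-time comparison: always touches every byte, ORs together the XOR
 * differences, and reports only whether any bit differed. This is the same idea
 * as OpenSSL's CRYPTO_memcmp; `volatile` discourages the compiler from
 * reintroducing a short-circuit. The counter is again only for illustration. */
static int ct_tag_equal(const uint8_t *purported, const uint8_t *truth,
                        size_t len, size_t *bytes_examined)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        (*bytes_examined)++;
        diff |= (uint8_t)(purported[i] ^ truth[i]);
    }
    return diff == 0;
}

/* Constructed sample data: a ground-truth tag and a purported tag that agrees
 * with it on every byte before `mismatch_index` and differs at that index.
 * mismatch_index == TAG_LEN yields identical tags. Not derived from any key. */
static void make_tags(size_t mismatch_index, uint8_t truth[TAG_LEN],
                      uint8_t purported[TAG_LEN])
{
    size_t i;
    for (i = 0; i < TAG_LEN; i++) {
        truth[i] = (uint8_t)(0xA5 ^ (i * 7));
        purported[i] = truth[i];
    }
    if (mismatch_index < TAG_LEN)
        purported[mismatch_index] ^= 0x01;
}

/* How many bytes the chosen comparison inspects for a given mismatch position. */
size_t bytes_examined_for(size_t mismatch_index, int constant_time)
{
    uint8_t truth[TAG_LEN], purported[TAG_LEN];
    size_t examined = 0;
    make_tags(mismatch_index, truth, purported);
    if (constant_time)
        ct_tag_equal(purported, truth, TAG_LEN, &examined);
    else
        naive_tag_equal(purported, truth, TAG_LEN, &examined);
    return examined;
}

/* Verification verdict (1 = tags match) for a given mismatch position. */
int tags_equal_for(size_t mismatch_index, int constant_time)
{
    uint8_t truth[TAG_LEN], purported[TAG_LEN];
    size_t examined = 0;
    make_tags(mismatch_index, truth, purported);
    return constant_time ? ct_tag_equal(purported, truth, TAG_LEN, &examined)
                         : naive_tag_equal(purported, truth, TAG_LEN, &examined);
}

int main(void)
{
    size_t pos;
    printf("mismatch at byte | early-exit work | constant-time work\n");
    for (pos = 0; pos <= TAG_LEN; pos += 8) {
        printf("%16zu | %15zu | %18zu\n", pos,
               bytes_examined_for(pos, 0), bytes_examined_for(pos, 1));
    }
    return 0;
}
```

The table the program prints shows the early-exit column growing with the position of the first wrong byte while the constant-time column stays at 32 regardless, which is exactly the signal the mail says a per-byte guessing strategy relies on and the constant-time compare removes.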


More information about the openssl-users mailing list