EVP_MAC_init - specify the hash algorithm

Thomas Dwyer III tomiii at tomiii.com
Tue Jul 13 23:38:40 UTC 2021


Thanks for that example. It's very helpful! I didn't know about the new
EVP_MAC API (although I see it now in the migration guide). I wrote my
implementation based on
https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying :-)


Tom.III


On Tue, Jul 13, 2021 at 4:07 PM Dr Paul Dale <pauli at openssl.org> wrote:

> Please don't do it the PKEY way :)
>
> Your code should look more like:
>
> OSSL_PARAM params[2];
> EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> EVP_MAC_CTX *mac_ctx = EVP_MAC_CTX_new(mac);
> EVP_MAC_free(mac); /* Now or later is all good and depends on the app
>                       reusing it or not */
>
> params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
> params[1] = OSSL_PARAM_construct_end();
>
> EVP_MAC_init(mac_ctx, key, key_len, params);
> EVP_MAC_update(mac_ctx, data1, data1_len);
> EVP_MAC_update(mac_ctx, data2, data2_len);
> EVP_MAC_update(mac_ctx, data3, data3_len);
> EVP_MAC_final(mac_ctx, out, &out_size, out_len);
> EVP_MAC_CTX_free(mac_ctx);
>
> There are various other calls that tweak the flow but this is the basic
> idea.
>
>
> Pauli
>
> On 14/7/21 8:48 am, Thomas Dwyer III wrote:
>
> This seems to work for me in 3.0, passing the EVP_MD to
> EVP_DigestSignInit():
>
> pkey = EVP_PKEY_new_mac_key()
> EVP_DigestSignInit()
> EVP_DigestSignUpdate()
> EVP_DigestSignUpdate()
> .
> .
> .
> EVP_DigestSignFinal()
>
>
> Regards,
> Tom.III
>
>
>
> On Tue, Jul 13, 2021 at 11:02 AM Ken Goldman <kgoldman at us.ibm.com> wrote:
>
>> Porting to 3.0 ... HMAC_Init_ex() had a place for
>> the hash algorithm.  EVP_MAC_init() does not,
>> unless it's embedded in the 'params' parameter.
>>
>> Any advice?  Or a sample for doing an
>> HMAC with 3.0?
>>
>>
>