EVP_MAC way of setting the digest algorithm

Olivier Mascia om at integral.be
Wed Sep 27 08:53:10 UTC 2023


The documentation recommends not to use, for instance, EVP_sha256() __each time__ it is needed when setting up an EVP_MD_CTX like in this partial code (intentionally without error condition tests):

	EVP_MD_CTX* ctx = EVP_MD_CTX_new();
	EVP_DigestInit_ex(ctx, EVP_sha256(), nullptr);

But that it would be wiser to use EVP_MD_fetch() and cache that while it fits, like in some cache structure which would hold a handful of algorithms useful to the repetitive task:

	EVP_MD* evp_sha256 = EVP_MD_fetch(nullptr, "SHA-256", nullptr);

And so, reuse that pointer in EVP_DigestInit_ex() to spare a call to EVP_sha256() or EVP_MD_fetch() each time.

When using the EVP_MAC_ interfaces, I can follow the same principle for the EVP_MAC* itself which will be passed to EVP_MAC_CTX_new(), after calling and caching EVP_MAC_fetch(nullptr, "HMAC", nullptr).  Yet, I find no way of setting the digest algorithm to use for this hmac, other than by text through OSSL_PARAM:

	const OSSL_PARAM params[] = {
		{"digest", OSSL_PARAM_UTF8_STRING, (void*)"SHA-256", 7, 0},
		{nullptr, 0, nullptr, 0, 0}
	};

Is this really intentional? Is there another way? If, for a hmac, it is perfectly acceptable, having no other way, to select the hash algorithm through text search each time it is needed, then why would this be less acceptable for EVP_MD_ interfaces themselves?

I have no functional issue.  It works.  The API just leaves me puzzled.

Olivier Mascia
