<div dir="ltr"><div dir="ltr"><div>Thanks for that example. It's very helpful! I didn't know about the new EVP_MAC API (although I see it now in the migration guide). I wrote my implementation based on <a href="https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying">https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying</a> :-)</div><div><br></div><div><br></div><div>Tom.III</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021 at 4:07 PM Dr Paul Dale <<a href="mailto:pauli@openssl.org">pauli@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Please don't do it the PKEY way :)<br>
<br>
Your code should look more like:<br>
<blockquote><font face="monospace">OSSL_PARAMS params[2];</font><br>
<font face="monospace">EVP_MAC *mac = EVP_MAC_new(NULL, "HMAC",
NULL);</font><br>
<font face="monospace">EVP_MAC_CTX *mac_ctx =
EVP_MAC_CTX_new(mac);</font><br>
<font face="monospace">EVP_MAC_free(mac); /* Now or later is all
good and depends on the app reusing it or not */</font><br>
<br>
<font face="monospace">params[0] =
OSSL_PARAMS_construct_utf8_string("digest", "SHA256", 0);</font><br>
<font face="monospace">params[1] = OSSL_PARAMS_construct_end();</font><br>
<br>
<font face="monospace">EVP_MAC_init(mac_ctx, key, key_len,
params);</font><br>
<font face="monospace">EVP_MAC_update(mac_ctx, data1, data1_len);</font><font face="monospace"><br>
EVP_MAC_update(mac_ctx, data2, data2_len);<br>
</font><font face="monospace">EVP_MAC_update(mac_ctx, data3,
data3_len);</font><br>
<font face="monospace">EVP_MAC_final(mac_ctx, out, &out_size,
out_len);</font><br>
<font face="monospace">EVP_MAC_CTX_free(mac_ctx);</font><br>
</blockquote>
There are various other calls that tweak the flow but this is the
basic idea.<br>
<br>
<br>
Pauli<br>
<br>
<div>On 14/7/21 8:48 am, Thomas Dwyer III
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>This seems to work for me in 3.0, passing the EVP_MD to
EVP_DigestSignInit():</div>
<div><br>
</div>
<div style="margin-left:40px">pkey = EVP_PKEY_new_mac_key()<br>
</div>
<div style="margin-left:40px">EVP_DigestSignInit()</div>
<div style="margin-left:40px">EVP_DigestSignUpdate()</div>
<div style="margin-left:40px">EVP_DigestSignUpdate()</div>
<div style="margin-left:40px">.</div>
<div style="margin-left:40px">.</div>
<div style="margin-left:40px">.</div>
<div style="margin-left:40px">EVP_DigestSignFinal()</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Tom.III</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021 at 11:02
AM Ken Goldman <<a href="mailto:kgoldman@us.ibm.com" target="_blank">kgoldman@us.ibm.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Porting
to 3.0 ... HMAC_Init_ex() had a place for<br>
the hash algorithm. EVP_MAC_init() does not,<br>
unless it's embedded in the 'params' parameter.<br>
<br>
Any advice? Or a sample for doing an<br>
HMAC with 3.0?<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div></div>