Matt,

Thanks for the clarification.

Scott.

On Fri, Jun 19, 2015 at 01:04:08AM +0100, Matt Caswell wrote:


On 18/06/15 23:55, [email protected] wrote:
Hi,

We use openssl extensively in our product, today we upgraded from
openssl 1.0.2b to 1.0.2c (we build everything from source so the ABI
change from 1.0.2a to 1.0.2b didn't affect us), and are seeing issues.
I think I have tracked it down to the lines below from HMAC_Init_ex,
which were introduced as part of the HMAC ABI fix
(1030f89f5ea238820645e3d34049eb1bd30e81c4):

+    /* If we are changing MD then we must have a key */
+    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+        return 0;
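Review bot: this early return makes the documented contract ("Either can be NULL, in which case the existing one will be reused") stale for a freshly initialised context, because ctx->md is NULL there and any non-NULL md with a NULL key now fails; the pod should be updated in the same change to say that the first call must supply both key and md, and that switching md always requires a key. The bare `return 0;` also pushes nothing onto the error queue, so callers cannot tell this precondition failure apart from other HMAC_Init_ex failures; consider raising an HMAC error here so the breakage reported by users upgrading from 1.0.2b is diagnosable.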

previously you could call HMAC_Init_ex with an evp_md and a NULL key,
this would save the evp_md in the HMAC_CTX and return, now it just
returns and on first call you need to provide both a key and an evp_md.
Before I go and modify our code, is this change intentional?

Yes. The previous code was quite broken in this area - this change
seemed the least impact option without breaking the ABI and resolving
the issues.

The docs (http://www.openssl.org/docs/crypto/hmac.html) state:

HMAC_Init_ex() initialises or reuses a HMAC_CTX structure to use the
function evp_md and key key. Either can be NULL, in which case the
existing one will be reused. HMAC_CTX_init() must have been called
before the first use of an HMAC_CTX in this function.

In order to reuse an existing one there has to be something there in the
first place to reuse - so whilst what you were doing worked, I don't
think that was guaranteed by the documentation! Although actually the
docs probably need updating because I don't think it ever makes sense to
change the MD and reuse the key (the previous code wouldn't have worked
doing this anyway).

Matt
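The calling rule discussed above (first call must carry both key and digest; a later call with both NULL reuses the cached pair; changing the digest needs a key again), modelled as an added example. This is not OpenSSL code: the `HmacCtx` class below is a Python model of the HMAC_CTX state machine that mirrors the check from the quoted hunk and computes real HMACs with the standard library, and the key and message bytes are constructed sample values.

```python
import hmac


class HmacCtx:
    """Model of the HMAC_CTX state machine after commit 1030f89f (added
    example, not OpenSSL's code). md is a hashlib digest name, e.g. "sha256"."""

    def __init__(self):
        self.md = None    # digest currently selected; None on a fresh context
        self.key = None   # key currently cached; None on a fresh context
        self._h = None    # in-progress MAC object

    def init_ex(self, key, md):
        """Return 1 on success, 0 on failure, like HMAC_Init_ex."""
        # The check from the quoted hunk: if we are changing MD then we must
        # have a key. On a fresh context self.md is None, so selecting a digest
        # without a key is rejected, which is what broke the old call pattern.
        if md is not None and md != self.md and key is None:
            return 0
        if md is not None:
            self.md = md
        if key is not None:
            self.key = key
        if self.md is None or self.key is None:
            return 0  # nothing cached to reuse yet
        self._h = hmac.new(self.key, digestmod=self.md)
        return 1

    def update(self, data):
        if self._h is None:
            return 0
        self._h.update(data)
        return 1

    def final(self):
        if self._h is None:
            return None
        digest = self._h.digest()
        self._h = None
        return digest


def mac_one_shot(key, md, data):
    """Reference value computed directly, used to check the model."""
    return hmac.new(key, data, digestmod=md).digest()


def pattern_pre_1_0_2c():
    """Old pattern: select the digest first, supply the key on a later call.
    Under the 1.0.2c rule the first call now fails; returns its result."""
    ctx = HmacCtx()
    return ctx.init_ex(None, "sha256")  # md with NULL key on a fresh context


def pattern_1_0_2c(key, data_a, data_b):
    """Supply key and md together on the first call, then reuse the cached
    pair with (NULL, NULL) for a second message. Returns both MACs."""
    ctx = HmacCtx()
    if ctx.init_ex(key, "sha256") != 1:
        return None
    ctx.update(data_a)
    mac_a = ctx.final()
    if ctx.init_ex(None, None) != 1:  # both NULL: keep key and md, restart
        return None
    ctx.update(data_b)
    mac_b = ctx.final()
    return mac_a, mac_b


def change_digest(ctx, key, md):
    """Switching digests on an initialised context: succeeds only with a key."""
    return ctx.init_ex(key, md)


if __name__ == "__main__":
    key = b"constructed-sample-key"
    print("old pattern rc:", pattern_pre_1_0_2c())
    macs = pattern_1_0_2c(key, b"hello", b"world")
    print("new pattern ok:", macs[0] == mac_one_shot(key, "sha256", b"hello"))
```

The migration the thread asks about is the difference between `pattern_pre_1_0_2c` and `pattern_1_0_2c`: code that used to stash the digest on one call and the key on another must now pass both together, while the NULL/NULL reuse path keeps working unchanged.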

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev