[openssl-dev] [openssl.org #3942] Patch to fix issue with HMAC_init_ex in 1.0.1

2015-09-08 Thread Emilia Käsper via RT
Hm.

You pass in a NULL key. The docs say that a NULL key indicates that we should
reuse the existing key. With a new CTX, there is nothing to reuse, so it seems
reasonable that the call should fail.

If you actually wanted to set up the context with an empty key, you'd have to
pass in a dummy key buffer with a 0 length. This is awkward; otoh, I'm not
really sure why you'd want to do that in practice, so perhaps it's not terribly
important?

It's not a great API but we're bound by the documented contract. So I'm closing
this as Working As Intended. If you think I got it wrong, please reopen.

Cheers,
Emilia

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #3942] Patch to fix issue with HMAC_init_ex in 1.0.1

2015-07-14 Thread Matthew A. Brannigan via RT
During testing with strongswan 5.1.3, an issue with openssl 1.0.1o was
found.  Openssl 1.0.1o has added code in HMAC_Init_ex() to detect a
change of the message digest function. But that does not work when the
context has just been initialized with HMAC_CTX_init(). In this case,
ctx->md will be NULL after initialization and will not be equal to the
function returned by EVP_sha256() and passed to HMAC_Init_ex().

Enclosed is a patch and test case.

diff -urN openssl-1.0.1p.orig/crypto/hmac/hmac.c 
openssl-1.0.1p/crypto/hmac/hmac.c
--- openssl-1.0.1p.orig/crypto/hmac/hmac.c  2015-07-09 08:21:24.0 
-0400
+++ openssl-1.0.1p/crypto/hmac/hmac.c   2015-07-14 11:15:21.754743504 -0400
@@ -88,7 +88,7 @@
 }
 #endif
 /* If we are changing MD then we must have a key */
-if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+if (md != NULL && md != ctx->md && ctx->md != NULL && (key == NULL || len 
< 0))
 return 0;
 
 if (md != NULL) {
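Review bot: the added `ctx->md != NULL` clause switches the "must have a key" guard off exactly in the fresh-context case, so `HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)` on a just-initialised context now gets past this check with no key supplied, and nothing else in the hunk provides one; the comment above the condition (`/* If we are changing MD then we must have a key */`) would no longer describe what the code enforces. If the intent is an empty key, the documented route is a non-NULL key buffer with `len` 0 and no code change is needed; if the intent really is to permit a keyless first initialisation, the patch should update that comment and the HMAC_Init_ex documentation to say so, and the `len < 0` rejection should keep applying to a fresh context rather than being skipped along with the key check. Also note that in the archived copy the `+` line is wrapped (`(key == NULL || len` / `< 0))`), as is the `diff -urN` header, so it has to be rejoined before it will apply.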
#include <stdio.h>          /* the header names were stripped from the archived mail; these are the ones this program needs */
#include <openssl/evp.h>
#include <openssl/hmac.h>

int main(int argc, char **argv)
{
    HMAC_CTX ctx;           /* 1.0.x: HMAC_CTX is a plain struct and may live on the stack */
    int ret;

    HMAC_CTX_init(&ctx);    /* zeroes the context, so ctx.md is NULL afterwards */

    /* NULL key together with a digest on a freshly initialised context */
    ret = HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL);

    if (ret == 0)
    {
        printf("Failed\n");
        return 1;
    }

    printf("Success\n");

    return 0;
}

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod