During testing with strongswan 5.1.3, an issue with openssl 1.0.1o was
found. Openssl 1.0.1o has added code in HMAC_Init_ex() to detect
changing of message digest function. But that does not work when the
context has just been initialized with HMAC_CTX_init(). In this case,
ctx->md will be NULL after initialization and will not equal to the
function returned by EVP_sha256() and passed to HMAC_Init_ex().
Enclosed is a patch and test case.
diff -urN openssl-1.0.1p.orig/crypto/hmac/hmac.c
openssl-1.0.1p/crypto/hmac/hmac.c
--- openssl-1.0.1p.orig/crypto/hmac/hmac.c 2015-07-09 08:21:24.000000000
-0400
+++ openssl-1.0.1p/crypto/hmac/hmac.c 2015-07-14 11:15:21.754743504 -0400
@@ -88,7 +88,7 @@
}
#endif
/* If we are changing MD then we must have a key */
- if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+ if (md != NULL && md != ctx->md && ctx->md != NULL && (key == NULL || len
< 0))
return 0;
if (md != NULL) {
#include <openssl/engine.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <stdio.h>
int main(int argc, char ** argv)
{
HMAC_CTX ctx;
int ret;
HMAC_CTX_init(&ctx);
ret = HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL);
if (ret == 0)
{
printf("Failed\n");
return 1;
}
printf("Success\n");
return 0;
}
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev