[Bug 1934] New: mac_init() calls HMAC_Init() without previously having called HMAC_CTX_init().
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Thu Sep 8 00:00:50 EST 2011
https://bugzilla.mindrot.org/show_bug.cgi?id=1934
Bug #: 1934
Summary: mac_init() calls HMAC_Init() without previously having
called HMAC_CTX_init().
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: rdugal at certicom.com
I have been doing some work with OpenSSH 5.8p1, attempting to use an
alternative engine for crypto. In mac.c, the function mac_init() calls
HMAC_Init() without previously having called HMAC_CTX_init(). However,
OpenSSL documentation states that HMAC_CTX_init() is mandatory.
See http://www.openssl.org/docs/crypto/hmac.html
HMAC_CTX_init() initialises a HMAC_CTX before first use. It must be
called. HMAC_CTX_init() must have been called before the first use of
an HMAC_CTX in this function. N.B. HMAC_Init() had this undocumented
behaviour in previous versions of OpenSSL - failure to switch to
HMAC_Init_ex() in programs that expect it will cause them to stop
working.
While this appears to currently cause no issues with OpenSSH 5.8p1
using OpenSSL 1.0.0d and the default crypto engine, it may cause
problems (such as segfaults in my case) when attempting to use an
alternative engine.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list