[Bug 1934] New: mac_init() calls HMAC_Init() without previously having called HMAC_CTX_init().

Thu Sep 8 00:00:50 EST 2011

https://bugzilla.mindrot.org/show_bug.cgi?id=1934

             Bug #: 1934
           Summary: mac_init() calls HMAC_Init() without previously having
                    called HMAC_CTX_init().
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: rdugal at certicom.com

I have been doing some work with OpenSSH 5.8p1, attempting to use an
alternative engine for crypto. In mac.c, the function mac_init() calls
HMAC_Init() without previously having called HMAC_CTX_init(). However,
OpenSSL documentation states that HMAC_CTX_init() is mandatory.

See http://www.openssl.org/docs/crypto/hmac.html

HMAC_CTX_init() initialises a HMAC_CTX before first use. It must be
called. HMAC_CTX_init() must have been called before the first use of
an HMAC_CTX in this function. N.B. HMAC_Init() had this undocumented 
behaviour in previous versions of OpenSSL - failure to switch to 
HMAC_Init_ex() in programs that expect it will cause them to stop
working.

While this appears to currently cause no issues with OpenSSH 5.8p1
using OpenSSL 1.0.0d and the default crypto engine, it may cause
problems (such as segfaults in my case) when attempting to use an
alternative engine.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.