Bug #5251

closed

EVP_PKEY_base_id returns 0

Added by Varun Patil over 1 year ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Tags:

Description

We use EVP_PKEY_base_id to get the key type, which is required when using HMAC signing. Latest ndn-cxx.
This might be a bug in OpenSSL. Thoughts?

The following code prints 0 for me, and HMAC signing fails.

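#include <stdio.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

int main(void) {
    EVP_PKEY *pkey = NULL;
    unsigned char buf[32] = {1};

    /* Wrap a raw 32-byte key in an EVP_PKEY of type HMAC */
    if (!(pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, buf, 32))) {
        exit(1);
    }
    /* Key type id of the new key; this is the value reported as 0 */
    printf ("%d\n", EVP_PKEY_base_id(pkey));
    EVP_PKEY_free(pkey);
    return 0;
}

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)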

Related issues 2 (1 open, 1 closed)

Related to ndn-cxx - Feature #5154: OpenSSL 3.0 support (Closed, Davide Pesavento)
Related to ndn-cxx - Task #5241: Redesign support for HMAC keys (New)

#1

Updated by Davide Pesavento over 1 year ago

  • Category set to Security
  • Start date deleted (01/12/2023)

Yes, I noticed this in #5154 and later opened #5241 because my understanding at the time was that we were improperly using openssl APIs and we needed to redesign our HMAC integration, though I may be wrong about that.

#2

Updated by Davide Pesavento over 1 year ago

#3

Updated by Davide Pesavento over 1 year ago

The man page for EVP_PKEY_base_id says:

The following functions are only reliable with EVP_PKEYs that have been assigned an internal key with EVP_PKEY_assign_*():
EVP_PKEY_get_id(), EVP_PKEY_get_base_id(), EVP_PKEY_type()

However, the EVP_PKEY_assign_* functions were deprecated in openssl 3.0, and in any case I don't see such a function for HMAC.

The man page for EVP_PKEY_new_raw_private_key says:

EVP_PKEY_new_raw_private_key() may also be used with most MACs implemented as public key algorithms, so key types such as "HMAC", "POLY1305", "SIPHASH", [...] are also accepted. This usage is, as mentioned above, discouraged in favor of the EVP_MAC(3) API.

The EVP_MAC API is new in openssl 3.0. This new API does not seem to use the EVP_PKEY structure; instead the key is passed as void* or char* to the relevant functions.

#4

Updated by Davide Pesavento about 1 year ago

@Varun Patil do you still plan to report this upstream?

#5

Updated by Davide Pesavento 9 months ago

  • Status changed from New to Code review
  • Assignee set to Varun Patil
  • Target version set to 0.9.0
  • % Done changed from 0 to 100

#6

Updated by Davide Pesavento 9 months ago

  • Status changed from Code review to Closed

#7

Updated by Davide Pesavento 8 months ago

  • Tags set to openssl