
List:       openssl-dev
Subject:    [openssl-dev] sizeof (HMAC_CTX) changes with update, breaks binary compatibility
From:       Dan McDonald <danmcd () omniti ! com>
Date:       2015-06-12 1:07:18
Message-ID: 03D16161-2518-4AA9-9305-CF45EC6A7357 () omniti ! com

I noticed that a new field was added to HMAC_CTX in the 1.0.2a->b or 1.0.1m->n update:

typedef struct hmac_ctx_st {
   const EVP_MD *md;
   EVP_MD_CTX md_ctx;
   EVP_MD_CTX i_ctx;
   EVP_MD_CTX o_ctx;
   unsigned int key_length;
   unsigned char key[HMAC_MAX_MD_CBLOCK];
+ int key_init;
} HMAC_CTX;

This breaks binary compatibility.  I found this out the hard way during an attempt to update OmniOS's OpenSSL to 1.0.2b ('014, bloody) or 1.0.1n (006, 012).  Observe our use of HMAC_CTX in illumos (which OmniOS is a distribution of):

struct Mac {
        char            *name;
        int             enabled;
        u_int           mac_len;
        u_char          *key;
        u_int           key_len;
        int             type;
        const EVP_MD    *evp_md;
        HMAC_CTX        evp_ctx;
};
struct Comp {
        int     type;
        int     enabled;
        char    *name;
};
struct Newkeys {
        Enc     enc;
        Mac     mac;
        Comp    comp; /* XXX KEBE SAYS THIS GETS CLOBBERED!!! */
};

You can see the code here:

	http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/ssh/include/kex.h#100

What is supposed to happen in this situation?  I was under the impression that letter releases don't break binary compatibility.  The SSH in illumos breaks because of this, but it appears OpenSSH has worked around such a situation.

Clues are welcome.

Thanks,
Dan McDonald -- OmniOS Engineering
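
Added example (not part of the original message, and not illumos or OpenSSL code): a self-contained C model of the failure described above, where a context struct embedded by value gains a trailing member in the library and the library's write lands in the caller's next field. The struct names, the fixed-width stand-ins for EVP_MD_CTX and HMAC_MAX_MD_CBLOCK, and the ctx_size_ok() guard are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBLOCK 128                                /* stand-in for HMAC_MAX_MD_CBLOCK */
typedef struct { uint32_t opaque[6]; } md_ctx_t;  /* stand-in for EVP_MD_CTX */

/* Members common to both layouts; fixed-width so sizes are deterministic. */
#define HMAC_FIELDS \
    uint32_t md; md_ctx_t md_ctx, i_ctx, o_ctx; \
    uint32_t key_length; unsigned char key[CBLOCK];

struct hmac_v1 { HMAC_FIELDS };                   /* header the app was built with */
struct hmac_v2 { HMAC_FIELDS int32_t key_init; }; /* layout the updated library uses */

/* Caller-side structs, reduced from the kex.h excerpt: context embedded by value. */
struct mac     { int32_t enabled; struct hmac_v1 evp_ctx; };
struct comp    { int32_t type; int32_t enabled; };
struct newkeys { struct mac mac; struct comp comp; };

/* Models the updated library: writes key_init where ITS layout places it. */
static void lib_hmac_init(unsigned char *ctx)
{
    int32_t one = 1;
    memcpy(ctx + offsetof(struct hmac_v2, key_init), &one, sizeof one);
}

/* Bytes the new layout extends past what the caller reserved. */
size_t overrun_bytes(void) { return sizeof(struct hmac_v2) - sizeof(struct hmac_v1); }

/* Returns comp.type after the library initialises the embedded context. */
int32_t comp_type_after_init(void)
{
    struct newkeys nk;
    memset(&nk, 0, sizeof nk);
    nk.comp.type = 7;                             /* constructed sample value */
    unsigned char *base = (unsigned char *)&nk;
    lib_hmac_init(base + offsetof(struct newkeys, mac) + offsetof(struct mac, evp_ctx));
    return nk.comp.type;                          /* overwritten by key_init */
}

/* Hypothetical startup guard: lib_size is the context size the loaded library
 * reports; refuse to proceed if it exceeds what this binary reserved. */
int ctx_size_ok(size_t lib_size) { return lib_size <= sizeof(struct hmac_v1); }

int main(void)
{
    printf("overrun=%zu comp.type=%d guard=%d\n", overrun_bytes(),
           (int)comp_type_after_init(), ctx_size_ok(sizeof(struct hmac_v2)));
    return 0;
}
```

With real types the outcome depends on the platform's padding: if the old struct has enough tail padding to hold the new member, sizeof does not change and nothing is overwritten.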
