[strongSwan] failure with ike using sha2
Martin Willi
martin at strongswan.org
Mon Mar 30 10:41:53 CEST 2015
Hi Luka,
> I have just found out, that recent openssl 1.0.2 commit
> 929b0d70c19f60227f89fac63f22a21f21950823
> breaks hmac when using openssl plugin for hmac functions
This commit prevents the pre-initialization with an empty key we use to
avoid any non-initialized use of HMAC_Update(). Most likely we should
track the state of key initialization ourselves, which allows us to
remove that initialization.
Can you please test the patch at [1] and let us know if that works with
the new OpenSSL version?
While our API use here is certainly questionable, I'm asking myself if
that check in OpenSSL is a not a little too strict. Setting a
zero-length key seems legitimate to me; but not sure if any protocol
exists that uses such a key.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=openssl-hmac
More information about the Users
mailing list