Skip to content

Ensure HMAC_Init_ex reinitializes data properly#2806

Merged
justsmth merged 2 commits intoaws:mainfrom
samuel40791765:hmac-reinit
Nov 11, 2025
Merged

Ensure HMAC_Init_ex reinitializes data properly#2806
justsmth merged 2 commits intoaws:mainfrom
samuel40791765:hmac-reinit

Conversation

@samuel40791765
Copy link
Copy Markdown
Contributor

@samuel40791765 samuel40791765 commented Nov 7, 2025

Description of changes:

I discovered this edge case when working with an older Ruby version. This discrepancy only exists in older versions since Ruby openssl migrated from using the HMAC_CTX APIs to use the EVP layer in 3.1: ruby/ruby@b91f62f.

test_reset_keep_key was failing since we were MACing the data twice. It turns out the call to h1.reset wasn't working properly and this was due to our implementation of HMAC_Init_ex not reinitializing the data input when only HMAC_Update had been called. According to the original function contract, HMAC_Init_ex should reinitialize the inputted data, but the computed key should still be preserved.

This is a minor edge case due to how older versions of Ruby were consuming HMAC_CTX. Their call to HMAC_Final was called upon a copy of the original HMAC_CTX. The original HMAC_CTX was always within a HMAC_Update state and AWS-LC was not properly reinitializing these cases.

Call-outs:

N/A

Testing:

New tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 requested a review from a team as a code owner November 7, 2025 23:04
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clang-tidy made some suggestions

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Nov 8, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.25%. Comparing base (93f9f73) to head (7642806).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2806      +/-   ##
==========================================
- Coverage   78.42%   78.25%   -0.18%     
==========================================
  Files         683      683              
  Lines      116286   117182     +896     
  Branches    16401    16474      +73     
==========================================
+ Hits        91197    91696     +499     
- Misses      24215    24605     +390     
- Partials      874      881       +7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

justsmth
justsmth reviewed Nov 10, 2025
View reviewed changes
WillChilds-Klein
WillChilds-Klein reviewed Nov 10, 2025
View reviewed changes
justsmth
justsmth previously approved these changes Nov 10, 2025
View reviewed changes
nebeid
nebeid reviewed Nov 11, 2025
View reviewed changes
@justsmth justsmth merged commit f16a20d into aws:main Nov 11, 2025
486 of 501 checks passed
@samuel40791765 samuel40791765 deleted the hmac-reinit branch November 11, 2025 18:04
sgmenda pushed a commit to sgmenda/aws-lc that referenced this pull request Nov 11, 2025
@samuel40791765 @sgmenda
Ensure HMAC_Init_ex reinitializes data properly (aws#2806)
c0b7546 
### Description of changes: 
I discovered this edge case when working with an older Ruby version.
This discrepancy only exists in older versions since Ruby openssl
migrated from using the `HMAC_CTX` APIs to use the `EVP` layer in 3.1:
ruby/ruby@b91f62f.


[`test_reset_keep_key`](https://github.com/ruby/ruby/blame/cf4a034d59913fb71a7dd1b052164984be4a3d14/test/openssl/test_hmac.rb#L37-L43)
was failing since we were MACing the data twice. It turns out the call
to `h1.reset` wasn't working properly and this was due to our
implementation of `HMAC_Init_ex` not reinitializing the data input when
only `HMAC_Update` had been called. According to the original function
contract, `HMAC_Init_ex` should reinitialize the inputted data, but the
computed key should still be preserved.

This is a minor edge case due to how older versions of Ruby were
consuming `HMAC_CTX`. [Their
call](https://github.com/ruby/ruby/blob/ruby_2_7/ext/openssl/ossl_hmac.c#L167-L174)
to `HMAC_Final` was called upon a copy of the original `HMAC_CTX`. The
original `HMAC_CTX` was always within a `HMAC_Update` state and AWS-LC
was not properly reinitializing these cases.

### Call-outs:
N/A

### Testing:
New tests

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@nebeid nebeid nebeid left review comments

@WillChilds-Klein WillChilds-Klein WillChilds-Klein approved these changes

@justsmth justsmth justsmth approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@samuel40791765 @codecov-commenter @WillChilds-Klein @nebeid @justsmth