master branch: EVP_PKEY_new_mac_key fails with 0-length key

[ngg]

The following function call returns NULL on the current master branch.
OpenSSL 1.1.1 versions (and also 3.0.0 alpha6) returned a valid EVP_PKEY* pointer.

EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, (const unsigned char*)"", 0);

I think this was an unintentional change during the provider refactor.
Using empty keys is not really useful, I'm not sure how this affects others, we found this issue with our tests that tried to use empty keys as well.

Full test code to reproduce:

#include <string.h>
#include <stdio.h>

#include "openssl/evp.h"

int test(const char* key_str)
{
  EVP_PKEY* key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
                                       (const unsigned char*) key_str, strlen(key_str));
  if (!key) return 1;

  EVP_MD_CTX* ctx = EVP_MD_CTX_new();
  if (!ctx) return 2;
  const EVP_MD* md = EVP_sha512();
  if (!md) return 3;

  EVP_PKEY_CTX* evpPkeyCtxPtr;
  if (!EVP_DigestSignInit(ctx, &evpPkeyCtxPtr, md, NULL, key)) return 4;

  if (!EVP_DigestSignUpdate(ctx, "message", 7)) return 5;

  unsigned char sign[1024];
  size_t sign_len = 1024;
  if (!EVP_DigestSignFinal(ctx, sign, &sign_len)) return 6;

  EVP_PKEY_free(key);
  EVP_MD_CTX_free(ctx);
  return 0;
}

int main()
{
  printf("key: %d\n", test("key"));
  printf("empty key: %d\n", test(""));
  return 0;
}

Output of the sample program on master branch:

key: 0
empty key: 1

Output when using OpenSSL 1.1.1h or 3.0.0-alpha6:

key: 0
empty key: 0

[kaduk]

It feels like this is something of a recurring topic -- we had HMAC with zero-length IKM in #11920 and empty salt for KDF in #12409 and empty secret for KDF in #12826 . I somehow thought that we had added a test for HMAC somewhere along the way, but I guess not...

[Ishani-3]

Hi , Hope you all are having a great day! I'm here as I'm also facing the same issue mentioned above with openssl-3.0.8 and I'm aware this issue is not yet fixed, would be great if following questions are answered.
I would like to know if it will be fixed and if yes then, when fix can be expected atleast for openssl-3.1.x?

Is there any way I can work around this?

[Ishani-3]

Hi, Can someone help me with some information regarding following context?

we are facing around 40% degradation with HMAC algorithm performance with Openssl-3.1.0 in comparision with 1.1.1t, it invokes EVP_PKEY_new_mac_key which is currently failing with 0 length key (as title says), we made it working by providing non-zero key length.

Is degradation expected with HMAC algorithm performance due to providers introduction?
If yes then what % of degradation it is to be ?

Would be great if provided with some information for above questions for Openssl-3.1.0 .

[paulidale]

I would expect a slow down using this path.

Try using the EVP_MAC APIs instead of the EVP_PKEY ones.
Prefetch the HMAC, configure it and clone contexts using EVP_MAC_CTX_dup.