Skip to content

Support EVP_MAC for HMAC #120769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 17 commits into from
Closed

Support EVP_MAC for HMAC #120769

wants to merge 17 commits into from

Conversation

vcsjones
Copy link
Member

If we are on OpenSSL 3, we should use the EVP_MAC APIs instead of the now deprecated HMAC APIs.

Replaces #118856
Closes #118807
Contributes to #46526

@vcsjones vcsjones added this to the 11.0.0 milestone Oct 15, 2025
@vcsjones vcsjones requested a review from bartonjs October 15, 2025 20:56
@vcsjones vcsjones self-assigned this Oct 15, 2025
@Copilot Copilot AI review requested due to automatic review settings October 15, 2025 20:56
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot
Copilot AI reviewed Oct 15, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR migrates HMAC implementation to use OpenSSL 3.0's EVP_MAC APIs instead of the deprecated HMAC APIs when running on OpenSSL 3+, while maintaining backward compatibility with older OpenSSL versions.

Key Changes

  • Introduced DN_MAC_CTX wrapper structure to support both legacy HMAC_CTX and new EVP_MAC_CTX implementations
  • Added runtime detection and initialization of EVP_MAC support
  • Implemented workaround for OpenSSL 3.0.0-3.0.2 bug where EVP_MAC_init cannot reset with existing key

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
pal_hmac.h Updated function signatures to use DN_MAC_CTX instead of HMAC_CTX and added the new context structure definition
pal_hmac.c Implemented dual-path logic for EVP_MAC (OpenSSL 3.0+) and legacy HMAC APIs with version-specific workarounds
osslcompat_30.h Added OSSL_MAC_PARAM_DIGEST constant and EVP_MD_get0_name function declaration for OpenSSL 3.0 compatibility
opensslshim.h Registered new OpenSSL functions (CRYPTO_clear_free, CRYPTO_zalloc, EVP_MD_get0_name) and added version constant for OpenSSL 3.0.2
IncrementalHashTests.cs Added test case to verify HMAC cloning with empty keys works correctly

@vcsjones @Copilot
Fix extra whitespace.
53dfbc1 
Co-authored-by: Copilot <[email protected]>
This was referenced Oct 16, 2025
Open
Open
@vcsjones vcsjones closed this Oct 16, 2025
@build-analysis build-analysis bot mentioned this pull request Oct 16, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs Awaiting requested review from bartonjs

Assignees

@vcsjones vcsjones

Labels

area-System.Security

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

Please switch from HMAC to EVP MAC APIs

1 participant

@vcsjones