On Thu, Aug 29, 2013, mhnrj79 wrote: > Hi, > I have tested the AES engine using SSLv3 protocol and it works well. > However, when testing AES with HMAC-SHA1, I am getting error > "SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:". > Following on, when I tried AES with HMAC-SHA1 engine using TLSv1 protocol, I > didn't get the error. > Please advice on this behaviour. > > Additionally, I would like to know how to get access to the key used for > HMAC-SHA1 operation from the EVP structure. > Currently, I am using a hardcoded key. >
The high level MAC (including HMAC) interfaces go through EVP_PKEY treating it as a signing operation. It *is* possible to redirect HMAC in that way but only if the application uses the EVP_PKEY MAC interface. Anything using the HMAC_* functions directly wont use the ENGINE. There is a big gotcha though. The "lucky 13" attack fix had to bypass EVP entirely and reimplement HMAC (and SSLv3 MAC) in constant time. That means that the record MAC operations for SSL/TLS can no longer be redirected through an ENGINE. At some point this will be addressed but it requires support at the ENGINE (and associated hardware) too: to implement the appropriate constant time algorithms. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
