Hi Steve, Please refer the following mail from you:
http://www.mail-archive.com/openssl-dev%40openssl.org/msg32918.html "... The high level MAC (including HMAC) interfaces go through EVP_PKEY treating it as a signing operation. It *is* possible to redirect HMAC in that way but only if the application uses the EVP_PKEY MAC interface. Anything using the HMAC_* functions directly wont use the ENGINE. There is a big gotcha though. The "lucky 13" attack fix had to bypass EVP entirely and reimplement HMAC (and SSLv3 MAC) in constant time. That means that the record MAC operations for SSL/TLS can no longer be redirected through an ENGINE. At some point this will be addressed but it requires support at the ENGINE (and associated hardware) too: to implement the appropriate constant time algorithms. Steve .." could you please help me find the changeset that fixed the lucky 13 attack? I am in need of testing my engine which is supposed to take care of the following command: ./openssl dgst -engine af_alg -sha1 -mac hmac -macopt hexkey:f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff data_32.txt The command gives the correct hmac but without going through the engine! ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
