Migrate HMAC_* to EVP_MAC interface #498

@VladGud

Description

Migrate HMAC_* to EVP_MAC interface

Issue Summary

Migrate the HMAC implementation in gost_keyexpimp.c from deprecated HMAC_* APIs to the modern EVP_MAC interface to ensure compatibility with OpenSSL builds that disable deprecated functionality.

Problem Description

The current HMAC usage in key derivation functions relies on deprecated HMAC APIs (HMAC_CTX_new, HMAC_CTX_free, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_reset), which are marked for removal in future OpenSSL versions. This prevents the codebase from building or running with OPENSSL_NO_DEPRECATED_3_0 enabled. The migration to EVP_MAC provides a stable, provider-based alternative that aligns with OpenSSL's modern architecture.

Current Implementation

  • gost_kdftree2012_256() uses HMAC_CTX *ctx with HMAC_CTX_new(), HMAC_Init_ex(), HMAC_Update(), HMAC_Final(), HMAC_CTX_reset(), and HMAC_CTX_free()
  • Context is created, initialized with key and digest, updated with data, finalized, and reset for multiple iterations

Required Changes

1. Replace HMAC_CTX with EVP_MAC context

  • Modify gost_kdftree2012_256() to use EVP_MAC *mac and EVP_MAC_CTX *mac_ctx
  • Replace HMAC_CTX_new() with EVP_MAC_fetch("HMAC") and EVP_MAC_CTX_new()

2. Update MAC initialization

  • Replace HMAC_Init_ex() with EVP_MAC_init() using OSSL_MAC_PARAM_DIGEST parameter (set to NID_id_GostR3411_2012_256)

3. Update MAC update and final operations

  • Replace HMAC_Update() with EVP_MAC_update()
  • Replace HMAC_Final() with EVP_MAC_final()

4. Update context reset and cleanup

  • Replace HMAC_CTX_reset() with re-running EVP_MAC_init() with the same key and parameters
  • Replace HMAC_CTX_free() with EVP_MAC_CTX_free() and EVP_MAC_free()

5. Handle EVP_MAC availability

  • Add checks for EVP_MAC support; provide fallback or error if not available

Files to Modify

  • gost_keyexpimp.c: Update gost_kdftree2012_256() function to use EVP_MAC APIs

Dependencies

This task has no dependencies on other issues but should be completed before full provider decoupling (#116, #117).

Acceptance Criteria

  • HMAC implementation uses only EVP_MAC APIs, no HMAC_* calls remain
  • Key derivation function gost_kdftree2012_256() works correctly with EVP_MAC

Testing

  • Unit tests for key derivation (gost_kdftree2012_256) pass with new implementation
  • Integration tests with TLS tree key derivation (gost_tlstree) succeed
