LinuxQuestions.org
Old 11-12-2005, 02:09 PM   #1
jacques83
Member
 
Registered: Nov 2005
Posts: 34

Rep: Reputation: 15
HMAC function in OPENSSL


I am trying to run the hmac md5 message digest algo in my implementation of IPSEC. I am confused as to how to directly run the hmac function from the openssl library. Can anyone tell me the parameters to be passed in this function to run the hmac()?


thanks
 
Old 11-12-2005, 11:23 PM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Man, try not to ask the questions in so many threads because it backfires with so much fragmentation. I'll try my best to explain the OpenSSL HMAC API to you. I haven't used it because I don't like it and I have mine.

I'm taking as reference the manual as it appears in FreeBSD:

Quote:
#include <openssl/hmac.h>

unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
int key_len, const unsigned char *d, int n, unsigned char *md, unsigned int *md_len);
This function does it all. The first argument should be either EVP_sha1() or EVP_md5(). There are more. You just choose it. Key and keylen are obvious. The next is the data (d) and the length of it. Then you have the message digest (md) and a value/result pointer to the length of md. (Remember that this length is of the binary data, not its ASCII hexadecimal representation.)

Quote:
void HMAC_CTX_init(HMAC_CTX *ctx);
With this one you initialize a HMAC_CTX variable. Note that with the function above you don't need to declare one.

Quote:
void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md);
From the manpage:
Quote:
HMAC_Init() initializes a HMAC_CTX structure to use the hash function
evp_md and the key key which is key_len bytes long. It is deprecated
and only included for backward compatibility with OpenSSL 0.9.6b.
Quote:
void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md);
void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
These functions are very much like hash functions. The last argument in Init_ex is an EVP_xxx() as described above. Remember that HMAC() does it all by first declaring a HMAC_CTX variable, then initializing the context, then setting up the key with _Init, Update() it, call _Final() and then a security cleanup of the context (because the key is there).

Quote:
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
void HMAC_cleanup(HMAC_CTX *ctx);

I don't like OpenSSL because it's a horrible API. Sizes should be size_t and much of the book-keeping may be done internally. It may be fast because it has so much assembly, but it's ugly.

Last edited by primo; 11-12-2005 at 11:24 PM.
 
Old 11-13-2005, 08:57 AM   #3
jacques83
Member
 
Registered: Nov 2005
Posts: 34

Original Poster
Rep: Reputation: 15
thanks a lot man, i appreciate it
 
Old 09-30-2008, 10:24 AM   #4
virtualCoder
Member
 
Registered: Sep 2007
Distribution: Ubuntu
Posts: 33

Rep: Reputation: 15
I read that the key used and the quality of the hash function determine the strength of the hash. I would use EVP_sha1 as the function. I can make my own key from a single integer but that wouldn't make it a good key.

Is there a function that allows me to make a good key to use with hmac()?

Quote:
This function does it all.
Also, if I am understanding you correctly, no other function is needed for initialization if we use unsigned char *HMAC(...). Is that correct?
 
  


All times are GMT -5. The time now is 10:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration