Skip to content

Comments

hmac: stop using secure memory for the HMAC key (versions 3.3 and before)#28412

Closed
paulidale wants to merge 1 commit intoopenssl:openssl-3.3from
paulidale:hmac-insecure-memory-33
Closed

hmac: stop using secure memory for the HMAC key (versions 3.3 and before)#28412
paulidale wants to merge 1 commit intoopenssl:openssl-3.3from
paulidale:hmac-insecure-memory-33

Conversation

@paulidale
Copy link
Contributor

@paulidale paulidale commented Sep 1, 2025

Secure memory is design for long term storage of private material. HMAC keys are not this.

Secure memory use was introduced in July 2020 by commit 3fddbb2.

Fixes #28346

Back port after merge fix.

@paulidale
hmac: stop using secure memory for the HMAC key
d31ddd9 
Secure memory is design for long term storage of private material.
HMAC keys are not this.

Secure memory use was introduced in July 2020 by commit
3fddbb2.

Fixes openssl#28346
@paulidale paulidale self-assigned this Sep 1, 2025
@paulidale paulidale added approval: review pending This pull request needs review by a committer triaged: bug The issue/pr is/fixes a bug branch: 3.0 Applies to openssl-3.0 branch tests: exempted The PR is exempt from requirements for testing branch: 3.2 Applies to openssl-3.2 (EOL) branch: 3.3 Applies to openssl-3.3 labels Sep 1, 2025
@paulidale paulidale changed the title hmac: stop using secure memory for the HMAC key hmac: stop using secure memory for the HMAC key (versions 3.3 and before) Sep 1, 2025
@paulidale paulidale mentioned this pull request Sep 1, 2025
Closed
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Sep 2, 2025
@paulidale paulidale requested a review from a team September 2, 2025 23:27
@paulidale
Copy link
Contributor Author

paulidale commented Sep 3, 2025

Ping for second review please

esyr
esyr approved these changes Sep 3, 2025
View reviewed changes
@paulidale
Copy link
Contributor Author

paulidale commented Sep 4, 2025

Ping for second review please @openssl/committers

beldmit
beldmit approved these changes Sep 4, 2025
View reviewed changes
Copy link
Member

@beldmit beldmit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@beldmit beldmit added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Sep 4, 2025
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Sep 5, 2025
@openssl-machine
Copy link
Collaborator

openssl-machine commented Sep 5, 2025

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request Sep 7, 2025
@paulidale
hmac: stop using secure memory for the HMAC key
8e3c760 
Secure memory is design for long term storage of private material.
HMAC keys are not this.

Secure memory use was introduced in July 2020 by commit
3fddbb2.

Fixes #28346

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #28412)
@paulidale
Copy link
Contributor Author

paulidale commented Sep 7, 2025

Merged to 3.3, 3.2 and 3.0.

@paulidale paulidale closed this Sep 7, 2025
@paulidale paulidale deleted the hmac-insecure-memory-33 branch September 7, 2025 07:21
openssl-machine pushed a commit that referenced this pull request Sep 7, 2025
@paulidale
hmac: stop using secure memory for the HMAC key
c54f56c 
Secure memory is design for long term storage of private material.
HMAC keys are not this.

Secure memory use was introduced in July 2020 by commit
3fddbb2.

Fixes #28346

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #28412)

(cherry picked from commit 8e3c760)
openssl-machine pushed a commit that referenced this pull request Sep 7, 2025
@paulidale
hmac: stop using secure memory for the HMAC key
6d68901 
Secure memory is design for long term storage of private material.
HMAC keys are not this.

Secure memory use was introduced in July 2020 by commit
3fddbb2.

Fixes #28346

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #28412)

(cherry picked from commit 8e3c760)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esyr esyr esyr approved these changes

@t8m t8m t8m approved these changes

@beldmit beldmit beldmit approved these changes

Assignees

@paulidale paulidale

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: 3.0 Applies to openssl-3.0 branch branch: 3.2 Applies to openssl-3.2 (EOL) branch: 3.3 Applies to openssl-3.3 severity: fips change The pull request changes FIPS provider sources tests: exempted The PR is exempt from requirements for testing triaged: bug The issue/pr is/fixes a bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@paulidale @openssl-machine @esyr @t8m @beldmit