Heads up on a nasty OpenSSL CMAC bug

Daniel Franke dfoxfranke at gmail.com
Tue Feb 28 23:20:37 UTC 2017

I just tripped over a nasty bug in OpenSSL's CMAC implementation,
present from 1.1.0 onward and now likely to be fixed in 1.1.0f. I
thought I'd give you a heads up in order to save you some sanity when
you're implementing draft-aanchal4-ntp-mac.


The bug is that CMAC_CTX_cleanup() makes an inappropriate call to
free. As a result, you'll later end up with a double free when you
call CMAC_CTX_free() on the same context object.

You can work around this problem by avoiding calls to
CMAC_CTX_cleanup() in affected versions, and instead simulating them
by calling CMAC_CTX_free() followed by CMAC_CTX_new(), like so:

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
ctx = CMAC_CTX_new();

CMAC_CTX_free() internally contains a call to CMAC_CTX_cleanup() in a
manner that doesn't trigger the bug, so this workaround still
correctly results in sensitive data being zeroed out before it's
freed. It is however considerably less efficient since it performs an
unnecessary malloc.

More information about the devel mailing list