Skip to content

Fix/hkdf null salt openssl3#76

Open
seanjin99 wants to merge 1 commit intordkcentral:mainfrom
seanjin99:fix/hkdf-null-salt-openssl3
Open

Fix/hkdf null salt openssl3#76
seanjin99 wants to merge 1 commit intordkcentral:mainfrom
seanjin99:fix/hkdf-null-salt-openssl3

Conversation

@seanjin99
Copy link

@seanjin99 seanjin99 commented Mar 6, 2026
edited
Loading

Summary

Fix 8 DH/ECDH key exchange test failures on OpenSSL 3.x when useSalt=SEC_FALSE.

Problem

The hkdf() function in exchange.cpp passes nullptr to
EVP_PKEY_CTX_set1_hkdf_salt() when no salt is used. OpenSSL 3.x rejects
a NULL pointer even with length 0, causing all testKeyExchangeDH and
testKeyExchangeECDH tests with SEC_FALSE to fail.

Fix

Replace nullptr with "" (empty string) for the no-salt case. This provides
a valid non-NULL pointer with length 0, which both OpenSSL 1.1.x and 3.x accept.
The version-specific #if/#else guard for this call is no longer needed and
has been removed.

Also added descriptive comments to all remaining #if/#else/#endif blocks.

Testing

Verified 8/8 affected tests pass on:

  • OpenSSL 1.1.1w
  • OpenSSL 3.0.15
  • OpenSSL 3.0.18
  • OpenSSL 3.6.1

Fixes #75

Test Results: DH/ECDH Key Exchange (Tests 1193–1207)

Affected Tests

Test # Function Key Type Salt Type
1193 testKeyExchangeDH AES_128 SEC_FALSE DH
1195 testKeyExchangeDH AES_256 SEC_FALSE DH
1197 testKeyExchangeDH HMAC_128 SEC_FALSE DH
1199 testKeyExchangeDH HMAC_256 SEC_FALSE DH
1201 testKeyExchangeECDH AES_128 SEC_FALSE ECDH
1203 testKeyExchangeECDH AES_256 SEC_FALSE ECDH
1205 testKeyExchangeECDH HMAC_128 SEC_FALSE ECDH
1207 testKeyExchangeECDH HMAC_256 SEC_FALSE ECDH

Results Matrix

Without fix (main branch)

Platform OpenSSL Result
macOS (ARM64) 1.1.1w 8/8 passed
macOS (ARM64) 3.0.15 8/8 passed
macOS (ARM64) 3.0.18 0/8 passed
macOS (ARM64) 3.6.1 0/8 passed
ARM32 device 3.0.18 0/8 passed

With fix (PR #76)

Platform OpenSSL Result
macOS (ARM64) 1.1.1w 8/8 passed
macOS (ARM64) 3.0.15 8/8 passed
macOS (ARM64) 3.0.18 8/8 passed
macOS (ARM64) 3.6.1 8/8 passed
ARM32 device 3.0.18 8/8 passed
ARM32 device 3.6.1 8/8 passed

@seanjin99 seanjin99 force-pushed the fix/hkdf-null-salt-openssl3 branch 3 times, most recently from de88a89 to 4e74881 Compare March 6, 2026 21:35
@seanjin99
fix: pass empty string instead of nullptr for HKDF salt in exchange t…
610caf8 
…ests

OpenSSL 3.x rejects a NULL pointer passed to EVP_PKEY_CTX_set1_hkdf_salt()
even with length 0. Use an empty string "" instead of nullptr when
useSalt is false. This works on both OpenSSL 1.1.x and 3.x.

Also added version-guard comments to all #if/#else/#endif blocks for clarity.

Fixes rdkcentral#75
@seanjin99 seanjin99 force-pushed the fix/hkdf-null-salt-openssl3 branch from 4e74881 to 610caf8 Compare March 6, 2026 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: DH/ECDH key exchange tests fail on OpenSSL 3.x when salt is not used

1 participant

@seanjin99