EVP_PKEY_cmp() fails for HMAC EVP_PKEYs

[npmccallum]

  #include <openssl/evp.h>
  #include <assert.h>

  int
  main()
  {
      EVP_PKEY *a = NULL;
      EVP_PKEY *b = NULL;

      a = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, "foo", 3);
      b = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, "foo", 3);
      assert(a);
      assert(b);

      assert(EVP_PKEY_cmp(a, b) == 0);
      return 0;
  }

test: test.c:15: main: Assertion `EVP_PKEY_cmp(a, b) == 0' failed.

[mattcaswell]

If you check the return value from EVP_PKEY_cmp() you will find that it is -2 in the above code. The documentation for EVP_PKEY_cmp() has this to say on its return values:

The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the
keys match, 0 if they don't match, -1 if the key types are different and
-2 if the operation is not supported.

So this means "operation is not supported" in your context. That's because we don't currently support comparison of HMAC keys.

This isn't a bug as such, its a missing feature. Perhaps the documentation could be more explicit about which EVP_PKEY types actually support comparison.