git.ipfire.org Git - thirdparty/openssl.git/commit
fetch macctx while fetching digest when creating HMAC-DRBG
author Neil Horman <nhorman@openssl.org>
Tue, 6 Jan 2026 17:08:40 +0000 (12:08 -0500)
committer Neil Horman <nhorman@openssl.org>
Fri, 9 Jan 2026 15:07:59 +0000 (10:07 -0500)
commit 8655a91c79b0f3e4543e89c2f42eafcefa0a5cc4
tree 2c9ac6c5dd4a4f8f32978f5ec52c3852ef3d0a32
parent 2b91fd900f46396ae95c624c3404fbae4adc6109
fetch macctx while fetching digest when creating HMAC-DRBG

Somewhere in our conversion from .c files to .inc files for our rand
providers, we created code in drbg_hmac_set_ctx_params_locked to fetch
our digest and hmac when creating the rand instance.  However, the
function drbg_fetch_algs_from_prov only fetched our digest for this rand
type, not the hmac, and returned 1 while doing so, indicating success.
This is problematic because it means that we never wind up fetching an
HMAC for this rand type.  As a result we never compute the strength of
the DRBG and so any attempt to seed it fails.

Ensure that, if we load a digest for this DRBG, we also fetch an HMAC,
and fail if we can't do so, so the HMAC-DRBG is useful.

Fixes openssl/private#853

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29560)
providers/implementations/rands/drbg_hmac.c
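
A simplified, self-contained model of the failure described in the commit message, added here as an illustration: a fetch step that reports success after loading only the digest leaves the DRBG without a strength, so seeding fails later. It is not OpenSSL code; every name in it (`toy_drbg`, `toy_fetch`, `fetch_algs_before`, `fetch_algs_after`, `seed_drbg`, `run_case`) and the strength value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model of the bug class; every name is hypothetical, not OpenSSL's. */
struct toy_drbg {
    const char *digest;    /* fetched digest, NULL if none */
    const char *mac;       /* fetched MAC, NULL if none */
    unsigned int strength; /* bits; 0 means it was never computed */
};

/* Constructed stand-in for a provider fetch that can fail. */
static const char *toy_fetch(const char *n, int avail) { return avail ? n : NULL; }

/* "Before": only the digest is fetched, yet success (1) is returned. */
int fetch_algs_before(struct toy_drbg *d)
{
    d->digest = toy_fetch("SHA2-256", 1);
    return d->digest != NULL;
}

/* "After": a loaded digest implies an HMAC fetch, and failure propagates. */
int fetch_algs_after(struct toy_drbg *d, int mac_available)
{
    d->digest = toy_fetch("SHA2-256", 1);
    d->mac = d->digest != NULL ? toy_fetch("HMAC", mac_available) : NULL;
    return d->digest != NULL && d->mac != NULL;
}

/* Seeding needs a strength, which is only derived once the MAC exists. */
int seed_drbg(struct toy_drbg *d)
{
    if (d->mac != NULL)
        d->strength = 256; /* constructed value for the model */
    return d->strength > 0;
}

/* Returns 2 * fetch_result + seed_result for one configuration. */
int run_case(int fixed, int mac_available)
{
    struct toy_drbg d = { NULL, NULL, 0 };
    int ok = fixed ? fetch_algs_after(&d, mac_available)
                   : fetch_algs_before(&d);
    return 2 * ok + (ok ? seed_drbg(&d) : 0);
}

int main(void)
{
    printf("%d %d %d\n", run_case(0, 1), run_case(1, 1), run_case(1, 0));
    return 0;
}
```

In the "before" case the fetch result is 1 while seeding returns 0, which is why the defect only surfaces at seed time rather than at configuration time.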