hmac-drbg: ignore any passed MAC parameter
authorPauli <paul.dale@oracle.com>
Tue, 28 Oct 2025 02:38:38 +0000 (13:38 +1100)
committerPauli <paul.dale@oracle.com>
Thu, 30 Oct 2025 22:35:11 +0000 (09:35 +1100)
The MAC parameter should only ever be set to HMAC.
Since setting it to anything else isn't defined, this parameter is ignored.

Fixes #29003

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29012)

providers/implementations/include/prov/drbg.h
providers/implementations/rands/drbg_hmac.c
providers/implementations/rands/drbg_hmac.inc.in

index 4fca02090790c2c00b7c414149757416edb4a7df..e74ddd0717cd77e96782eb4bff673ebd86194472 100644 (file)
@@ -231,7 +231,6 @@ struct drbg_get_ctx_params_st {
     OSSL_PARAM *cipher;         /* CTR DRBG */
     OSSL_PARAM *df;             /* CTR DRBG */
     OSSL_PARAM *digest;         /* HASH & HMAC DRBG */
-    OSSL_PARAM *mac;            /* HMAC DRBG */
 };
 
 int ossl_drbg_get_ctx_params(PROV_DRBG *drbg,
@@ -247,7 +246,6 @@ struct drbg_set_ctx_params_st {
     OSSL_PARAM *cipher;     /* CTR DRBG */
     OSSL_PARAM *df;         /* CTR DRBG */
     OSSL_PARAM *digest;     /* HASH and HMAC DRBG */
-    OSSL_PARAM *mac;        /* HMAC DRBG */
     OSSL_PARAM *ind_d;      /* HASH and HMAC DRBG */
     OSSL_PARAM *prov;
     OSSL_PARAM *reseed_req;
index 3743de2f1da2d1d13862691610cc3dbf7726dd88..adf1d24e58221972012f24806d5dc4ec6d295ed1 100644 (file)
@@ -369,7 +369,6 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
 {
     PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
     PROV_DRBG_HMAC *hmac;
-    const char *name;
     const EVP_MD *md;
     struct drbg_get_ctx_params_st p;
     int ret = 0, complete = 0;
@@ -388,14 +387,6 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
     if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
         return 0;
 
-    if (p.mac != NULL) {
-        if (hmac->ctx == NULL)
-            goto err;
-        name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx));
-        if (!OSSL_PARAM_set_utf8_string(p.mac, name))
-            goto err;
-    }
-
     if (p.digest != NULL) {
         md = ossl_prov_digest_md(&hmac->digest);
         if (md == NULL
@@ -424,7 +415,6 @@ static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p,
 {
     OSSL_PROVIDER *prov = NULL;
     EVP_MD *md = NULL;
-    EVP_MAC *mac = NULL;
     int ret = 0;
 
     if (macctx == NULL || digest == NULL)
@@ -448,24 +438,7 @@ static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p,
         }
     }
 
-    if (p->mac == NULL) {
-        ret = 1;
-        goto done;
-    }
-
-    if (p->mac->data_type != OSSL_PARAM_UTF8_STRING)
-        goto done;
-
-    EVP_MAC_CTX_free(*macctx);
-    *macctx = NULL;
-
-    mac = evp_mac_fetch_from_prov(prov, (const char *)p->mac->data, NULL);
-    if (mac) {
-        *macctx = EVP_MAC_CTX_new(mac);
-        /* The context holds on to the MAC */
-        EVP_MAC_free(mac);
-        ret = 1;
-    }
+    ret = 1;
 
 done:
     ossl_provider_free(prov);
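Review bot: After this hunk `macctx` is only NULL-checked at the top of `drbg_fetch_algs_from_prov` and never written, so the provider-pinned success path no longer creates a MAC context in this function. Callers that passed a MAC name together with a provider name used to get `*macctx` from the removed lines. The caller's `else` branch in the next hunk shows only the `prov_md` handling, so unless code outside these hunks builds `hmac->ctx`, such a DRBG may be left without an HMAC context. Please confirm that path is covered, and either drop the now-unused parameter or add a comment such as `/* only the digest is fetched from the named provider; the HMAC context is set up by the caller */`. The function body begins and ends outside this hunk.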
@@ -488,15 +461,17 @@ static int drbg_hmac_set_ctx_params_locked
     (void)ERR_set_mark();
     if (!drbg_fetch_algs_from_prov(p, libctx, &hmac->ctx, &prov_md)) {
         (void)ERR_pop_to_mark();
-        /* fall back to full implementation search */
-        if (!ossl_prov_digest_load(&hmac->digest, p->digest, p->propq,
-                                   p->engine, libctx))
-            return 0;
+        if (p->digest != NULL) {
+            /* fall back to full implementation search */
+            if (!ossl_prov_digest_load(&hmac->digest, p->digest, p->propq,
+                                       p->engine, libctx))
+                return 0;
 
-        if (!ossl_prov_macctx_load(&hmac->ctx, p->mac, NULL, p->digest,
-                                   p->propq, p->engine,
-                                   NULL, NULL, NULL, libctx))
-            return 0;
+            if (!ossl_prov_macctx_load(&hmac->ctx, NULL, NULL, p->digest,
+                                       p->propq, p->engine,
+                                       "HMAC", NULL, NULL, libctx))
+                return 0;
+        }
     } else {
         (void)ERR_clear_last_mark();
         if (prov_md)
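Review bot: The new `if (p->digest != NULL)` guard turns the failure branch into a silent no-op when no digest is supplied. `ERR_pop_to_mark()` has already discarded whatever `drbg_fetch_algs_from_prov` reported, so this block then neither raises an error nor loads anything. If that is intended for parameter sets that carry no digest, say so in a comment, e.g. `/* no digest supplied: nothing to reload, keep the current digest and MAC context */`. The hard-coded `"HMAC"` argument also deserves a one-line comment that the MAC is fixed for this DRBG and any caller-supplied MAC name is deliberately ignored, since a caller passing another name gets no diagnostic. The function starts before and continues after this hunk.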
index c8c13333f2fbcc1137701cb9fdbbb2f74f6fb6f7..53f81410f3bba2e81bc74902dd099530974d65c5 100644 (file)
@@ -12,8 +12,7 @@ use OpenSSL::paramnames qw(produce_param_decoder);
 -}
 
 {- produce_param_decoder('drbg_hmac_get_ctx_params',
-                         (['OSSL_DRBG_PARAM_MAC',                    'mac',         'utf8_string'],
-                          ['OSSL_DRBG_PARAM_DIGEST',                 'digest',      'utf8_string'],
+                         (['OSSL_DRBG_PARAM_DIGEST',                 'digest',      'utf8_string'],
                           ['OSSL_RAND_PARAM_STATE',                  'state',       'int'],
                           ['OSSL_RAND_PARAM_STRENGTH',               'str',         'uint'],
                           ['OSSL_RAND_PARAM_MAX_REQUEST',            'maxreq',      'size_t'],
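Review bot: Removing `OSSL_DRBG_PARAM_MAC` from the `drbg_hmac_get_ctx_params` decoder changes what callers can read, not only what they can set. A get request for the MAC name was previously filled in by the block removed from drbg_hmac.c and will now presumably be left untouched. The same entry is dropped from the set-side list in the next hunk. The commit lists only three source files, so no documentation or changelog update is visible here. It would help to record in the parameter documentation that the key is ignored on set and no longer reported on get, so applications that check the returned value are not surprised.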
@@ -34,7 +33,6 @@ use OpenSSL::paramnames qw(produce_param_decoder);
                          (['OSSL_DRBG_PARAM_PROPERTIES',           'propq',       'utf8_string'],
                           ['OSSL_ALG_PARAM_ENGINE',                'engine',      'utf8_string', 'hidden'],
                           ['OSSL_DRBG_PARAM_DIGEST',               'digest',      'utf8_string'],
-                          ['OSSL_DRBG_PARAM_MAC',                  'mac',         'utf8_string'],
                           ['OSSL_PROV_PARAM_CORE_PROV_NAME',       'prov',        'utf8_string'],
                           ['OSSL_DRBG_PARAM_RESEED_REQUESTS',      'reseed_req',  'uint'],
                           ['OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL', 'reseed_time', 'uint64'],