From: Pauli Date: Tue, 28 Oct 2025 02:38:38 +0000 (+1100) Subject: hmac-drbg: ignore any passed MAC parameter X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a5683b1d6ea637dc9f304faf5bb5190d28cf9a9c;p=thirdparty%2Fopenssl.git hmac-drbg: ignore any passed MAC parameter The MAC parameter should only ever be set to HMAC. Since setting it to anything else isn't defined, this parameter is ignored. Fixes #29003 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Shane Lontis Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/29012) --- diff --git a/providers/implementations/include/prov/drbg.h b/providers/implementations/include/prov/drbg.h index 4fca0209079..e74ddd0717c 100644 --- a/providers/implementations/include/prov/drbg.h +++ b/providers/implementations/include/prov/drbg.h @@ -231,7 +231,6 @@ struct drbg_get_ctx_params_st { OSSL_PARAM *cipher; /* CTR DRBG */ OSSL_PARAM *df; /* CTR DRBG */ OSSL_PARAM *digest; /* HASH & HMAC DRBG */ - OSSL_PARAM *mac; /* HMAC DRBG */ }; int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, @@ -247,7 +246,6 @@ struct drbg_set_ctx_params_st { OSSL_PARAM *cipher; /* CTR DRBG */ OSSL_PARAM *df; /* CTR DRBG */ OSSL_PARAM *digest; /* HASH and HMAC DRBG */ - OSSL_PARAM *mac; /* HMAC DRBG */ OSSL_PARAM *ind_d; /* HASH and HMAC DRBG */ OSSL_PARAM *prov; OSSL_PARAM *reseed_req; diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 3743de2f1da..adf1d24e582 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -369,7 +369,6 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; PROV_DRBG_HMAC *hmac; - const char *name; const EVP_MD *md; struct drbg_get_ctx_params_st p; int ret = 0, complete = 0; @@ -388,14 +387,6 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - if (p.mac != NULL) { - if (hmac->ctx == NULL) - goto err; - name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx)); - if (!OSSL_PARAM_set_utf8_string(p.mac, name)) - goto err; - } - if (p.digest != NULL) { md = ossl_prov_digest_md(&hmac->digest); if (md == NULL @@ -424,7 +415,6 @@ static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p, { OSSL_PROVIDER *prov = NULL; EVP_MD *md = NULL; - EVP_MAC *mac = NULL; int ret = 0; if (macctx == NULL || digest == NULL) @@ -448,24 +438,7 @@ static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p, } } - if (p->mac == NULL) { - ret = 1; - goto done; - } - - if (p->mac->data_type != OSSL_PARAM_UTF8_STRING) - goto done; - - EVP_MAC_CTX_free(*macctx); - *macctx = NULL; - - mac = evp_mac_fetch_from_prov(prov, (const char *)p->mac->data, NULL); - if (mac) { - *macctx = EVP_MAC_CTX_new(mac); - /* The context holds on to the MAC */ - EVP_MAC_free(mac); - ret = 1; - } + ret = 1; done: ossl_provider_free(prov); @@ -488,15 +461,17 @@ static int drbg_hmac_set_ctx_params_locked (void)ERR_set_mark(); if (!drbg_fetch_algs_from_prov(p, libctx, &hmac->ctx, &prov_md)) { (void)ERR_pop_to_mark(); - /* fall back to full implementation search */ - if (!ossl_prov_digest_load(&hmac->digest, p->digest, p->propq, - p->engine, libctx)) - return 0; + if (p->digest != NULL) { + /* fall back to full implementation search */ + if (!ossl_prov_digest_load(&hmac->digest, p->digest, p->propq, + p->engine, libctx)) + return 0; - if (!ossl_prov_macctx_load(&hmac->ctx, p->mac, NULL, p->digest, - p->propq, p->engine, - NULL, NULL, NULL, libctx)) - return 0; + if (!ossl_prov_macctx_load(&hmac->ctx, NULL, NULL, p->digest, + p->propq, p->engine, + "HMAC", NULL, NULL, libctx)) + return 0; + } } else { (void)ERR_clear_last_mark(); if (prov_md) diff --git a/providers/implementations/rands/drbg_hmac.inc.in b/providers/implementations/rands/drbg_hmac.inc.in index c8c13333f2f..53f81410f3b 100644 --- a/providers/implementations/rands/drbg_hmac.inc.in +++ b/providers/implementations/rands/drbg_hmac.inc.in @@ -12,8 +12,7 @@ use OpenSSL::paramnames qw(produce_param_decoder); -} {- produce_param_decoder('drbg_hmac_get_ctx_params', - (['OSSL_DRBG_PARAM_MAC', 'mac', 'utf8_string'], - ['OSSL_DRBG_PARAM_DIGEST', 'digest', 'utf8_string'], + (['OSSL_DRBG_PARAM_DIGEST', 'digest', 'utf8_string'], ['OSSL_RAND_PARAM_STATE', 'state', 'int'], ['OSSL_RAND_PARAM_STRENGTH', 'str', 'uint'], ['OSSL_RAND_PARAM_MAX_REQUEST', 'maxreq', 'size_t'], @@ -34,7 +33,6 @@ use OpenSSL::paramnames qw(produce_param_decoder); (['OSSL_DRBG_PARAM_PROPERTIES', 'propq', 'utf8_string'], ['OSSL_ALG_PARAM_ENGINE', 'engine', 'utf8_string', 'hidden'], ['OSSL_DRBG_PARAM_DIGEST', 'digest', 'utf8_string'], - ['OSSL_DRBG_PARAM_MAC', 'mac', 'utf8_string'], ['OSSL_PROV_PARAM_CORE_PROV_NAME', 'prov', 'utf8_string'], ['OSSL_DRBG_PARAM_RESEED_REQUESTS', 'reseed_req', 'uint'], ['OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL', 'reseed_time', 'uint64'],