[openssl] master update

Matt Caswell matt at openssl.org
Wed Mar 27 14:36:12 UTC 2019


The branch master has been updated
       via  48fdeca01dab31237a711d9fdf4452ebf8443716 (commit)
       via  17838470617afd50813a66adcebad2e6e17de79c (commit)
      from  183f52e29af27285ea4ed7c947b71c83618f8702 (commit)


- Log -----------------------------------------------------------------
commit 48fdeca01dab31237a711d9fdf4452ebf8443716
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 26 13:32:39 2019 +0000

    Don't allow SHAKE128/SHAKE256 with HMAC
    
    See discussion in github issue #8563
    
    Fixes #8563
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/8584)

commit 17838470617afd50813a66adcebad2e6e17de79c
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 26 12:11:12 2019 +0000

    Correctly check the return code of EVP_MAC_ctrl everwhere it is used
    
    EVP_MAC_ctrl is documented to return 0 or -1 on failure. Numerous places
    were not getting this check correct.
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/8584)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/pkey_mac.c                    | 12 ++++++------
 crypto/hmac/hmac.c                       |  7 +++++++
 crypto/kdf/sskdf.c                       |  8 ++++----
 crypto/modes/siv128.c                    |  4 ++--
 doc/man3/EVP_MAC.pod                     |  3 +++
 doc/man3/HMAC.pod                        |  4 +++-
 test/recipes/30-test_evp_data/evpmac.txt |  8 ++++++++
 7 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c
index 858ca28..fc627f1 100644
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@@ -231,9 +231,9 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                 int rv;
 
                 if ((rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_ENGINE,
-                                       ctx->engine)) < 0
+                                       ctx->engine)) <= 0
                     || (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_CIPHER,
-                                          p2)) < 0
+                                          p2)) <= 0
                     || !(rv = EVP_MAC_init(hctx->ctx)))
                     return rv;
             }
@@ -275,7 +275,7 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                 return 0;
             break;
         case MAC_TYPE_MAC:
-            if (!EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY, p2, p1))
+            if (EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY, p2, p1) <= 0)
                 return 0;
             break;
         default:
@@ -296,11 +296,11 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                     (ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr;
 
                 if ((rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_ENGINE,
-                                       ctx->engine)) < 0
+                                       ctx->engine)) <= 0
                     || (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_MD,
-                                          hctx->raw_data.md)) < 0
+                                          hctx->raw_data.md)) <= 0
                     || (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY,
-                                          key->data, key->length)) < 0)
+                                          key->data, key->length)) <= 0)
                     return rv;
             }
             break;
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index e78f66a..5d934e9 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
         return 0;
     }
 
+    /*
+     * The HMAC construction is not allowed to be used with the
+     * extendable-output functions (XOF) shake128 and shake256.
+     */
+    if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+        return 0;
+
     if (key != NULL) {
         reset = 1;
         j = EVP_MD_block_size(md);
diff --git a/crypto/kdf/sskdf.c b/crypto/kdf/sskdf.c
index e999b54..935428f 100644
--- a/crypto/kdf/sskdf.c
+++ b/crypto/kdf/sskdf.c
@@ -138,7 +138,7 @@ static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
     if (custom == NULL)
         return 1;
 
-    if (!EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_CUSTOM, custom, custom_len))
+    if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_CUSTOM, custom, custom_len) <= 0)
         return 0;
 
     /* By default only do one iteration if kmac_out_len is not specified */
@@ -153,7 +153,7 @@ static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
             || kmac_out_len == 64))
         return 0;
 
-    if (!EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_SIZE, kmac_out_len))
+    if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_SIZE, kmac_out_len) <= 0)
         return 0;
 
     /*
@@ -200,10 +200,10 @@ static int SSKDF_mac_kdm(const EVP_MAC *kdf_mac, const EVP_MD *hmac_md,
     if (ctx == NULL || ctx_init == NULL)
         goto end;
     if (hmac_md != NULL &&
-            !EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, hmac_md))
+            EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, hmac_md) <= 0)
         goto end;
 
-    if (!EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, salt, salt_len))
+    if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, salt, salt_len) <= 0)
         goto end;
 
     if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
diff --git a/crypto/modes/siv128.c b/crypto/modes/siv128.c
index 99b11d1..f812d0a 100644
--- a/crypto/modes/siv128.c
+++ b/crypto/modes/siv128.c
@@ -166,8 +166,8 @@ int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
             || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
             || (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
             || (ctx->mac_ctx = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
-            || !EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc)
-            || !EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen)
+            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
+            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
             || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
             || !EVP_MAC_CTX_copy(ctx->mac_ctx, ctx->mac_ctx_init)
             || !EVP_MAC_update(ctx->mac_ctx, zero, sizeof(zero))
diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod
index 32bf589..a55d8db 100644
--- a/doc/man3/EVP_MAC.pod
+++ b/doc/man3/EVP_MAC.pod
@@ -202,6 +202,9 @@ For MAC implementations that use an underlying computation algorithm,
 these controls set what the algorithm should be, and the engine that
 implements the algorithm if needed.
 
+Note that not all algorithms may support all digests. HMAC does not support
+variable output length digests such as SHAKE128 or SHAKE256.
+
 B<EVP_MAC_CTRL_SET_ENGINE> takes one argument: C<ENGINE *>
 
 B<EVP_MAC_CTRL_SET_MD> takes one argument: C<EVP_MD *>
diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod
index 10a7250..a9bcd0e 100644
--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@@ -63,7 +63,9 @@ If B<md> is NULL, the digest is placed in a static array.  The size of
 the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
 value for B<md>  to use the static array is not thread safe.
 
-B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<evp_md> is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does
+not support variable output length digests such as EVP_shake128() and
+EVP_shake256().
 
 HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
 
diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt
index 732c8c4..ada1ae6 100644
--- a/test/recipes/30-test_evp_data/evpmac.txt
+++ b/test/recipes/30-test_evp_data/evpmac.txt
@@ -589,6 +589,14 @@ Input = "Sample message for keylen>blocklen"
 Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687
 Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915
 
+Title = HMAC self generated tests
+
+MAC = HMAC
+Algorithm = SHAKE128
+Input = "Test that SHAKE128 fails"
+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+Result = MAC_CTRL_ERROR
+
 
 Title = CMAC tests (from FIPS module)
 


More information about the openssl-commits mailing list