[openssl] master update
Matt Caswell
matt at openssl.org
Wed Mar 27 14:36:12 UTC 2019
The branch master has been updated
via 48fdeca01dab31237a711d9fdf4452ebf8443716 (commit)
via 17838470617afd50813a66adcebad2e6e17de79c (commit)
from 183f52e29af27285ea4ed7c947b71c83618f8702 (commit)
- Log -----------------------------------------------------------------
commit 48fdeca01dab31237a711d9fdf4452ebf8443716
Author: Matt Caswell <matt at openssl.org>
Date: Tue Mar 26 13:32:39 2019 +0000
Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563
Fixes #8563
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
commit 17838470617afd50813a66adcebad2e6e17de79c
Author: Matt Caswell <matt at openssl.org>
Date: Tue Mar 26 12:11:12 2019 +0000
Correctly check the return code of EVP_MAC_ctrl everwhere it is used
EVP_MAC_ctrl is documented to return 0 or -1 on failure. Numerous places
were not getting this check correct.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/pkey_mac.c | 12 ++++++------
crypto/hmac/hmac.c | 7 +++++++
crypto/kdf/sskdf.c | 8 ++++----
crypto/modes/siv128.c | 4 ++--
doc/man3/EVP_MAC.pod | 3 +++
doc/man3/HMAC.pod | 4 +++-
test/recipes/30-test_evp_data/evpmac.txt | 8 ++++++++
7 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c
index 858ca28..fc627f1 100644
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@@ -231,9 +231,9 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
int rv;
if ((rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_ENGINE,
- ctx->engine)) < 0
+ ctx->engine)) <= 0
|| (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_CIPHER,
- p2)) < 0
+ p2)) <= 0
|| !(rv = EVP_MAC_init(hctx->ctx)))
return rv;
}
@@ -275,7 +275,7 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
return 0;
break;
case MAC_TYPE_MAC:
- if (!EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY, p2, p1))
+ if (EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY, p2, p1) <= 0)
return 0;
break;
default:
@@ -296,11 +296,11 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
(ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr;
if ((rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_ENGINE,
- ctx->engine)) < 0
+ ctx->engine)) <= 0
|| (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_MD,
- hctx->raw_data.md)) < 0
+ hctx->raw_data.md)) <= 0
|| (rv = EVP_MAC_ctrl(hctx->ctx, EVP_MAC_CTRL_SET_KEY,
- key->data, key->length)) < 0)
+ key->data, key->length)) <= 0)
return rv;
}
break;
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index e78f66a..5d934e9 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return 0;
}
+ /*
+ * The HMAC construction is not allowed to be used with the
+ * extendable-output functions (XOF) shake128 and shake256.
+ */
+ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+ return 0;
+
if (key != NULL) {
reset = 1;
j = EVP_MD_block_size(md);
diff --git a/crypto/kdf/sskdf.c b/crypto/kdf/sskdf.c
index e999b54..935428f 100644
--- a/crypto/kdf/sskdf.c
+++ b/crypto/kdf/sskdf.c
@@ -138,7 +138,7 @@ static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
if (custom == NULL)
return 1;
- if (!EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_CUSTOM, custom, custom_len))
+ if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_CUSTOM, custom, custom_len) <= 0)
return 0;
/* By default only do one iteration if kmac_out_len is not specified */
@@ -153,7 +153,7 @@ static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
|| kmac_out_len == 64))
return 0;
- if (!EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_SIZE, kmac_out_len))
+ if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_SIZE, kmac_out_len) <= 0)
return 0;
/*
@@ -200,10 +200,10 @@ static int SSKDF_mac_kdm(const EVP_MAC *kdf_mac, const EVP_MD *hmac_md,
if (ctx == NULL || ctx_init == NULL)
goto end;
if (hmac_md != NULL &&
- !EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, hmac_md))
+ EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, hmac_md) <= 0)
goto end;
- if (!EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, salt, salt_len))
+ if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, salt, salt_len) <= 0)
goto end;
if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
diff --git a/crypto/modes/siv128.c b/crypto/modes/siv128.c
index 99b11d1..f812d0a 100644
--- a/crypto/modes/siv128.c
+++ b/crypto/modes/siv128.c
@@ -166,8 +166,8 @@ int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
|| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
|| (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
|| (ctx->mac_ctx = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
- || !EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc)
- || !EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen)
+ || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
+ || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
|| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
|| !EVP_MAC_CTX_copy(ctx->mac_ctx, ctx->mac_ctx_init)
|| !EVP_MAC_update(ctx->mac_ctx, zero, sizeof(zero))
diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod
index 32bf589..a55d8db 100644
--- a/doc/man3/EVP_MAC.pod
+++ b/doc/man3/EVP_MAC.pod
@@ -202,6 +202,9 @@ For MAC implementations that use an underlying computation algorithm,
these controls set what the algorithm should be, and the engine that
implements the algorithm if needed.
+Note that not all algorithms may support all digests. HMAC does not support
+variable output length digests such as SHAKE128 or SHAKE256.
+
B<EVP_MAC_CTRL_SET_ENGINE> takes one argument: C<ENGINE *>
B<EVP_MAC_CTRL_SET_MD> takes one argument: C<EVP_MD *>
diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod
index 10a7250..a9bcd0e 100644
--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@@ -63,7 +63,9 @@ If B<md> is NULL, the digest is placed in a static array. The size of
the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
value for B<md> to use the static array is not thread safe.
-B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<evp_md> is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does
+not support variable output length digests such as EVP_shake128() and
+EVP_shake256().
HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt
index 732c8c4..ada1ae6 100644
--- a/test/recipes/30-test_evp_data/evpmac.txt
+++ b/test/recipes/30-test_evp_data/evpmac.txt
@@ -589,6 +589,14 @@ Input = "Sample message for keylen>blocklen"
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687
Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915
+Title = HMAC self generated tests
+
+MAC = HMAC
+Algorithm = SHAKE128
+Input = "Test that SHAKE128 fails"
+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+Result = MAC_CTRL_ERROR
+
Title = CMAC tests (from FIPS module)
More information about the openssl-commits
mailing list