authorMatt Caswell <matt@openssl.org>2019-03-26 13:32:39 +0000
committerMatt Caswell <matt@openssl.org>2019-03-27 14:32:08 +0000
commit48fdeca01dab31237a711d9fdf4452ebf8443716 (patch)
treea691873403db8825fdf700a3d69c153e45e33255 /crypto/hmac
parent17838470617afd50813a66adcebad2e6e17de79c (diff)
Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563 Fixes #8563 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/8584)
Diffstat (limited to 'crypto/hmac')
-rw-r--r--crypto/hmac/hmac.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index e78f66a732..5d934e9588 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return 0;
}
+ /*
+ * The HMAC construction is not allowed to be used with the
+ * extendable-output functions (XOF) shake128 and shake256.
+ */
+ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+ return 0;
+
if (key != NULL) {
reset = 1;
j = EVP_MD_block_size(md);
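Review bot: The added comment above the `EVP_MD_FLAG_XOF` test names only shake128 and shake256, but the test is flag-based and rejects any digest carrying that flag, and the comment gives no reason for the restriction. I would reword it along the lines of `/* HMAC is defined over fixed-output digests; reject any XOF (e.g. shake128, shake256). */`. The rejection also returns a bare 0, the same value as the `return 0;` just above it, so a caller cannot tell an unsupported digest from the other failures; recording an entry on the error queue here would help, and the guard only protects callers that actually check the return value of HMAC_Init_ex. HMAC_Init_ex starts and ends outside the hunk, so whether ctx->md has already been updated before this return cannot be confirmed from the visible lines.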