mac: add EVP_MAC_finalXOF() function

Fixes #14140
Fixes #13232
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15061)

crypto/err/openssl.txt

@@ -727,6 +727,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
 EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error
 EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error
 EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa
+EVP_R_SETTING_XOF_FAILED:227:setting xof failed
 EVP_R_SET_DEFAULT_PROPERTY_FAILURE:209:set default property failure
 EVP_R_TOO_MANY_RECORDS:183:too many records
 EVP_R_UNABLE_TO_ENABLE_LOCKING:212:unable to enable locking

crypto/evp/evp_err.c

@@ -133,10 +133,10 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NULL_MAC_PKEY_CTX), "null mac pkey ctx"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ONLY_ONESHOT_SUPPORTED),
     "only oneshot supported"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
-    "operation not supported for this keytype"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_INITIALIZED),
     "operation not initialized"},
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+    "operation not supported for this keytype"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
     "output would overflow"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
@@ -151,6 +151,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
     "private key encode error"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_SETTING_XOF_FAILED), "setting xof failed"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_SET_DEFAULT_PROPERTY_FAILURE),
     "set default property failure"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"},

crypto/evp/mac_lib.c

@@ -116,21 +116,56 @@ int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen)
     return ctx->meth->update(ctx->data, data, datalen);
 }
 
-int EVP_MAC_final(EVP_MAC_CTX *ctx,
-                  unsigned char *out, size_t *outl, size_t outsize)
+static int evp_mac_final(EVP_MAC_CTX *ctx, int xof,
+                         unsigned char *out, size_t *outl, size_t outsize)
 {
     size_t l;
-    int res = 1;
+    int res;
+    OSSL_PARAM params[2];
+
+    if (ctx == NULL || ctx->meth == NULL) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_NULL_ALGORITHM);
+        return 0;
+    }
+    if (ctx->meth->final == NULL) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
+        return 0;
+    }
 
-    if (out != NULL)
-        res = ctx->meth->final(ctx->data, out, &l, outsize);
-    else
-        l = EVP_MAC_CTX_get_mac_size(ctx);
+    if (out == NULL) {
+        if (outl == NULL) {
+            ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
+            return 0;
+        }
+        *outl = EVP_MAC_CTX_get_mac_size(ctx);
+        return 1;
+    }
+    if (xof) {
+        params[0] = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_XOF, &xof);
+        params[1] = OSSL_PARAM_construct_end();
+
+        if (EVP_MAC_CTX_set_params(ctx, params) <= 0) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_SETTING_XOF_FAILED);
+            return 0;
+        }
+    }
+    res = ctx->meth->final(ctx->data, out, &l, outsize);
     if (outl != NULL)
         *outl = l;
     return res;
 }
 
+int EVP_MAC_final(EVP_MAC_CTX *ctx,
+                  unsigned char *out, size_t *outl, size_t outsize)
+{
+    return evp_mac_final(ctx, 0, out, outl, outsize);
+}
+
+int EVP_MAC_finalXOF(EVP_MAC_CTX *ctx, unsigned char *out, size_t outsize)
+{
+    return evp_mac_final(ctx, 1, out, NULL, outsize);
+}
+
 /*
  * The {get,set}_params functions return 1 if there is no corresponding
  * function in the implementation.  This is the same as if there was one,

include/openssl/evp.h

@@ -1181,6 +1181,7 @@ int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen,
 int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen);
 int EVP_MAC_final(EVP_MAC_CTX *ctx,
                   unsigned char *out, size_t *outl, size_t outsize);
+int EVP_MAC_finalXOF(EVP_MAC_CTX *ctx, unsigned char *out, size_t outsize);
 const OSSL_PARAM *EVP_MAC_gettable_params(const EVP_MAC *mac);
 const OSSL_PARAM *EVP_MAC_gettable_ctx_params(const EVP_MAC *mac);
 const OSSL_PARAM *EVP_MAC_settable_ctx_params(const EVP_MAC *mac);

include/openssl/evperr.h

@@ -95,8 +95,8 @@
 # define EVP_R_NO_OPERATION_SET                           149
 # define EVP_R_NULL_MAC_PKEY_CTX                          208
 # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
-# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
 # define EVP_R_OPERATION_NOT_INITIALIZED                  151
+# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
 # define EVP_R_OUTPUT_WOULD_OVERFLOW                      202
 # define EVP_R_PARAMETER_TOO_LARGE                        187
 # define EVP_R_PARTIALLY_OVERLAPPING                      162
@@ -105,6 +105,7 @@
 # define EVP_R_PRIVATE_KEY_DECODE_ERROR                   145
 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR                   146
 # define EVP_R_PUBLIC_KEY_NOT_RSA                         106
+# define EVP_R_SETTING_XOF_FAILED                         227
 # define EVP_R_SET_DEFAULT_PROPERTY_FAILURE               209
 # define EVP_R_TOO_MANY_RECORDS                           183
 # define EVP_R_UNABLE_TO_ENABLE_LOCKING                   212

util/libcrypto.num

@@ -4413,6 +4413,7 @@ EVP_MAC_CTX_get_mac_size                ?	3_0_0	EXIST::FUNCTION:
 EVP_MAC_init                            ?	3_0_0	EXIST::FUNCTION:
 EVP_MAC_update                          ?	3_0_0	EXIST::FUNCTION:
 EVP_MAC_final                           ?	3_0_0	EXIST::FUNCTION:
+EVP_MAC_finalXOF                        ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_supports_digest_nid            ?	3_0_0	EXIST::FUNCTION:
 SRP_VBASE_add0_user                     ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
 SRP_user_pwd_new                        ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP