Route KDF key-exchange and MAC-signature through wolfProvider directly#429
Open
yosuke-wolfssl wants to merge 1 commit into
Open
Route KDF key-exchange and MAC-signature through wolfProvider directly#429yosuke-wolfssl wants to merge 1 commit into
yosuke-wolfssl wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR ensures the HKDF/TLS1-PRF key-exchange and HMAC/CMAC “MAC-via-signature” paths are always executed by wolfProvider’s own implementations, rather than accidentally being satisfied by another provider via EVP fetches from the provider’s child libctx.
Changes:
- Reworked KDF key-exchange (HKDF/TLS1-PRF) to call wolfProvider KDF implementations via their dispatch tables, avoiding EVP_KDF_fetch entirely.
- Reworked MAC-signature bridging (HMAC/CMAC) to call wolfProvider MAC implementations via their dispatch tables, avoiding EVP_MAC_fetch entirely.
- Guarded TLS1-PRF keyexch algorithm registration behind
WP_HAVE_TLS1_PRF.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/wp_kdf_exch.c | Switches HKDF/TLS1-PRF keyexch to invoke wolfProvider KDF dispatch directly (no EVP fetch), with TLS1-PRF code compiled under WP_HAVE_TLS1_PRF. |
| src/wp_mac_sig.c | Switches HMAC/CMAC signature path to invoke wolfProvider MAC dispatch directly (no EVP fetch) and removes property-query retention. |
| src/wp_wolfprov.c | Wraps TLS1-PRF keyexch algorithm registration with #ifdef WP_HAVE_TLS1_PRF to match symbol availability. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The HKDF/TLS1-PRF key-exchange and HMAC/CMAC signature bridges advertised by
wolfProvider silently delegated the actual derivation/MAC to another provider.
This pins both to wolfProvider's own implementations, and fixes a related
correctness bug in the KDF key-exchange context duplication.
Fixes 5533 (KDF key-exchange) and 6498 (MAC-via-signature).
Root cause
wp_kdf_ctx_newandwp_mac_ctx_newre-fetched their backingEVP_KDF/EVP_MACfromprovCtx->libCtx:provCtx->libCtxis not the application's libctx — it is the child libctxcreated in
OSSL_provider_initviaOSSL_LIB_CTX_new_child(wp_wolfprov.c).A provider is not a member of the child context it spawns, so wolfProvider's own
algorithms are absent there; only the sibling/default providers bridged from the
parent are present. The fetch therefore resolved to whichever provider answered
the name — commonly the OpenSSL default provider.
Verified empirically (instrumented derive in the real test):
So a caller that selected
provider=wolfprovfor the key-exchange/signaturecould still have the derivation/MAC computed elsewhere, with no error. Appending
provider=wolfprov(the findings' suggested fix) does not work — the queryreturns NULL in the child libctx and breaks the path.
Change
Drive wolfProvider's own KDF/MAC implementation dispatch tables directly
instead of fetching through a libctx. The function pointers are resolved once
from the exported dispatch (
wp_kdf_hkdf_functions,wp_kdf_tls1_prf_functions,wp_hmac_functions,wp_cmac_functions) into the context and called with theprovider context — the same enriched-ctx + loader technique
wp_drbg.calreadyuses for the parent rand dispatch. This binds the backing implementation at
compile time and removes the libctx dependency entirely, so HKDF, TLS1-PRF, HMAC
and CMAC can no longer fall back to another provider.
This is consistent with the rest of the provider: of ~130 context constructors,
these two were the only EVP-passthrough shims; everything else already calls
wolfCrypt directly.
Additional correctness fixes
DUPCTXwas shallow.OSSL_FUNC_KEYEXCH_DUPCTXisregistered, so
EVP_PKEY_CTX_dupcallswp_kdf_ctx_dup, but it created afresh, unconfigured KDF context — the duplicate silently lost its
salt/key/info and derived incorrectly (or failed). The wolfProvider KDF
dispatch had no
OSSL_FUNC_KDF_DUPCTXto copy state, and there is no getterto read the config back. Added deep-copy
dupctximplementations towp_hkdf.candwp_tls1_prf.c, wired through the same loader as the otherops. Also makes
EVP_KDF_CTX_dupwork for the standalone HKDF/TLS1-PRF KDFs.set_ctx_paramsfailure.wp_mac_digest_sign_initnowpropagates a
setParamsfailure into the error path instead of continuing.Files
src/wp_kdf_exch.c— HKDF/TLS1-PRF keyexch drive wolfProvider's KDF dispatchdirectly (
wp_kdf_ctx_load); deep-copywp_kdf_ctx_dupvia the resolveddupctx.src/wp_mac_sig.c— HMAC/CMAC signature drive wolfProvider's MAC dispatchdirectly (
wp_mac_ctx_load); propagatesetParamsreturn.src/wp_hkdf.c— addwp_kdf_hkdf_dup(OSSL_FUNC_KDF_DUPCTX).src/wp_tls1_prf.c— addwp_kdf_tls1_prf_dup(OSSL_FUNC_KDF_DUPCTX).src/wp_wolfprov.c— guard the TLS1-PRF keyexch registration underWP_HAVE_TLS1_PRF(the backing KDF symbol only exists there).Incidental cleanup left behind by removing the fetch path: dead
propQueryandlibCtxfields (MAC), TLS1-PRF param helpers moved under theWP_HAVE_TLS1_PRFguard, and unused
<openssl/evp.h>/<openssl/kdf.h>/<openssl/ec.h>includes.
Verification
(macOS, no leak detection); the new
dupctxallocations report noleaks/overflows.
EVP_PKEY_CTX_dupsit, and confirms both derive identical output (MATCH). Negative control
(deep-copy disabled) reproduces the bug (
dup derive FAILED), confirming thecheck is meaningful.
nmon isolated objects compiled withWP_HAVE_TLS1_PRFoff: no reference towp_kdf_tls1_prf_functions, and no-Wunused-functionunder-Werror.