
Migrate CMAC_* to EVP_MAC interface #497

@VladGud


Issue Summary

Migrate the CMAC implementation in gost_omac.c from deprecated CMAC_* APIs to the modern EVP_MAC interface to ensure compatibility with OpenSSL builds that disable deprecated functionality.

Problem Description

The current OMAC (CMAC) implementation relies on deprecated CMAC APIs (CMAC_CTX_new, CMAC_CTX_free, CMAC_Init, CMAC_Update, CMAC_Final, CMAC_CTX_copy), which are marked for removal in future OpenSSL versions. This prevents the codebase from building or running with OPENSSL_NO_DEPRECATED_3_0 enabled. The migration to EVP_MAC provides a stable, provider-based alternative that aligns with OpenSSL's modern architecture.

Current Implementation

  • OMAC_CTX structure contains CMAC_CTX *cmac_ctx
  • Functions like omac_key(), omac_imit_update(), omac_imit_final(), omac_imit_copy(), and omac_imit_cleanup() directly use CMAC_* APIs
  • Context initialization and cleanup rely on CMAC_CTX_new() and CMAC_CTX_free()
  • MAC computation uses CMAC_Init(), CMAC_Update(), and CMAC_Final()

Required Changes

1. Replace CMAC_CTX with EVP_MAC context

  • Modify OMAC_CTX to store EVP_MAC *mac and EVP_MAC_CTX *mac_ctx instead of CMAC_CTX *cmac_ctx
  • Update structure initialization to use EVP_MAC_fetch("CMAC") and EVP_MAC_CTX_new()

2. Update MAC initialization and key setting

  • In omac_key(), replace CMAC_Init() with EVP_MAC_init() using OSSL_MAC_PARAM_CIPHER parameter
  • Ensure cipher is specified by name (e.g., c->cipher_name)

3. Update MAC update and final operations

  • Replace CMAC_Update() with EVP_MAC_update()
  • Replace CMAC_Final() with EVP_MAC_final(), writing output to a buffer and then memcpy to dgst_size

4. Update context copy and cleanup

  • Replace CMAC_CTX_copy() with EVP_MAC_CTX_dup() (if available) or manual duplication
  • Replace CMAC_CTX_free() with EVP_MAC_CTX_free() and EVP_MAC_free()

5. Handle EVP_MAC availability

  • Add checks for EVP_MAC support; provide fallback or error if not available

Files to Modify

  • gost_omac.c: Update OMAC_CTX structure, omac_key(), omac_imit_update(), omac_imit_final(), omac_imit_copy(), omac_imit_cleanup()
  • Potentially gost_lcl.h: If OMAC_CTX is defined there, update accordingly

Acceptance Criteria

  • CMAC implementation uses only EVP_MAC APIs, no CMAC_* calls remain
  • OMAC operations (init, update, final, copy, cleanup) work correctly with EVP_MAC

Testing

  • Unit tests for OMAC (magma_mac, grasshopper_mac) pass with new implementation
