cmac_set_ctx_params(): Fail if cipher mode is not CBC

Also add negative test cases for CMAC and GMAC using
a cipher with wrong mode.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19401)

(cherry picked from commit 94976a1e8d)

doc/man7/EVP_MAC-CMAC.pod

@@ -38,7 +38,8 @@ Setting this parameter is identical to passing a I<key> to L<EVP_MAC_init(3)>.
 
 =item "cipher" (B<OSSL_MAC_PARAM_CIPHER>) <UTF8 string>
 
-Sets the name of the underlying cipher to be used.
+Sets the name of the underlying cipher to be used. The mode of the cipher
+must be CBC.
 
 =item "properties" (B<OSSL_MAC_PARAM_PROPERTIES>) <UTF8 string>
 

providers/implementations/macs/cmac_prov.c

@@ -18,6 +18,8 @@
 #include <openssl/params.h>
 #include <openssl/evp.h>
 #include <openssl/cmac.h>
+#include <openssl/err.h>
+#include <openssl/proverr.h>
 
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
@@ -195,8 +197,16 @@ static int cmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[])
     if (params == NULL)
         return 1;
 
-    if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx))
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CIPHER)) != NULL) {
-        return 0;
+        if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx))
+            return 0;
+
+        if (EVP_CIPHER_get_mode(ossl_prov_cipher_cipher(&macctx->cipher))
+            != EVP_CIPH_CBC_MODE) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+            return 0;
+        }
+    }
 
     if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING)

test/recipes/30-test_evp_data/evpmac_common.txt

@@ -259,6 +259,13 @@ Key = 0B122AC8F34ED1FE082A3625D157561454167AC145A10BBF77C6A70596D574F1
 Input = 498B53FDEC87EDCBF07097DCCDE93A084BAD7501A224E388DF349CE18959FE8485F8AD1537F0D896EA73BEDC7214713F
 Output = F62C46329B41085625669BAF51DEA66A
 
+FIPSversion = >3.0.99
+MAC = CMAC
+Algorithm = AES-256-ECB
+Key = 0B122AC8F34ED1FE082A3625D157561454167AC145A10BBF77C6A70596D574F1
+Input = 498B53FDEC87EDCBF07097DCCDE93A084BAD7501A224E388DF349CE18959FE8485F8AD1537F0D896EA73BEDC7214713F
+Result = MAC_INIT_ERROR
+
 Title = GMAC Tests (from NIST)
 
 MAC = GMAC
@@ -326,6 +333,12 @@ IV = 7AE8E2CA4EC500012E58495C
 Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
 Output = 00BDA1B7E87608BCBF470F12157F4C07
 
+MAC = GMAC
+Algorithm = AES-256-CBC
+Key = 4C973DBC7364621674F8B5B89E5C15511FCED9216490FB1C1A2CAA0FFE0407E5
+IV = 7AE8E2CA4EC500012E58495C
+Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
+Result = MAC_INIT_ERROR
 
 Title = KMAC Tests (From NIST)
 MAC = KMAC128