pqc-thunderbird / libgcrypt

GNU General Public License v2.0

Security issue in MAC verification #19

Closed falko-strenzke closed 1 year ago

falko-strenzke commented 1 year ago
static gcry_err_code_t
hmac_verify (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen)
{
  unsigned int dlen;
  const unsigned char *digest;

  dlen = _gcry_md_get_algo_dlen (h->u.hmac.md_algo);
  digest = _gcry_md_read (h->u.hmac.md_ctx, h->u.hmac.md_algo);

  if (buflen > dlen)
    return GPG_ERR_INV_LENGTH;

  return buf_eq_const (buf, digest, buflen) ? 0 : GPG_ERR_CHECKSUM;
}

If a MAC is provided to the verify function that is shorter than the regular MAC length, the verification succeeds if that shorter MAC matches the start of the regular MAC. This behaviour incurs the risk that an implementation issues the verification of a zero-length attacker-controlled MAC that then verifies correctly.

falko-strenzke commented 1 year ago

cmac seems to be affected as well.

falko-strenzke commented 1 year ago

Botan does it correctly in src/lib/mac/mac.cpp:

bool MessageAuthenticationCode::verify_mac_result(const uint8_t mac[], size_t length) {
   secure_vector<uint8_t> our_mac = final();

   if(our_mac.size() != length) {
      return false;
   }

   return constant_time_compare(our_mac.data(), mac, length);
}
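
The following is an added example, not code from libgcrypt or Botan, written to contrast the two verification patterns discussed in this thread: a check that only rejects tags longer than the MAC (as in the quoted hmac_verify, so any prefix including the empty one is accepted) against one that requires the supplied tag to have exactly the MAC length before comparing (as in Botan's verify_mac_result). The 32-byte COMPUTED_MAC constant is a constructed stand-in for the digest a real implementation would read from its HMAC/CMAC context, and ct_equal is a hypothetical constant-time helper standing in for buf_eq_const / constant_time_compare.

```c
/* Added example (not libgcrypt's or Botan's code): prefix-accepting versus
 * length-strict MAC verification over a constructed sample tag. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 32

/* Constructed sample: the tag the verifier would compute for some message. */
static const unsigned char COMPUTED_MAC[MAC_LEN] = {
    0x4f,0x3a,0xc1,0x09,0x77,0xe2,0x5b,0x60,0x18,0xaa,0x92,0x0d,0xf5,0x2e,0x7c,0x83,
    0xb4,0x11,0x9e,0x6d,0x05,0xc8,0x37,0xfa,0x62,0x2b,0xd9,0x48,0x90,0x1f,0xe7,0x56
};

/* Hypothetical constant-time equality over len bytes (stands in for
 * buf_eq_const / constant_time_compare). Returns 1 when equal. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Flawed pattern: only tags *longer* than the MAC are rejected, so any
 * prefix of the computed MAC, including the empty prefix, verifies.
 * Returns 1 on "verified", 0 otherwise. */
int verify_prefix(const unsigned char *tag, size_t taglen)
{
    if (taglen > MAC_LEN)
        return 0;
    return ct_equal(tag, COMPUTED_MAC, taglen);
}

/* Hardened pattern: the supplied tag must have exactly the MAC length
 * before any bytes are compared. Returns 1 on "verified", 0 otherwise. */
int verify_strict(const unsigned char *tag, size_t taglen)
{
    if (taglen != MAC_LEN)
        return 0;
    return ct_equal(tag, COMPUTED_MAC, MAC_LEN);
}

int main(void)
{
    unsigned char empty[1] = {0};
    unsigned char prefix[4];
    unsigned char wrong[MAC_LEN];

    memcpy(prefix, COMPUTED_MAC, sizeof prefix); /* 4-byte prefix of the real tag */
    memcpy(wrong, COMPUTED_MAC, MAC_LEN);
    wrong[MAC_LEN - 1] ^= 0x01;                  /* full-length tag with one bit flipped */

    printf("prefix-check: empty -> %d, 4-byte prefix -> %d, full -> %d, corrupted -> %d\n",
           verify_prefix(empty, 0), verify_prefix(prefix, sizeof prefix),
           verify_prefix(COMPUTED_MAC, MAC_LEN), verify_prefix(wrong, MAC_LEN));
    printf("strict-check: empty -> %d, 4-byte prefix -> %d, full -> %d, corrupted -> %d\n",
           verify_strict(empty, 0), verify_strict(prefix, sizeof prefix),
           verify_strict(COMPUTED_MAC, MAC_LEN), verify_strict(wrong, MAC_LEN));
    return 0;
}
```

Running it shows the difference the issue describes: the prefix check reports success for the empty tag and for the 4-byte prefix, while the strict check accepts only the full-length, byte-exact tag. The length comparison itself need not be constant time, since the tag length is public; only the byte comparison must be.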

falko-strenzke commented 1 year ago

Reported to gcrypt-devel 2023-10-18