There is one feature of Libgcrypt’s MAC API that in my opinion can be a
certain security risk for applications.
Take for instance the HMAC verification:
|static gcry_err_code_t hmac_verify (gcry_mac_hd_t h, const unsigned
char *buf, size_t buflen) { unsigned int dlen; const unsigned char
*digest; dlen = _gcry_md_get_algo_dlen (h->u.hmac.md_algo); digest =
_gcry_md_read (h->u.hmac.md_ctx, h->u.hmac.md_algo); if (buflen > dlen)
return GPG_ERR_INV_LENGTH; return buf_eq_const (buf, digest, buflen) ? 0
: GPG_ERR_CHECKSUM; } |
If there a MAC is provided to the verify function that is shorter than
the regular MAC length, the verification succeeds if that shorter MAC is
matching the start of the regular MAC.
The risk for applications is that if a client application is just
handing through an attacker controlled MAC value together with its
length, then attacks are possible if the size of the MAC can be
controlled by the attacker in the protocol. (Zero-length MAC are caught
by the higher level API functions.) It would be more conservative to
enforce the full length of the MAC in the verification function and
allow shortened MACs only as specific variant algorithms.
I tested this and actually the only MAC verification that I found that
doesn’t accept MACs of size one is that of the GMAC algorithm.
- Falko
--
*MTG AG*
Dr. Falko Strenzke
Executive System Architect
Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>
------------------------------------------------------------------------
MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde
This email may contain confidential and/or privileged information. If
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised
copying or distribution of this email is not permitted.
Data protection information: Privacy policy
<https://www.mtg.de/en/privacy-policy>
certain security risk for applications.
Take for instance the HMAC verification:
|static gcry_err_code_t hmac_verify (gcry_mac_hd_t h, const unsigned
char *buf, size_t buflen) { unsigned int dlen; const unsigned char
*digest; dlen = _gcry_md_get_algo_dlen (h->u.hmac.md_algo); digest =
_gcry_md_read (h->u.hmac.md_ctx, h->u.hmac.md_algo); if (buflen > dlen)
return GPG_ERR_INV_LENGTH; return buf_eq_const (buf, digest, buflen) ? 0
: GPG_ERR_CHECKSUM; } |
If there a MAC is provided to the verify function that is shorter than
the regular MAC length, the verification succeeds if that shorter MAC is
matching the start of the regular MAC.
The risk for applications is that if a client application is just
handing through an attacker controlled MAC value together with its
length, then attacks are possible if the size of the MAC can be
controlled by the attacker in the protocol. (Zero-length MAC are caught
by the higher level API functions.) It would be more conservative to
enforce the full length of the MAC in the verification function and
allow shortened MACs only as specific variant algorithms.
I tested this and actually the only MAC verification that I found that
doesn’t accept MACs of size one is that of the GMAC algorithm.
- Falko
--
*MTG AG*
Dr. Falko Strenzke
Executive System Architect
Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>
------------------------------------------------------------------------
MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde
This email may contain confidential and/or privileged information. If
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised
copying or distribution of this email is not permitted.
Data protection information: Privacy policy
<https://www.mtg.de/en/privacy-policy>
Attached Files:
-
smime.p7s (4.70 KB)