[PATCH v2] Disallow XOF algorithms for gcry_md_hash_buffers

Peter Wu peter at lekensteyn.nl
Thu Mar 24 13:38:06 CET 2016 

* cipher/md.c (_gcry_md_hash_buffer): Skip calculation for XOFs.
(_gcry_md_hash_buffers): Fail when XOFs are selected.
* doc/gcrypt.texi: Explicitly document above behavior for XOFs.
* tests/benchmark.c: Skip benchmarking hash functions without a fixed
output length.
--

Caught by UndefinedBehaviorSanitizer while running tests/benchmarks
where gcry_md_hash_buffer(GCRY_MD_SHAKE128) would result in
memcpy(digest, NULL, 0).

Signed-off-by: Peter Wu <peter at lekensteyn.nl>
---
 v2: just shortcircuit in gcry_md_hash_buffer for XOFs and reject the algo in
     gcry_md_hash_buffers. Adjust documentation and tests accordingly.

tests/benchmarks md SHAKE128 now shows "0ms" for the last column, but at least
the UB warning is gone.
---
 cipher/md.c       | 5 +++++
 doc/gcrypt.texi   | 4 +++-
 tests/benchmark.c | 2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/cipher/md.c b/cipher/md.c
index 0414dcb..d1d0812 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -948,6 +948,8 @@ _gcry_md_hash_buffer (int algo, void *digest,
     _gcry_sha1_hash_buffer (digest, buffer, length);
   else if (algo == GCRY_MD_RMD160 && !fips_mode () )
     _gcry_rmd160_hash_buffer (digest, buffer, length);
+  else if (md_digest_length (algo) == 0)
+    ; /* Nothing to do for hashes without a fixed output length. */
   else
     {
       /* For the others we do not have a fast function, so we use the
@@ -1007,6 +1009,9 @@ _gcry_md_hash_buffers (int algo, unsigned int flags, void *digest,
   if (hmac && iovcnt < 1)
     return GPG_ERR_INV_ARG;
 
+  if (md_digest_length (algo) == 0)
+    return GPG_ERR_INV_ARG;
+
   if (algo == GCRY_MD_SHA1 && !hmac)
     _gcry_sha1_hash_buffers (digest, iov, iovcnt);
   else
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 3265a70..9481be9 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -3378,6 +3378,7 @@ described by @var{iov} and @var{iovcnt}.  @var{digest} must be
 allocated by the caller, large enough to hold the message digest
 yielded by the the specified algorithm @var{algo}.  This required size
 may be obtained by using the function @code{gcry_md_get_algo_dlen}.
+This function cannot be used for extendable-output functions.
 
 @var{iov} is an array of buffer descriptions with @var{iovcnt} items.
 The caller should zero out the structures in this array and for each
@@ -3402,7 +3403,8 @@ immediately returns the message digest of the @var{length} bytes at
 @var{buffer}.  @var{digest} must be allocated by the caller, large
 enough to hold the message digest yielded by the the specified algorithm
 @var{algo}.  This required size may be obtained by using the function
- at code{gcry_md_get_algo_dlen}.
+ at code{gcry_md_get_algo_dlen}.  This function has no effect for
+extendable-output functions.
 
 Note that in contrast to @code{gcry_md_hash_buffers} this function
 will abort the process if an unavailable algorithm is used.
diff --git a/tests/benchmark.c b/tests/benchmark.c
index 53b83b1..5f94cc8 100644
--- a/tests/benchmark.c
+++ b/tests/benchmark.c
@@ -499,6 +499,8 @@ md_bench ( const char *algoname )
       for (i=1; i < 400; i++)
         if (in_fips_mode && i == GCRY_MD_MD5)
           ; /* Don't use MD5 in fips mode.  */
+        else if (gcry_md_get_algo_dlen (i) == 0)
+          ; /* Skip hash functions without a fixed output length. */
         else if ( !gcry_md_test_algo (i) )
           md_bench (gcry_md_algo_name (i));
       return;
-- 
2.7.4

More information about the Gcrypt-devel mailing list