(Bug) Buffer overrun in gcry_cipher_gettag
jussi.kivilinna at iki.fi
Thu Mar 24 16:36:44 CET 2016
On 23.03.2016 04:25, Peter Wu wrote:
> On Tue, Mar 22, 2016 at 07:59:08PM -0400, Ian Goldberg wrote:
>> On Tue, Mar 22, 2016 at 11:27:26PM +0100, Peter Wu wrote:
>>> Ah, my bad. OCB happens to be unaffected, I included it because the code
>>> is smaller than the GCM case. I originally triggered it with AES-GCM.
>>> Please find minimal reproducers in the attached crash.c file.
>> You didn't attach anything?
> Oops, now I do.
> It also found that the meaning of the tag length is not fixed.
> For OCB the tag length can be 64, 96 or 128 bits (based on RFC 7253) so
> the libgcrypt API allows you to specify the maximum buffer size.
> Current implemented constraints:
> * CCM: taglen == authlen
> * cmac (as used by MAC-CMAC): 1 <= taglen <= block_size
> * GCM: 16 <= taglen (bug!)
> * OCB: ocb.taglen <= taglen (copy at most ocb.taglen)
> * Poly1305: 16 <= taglen (bug!)
Looks like that the tag length check for GCM should be:
if (outbuflen > GCRY_GCM_BLOCK_LEN)
else if (outbuflen == 0)
instead of current, which is just wrong:
if (outbuflen < GCRY_GCM_BLOCK_LEN)
That function should allow tag length that are less than maximum tag
length as GCM spec (NIST Special Publication 800-38D) tag may be
truncated by application.
For Poly1305, tag size is fixed to 128-bits (in RFC 7539), so enforcing
that should be ok.
> Anything outside this range results in one of the following errors:
> * GPG_ERR_BUFFER_TOO_SHORT (GCM, OCB, Poly1305)
> * GPG_ERR_INV_ARG (CCM, CMAC)
> * GPG_ERR_INV_LENGTH (CCM)
> I have some patches for the gettag crashes, but maybe it would also be
> nice to be consistent here and treat the input size solely as a hint for
> the input buffer size, and return failure if it is too small (instead of
> too large)? Of course the documentation has to be updated for this.
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
More information about the Gcrypt-devel