verification of MACs of size 1

Falko Strenzke falko.strenzke at mtg.de
Wed Oct 18 13:12:42 CEST 2023


There is one feature of Libgcrypt’s MAC API that in my opinion can be a 
certain security risk for applications.

Take for instance the HMAC verification:

    static gcry_err_code_t
    hmac_verify (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen)
    {
      unsigned int dlen;
      const unsigned char *digest;

      dlen = _gcry_md_get_algo_dlen (h->u.hmac.md_algo);
      digest = _gcry_md_read (h->u.hmac.md_ctx, h->u.hmac.md_algo);

      /* Only tags longer than the digest are rejected.  */
      if (buflen > dlen)
        return GPG_ERR_INV_LENGTH;

      /* Constant-time compare of only the first BUFLEN bytes.  */
      return buf_eq_const (buf, digest, buflen) ? 0 : GPG_ERR_CHECKSUM;
    }

If a MAC is provided to the verify function that is shorter than the 
regular MAC length, the verification succeeds if that shorter MAC 
matches the start of the regular MAC.

The risk for applications is that if a client application is just 
handing through an attacker-controlled MAC value together with its 
length, then attacks are possible if the size of the MAC can be 
controlled by the attacker in the protocol.  (Zero-length MACs are caught 
by the higher-level API functions.) It would be more conservative to 
enforce the full length of the MAC in the verification function and 
allow shortened MACs only as specific variant algorithms.

I tested this and actually the only MAC verification that I found that 
doesn’t accept MACs of size one is that of the GMAC algorithm.

- Falko

-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke at mtg.de
Web: mtg.de <https://www.mtg.de>


------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>
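The following is an added example and not code from the post or from Libgcrypt. It models the verification behaviour quoted above in Python (HMAC-SHA256 via the standard library) so that the consequence for a protocol in which the attacker picks the tag length can be observed without Libgcrypt installed: `verify_prefix` mirrors the quoted `hmac_verify` (any tag of 1..dlen bytes is accepted if it matches the leading bytes of the real MAC; the zero-length rejection stands in for the higher-level API check mentioned in the post), `verify_full` is the conservative variant the post argues for, and `forge` is an attacker who only has access to the verification oracle. The key and message are constructed for the demonstration.

```python
"""Model of truncated-MAC verification (added example, not Libgcrypt code)."""
import hashlib
import hmac
import itertools
from typing import Callable, Optional, Tuple

HASH = hashlib.sha256
DLEN = HASH().digest_size  # regular MAC length: 32 bytes for HMAC-SHA256

# Constructed test vectors for the demonstration; not from the post.
KEY = b"constructed-secret-key-not-known-to-attacker"
MSG = b"transfer 1000 to mallory"

Verifier = Callable[[bytes, bytes, bytes], bool]


def compute_mac(key: bytes, msg: bytes) -> bytes:
    """Full-length HMAC-SHA256 tag."""
    return hmac.new(key, msg, HASH).digest()


def verify_prefix(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Mirrors the quoted hmac_verify: reject only tags longer than DLEN
    (and, like the higher-level API, empty tags), then compare just the
    first len(tag) bytes in constant time."""
    if len(tag) == 0 or len(tag) > DLEN:
        return False
    expected = compute_mac(key, msg)
    return hmac.compare_digest(tag, expected[: len(tag)])


def verify_full(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Conservative variant: the tag must have exactly the full length."""
    if len(tag) != DLEN:
        return False
    return hmac.compare_digest(tag, compute_mac(key, msg))


def forge(key: bytes, msg: bytes, verify: Verifier,
          tag_len: int) -> Tuple[Optional[bytes], int]:
    """Attacker who controls the tag length but does not know the key:
    submit every tag_len-byte tag to the verification oracle and return
    the first accepted tag plus the number of queries it took.  The key
    is only ever passed through to the oracle, never inspected."""
    attempts = 0
    for candidate in itertools.product(range(256), repeat=tag_len):
        attempts += 1
        tag = bytes(candidate)
        if verify(key, msg, tag):
            return tag, attempts
    return None, attempts


if __name__ == "__main__":
    real = compute_mac(KEY, MSG)
    print("full tag accepted by both:", verify_prefix(KEY, MSG, real),
          verify_full(KEY, MSG, real))
    tag, n = forge(KEY, MSG, verify_prefix, 1)
    print("prefix verifier: forged 1-byte tag", tag, "after", n, "queries")
    tag, n = forge(KEY, MSG, verify_full, 1)
    print("full-length verifier: forged tag", tag, "after", n, "queries")
```

With the prefix-accepting verifier a one-byte tag is forged after at most 256 oracle queries (and a two-byte tag after at most 65536), whereas the full-length verifier rejects every short tag regardless of content; the same experiment applies to any MAC whose verification compares only the caller-supplied number of bytes.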