booth/SOURCES/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch

From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen

When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 src/auth.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
 {
 	static gcry_md_hd_t digest;
 	gcry_error_t err;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
 	if (!digest) {
 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
 		}
 	}
 	gcry_md_write(digest, data, datalen);
-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+	memcpy(result, gcry_md_read(digest, 0), hlen);
 	gcry_md_reset(digest);
 	return 0;
 }
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
 {
 	unsigned char *our_hmac;
 	int rc;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+	our_hmac = malloc(hlen);
 	if (!our_hmac)
 		return -1;
 
 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
 	if (rc)
 		goto out_free;
-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+	rc = memcmp(our_hmac, hmac, hlen);
 
 out_free:
 	if (our_hmac)
-- 
2.44.0
Import from AlmaLinux 9 2024-06-11 09:29:49 +00:00			`From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001`
			`From: Jan Friesse <jfriesse@redhat.com>`
			`Date: Wed, 21 Feb 2024 18:12:28 +0100`
			`Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen`

			`When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This`
			`value is then used for memcmp so wrong hmac might be accepted as`
			`correct.`

			`Signed-off-by: Jan Friesse <jfriesse@redhat.com>`
			`---`
			`src/auth.c \| 16 +++++++++++++---`
			`1 file changed, 13 insertions(+), 3 deletions(-)`

			`diff --git a/src/auth.c b/src/auth.c`
			`index 8f86b9a..a3b3d20 100644`
			`--- a/src/auth.c`
			`+++ b/src/auth.c`
			`@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,`
			`{`
			`static gcry_md_hd_t digest;`
			`gcry_error_t err;`
			`+ int hlen;`
			`+`
			`+ hlen = gcry_md_get_algo_dlen(hid);`
			`+ if (!hlen)`
			`+ return -1;`

			`if (!digest) {`
			`err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);`
			`@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,`
			`}`
			`}`
			`gcry_md_write(digest, data, datalen);`
			`- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));`
			`+ memcpy(result, gcry_md_read(digest, 0), hlen);`
			`gcry_md_reset(digest);`
			`return 0;`
			`}`
			`@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,`
			`{`
			`unsigned char *our_hmac;`
			`int rc;`
			`+ int hlen;`
			`+`
			`+ hlen = gcry_md_get_algo_dlen(hid);`
			`+ if (!hlen)`
			`+ return -1;`

			`- our_hmac = malloc(gcry_md_get_algo_dlen(hid));`
			`+ our_hmac = malloc(hlen);`
			`if (!our_hmac)`
			`return -1;`

			`rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);`
			`if (rc)`
			`goto out_free;`
			`- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));`
			`+ rc = memcmp(our_hmac, hmac, hlen);`

			`out_free:`
			`if (our_hmac)`
			`--`
			`2.44.0`