From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen

When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 src/auth.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
 {
 	static gcry_md_hd_t digest;
 	gcry_error_t err;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
 	if (!digest) {
 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
 		}
 	}
 	gcry_md_write(digest, data, datalen);
-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+	memcpy(result, gcry_md_read(digest, 0), hlen);
 	gcry_md_reset(digest);
 	return 0;
 }
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
 {
 	unsigned char *our_hmac;
 	int rc;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+	our_hmac = malloc(hlen);
 	if (!our_hmac)
 		return -1;
 
 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
 	if (rc)
 		goto out_free;
-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+	rc = memcmp(our_hmac, hmac, hlen);
 
 out_free:
 	if (our_hmac)
-- 
2.44.0