booth/SOURCES/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch

66 lines
1.6 KiB
Diff

From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen
When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
src/auth.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
{
static gcry_md_hd_t digest;
gcry_error_t err;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
if (!digest) {
err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
}
}
gcry_md_write(digest, data, datalen);
- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+ memcpy(result, gcry_md_read(digest, 0), hlen);
gcry_md_reset(digest);
return 0;
}
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
{
unsigned char *our_hmac;
int rc;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+ our_hmac = malloc(hlen);
if (!our_hmac)
return -1;
rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
if (rc)
goto out_free;
- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+ rc = memcmp(our_hmac, hmac, hlen);
out_free:
if (our_hmac)
--
2.44.0