From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH] auth: Check result of gcrypt gcry_md_get_algo_dlen
When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This value is then used for memcmp so wrong hmac might be accepted as correct.
Signed-off-by: Jan Friesse
---
 src/attr.c | 2 +-
 src/auth.c | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/attr.c b/src/attr.c
index 44061e3..bc154f0 100644
--- a/src/attr.c
+++ b/src/attr.c
@@ -142,7 +142,7 @@ static int read_server_reply(
 return -2;
 }
 len = ntohl(header->length);
- rv = tpt->recv(site, msg+len, len-sizeof(*header));
+ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
 if (rv < 0) {
 return -1;
 }
diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
 {
 static gcry_md_hd_t digest;
 gcry_error_t err;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
 if (!digest) {
 err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
 }
 }
 gcry_md_write(digest, data, datalen);
- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+ memcpy(result, gcry_md_read(digest, 0), hlen);
 gcry_md_reset(digest);
 return 0;
 }
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
 {
 unsigned char *our_hmac;
 int rc;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+ our_hmac = malloc(hlen);
 if (!our_hmac)
 return -1;
 rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
 if (rc)
 goto out_free;
- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+ rc = memcmp(our_hmac, hmac, hlen);
 out_free:
 if (our_hmac)
-- 
2.23.0
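Review bot: In the src/attr.c hunk, `len` is taken from `ntohl(header->length)` and used in `len-sizeof(*header)` with no range check visible, so a peer-supplied length smaller than the header makes the subtraction wrap to a very large count and a larger one can run past the end of `msg`. The corrected offset `msg+sizeof(*header)` is right, but a guard before the second recv such as `if (len < sizeof(*header) || len > MSG_BUF_SIZE_PLACEHOLDER) return -2;` would bound the read; the placeholder stands for the real size of the buffer behind `msg`, which this hunk does not show, and the comparison needs a cast if `len` is signed. The body of read_server_reply starts outside the hunk, so an earlier check may already exist. This fix is also unrelated to the subject line and is not mentioned in the commit message.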
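Review bot: In the first src/auth.c hunk, `hlen` is derived from the `hid` of the current call, while the `static gcry_md_hd_t digest` handle is opened only once under `if (!digest)` with whatever `hid` the first caller passed. If a later call ever uses a different algorithm, the `memcpy(result, gcry_md_read(digest, 0), hlen)` in the following hunk copies a length that does not match the cached handle; either remember the `hid` the handle was opened with and return -1 on a mismatch, or state in a comment above calc_hmac that `hid` must stay the same for the life of the process. gcry_md_get_algo_dlen returns `unsigned int`, so declaring `unsigned int hlen;` avoids a signed value flowing into memcpy's size argument. calc_hmac starts and ends outside this hunk, so whether callers vary `hid` cannot be confirmed from here.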
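Review bot: In the verify_hmac hunk, `rc = memcmp(our_hmac, hmac, hlen);` checks the MAC with an early-exit comparison, so its duration depends on how many leading bytes of the received value match, and it can return positive as well as negative values. A fixed-time comparison folded to 0 or -1 addresses both; any caller that tests `rc < 0` rather than `rc != 0` would otherwise treat some mismatches as success (callers are not visible here). The sketch below assumes `hmac` points to at least `hlen` bytes, which the truncated signature does not show. The function continues past the end of the hunk, and the `if (our_hmac)` guard in front of the free is redundant.

```c
	/* … unchanged: hlen lookup, malloc, calc_hmac call … */
	const unsigned char *theirs = hmac;	/* assumes at least hlen bytes — confirm against callers */
	unsigned char diff = 0;
	int i;

	/* Accumulate differences over the full length; no early exit on mismatch. */
	for (i = 0; i < hlen; i++)
		diff |= our_hmac[i] ^ theirs[i];
	rc = diff ? -1 : 0;
```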