RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1306953 - hash input truncation: GNUTLS vs nettle
Summary: hash input truncation: GNUTLS vs nettle
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnutls
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks: 1296594 1313485
TreeView+ depends on / blocked
 
Reported: 2016-02-12 09:38 UTC by Dr. David Alan Gilbert
Modified: 2016-11-04 00:59 UTC (History)
4 users (show)

Fixed In Version: gnutls-3.3.22-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 00:59:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1310103 0 unspecified CLOSED hash input truncation: GNUTLS vs nettle 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2016:2218 0 normal SHIPPED_LIVE gnutls bug fix and enhancement update 2016-11-03 13:25:10 UTC

Description Dr. David Alan Gilbert 2016-02-12 09:38:18 UTC 
Description of problem:

GNUTLS has a function gnutls_hash:

   int gnutls_hash(gnutls_hash_hd_t handle, const void * ptext, size_t ptext_len);

it lets you perform md5 or any of the other hashes on a chunk of data;
this is implemented by a call to the nettle libraries implementation:

void
md5_update(struct md5_ctx *ctx,
           unsigned length,        <<<<<-
           const uint8_t *data);

Note that here someone unwisely used an 'unsigned' length.

Thus if you pass a large ptext_len into gnutls_hash, the length gets
truncated and thus only produces a hash on part of the data.
In my case I passed a 4GB chunk which ended up hashing 0 bytes!

Nettle fixed this upstream in:
   b8bfc32f (Niels Möller 2013-04-26 10:28:57 +0200)
   Use size_t rather than unsigned for all hash-related functions.

I'm not sure if gnutls has any fixes.

I hit this during development, I'm not aware of anything in particular
that would hit it.

Here's a backtrace that shows the truncation:

Breakpoint 1, gnutls_hash (handle=0x7f5a74029020, text=0x7f5a83e00000, textlen=4294967296) at crypto-api.c:503
503             return _gnutls_hash((digest_hd_st *) handle, text, textlen);
(gdb) b wrap_nettle_hash_update

Breakpoint 2, wrap_nettle_hash_update (_ctx=0x7f5a74045b10, text=0x7f5a83e00000, textsize=4294967296) at mac.c:305
305     {
(gdb) list

Breakpoint 3, nettle_md5_update (ctx=0x7f5a74045b10, length=0, data=0x7f5a83e00000 "S\377") at md5.c:62
62	{


I guess you could fixit in the wrap_nettle_hash_update (that's part of gnutls), but I guess you would also have to go on a hunting trip for anything
else that makes the same mistake.  Or update nettle.

Version-Release number of selected component (if applicable):
gnutls-3.3.8-12.el7_1.1.x86_64
nettle-2.7.1-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. allocate 4GB of RAM
2. Initialise gnutls
3. gnutls_hash on the 4GB chunk using md5

Actual results:
The md5 result for a zero length input.

Expected results:
The md5 result for your actual data.

Additional info:
Comment 4 Karel Srot 2016-02-16 15:03:22 UTC 
Is this kind of fix safe? Wouldn't it break ABI?
Comment 5 Nikos Mavrogiannopoulos 2016-02-16 15:07:35 UTC 
The fix is for gnutls only which uses an ABI that allows 64-bit numbers; thus it doesn't break the ABI. The API problem with nettle is not addressed by the fix.
Comment 12 errata-xmlrpc 2016-11-04 00:59:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2218.html
Note You need to log in before you can comment on or make changes to this bug.