2129150 – fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

Bug 2129150 - fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

Summary: fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libgcrypt
Sub Component:
Version:	9.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	9.1
Assignee:	Jakub Jelen
QA Contact:	Stanislav Zidek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2131209 2131666
TreeView+	depends on / blocked

Reported:	2022-09-22 17:13 UTC by Clemens Lang
Modified:	2022-10-14 17:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:	libgcrypt-1.10.0-7.el9_1
Doc Type:	Bug Fix
Doc Text:	Cause: Integer overflow Consequence: Miscalculation of SHA3 digests for inputs larger than 4GB fed into the libgcrypt at once. Fix: The internal variables now use more appropriate integer types. Result: The SHA3 digests are calculated correctly for inputs larger than 4GB.
Clone Of:
Clones:	2131209 2131666 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Reproducer program (5.03 KB, text/x-csrc) 2022-09-22 17:13 UTC, Clemens Lang	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CRYPTO-8390	0	None	None	None	2022-09-23 16:55:55 UTC
Red Hat Issue Tracker	RHELPLAN-134731	0	None	None	None	2022-10-03 08:36:14 UTC

Description Clemens Lang 2022-09-22 17:13:37 UTC

Created attachment 1913587 [details]
Reproducer program

Description of problem:
libgcrypt does not correctly compute SHA-3 hashes of buffers that are larger than 4 GiB. Computation is correct when performed incrementally.

Version-Release number of selected component (if applicable):
1.10.0-5.el9_9

How reproducible:
Run the attached reproducer with --bytes $(( 0xffffffff )) sha3-256 and --bytes $(( 0x100000000 )) sha3-256.

Steps to Reproduce:
1. gcc -o libgcrypt-ldt-hash -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 $(pkg-config --cflags libgcrypt) libgcrypt-ldt-hash.c $(pkg-config --libs libgcrypt) $(pkg-config --libs gpg-error)
2. ./libgcrypt-ldt-hash --bytes $(( 0xffffffff )) --verbose sha3-256 (passes)
3. ./libgcrypt-ldt-hash --bytes $(( 0x100000000 )) --verbose sha3-256 (fails due to hash mismatch)

Actual results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   472e199b66c2ae3002909d1f33c05583525cabeb121c4eb14191c28b2c280aaf
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Expected results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Additional info:
This causes failues in the large data ACVP tests.

Comment 1 Jakub Jelen 2022-09-23 16:49:52 UTC

The sha3 issue should be solved with the following change:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/6

I will work on the regression tests and I believe we should be able to include this change in the next build for FIPS too.

Comment 2 Jakub Jelen 2022-09-23 17:20:25 UTC

Filled upstream https://dev.gnupg.org/T6217

Note You need to log in before you can comment on or make changes to this bug.