2129150 – fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2129150 - fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

Summary: fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libgcrypt
Sub Component:
Version:	9.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	9.1
Assignee:	Jakub Jelen
QA Contact:	Stanislav Zidek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2131209 2131666
TreeView+	depends on / blocked

Reported:	2022-09-22 17:13 UTC by Clemens Lang
Modified:	2023-06-05 16:14 UTC (History)
CC List:	3 users (show)
Fixed In Version:	libgcrypt-1.10.0-7.el9_1
Doc Type:	Bug Fix
Doc Text:	Cause: Integer overflow Consequence: Miscalculation of SHA3 digests for inputs larger than 4GB fed into the libgcrypt at once. Fix: The internal variables now use more appropriate integer types. Result: The SHA3 digests are calculated correctly for inputs larger than 4GB.
Clone Of:
Clones:	2131209 2131666 (view as bug list)
Environment:
Last Closed:	2023-06-05 16:13:48 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Reproducer program (5.03 KB, text/x-csrc) 2022-09-22 17:13 UTC, Clemens Lang	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CRYPTO-8390	0	None	None	None	2022-09-23 16:55:55 UTC
Red Hat Issue Tracker	RHELPLAN-134731	0	None	None	None	2022-10-03 08:36:14 UTC

Description Clemens Lang 2022-09-22 17:13:37 UTC

Created attachment 1913587 [details]
Reproducer program

Description of problem:
libgcrypt does not correctly compute SHA-3 hashes of buffers that are larger than 4 GiB. Computation is correct when performed incrementally.

Version-Release number of selected component (if applicable):
1.10.0-5.el9_9

How reproducible:
Run the attached reproducer with --bytes $(( 0xffffffff )) sha3-256 and --bytes $(( 0x100000000 )) sha3-256.

Steps to Reproduce:
1. gcc -o libgcrypt-ldt-hash -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 $(pkg-config --cflags libgcrypt) libgcrypt-ldt-hash.c $(pkg-config --libs libgcrypt) $(pkg-config --libs gpg-error)
2. ./libgcrypt-ldt-hash --bytes $(( 0xffffffff )) --verbose sha3-256 (passes)
3. ./libgcrypt-ldt-hash --bytes $(( 0x100000000 )) --verbose sha3-256 (fails due to hash mismatch)

Actual results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   472e199b66c2ae3002909d1f33c05583525cabeb121c4eb14191c28b2c280aaf
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Expected results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Additional info:
This causes failues in the large data ACVP tests.

Comment 1 Jakub Jelen 2022-09-23 16:49:52 UTC

The sha3 issue should be solved with the following change:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/6

I will work on the regression tests and I believe we should be able to include this change in the next build for FIPS too.

Comment 2 Jakub Jelen 2022-09-23 17:20:25 UTC

Filled upstream https://dev.gnupg.org/T6217

Comment 13 Clemens Lang 2023-06-05 16:13:48 UTC

RHEL 9.1 contains libgcrypt-1.10.0-7.el9_0.

Note You need to log in before you can comment on or make changes to this bug.