Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2129150

Summary: fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB
Product: Red Hat Enterprise Linux 9 Reporter: Clemens Lang <cllang>
Component: libgcryptAssignee: Jakub Jelen <jjelen>
Status: CLOSED CURRENTRELEASE QA Contact: Stanislav Zidek <szidek>
Severity: low Docs Contact:
Priority: medium    
Version: 9.0CC: jjelen, pvlasin, ssorce
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: 9.1Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libgcrypt-1.10.0-7.el9_1 Doc Type: Bug Fix
Doc Text:
Cause: Integer overflow Consequence: Miscalculation of SHA3 digests for inputs larger than 4GB fed into the libgcrypt at once. Fix: The internal variables now use more appropriate integer types. Result: The SHA3 digests are calculated correctly for inputs larger than 4GB.
 Story Points: ---
Clone Of:
: 2131209 2131666 (view as bug list) Environment:
Last Closed: 2023-06-05 16:13:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2131209, 2131666    
Attachments:
Description Flags
Reproducer program none

Description Clemens Lang 2022-09-22 17:13:37 UTC 
Created attachment 1913587 [details]
Reproducer program

Description of problem:
libgcrypt does not correctly compute SHA-3 hashes of buffers that are larger than 4 GiB. Computation is correct when performed incrementally.

Version-Release number of selected component (if applicable):
1.10.0-5.el9_9

How reproducible:
Run the attached reproducer with --bytes $(( 0xffffffff )) sha3-256 and --bytes $(( 0x100000000 )) sha3-256.

Steps to Reproduce:
1. gcc -o libgcrypt-ldt-hash -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 $(pkg-config --cflags libgcrypt) libgcrypt-ldt-hash.c $(pkg-config --libs libgcrypt) $(pkg-config --libs gpg-error)
2. ./libgcrypt-ldt-hash --bytes $(( 0xffffffff )) --verbose sha3-256 (passes)
3. ./libgcrypt-ldt-hash --bytes $(( 0x100000000 )) --verbose sha3-256 (fails due to hash mismatch)

Actual results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   472e199b66c2ae3002909d1f33c05583525cabeb121c4eb14191c28b2c280aaf
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Expected results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Additional info:
This causes failues in the large data ACVP tests.
Comment 1 Jakub Jelen 2022-09-23 16:49:52 UTC 
The sha3 issue should be solved with the following change:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/6

I will work on the regression tests and I believe we should be able to include this change in the next build for FIPS too.
Comment 2 Jakub Jelen 2022-09-23 17:20:25 UTC 
Filled upstream https://dev.gnupg.org/T6217
Comment 13 Clemens Lang 2023-06-05 16:13:48 UTC 
RHEL 9.1 contains libgcrypt-1.10.0-7.el9_0.