Bug 2129150 - fips: libgcrypt SHA-3 miscomputes digests on buffers >= 4 GiB
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libgcrypt
Version: 9.0
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: rc
: 9.1
Assignee: Jakub Jelen
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks: 2131209 2131666
 
Reported: 2022-09-22 17:13 UTC by Clemens Lang
Modified: 2022-10-14 17:00 UTC (History)

Fixed In Version: libgcrypt-1.10.0-7.el9_1
Doc Type: Bug Fix
Doc Text:
Cause: Integer overflow.
Consequence: Miscalculation of SHA3 digests for inputs larger than 4GB fed into libgcrypt at once.
Fix: The internal variables now use more appropriate integer types.
Result: The SHA3 digests are calculated correctly for inputs larger than 4GB.
Clone Of:
: 2131209 2131666 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments
Reproducer program (5.03 KB, text/x-csrc)
2022-09-22 17:13 UTC, Clemens Lang


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-8390 0 None None None 2022-09-23 16:55:55 UTC
Red Hat Issue Tracker RHELPLAN-134731 0 None None None 2022-10-03 08:36:14 UTC

Description Clemens Lang 2022-09-22 17:13:37 UTC
Created attachment 1913587
Reproducer program

Description of problem:
libgcrypt does not correctly compute SHA-3 hashes of buffers that are larger than 4 GiB. Computation is correct when performed incrementally.

Version-Release number of selected component (if applicable):
1.10.0-5.el9_9

How reproducible:
Run the attached reproducer with --bytes $(( 0xffffffff )) sha3-256 and --bytes $(( 0x100000000 )) sha3-256.

Steps to Reproduce:
1. gcc -o libgcrypt-ldt-hash -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 $(pkg-config --cflags libgcrypt) libgcrypt-ldt-hash.c $(pkg-config --libs libgcrypt) $(pkg-config --libs gpg-error)
2. ./libgcrypt-ldt-hash --bytes $(( 0xffffffff )) --verbose sha3-256 (passes)
3. ./libgcrypt-ldt-hash --bytes $(( 0x100000000 )) --verbose sha3-256 (fails due to hash mismatch)

Actual results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   472e199b66c2ae3002909d1f33c05583525cabeb121c4eb14191c28b2c280aaf
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Expected results:
Running test with 4294967296 (0x100000000) bytes
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (oneshot        ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b
libgcrypt-ldt-hash: 4294967296 B (0x100000000 B) (incremental    ) SHA3-256   be86a518eebe157b2da0d300be9a867880e1d1fe7493e416ee1d301b4284253b

Additional info:
This causes failures in the large data ACVP tests.

Comment 1 Jakub Jelen 2022-09-23 16:49:52 UTC
The sha3 issue should be solved with the following change:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/6

I will work on the regression tests and I believe we should be able to include this change in the next build for FIPS too.

Comment 2 Jakub Jelen 2022-09-23 17:20:25 UTC
Filed upstream: https://dev.gnupg.org/T6217
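
The description notes that hashing stays correct when performed incrementally. As an added example (not the attached reproducer and not libgcrypt code), here is a caller-side wrapper that never passes a single update more than a bounded chunk, which applications on an unfixed build can use for large buffers. The names `hash_update_chunked`, `update_fn`, `DEFAULT_MAX_CHUNK` (an assumed 1 GiB bound) and the `probe` stand-in context are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Shape of an incremental "update" call. A thin adapter around libgcrypt's
 * gcry_md_write(hd, buf, len) fits this signature (adapter not shown). */
typedef void (*update_fn)(void *ctx, const void *buf, size_t len);

/* Assumed bound: 1 GiB, well below the 4 GiB boundary from the report. */
#define DEFAULT_MAX_CHUNK ((size_t)1 << 30)

/* Feed buf[0..len) to update() in pieces of at most max_chunk bytes.
 * Returns the number of update() calls made, or -1 on bad arguments. */
long hash_update_chunked(update_fn update, void *ctx,
                         const void *buf, size_t len, size_t max_chunk)
{
    const unsigned char *p = buf;
    long calls = 0;

    if (update == NULL || max_chunk == 0 || (buf == NULL && len != 0))
        return -1;

    while (len > 0) {
        size_t n = len < max_chunk ? len : max_chunk;
        update(ctx, p, n);   /* each call stays under the chunk bound */
        p += n;
        len -= n;
        calls++;
    }
    return calls;
}

/* Constructed stand-in for a hash context: records what it was given. */
struct probe {
    size_t total;       /* bytes received across all calls */
    size_t largest;     /* largest single call */
    uint32_t checksum;  /* order-sensitive, catches skipped or reordered bytes */
};

void probe_update(void *ctx, const void *buf, size_t len)
{
    struct probe *pr = ctx;
    const unsigned char *b = buf;
    for (size_t i = 0; i < len; i++)
        pr->checksum = pr->checksum * 31u + b[i];
    pr->total += len;
    if (len > pr->largest)
        pr->largest = len;
}
```

With a real context, the digest produced through the wrapper can be compared against the one-shot digest of the same buffer, as the reproducer output above does, to detect an affected build.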

