
Using KBKDF with KMAC causes dereference of NULL function pointer #24410

Open
maxammann opened this issue May 15, 2024 · 0 comments
Labels
branch: master Merge to master branch branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 severity: important Important bugs affecting a released version triaged: bug The issue/pr is/fixes a bug

Comments

maxammann (Contributor) commented May 15, 2024

When using KMAC with KBKDF without a key (or a zero-length key), a NULL function pointer is dereferenced. Here are the breadcrumbs that lead to the SEGV:

  1. Because the mac is KMAC this condition is true:
    https://github.com/trail-of-forks/openssl/blob/104c9b57ce9fafcdc2650259e726633566b9c479/providers/implementations/kdfs/kbkdf.c/#L305
  2. During kmac_derive EVP_MAC_final is called:
    https://github.com/trail-of-forks/openssl/blob/104c9b57ce9fafcdc2650259e726633566b9c479/providers/implementations/kdfs/kbkdf.c/#L269
  3. Which then calls DigestUpdate:
    https://github.com/trail-of-forks/openssl/blob/104c9b57ce9fafcdc2650259e726633566b9c479/providers/implementations/macs/kmac_prov.c/#L353
  4. Which then calls ctx->update, but the update field is NULL:
    https://github.com/trail-of-forks/openssl/blob/104c9b57ce9fafcdc2650259e726633566b9c479/crypto/evp/digest.c/#L427-L428

The main reason for this is because if the key is not set or zero-length then the digest is not initialized before usage: https://github.com/trail-of-forks/openssl/blob/104c9b57ce9fafcdc2650259e726633566b9c479/providers/implementations/kdfs/kbkdf.c/#L421-L426

Here is a test-case that shows the SEGV:

#include <stdio.h>
#include <string.h>
#include <openssl/kdf.h>
#include <openssl/params.h>
#include <openssl/core_names.h>

int main(void)
{
    EVP_KDF *kdf;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    OSSL_PARAM params[12], *p = params;

    kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
    kctx = EVP_KDF_CTX_new(kdf);
    EVP_KDF_free(kdf);

    /* Zero-length key: legal per SP800-185, but it is what triggers the SEGV */
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, "", strlen(""));
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0);
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, "KMAC256", 0);
    *p = OSSL_PARAM_construct_end();

    /* Crashes inside kmac_final before this return value is ever checked */
    if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0)
        printf("error\n");

    EVP_KDF_CTX_free(kctx);
    return 0;
}

Tested on 0fff6a2.

Backtrace:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==144656==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7ffd57c09610 sp 0x7ffd57c09368 T0)
==144656==Hint: pc points to the zero page.
==144656==The signal is caused by a READ memory access.
==144656==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)
    #1 0x5734eb9a3787 in kmac_final /home/maximilianammann/openssl/providers/implementations/macs/kmac_prov.c:353:12
    #2 0x5734ec0add61 in evp_mac_final /home/maximilianammann/openssl/crypto/evp/mac_lib.c:165:11
    #3 0x5734ec0ad056 in EVP_MAC_final /home/maximilianammann/openssl/crypto/evp/mac_lib.c:174:12
    #4 0x5734eb913512 in kmac_derive /home/maximilianammann/openssl/providers/implementations/kdfs/kbkdf.c:269:15
    #5 0x5734eb90fc07 in kbkdf_derive /home/maximilianammann/openssl/providers/implementations/kdfs/kbkdf.c:307:15
    #6 0x5734eb34305c in EVP_KDF_derive /home/maximilianammann/openssl/crypto/evp/kdf_lib.c:144:12
    #7 0x5734eb1e5020 in test_tob /home/maximilianammann/openssl/test/bioprinttest.c:306:5
    #8 0x5734eb1f8c98 in run_tests /home/maximilianammann/openssl/test/testutil/driver.c:342:23
    #9 0x5734eb1fe2b2 in main /home/maximilianammann/openssl/test/testutil/main.c:31:15
    #10 0x7767fc629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==144656==ABORTING

Related note:

According to SP800-185 a KMAC key K is defined as:

"K is a key bit string of any length, including zero."

@maxammann maxammann added the issue: bug report The issue was opened to report a bug label May 15, 2024
@t8m t8m added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 and removed issue: bug report The issue was opened to report a bug labels May 15, 2024
@mattcaswell mattcaswell added severity: important Important bugs affecting a released version and removed branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 labels May 15, 2024