Incorrect usage of the HMAC APIs #13210
Comments
The paper Unintended Features of APIs: Cryptanalysis of Incremental HMAC is available on the conference site.
I believe this is "yes", though there are perhaps arguments to be made about API stability.
This seems to be pretty unambiguously "yes".
Since EVP_MAC is a new and as yet unreleased API, I think we should prevent the user from doing that with EVP_MAC.
I think we should have some checks preventing bad order of operations in this and in some other cases.
APIs like EVP_VerifyFinal() and EVP_DigestVerifyFinal() document that calling Update after Final is possible. I assume they don't have the same problem.
Until I saw issue #13342 I had been thinking that we should incorporate checks everywhere for all APIs that ban this type of calling. The Verify APIs confuse this picture somewhat.
I also wonder whether we have tests for this way of using the Verify APIs and whether it even still works with the provider model.
Something to be noted is that it seems that HMAC_Final() doesn't do this sort of clearing... and maybe it should? EDIT: ... HMAC_Final() calls
This talk discusses a security attack which may result if the HMAC APIs are used incorrectly:
https://www.youtube.com/watch?v=hYDD_rI_8tU
The issue occurs if an application developer makes calls in this order:
i.e. if an HMAC_CTX is reused to "incrementally" calculate the HMAC of a message consisting of multiple fragments, but without calling HMAC_Init_ex() again, before calling update and then final.
As noted above this is incorrect usage of the API, but the APIs do not protect you from this foot gun. Should they?
It looks to me like we don't do a check to protect against this in the EVP_MAC APIs either (and probably not with other init/update/final APIs). Should we?
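As an added illustration (not part of this issue and not OpenSSL's code), the following Python wrapper models the "bad order of operations" check discussed above: it tracks whether the context has been finalized and refuses Update after Final until Init is called again, while still permitting the legitimate incremental pattern of one init, several updates and one final. The class and function names are my own.

```python
import hmac, hashlib

class OrderError(RuntimeError):
    """Raised when init/update/final are called in an order the API should reject."""

class GuardedHMAC:
    """HMAC context with an explicit state machine (hypothetical wrapper, not OpenSSL's API)."""
    # States: uninit -> init() -> ready -> update()* -> final() -> finalized; after final() only init() is accepted.
    def __init__(self, digest=hashlib.sha256):
        self._digest = digest
        self._mac = None
        self._state = "uninit"

    def init(self, key: bytes) -> None:
        # (Re)keying restarts the context, as HMAC_Init_ex()/EVP_MAC_init() do.
        self._mac = hmac.new(key, digestmod=self._digest)
        self._state = "ready"

    def update(self, fragment: bytes) -> None:
        if self._state != "ready":
            raise OrderError(f"update() in state {self._state!r}; call init() first")
        self._mac.update(fragment)

    def final(self) -> bytes:
        if self._state != "ready":
            raise OrderError(f"final() in state {self._state!r}; call init() first")
        tag = self._mac.digest()
        self._mac = None  # drop the keyed state so a stale context cannot be reused
        self._state = "finalized"
        return tag

def incremental_tag(key: bytes, fragments: list) -> bytes:
    """Correct incremental use: one init(), an update() per fragment, one final()."""
    ctx = GuardedHMAC()
    ctx.init(key)
    for frag in fragments:
        ctx.update(frag)
    return ctx.final()

def reuse_without_init_is_rejected(key: bytes) -> bool:
    """The sequence from the issue (init, update, final, update, final) must be refused."""
    ctx = GuardedHMAC()
    ctx.init(key)
    ctx.update(b"fragment-1")
    ctx.final()
    try:
        ctx.update(b"fragment-2")  # no init() in between: the check refuses this
    except OrderError:
        return True
    return False
```

Splitting the message into fragments changes nothing about the resulting tag, which is exactly what the misuse pattern breaks.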