-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HMAC with SHAKE128 via EVP interface crashes on EVP_DigestSignUpdate #8563
Comments
I just had a quick look at your example and can confirm that it crashes with 9c0cf21. Note that in the debug version the crash occurs earlier (in EVP_DigestSignInit), where it aborts after the following assertion fails Line 41 in 9c0cf21
This is the callstack:
|
I forgot to mention: |
Assert failure also happens with the HMAC_* functions for SHAKE128, but it doesn't crash. |
Did this test ever work for you? I was able to trace the assertion failure(*) back to commit 91ce87c by @dot-asm which introduced EVP_shake128() and EVP_shake256(). @dot-asm would you mind taking a look at this issue? (*) Side Note, FWIW: somewhere between 91ce87c and current master, |
I fail to see that it has something to do with quoted m_sha3.c. It's all HMAC thing (which I didn't touch). On related note HMAC is not actually defined with SHAKEs, only with SHA's. Which is why sizeof(key) is limited 144, value specific to most "demanding" SHA3-224. This is not really an excuse for not handling the error condition, just an explanation where does 144 come from. Why not SHAKE128? Well, ask NIST. Again, not an excuse for not handling error condition, just explanation for why you shouln't actually expect HMAC work with SHAKEs, be it 128 or 256, it won't be interoperable with anything else. |
Ok, thanks for your quick reply @dot-asm. I'd like to emphasize that the reason why I adressed you in particular was not to blame you for anything, it was just the hope that you could shed some light on this issue (which you did), since git told me you were involved somehow. :-) If HMAC and SHAKE are not meant to be used together, then OpenSSL should error out gracefully instead of crashing. Since I am not really familiar with the subject, somebody else from @openssl with more expertise would have to take a look at this issue. |
I agree things should be handled better. Could the HMAC code check for a variable length digest and fail if so? The algorithm should work with any fixed length digest. |
There seems to be two separate issues here:
Not yet investigated what happens in 1.1.1 wrt to issue (2). |
(2) does not appear to be an issue in 1.1.1, and the code behaves correctly in a non-debug build, i.e. the EVP_DigestSignInit call fails as expected. In a debug build the assertion is hit and therefore a crash results. |
See discussion in github issue openssl#8563 Fixes openssl#8563
See discussion in github issue openssl#8563 Fixes openssl#8563
Version: git master
The following results in a null pointer dereference. As far as I could tell this only happens with SHAKE128.
The text was updated successfully, but these errors were encountered: