-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 1.0.2 no-asm RC4_40 OOB read #8972
Comments
Does CMAC with RC4 even make sense? It needs a block cipher. Moreover, the subkeys are computed with operations over GF(2^(block_size)), which means the scheme is parametrized by a suitable irreducible polynomial. SP 800-38B, section 5.3, defines polynomials for 64-bit (DES or 3DES) and 128-bit (AES) block ciphers. That corresponds to the (To that end, there's no need to use |
@mattcaswell I suppose this won't be fixed because it's 1.0.2? Would you suggest I prevent performing CMAC RC4 in my fuzzer? |
Yes, assuming this only impacts 1.0.2 i don't think this will get fixed, so I suggest you prevent CMAC with RC4 for 1.0.2. |
Please check if this still applicable on newer versions, such as 1.1.1 or master |
Compile OpenSSL 1.0.2 without assembly
CC=clang ./config no-asm -fsanitize=address && make -j12
Then compile and run this file
The text was updated successfully, but these errors were encountered: