Make CMAC properly fail if cipher is not CBC mode one #19401
The currently used cipher is aes256, which is an alias to AES-256-CBC, so the demo is correct. However, it might be misleading, so make it clear that the CBC mode cipher is used.
Also add negative test cases for CMAC and GMAC using a cipher with the wrong mode.
I think it is a bug that we allow non-CBC-mode ciphers with CMAC, as that is a completely insecure use of the crypto primitive. So I propose this should also be added to 3.0.
LGTM if tests passed
Heh, we misuse CMAC in evp_extra_test.c. Fixup commit added.
@beldmit still OK?
Yes, still OK if tests passed
Is this in the RFC? So CFB/OFB modes, for example, are not ok? I'm wondering how breaking this change might end up being if we backport to 3.0...
CI failure looks relevant
This is by definition of the CMAC. https://en.wikipedia.org/wiki/One-key_MAC
In theory one could use the CMAC MAC with a cipher in another mode, but the result would not be interoperable and would have completely bogus security properties, potentially even completely insecure ones.
That may be the case - but my bet is that this will break people. Not a decision to make without some OTC input IMO.
OTC Question: Should we fix this, and if so in which branches?
It will break only those who accidentally have a serious security issue in their code. And yeah, I agree this should be discussed within OTC.
if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx)) | ||
return 0; | ||
|
||
if (EVP_CIPHER_get_mode(ossl_prov_cipher_cipher(&macctx->cipher)) |
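Review bot: the mode check at `if (EVP_CIPHER_get_mode(ossl_prov_cipher_cipher(&macctx->cipher))` assumes a cipher is actually loaded at this point; ossl_prov_cipher_load_from_params() returns success without touching macctx->cipher when the params array carries no cipher entry, so if this code can run on such a params array, ossl_prov_cipher_cipher() yields NULL and EVP_CIPHER_get_mode() dereferences it. Either keep the check under a test that the cipher parameter was supplied, or guard it with a NULL check on the loaded cipher. When the mode is rejected, raise a specific reason (e.g. ERR_raise(ERR_LIB_PROV, EVP_R_UNSUPPORTED_CIPHER_MODE)) rather than only returning 0, so callers that do check the return value can tell a rejected mode from a failed parameter load.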
Nicely backwards compatible if the returned error is ignored 😃
This pull request is ready to merge
OTC: This is ok for 3.1 and above, not for 3.0.
Actually this needs re-approval from @beldmit
Still OK
This pull request is ready to merge
Merged to master and 3.1 branches. Thank you for the reviews.
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401) (cherry picked from commit 9270f67)
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
Also add negative test cases for CMAC and GMAC using a cipher with wrong mode. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
Also avoid misleading users in the demo by use of the alias name.