Make CMAC properly fail if cipher is not CBC mode one #19401
Conversation
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used.
Also add negative test cases for CMAC and GMAC using a cipher with wrong mode.
t8m
added
branch: master
|
I think it is a bug that we allow non-CBC-mode ciphers with CMAC as that is completely insecure use of the crypto primitive. So I propose this should be also added to 3.0. |
beldmit
removed
the
approval: otc review pending
github-actions
bot
added
the
severity: fips change
|
Heh, we misuse CMAC in evp_extra_test.c. Fixup commit added. |
|
@beldmit still OK? |
|
Yes, still OK if tests passed |
Is this in the RFC? So CFB/OFB modes, for example, are not ok? I'm wondering how breaking this change might end up being if we backport to 3.0... |
|
CI failure looks relevant |
This is by definition of the CMAC. https://en.wikipedia.org/wiki/One-key_MAC |
In theory one could use the CMAC MAC with other mode cipher but the result would not be interoperable and with completely bogus security properties - potentially even completely insecure one. |
That may be the case - but my bet is that this will break people. Not a decision to make without some OTC input IMO. |
|
OTC Question: Should we fix this, and if so in which branches? |
It will break only those who accidentally have a serious security issue in their code. And yeah, I agree this should be discussed within OTC. |
| if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx)) | ||
| return 0; | ||
|
|
||
| if (EVP_CIPHER_get_mode(ossl_prov_cipher_cipher(&macctx->cipher)) |
There was a problem hiding this comment.
Nicely backwards compatible if the returned error is ignored 😃
paulidale
added
approval: done
openssl-machine
removed
the
approval: done
|
This pull request is ready to merge |
openssl-machine
added
the
approval: ready to merge
|
OTC: This is ok for 3.1 and above, not for 3.0. |
t8m
removed
hold: need otc decision
t8m
added
approval: review pending
|
Actually this needs re-approval from @beldmit |
|
Still OK |
t8m
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Merged to master and 3.1 branches. Thank you for the reviews. |
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401) (cherry picked from commit 9270f67)
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
Also add negative test cases for CMAC and GMAC using a cipher with wrong mode. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #19401)
The currently used cipher is aes256 which is an alias to AES-256-CBC, so the demo is correct. However it might be misleading so make it clear the CBC mode cipher is used. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#19401)
Also add negative test cases for CMAC and GMAC using a cipher with wrong mode. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#19401)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#19401)
Also avoid misleading users in the demo by use of the alias name.
Checklist