OpenSSL 1.0.2 no-asm RC4_40 OOB read
guidovranken opened this issue · comments
Compile OpenSSL 1.0.2 without assembly
CC=clang ./config no-asm -fsanitize=address && make -j12Then compile and run this file
#define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; }
#define CF_CHECK_NE(expr, res) if ( (expr) == (res) ) { goto end; }
#include <openssl/cmac.h>
int main(void)
{
const unsigned char input[6] = { 0 };
const unsigned char key[1] = { 0 };
CMAC_CTX* ctx = CMAC_CTX_new();
const EVP_CIPHER* cipher = NULL;
/* Initialize */
{
CF_CHECK_NE(cipher = EVP_rc4_40(), NULL);
CF_CHECK_EQ(CMAC_Init(ctx, key, sizeof(key), cipher, NULL), 1);
}
CF_CHECK_EQ(CMAC_Update(ctx, input, sizeof(input)), 1);
end:
return 0;
}$ clang -fsanitize=address -I openssl-1.0.2r/include/ cmac-poc.c openssl-1.0.2r/libcrypto.a
$ ./a.out
=================================================================
==30930==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006f24e0 at pc 0x000000525504 bp 0x7ffde649f590 sp 0x7ffde649f588
READ of size 8 at 0x0000006f24e0 thread T0
#0 0x525503 in RC4 (/home/jhg/ossl-102-cmac-poc/a.out+0x525503)
#1 0x5128f5 in rc4_cipher (/home/jhg/ossl-102-cmac-poc/a.out+0x5128f5)
#2 0x51b28d in CMAC_Update (/home/jhg/ossl-102-cmac-poc/a.out+0x51b28d)
#3 0x5127f2 in main (/home/jhg/ossl-102-cmac-poc/a.out+0x5127f2)
#4 0x7efc41786b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a3a9 in _start (/home/jhg/ossl-102-cmac-poc/a.out+0x41a3a9)
0x0000006f24e6 is located 0 bytes to the right of global variable 'input' defined in 'cmac-poc.c:8:25' (0x6f24e0) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/jhg/ossl-102-cmac-poc/a.out+0x525503) in RC4
Shadow bytes around the buggy address:
0x0000800d6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800d6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800d6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800d6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800d6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800d6490: 00 00 00 00 00 00 00 00 00 00 00 00[06]f9 f9 f9
0x0000800d64a0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000800d64b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800d64c0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000800d64d0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000800d64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30930==ABORTING
Does CMAC with RC4 even make sense? It needs a block cipher. Moreover, the subkeys are computed with operations over GF(2^(block_size)), which means the scheme is parametrized by a suitable irreducible polynomial. SP 800-38B, section 5.3, defines polynomials for 64-bit (DES or 3DES) and 128-bit (AES) block ciphers.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
That corresponds to the bl == 16 check here, but that uses DES's polynomial for all other block size. OpenSSL should probably be making CMAC_Init fail here.
https://github.com/openssl/openssl/blob/master/crypto/cmac/cmac.c#L43
(To that end, there's no need to use EVP_MAX_BLOCK_LENGTH because the largest block size for which CMAC is currently defined is 16 bytes.)
@mattcaswell I suppose this won't be fixed because it's 1.0.2? Would you suggest I prevent performing CMAC RC4 in my fuzzer?
Yes, assuming this only impacts 1.0.2 i don't think this will get fixed, so I suggest you prevent CMAC with RC4 for 1.0.2.
Please check if this still applicable on newer versions, such as 1.1.1 or master