mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 16:20:48 +02:00
CMAC: fix wraparound in streaming update.
The guard `if (cmac->totalSz != 0)` was used to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously fire again and discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex. Identified by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
This commit is contained in:
+1
-3
@@ -16377,9 +16377,7 @@ int wc_local_CmacUpdateAes(struct Cmac *cmac, const byte* in, word32 inSz) {
|
||||
in += add;
|
||||
|
||||
if (cmac->bufferSz == WC_AES_BLOCK_SIZE && inSz != 0) {
|
||||
if (cmac->totalSz != 0) {
|
||||
xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE);
|
||||
}
|
||||
xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE);
|
||||
ret = AesEncrypt_preFetchOpt(aes, cmac->buffer,
|
||||
cmac->digest, &did_prefetches);
|
||||
if (ret == 0) {
|
||||
|
||||
@@ -238,9 +238,7 @@ int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz)
|
||||
inSz -= add;
|
||||
|
||||
if (cmac->bufferSz == WC_AES_BLOCK_SIZE && inSz != 0) {
|
||||
if (cmac->totalSz != 0) {
|
||||
xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE);
|
||||
}
|
||||
xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE);
|
||||
wc_AesEncryptDirect(&cmac->aes, cmac->digest,
|
||||
cmac->buffer);
|
||||
cmac->totalSz += WC_AES_BLOCK_SIZE;
|
||||
|
||||
Reference in New Issue
Block a user