From 10953f021b3bab8a92d10def897bb489cacad625 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 30 Mar 2026 11:47:13 +0200 Subject: [PATCH] CMAC: fix wraparound in streaming update. The guard `if (cmac->totalSz != 0)` was used to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously fire again and discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex. Identified by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io) --- wolfcrypt/src/aes.c | 4 +--- wolfcrypt/src/cmac.c | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index cb4258e634..a3b75dbb34 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -16377,9 +16377,7 @@ int wc_local_CmacUpdateAes(struct Cmac *cmac, const byte* in, word32 inSz) { in += add; if (cmac->bufferSz == WC_AES_BLOCK_SIZE && inSz != 0) { - if (cmac->totalSz != 0) { - xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE); - } + xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE); ret = AesEncrypt_preFetchOpt(aes, cmac->buffer, cmac->digest, &did_prefetches); if (ret == 0) { diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c index 66e45f9247..ba579516d1 100644 --- a/wolfcrypt/src/cmac.c +++ b/wolfcrypt/src/cmac.c @@ -238,9 +238,7 @@ int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz) inSz -= add; if (cmac->bufferSz == WC_AES_BLOCK_SIZE && inSz != 0) { - if (cmac->totalSz != 0) { - xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE); - } + xorbuf(cmac->buffer, cmac->digest, WC_AES_BLOCK_SIZE); wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer); cmac->totalSz += WC_AES_BLOCK_SIZE;