
Incorrect digest with hmac-blake2s #19

Closed
rot256 opened this issue Aug 25, 2019 · 8 comments

Comments

@rot256

rot256 commented Aug 25, 2019

I seem to be getting incorrect results when using the hmac crate with blake2s. I have verified that the implementations of the hash functions themselves behave identically.

HMAC-Blake2s : mismatching output

MACing the empty message with the empty key, using Go /x/crypto for reference:

package main

import (
	"crypto/hmac"
	"encoding/hex"
	"fmt"
	"golang.org/x/crypto/blake2s"
	"hash"
)

func main() {
	var sum [blake2s.Size]byte
	// crypto/hmac takes a hash constructor; wrap blake2s.New256 (unkeyed) to fit hash.Hash.
	mac := hmac.New(func() hash.Hash {
		h, _ := blake2s.New256(nil)
		return h
	}, []byte{})
	// Empty key, empty message: Sum appends the tag into sum[:0].
	mac.Sum(sum[:0])
	fmt.Println(hex.EncodeToString(sum[:]))
}

Go Playground

Outputs eaf4bb25938f4d20e72656bbbc7a9bf63c0c18537333c35bdb67db1402661acd

use blake2::Blake2s;
use hex;
use hmac::Hmac;
use hmac::Mac;

fn main() {
    // Empty key, empty message; new_varkey accepts any key length.
    let mac = Hmac::<Blake2s>::new_varkey(&[]).unwrap();
    println!("{}", hex::encode(mac.result().code()));
}

Outputs 972c8a67004c0a295f6aa879b2130cada52849501e36bd1791b588a356ea852f

HMAC-SHA256 : identical output

The same behaviour does not occur when instantiating HMAC with SHA256:

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func main() {
	var sum [sha256.Size]byte
	mac := hmac.New(sha256.New, []byte{})
	mac.Sum(sum[:0])
	fmt.Println(hex.EncodeToString(sum[:]))
}

Go Playground

Outputs b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad

use hex;
use hmac::Hmac;
use hmac::Mac;
use sha2::Sha256;

fn main() {
    let mac = Hmac::<Sha256>::new_varkey(&[]).unwrap();
    println!("{}", hex::encode(mac.result().code()));
}

Outputs b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad

I have reason to believe the Rust implementation is at fault: the Go code is used in wireguard-go and successfully performs cryptographic handshakes with other compatible clients.

@newpavlov
Member

Thank you for reporting this! The problem is in the blake2 crate, we have provided incorrect block sizes (32 bytes instead of 64 for blake2s and 64 instead of 128 for blake2b). I will publish an update ASAP.
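The block-size dependency described above can be checked independently of either crate. The following is an added example (not code from the issue, the blake2 crate, or Go's x/crypto): a plain RFC 2104 HMAC over Python's hashlib with the block size B passed in explicitly. With the correct B (64 for BLAKE2s, 128 for BLAKE2b) it reproduces the Go reference digests quoted in the report and agrees with Python's own hmac module; with the block sizes the affected blake2 versions used (32 and 64) it yields a different tag, which is the interoperability failure observed. The constant names, the WRONG_BLOCK_SIZE table and the helper function names are this example's own.

```python
import hashlib
import hmac as stdlib_hmac

# Reference digests quoted in the issue (Go crypto/hmac, empty key, empty message).
GO_HMAC_BLAKE2S_EMPTY = "eaf4bb25938f4d20e72656bbbc7a9bf63c0c18537333c35bdb67db1402661acd"
GO_HMAC_SHA256_EMPTY = "b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"
# Tag produced by the affected blake2 crate (< v0.8.1), as quoted in the report.
REPORTED_BUGGY_BLAKE2S_EMPTY = "972c8a67004c0a295f6aa879b2130cada52849501e36bd1791b588a356ea852f"

# Block sizes the affected blake2 versions used, per the maintainer's comment
# (32 instead of 64 for BLAKE2s, 64 instead of 128 for BLAKE2b). Assumed table.
WRONG_BLOCK_SIZE = {"blake2s": 32, "blake2b": 64}


def hmac_generic(hash_name: str, key: bytes, msg: bytes, block_size: int) -> str:
    """RFC 2104 HMAC with an explicit block size B.

    K' = K zero-padded to B bytes (K is hashed first if longer than B);
    HMAC = H((K' xor opad) || H((K' xor ipad) || msg)).
    B is exactly the parameter the blake2 crate got wrong, so every step
    below that touches it (key hashing, padding, ipad/opad width) changes.
    """
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).hexdigest()


def block_sizes() -> dict:
    """Block sizes hashlib reports for the hashes involved (the correct B values)."""
    return {name: hashlib.new(name).block_size for name in ("blake2s", "blake2b", "sha256")}


def hmac_correct(hash_name: str, key: bytes, msg: bytes) -> str:
    """HMAC using the hash's real block size."""
    return hmac_generic(hash_name, key, msg, hashlib.new(hash_name).block_size)


def hmac_with_bug(hash_name: str, key: bytes, msg: bytes) -> str:
    """HMAC using the undersized block the affected crate versions used."""
    return hmac_generic(hash_name, key, msg, WRONG_BLOCK_SIZE[hash_name])


def matches_stdlib(hash_name: str, key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    expected = stdlib_hmac.new(key, msg, hash_name).hexdigest()
    return hmac_correct(hash_name, key, msg) == expected


def reproduces_reported_digest() -> bool:
    """True if HMAC-BLAKE2s with B=32 yields the tag the reporter saw from the old crate."""
    return hmac_with_bug("blake2s", b"", b"") == REPORTED_BUGGY_BLAKE2S_EMPTY


def affected_key_lengths(hash_name: str) -> range:
    """Key lengths where the wrong B changes key handling twice over:
    longer than the wrong block, so the buggy code hashes the key first,
    but not longer than the real block, so correct HMAC only pads it."""
    return range(WRONG_BLOCK_SIZE[hash_name] + 1, hashlib.new(hash_name).block_size + 1)


if __name__ == "__main__":
    for name in ("blake2s", "blake2b"):
        print(name, "correct:", hmac_correct(name, b"", b""))
        print(name, "B too small:", hmac_with_bug(name, b"", b""))
    print("matches Go reference:", hmac_correct("blake2s", b"", b"") == GO_HMAC_BLAKE2S_EMPTY)
    print("B=32 reproduces reported tag:", reproduces_reported_digest())
```

Running the script prints the correct and undersized-block tags side by side for both BLAKE2 variants. The last line reports whether the B=32 construction reproduces the exact tag quoted in the report; that is what the maintainer's explanation predicts, and the function leaves it as a runtime check rather than a baked-in claim. `affected_key_lengths` is worth noting for anyone auditing data produced with the old crate: keys of 33 to 64 bytes (BLAKE2s) or 65 to 128 bytes (BLAKE2b) were hashed down before use, so those tags differ from a correct implementation for a second reason beyond the ipad/opad width.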

@newpavlov
Member

newpavlov commented Aug 25, 2019

Done! I've published blake2 v0.8.1 and yanked v0.8.0. Running cargo update should fix the issue. Can you please confirm?

@rot256
Author

rot256 commented Aug 26, 2019

Confirmed working.

@rot256 rot256 closed this as completed Aug 26, 2019
@brycx
Contributor

brycx commented Sep 4, 2019

I think it would be worthwhile to file a RustSec advisory for this. The affected version was released October 2018 while the fixed version was released August this year. Also, according to libs.rs, the blake2 crate is used in 148 other crates.

Note: I haven't checked the other versions.

@tarcieri
Member

tarcieri commented Sep 4, 2019

This definitely falls under RustSec's "cryptographic failure" category

@newpavlov
Member

newpavlov commented Sep 4, 2019

@tarcieri
Can you create the advisory? v0.8.0 is already yanked, but I am not sure what should be done with the earlier versions.

@tarcieri
Member

tarcieri commented Sep 5, 2019

@newpavlov sure

tarcieri added a commit to rustsec/advisory-db that referenced this issue Sep 6, 2019
BLAKE2b and BLAKE2s were implemented using the wrong block size. All
versions of the `blake2` crate prior to v0.8.1 compute incorrect
digests.

See: RustCrypto/MACs#19
@tarcieri
Member

tarcieri commented Sep 6, 2019

Opened a PR with an advisory here: rustsec/advisory-db#151


4 participants