Bug #8439

test_aes_gcm_wrong_tag(OpenSSL::TestCipher) fails randomly

Added by Vit Ondruch 11 months ago. Updated 3 months ago.

[ruby-core:55143]
Status:Closed
Priority:Normal
Assignee:Martin Bosslet
Category:ext
Target version:2.1.0
ruby -v:ruby -v: ruby 2.0.0p195 (2013-05-14 revision 40734) [x86_64-linux] Backport:1.9.3: DONTNEED, 2.0.0: DONE

Description

=begin
7) Error:
testaesgcmwrongtag(OpenSSL::TestCipher):
OpenSSL::Cipher::CipherError: unable to set GCM tag
/builddir/build/BUILD/ruby-2.0.0-p195/test/openssl/testcipher.rb:190:in auth_tag='
/builddir/build/BUILD/ruby-2.0.0-p195/test/openssl/test_cipher.rb:190:intestaesgcmwrong_tag'

I am building ruby against openssl-1.0.1e-8.el7.x86_64
=end

Associated revisions

Revision 43676
Added by Akira Tanaka 5 months ago

  • test/openssl/testcipher.rb (testaesgcmwrongtag): Don't use String#succ because it can make modified (wrong) authtag longer than 16 bytes. The longer authtag makes that EVPCIPHERCTXctrl (and internally aesgcmctrl) fail. [Bug #8439] reported by Vit Ondruch.

History

#1 Updated by Zachary Scott 11 months ago

  • Category set to ext
  • Status changed from Open to Assigned
  • Assignee set to Martin Bosslet
  • Target version set to 2.1.0

Can you reproduce this with trunk?

#2 Updated by Vit Ondruch 10 months ago

Might be related/duplicate to #8221

#3 Updated by Martin Bosslet 10 months ago

vo.x (Vit Ondruch) wrote:

Might be related/duplicate to #8221

Yes, very much sounds like it. I need to take a deeper look at what happens in the OpenSSL implementation that might explain the random failures.

#4 Updated by Akira Tanaka 6 months ago

I tracked down the random failure.

It seems that the failure occur when tag[-1].succ is 2byte.
I.e. it fails when tag[-1] is "9", "Z", "z" or "\xFF".

I modified testaesgcmwrongtag as follows:

Index: test_cipher.rb

--- testcipher.rb (revision 43555)
+++ testcipher.rb (working copy)
@@ -187,6 +187,7 @@ class OpenSSL::TestCipher < Test::Unit::
tag = cipher.auth_tag

   decipher = new_decryptor('aes-128-gcm', key, iv)
  • p [tag[-1], tag[-1].succ] decipher.authtag = tag[0..-2] << tag[-1].succ decipher.authdata = "aad"

When the test fails, ["9", "10"], ["Z", "AA"], ["z", "aa"] or ["\xFF", "\x01\x00"] are shown.
Assuming tag[-1] is a random byte, I guess the test fails once per 64 times on average because 4/256=1/64.

I'm not sure the intent of tag[-1].succ, though.

#5 Updated by Akira Tanaka 5 months ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r43676.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

  • test/openssl/testcipher.rb (testaesgcmwrongtag): Don't use String#succ because it can make modified (wrong) authtag longer than 16 bytes. The longer authtag makes that EVPCIPHERCTXctrl (and internally aesgcmctrl) fail. [Bug #8439] reported by Vit Ondruch.

#6 Updated by Vit Ondruch 4 months ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: UNKNOWN, 2.0.0: REQUIRED

#7 Updated by Tomoyuki Chikanaga 3 months ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: REQUIRED to 1.9.3: UNKNOWN, 2.0.0: DONE

r43676 was backported to ruby20_0 at r44566.

#8 Updated by Usaku NAKAMURA 3 months ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: DONE to 1.9.3: DONTNEED, 2.0.0: DONE

Also available in: Atom PDF