On 8/01/2016 4:30 a.m., Tim Ruehsen wrote:
> On Thursday 07 January 2016 15:05:38 Niels Möller wrote:
>> Tim Ruehsen writes:
>>> But what's wrong with providing a larger buffer than needed?
>>
>> I don't think about it as the size of the provided buffer, but as the requested size of the digest (intended for the use case of truncated digests). And it's not defined how to produce a 20-byte md5 digest. If
>>
>>   md5_digest(&md5, 20, digest);
>>
>> were allowed, what should it do? Write 16 bytes, and leave the remaining 4 bytes untouched?
>
> You put the answer into my mouth... yes, that seems intuitive to me.

Then what will the application do with 4 random bytes of output? It clearly is not aware of the 16-byte digest size limit. So what basis do we have to be certain it will output or use only those 16 bytes, and not do something such as sending the buffer to snprintf with length parameter of 20 there as well. Or worse, passing just the (unterminated) buffer start pointer to sprintf.
It is a very bad policy for any code, let alone security code, to just blindly trust that the external software will operate correctly.
The choice is also not so black and white. There are a bunch of other "intuitive" actions that could be performed:
 * wipe the entire digest and emit 20 bytes of 0's, or
 * wipe the entire digest and emit 20 bytes of 1's, or
 * wipe the extra 4 bytes with 0's, or
 * wipe the extra 4 bytes with 1's, or
 * wipe the 1st of the extra bytes with a null byte, or
 * throw an exception.
Each of which has its own set of problems and nasty side effects depending on what the external software is doing or assuming.

>>> Some admins have their jobs due to 'stop-by-assertion' software - at least that is a good thing about assertions ;)
>>
>> I suspect that 'continue-with-silent-data-corruption' software would give them even more work...
>
> Definitely. That's why I try to avoid either of them.
> An assertion doesn't give the higher layers a chance to intervene.

The higher layers are clearly broken in their designed use of the nettle API. This is not a dynamic limit being checked, but an explicit and fixed global value of MD5_DIGEST_SIZE.
Amos
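
An added example, not part of the original message and not nettle code: it shows the "write 16, leave 4 untouched" outcome discussed in the thread, next to a caller-side check against the fixed digest size. The names `lenient_digest`, `stale_bytes_after_lenient`, `checked_digest` and `DEMO_DIGEST_SIZE` are hypothetical, and the digest bytes are constructed, not a real hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_DIGEST_SIZE 16   /* assumed to mirror MD5_DIGEST_SIZE */

/* Hypothetical stand-in for a digest routine that, for an oversized
 * request, writes the 16 bytes it has and leaves the rest untouched.
 * The output bytes are constructed sample values, not a real hash. */
static void lenient_digest(size_t length, uint8_t *out)
{
    size_t n = length < DEMO_DIGEST_SIZE ? length : DEMO_DIGEST_SIZE;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(0x10 + i);
}

/* A caller that treats `requested` bytes as the digest. Returns how many
 * of those bytes are stale buffer content rather than digest output. */
size_t stale_bytes_after_lenient(size_t requested)
{
    uint8_t buf[32];
    if (requested > sizeof buf)
        return 0;
    memset(buf, 0xAA, sizeof buf);      /* constructed stale data */
    lenient_digest(requested, buf);
    size_t stale = 0;
    for (size_t i = DEMO_DIGEST_SIZE; i < requested; i++)
        if (buf[i] == 0xAA)
            stale++;
    return stale;
}

/* Caller-side check against the fixed constant, done before the digest
 * call: the higher layer gets an error it can handle, and an oversized
 * request never reaches the library. Returns 0 on success, -1 otherwise. */
int checked_digest(size_t requested, uint8_t *out, size_t out_size)
{
    if (requested > DEMO_DIGEST_SIZE || requested > out_size)
        return -1;
    lenient_digest(requested, out);
    return 0;
}
```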