
CLI Truncated Tag Authentication fix #222

Closed
ikkebr wants to merge 2 commits into google:master from ikkebr:master

Conversation

@ikkebr ikkebr commented Mar 31, 2026

The CLI verify command accepts truncated authentication tags of arbitrary length, including a single byte. The verification routine base64url-decodes the user-supplied --tag argument and uses the decoded length as the comparison length for CRYPTO_memcmp(). No minimum tag length is enforced. An attacker supplying a 1-byte tag only needs to match the first byte of the real tag.

ikkebr added 2 commits March 31, 2026 09:32
No minimum tag length was enforced. A user supplying a 1-byte tag only needed to match the first byte of the real tag, reducing the authentication check to a 1-in-256 brute-force
Prevented Truncated Tag comparison
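The check described in the PR description, as an added example that is not GLOME's own code: a verifier that base64url-decodes a user-supplied tag and compares as many bytes as were supplied, first with no minimum length (the behaviour the description reports) and then with a minimum. It goes a step beyond the text by counting, from the attacker's side, how many of the 256 possible one-byte tags each policy accepts. `SAMPLE_TAG` is a constructed 32-byte value rather than a real tag, `ct_equal` stands in for OpenSSL's `CRYPTO_memcmp` so the file builds without `-lcrypto`, and `verify_tag`, `min_tag_len`, `accept_prefix` and `count_single_byte_matches` are this example's names, not the project's.

```c
/* Added example, not GLOME's code. Verifies a base64url-encoded, possibly
 * truncated tag against the full tag, with and without a minimum length.
 * ct_equal stands in for CRYPTO_memcmp; SAMPLE_TAG is a constructed value,
 * not a real GLOME tag. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Constructed 32-byte sample tag (a real tag is the MAC output). */
static const uint8_t SAMPLE_TAG[32] = {
    0x9c, 0x3a, 0x11, 0xf0, 0x5e, 0x27, 0xb8, 0x44, 0xd1, 0x0a, 0x6f, 0xe3,
    0x72, 0xc5, 0x88, 0x19, 0x4b, 0xaa, 0x07, 0x63, 0xd9, 0x3f, 0x50, 0xec,
    0x2e, 0x91, 0x76, 0xb4, 0x0d, 0xc8, 0x35, 0xfa};

/* Unpadded base64url encode of in[0..n); NUL-terminates, returns chars written. */
static size_t b64url_encode(const uint8_t *in, size_t n, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64URL[(v >> 18) & 63];
        out[o++] = B64URL[(v >> 12) & 63];
        if (i + 1 < n) out[o++] = B64URL[(v >> 6) & 63];
        if (i + 2 < n) out[o++] = B64URL[v & 63];
    }
    out[o] = '\0';
    return o;
}

/* Unpadded base64url decode; returns byte count, or -1 on malformed input. */
static int b64url_decode(const char *in, uint8_t *out, size_t cap) {
    size_t n = strlen(in), o = 0;
    uint32_t acc = 0;
    int bits = 0;
    if (n % 4 == 1) return -1; /* no byte sequence encodes to this length */
    for (size_t i = 0; i < n; i++) {
        const char *p = strchr(B64URL, in[i]);
        if (p == NULL) return -1;
        acc = (acc << 6) | (uint32_t)(p - B64URL);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;
            out[o++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1; /* keep only the leftover bits */
        }
    }
    return (int)o;
}

/* Constant-time equality over n bytes (stand-in for CRYPTO_memcmp == 0). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Accepts (1) or rejects (0) a user-supplied tag. With min_tag_len == 0 the
 * decoded length alone drives the comparison, as the PR describes; a positive
 * min_tag_len (hypothetical policy knob) rejects shorter tags before comparing. */
static int verify_tag(const char *tag_b64url, const uint8_t *full_tag,
                      size_t full_len, size_t min_tag_len) {
    uint8_t buf[64];
    int n = b64url_decode(tag_b64url, buf, sizeof buf);
    if (n <= 0 || (size_t)n > full_len) return 0;
    if ((size_t)n < min_tag_len) return 0;
    return ct_equal(buf, full_tag, (size_t)n);
}

/* Honest truncation: encode the first `take` bytes of SAMPLE_TAG and verify. */
static int accept_prefix(size_t take, size_t min_len) {
    char enc[64];
    b64url_encode(SAMPLE_TAG, take, enc);
    return verify_tag(enc, SAMPLE_TAG, sizeof SAMPLE_TAG, min_len);
}

/* Attacker view: how many of the 256 possible 1-byte tags are accepted? */
static int count_single_byte_matches(size_t min_len) {
    int hits = 0;
    for (int b = 0; b < 256; b++) {
        uint8_t one = (uint8_t)b;
        char enc[8];
        b64url_encode(&one, 1, enc);
        hits += verify_tag(enc, SAMPLE_TAG, sizeof SAMPLE_TAG, min_len);
    }
    return hits;
}

int main(void) {
    printf("1-byte guesses accepted, no minimum: %d of 256\n",
           count_single_byte_matches(0));
    printf("1-byte guesses accepted, minimum 4: %d of 256\n",
           count_single_byte_matches(4));
    printf("4-byte honest prefix, minimum 4: accepted=%d\n", accept_prefix(4, 4));
    return 0;
}
```

With `min_tag_len` at 0, exactly one of the 256 single-byte guesses is accepted, which is the 1-in-256 brute force the commit message refers to; with a minimum of 4 bytes the same guesses are all rejected before any comparison, while an honest 4-byte prefix still verifies.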
@burgerdev (Collaborator) commented

Hi @ikkebr,

there may be a misunderstanding here, this is actually working as intended.

When using the CLI, you are in full control of the arguments you pass to it, and can verify any sort of requirements externally, keeping the (C) implementation simple. Anyway, forcing the full tag length is definitely not how it's intended to be used - you'd usually want to check something like 4 bytes. This is what's implemented in the glome-login CLI and in the PAM module, where we're directly dealing with attacker-supplied data and have no means to implement external checks.

You might be interested in the Rust CLI, which is about to replace the C CLI (#221) and has an additional flag with which you can enforce a minimum length.

```rust
/// Minimum tag length
///
/// Ideally a multiple of 4, defaults to 10 matching the
/// MIN_ENCODED_AUTHCODE_LEN in login/login.h.
/// Must be at least 2 and will be increased to 2 if the argument is lower.
#[arg(long, value_name = "n", default_value_t = 10)]
min_tag_length: u8,
```

Cheers, Markus

@burgerdev burgerdev closed this Apr 4, 2026