isaacpittman-hitachi / rpms / openssl

From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.

As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.

Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.

The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.

The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.

This addresses CVE-2022-2097.

Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
---
 crypto/aes/asm/aesni-x86.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index fe2b26542ab6..812758e02e04 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ sub aesni_generate6
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
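Review bot: The `# done yet?` comment on the `&cmp ($inp,$len)` line just above the changed jump does not say why equality has to take the loop again, which is the detail the old `jb` got wrong. Suggest expanding it to record that $inp points to the end of the chunk just handled and $len is the end of input less 96 bytes, so $inp == $len means one more full 96-byte chunk is still waiting and only $inp > $len should fall through to "short".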
@@ -2453,7 +2453,7 @@ sub aesni_generate6
 	&pxor		($rndkey1,$inout5);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
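Review bot: The `&cmp ($inp,$len)` / `&jbe` pair at the end of this second grandloop duplicates the boundary check from the hunk at line 2027, and nothing in the code ties the two copies together. A short comment here pointing at the other copy would help keep the two loops from drifting apart on a later change. Both hunk headers read `sub aesni_generate6`, so the diff context does not show which of aesni_ocb_encrypt and aesni_ocb_decrypt each hunk belongs to; naming the routine in that comment would also make the patch easier to audit against the commit message.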
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:02:37 +1000
Subject: [PATCH] AES OCB test vectors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.

Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
---
 test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index 1c02ea1e9c2d..e12670d9a4b4 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
 Operation = DECRYPT
 Result = CIPHERFINAL_ERROR
 
+#Test vectors generated to validate aesni_ocb_encrypt on x86
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = C14DFF7D62A13C4A3422456207453190
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = BE0228651ED4E48A11BDED68D953F3A0
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = E84AAC18666116990A3A37B3A5FC55BD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
+
 Title = AES XTS test vectors from IEEE Std 1619-2007
 
 # Using the same key twice for encryption is always banned.
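Review bot: The comment on the first added line names only aesni_ocb_encrypt and gives no hint of which input lengths are the regression cases, although the companion fix also changes the decrypt loop. The seven plaintexts run from 96 to 192 bytes in 16-byte steps, so the first and last stanzas are the exact multiples of 96 that the commit subject refers to; stating that in the comment would make the purpose of each stanza clear. None of the added stanzas carries an `Operation =` line, unlike the `Operation = DECRYPT` stanza just above, so the comment should also say whether these vectors are expected to exercise the decrypt direction.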