|
|
6e1574 |
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
|
|
|
6e1574 |
From: Alex Chernyakhovsky <achernya@google.com>
|
|
|
6e1574 |
Date: Thu, 16 Jun 2022 12:00:22 +1000
|
|
|
6e1574 |
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
|
|
|
6e1574 |
MIME-Version: 1.0
|
|
|
6e1574 |
Content-Type: text/plain; charset=UTF-8
|
|
|
6e1574 |
Content-Transfer-Encoding: 8bit
|
|
|
6e1574 |
|
|
|
6e1574 |
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
|
|
|
6e1574 |
that performs operations on 6 16-byte blocks concurrently (the
|
|
|
6e1574 |
"grandloop") and then proceeds to handle the "short" tail (which can
|
|
|
6e1574 |
be anywhere from 0 to 5 blocks) that remain.
|
|
|
6e1574 |
|
|
|
6e1574 |
As part of initialization, the assembly initializes $len to the true
|
|
|
6e1574 |
length, less 96 bytes and converts it to a pointer so that the $inp
|
|
|
6e1574 |
can be compared to it. Each iteration of "grandloop" checks to see if
|
|
|
6e1574 |
there's a full 96-byte chunk to process, and if so, continues. Once
|
|
|
6e1574 |
this has been exhausted, it falls through to "short", which handles
|
|
|
6e1574 |
the remaining zero to five blocks.
|
|
|
6e1574 |
|
|
|
6e1574 |
Unfortunately, the jump at the end of "grandloop" had a fencepost
|
|
|
6e1574 |
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
|
|
|
6e1574 |
equal). This should be `jbe`, as $inp is pointing to the *end* of the
|
|
|
6e1574 |
chunk currently being handled. If $inp == $len, that means that
|
|
|
6e1574 |
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
|
|
|
6e1574 |
then there's 5 or fewer 16-byte blocks left to be handled, and the
|
|
|
6e1574 |
fall-through is intended.
|
|
|
6e1574 |
|
|
|
6e1574 |
The net effect of `jb` instead of `jbe` is that the last 16-byte block
|
|
|
6e1574 |
of the last 96-byte chunk was completely omitted. The contents of
|
|
|
6e1574 |
`out` in this position were never written to. Additionally, since
|
|
|
6e1574 |
those bytes were never processed, the authentication tag generated is
|
|
|
6e1574 |
also incorrect.
|
|
|
6e1574 |
|
|
|
6e1574 |
The same fencepost error, and identical logic, exists in both
|
|
|
6e1574 |
aesni_ocb_encrypt and aesni_ocb_decrypt.
|
|
|
6e1574 |
|
|
|
6e1574 |
This addresses CVE-2022-2097.
|
|
|
6e1574 |
|
|
|
6e1574 |
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
|
|
6e1574 |
Co-authored-by: David Benjamin <davidben@google.com>
|
|
|
6e1574 |
|
|
|
6e1574 |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
6e1574 |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
6e1574 |
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
|
|
|
6e1574 |
---
|
|
|
6e1574 |
crypto/aes/asm/aesni-x86.pl | 4 ++--
|
|
|
6e1574 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
6e1574 |
|
|
|
6e1574 |
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
|
|
|
6e1574 |
index fe2b26542ab6..812758e02e04 100644
|
|
|
6e1574 |
--- a/crypto/aes/asm/aesni-x86.pl
|
|
|
6e1574 |
+++ b/crypto/aes/asm/aesni-x86.pl
|
|
|
6e1574 |
@@ -2027,7 +2027,7 @@ sub aesni_generate6
|
|
|
6e1574 |
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
|
|
|
6e1574 |
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
|
|
6e1574 |
&cmp ($inp,$len); # done yet?
|
|
|
6e1574 |
- &jb (&label("grandloop"));
|
|
|
6e1574 |
+ &jbe (&label("grandloop"));
|
|
|
6e1574 |
|
|
|
6e1574 |
&set_label("short");
|
|
|
6e1574 |
&add ($len,16*6);
|
|
|
6e1574 |
@@ -2453,7 +2453,7 @@ sub aesni_generate6
|
|
|
6e1574 |
&pxor ($rndkey1,$inout5);
|
|
|
6e1574 |
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
|
|
6e1574 |
&cmp ($inp,$len); # done yet?
|
|
|
6e1574 |
- &jb (&label("grandloop"));
|
|
|
6e1574 |
+ &jbe (&label("grandloop"));
|
|
|
6e1574 |
|
|
|
6e1574 |
&set_label("short");
|
|
|
6e1574 |
&add ($len,16*6);
|
|
|
6e1574 |
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
|
|
|
6e1574 |
From: Alex Chernyakhovsky <achernya@google.com>
|
|
|
6e1574 |
Date: Thu, 16 Jun 2022 12:02:37 +1000
|
|
|
6e1574 |
Subject: [PATCH] AES OCB test vectors
|
|
|
6e1574 |
MIME-Version: 1.0
|
|
|
6e1574 |
Content-Type: text/plain; charset=UTF-8
|
|
|
6e1574 |
Content-Transfer-Encoding: 8bit
|
|
|
6e1574 |
|
|
|
6e1574 |
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
|
|
|
6e1574 |
|
|
|
6e1574 |
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
|
|
6e1574 |
Co-authored-by: David Benjamin <davidben@google.com>
|
|
|
6e1574 |
|
|
|
6e1574 |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
6e1574 |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
6e1574 |
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
|
|
|
6e1574 |
---
|
|
|
6e1574 |
test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
|
|
|
6e1574 |
1 file changed, 50 insertions(+)
|
|
|
6e1574 |
|
|
|
6e1574 |
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
|
|
|
6e1574 |
index 1c02ea1e9c2d..e12670d9a4b4 100644
|
|
|
6e1574 |
--- a/test/recipes/30-test_evp_data/evpciph.txt
|
|
|
6e1574 |
+++ b/test/recipes/30-test_evp_data/evpciph.txt
|
|
|
6e1574 |
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
|
|
|
6e1574 |
Operation = DECRYPT
|
|
|
6e1574 |
Result = CIPHERFINAL_ERROR
|
|
|
6e1574 |
|
|
|
6e1574 |
+#Test vectors generated to validate aesni_ocb_encrypt on x86
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = C14DFF7D62A13C4A3422456207453190
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = BE0228651ED4E48A11BDED68D953F3A0
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = E84AAC18666116990A3A37B3A5FC55BD
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
|
|
|
6e1574 |
+
|
|
|
6e1574 |
+Cipher = aes-128-ocb
|
|
|
6e1574 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
6e1574 |
+IV = 000000000001020304050607
|
|
|
6e1574 |
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
|
|
|
6e1574 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
|
|
|
6e1574 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
|
|
|
6e1574 |
+
|
|
|
6e1574 |
Title = AES XTS test vectors from IEEE Std 1619-2007
|
|
|
6e1574 |
|
|
|
6e1574 |
# Using the same key twice for encryption is always banned.
|