isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/openssl-1.1.1-cve-2022-2097.patch

dca3ee
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
dca3ee
From: Alex Chernyakhovsky <achernya@google.com>
dca3ee
Date: Thu, 16 Jun 2022 12:00:22 +1000
dca3ee
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
dca3ee
MIME-Version: 1.0
dca3ee
Content-Type: text/plain; charset=UTF-8
dca3ee
Content-Transfer-Encoding: 8bit
dca3ee
dca3ee
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
dca3ee
that performs operations on 6 16-byte blocks concurrently (the
dca3ee
"grandloop") and then proceeds to handle the "short" tail (which can
dca3ee
be anywhere from 0 to 5 blocks) that remain.
dca3ee
dca3ee
As part of initialization, the assembly initializes $len to the true
dca3ee
length, less 96 bytes and converts it to a pointer so that the $inp
dca3ee
can be compared to it. Each iteration of "grandloop" checks to see if
dca3ee
there's a full 96-byte chunk to process, and if so, continues. Once
dca3ee
this has been exhausted, it falls through to "short", which handles
dca3ee
the remaining zero to five blocks.
dca3ee
dca3ee
Unfortunately, the jump at the end of "grandloop" had a fencepost
dca3ee
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
dca3ee
equal). This should be `jbe`, as $inp is pointing to the *end* of the
dca3ee
chunk currently being handled. If $inp == $len, that means that
dca3ee
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
dca3ee
then there's 5 or fewer 16-byte blocks left to be handled, and the
dca3ee
fall-through is intended.
dca3ee
dca3ee
The net effect of `jb` instead of `jbe` is that the last 16-byte block
dca3ee
of the last 96-byte chunk was completely omitted. The contents of
dca3ee
`out` in this position were never written to. Additionally, since
dca3ee
those bytes were never processed, the authentication tag generated is
dca3ee
also incorrect.
dca3ee
dca3ee
The same fencepost error, and identical logic, exists in both
dca3ee
aesni_ocb_encrypt and aesni_ocb_decrypt.
dca3ee
dca3ee
This addresses CVE-2022-2097.
dca3ee
dca3ee
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
dca3ee
Co-authored-by: David Benjamin <davidben@google.com>
dca3ee
dca3ee
Reviewed-by: Paul Dale <pauli@openssl.org>
dca3ee
Reviewed-by: Tomas Mraz <tomas@openssl.org>
dca3ee
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
dca3ee
---
dca3ee
 crypto/aes/asm/aesni-x86.pl | 4 ++--
dca3ee
 1 file changed, 2 insertions(+), 2 deletions(-)
dca3ee
dca3ee
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
dca3ee
index fe2b26542ab6..812758e02e04 100644
dca3ee
--- a/crypto/aes/asm/aesni-x86.pl
dca3ee
+++ b/crypto/aes/asm/aesni-x86.pl
dca3ee
@@ -2027,7 +2027,7 @@ sub aesni_generate6
dca3ee
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
dca3ee
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
dca3ee
 	&cmp		($inp,$len);			# done yet?
dca3ee
-	&jb		(&label("grandloop"));
dca3ee
+	&jbe		(&label("grandloop"));
dca3ee
 
dca3ee
 &set_label("short");
dca3ee
 	&add		($len,16*6);
dca3ee
@@ -2453,7 +2453,7 @@ sub aesni_generate6
dca3ee
 	&pxor		($rndkey1,$inout5);
dca3ee
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
dca3ee
 	&cmp		($inp,$len);			# done yet?
dca3ee
-	&jb		(&label("grandloop"));
dca3ee
+	&jbe		(&label("grandloop"));
dca3ee
 
dca3ee
 &set_label("short");
dca3ee
 	&add		($len,16*6);
dca3ee
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
dca3ee
From: Alex Chernyakhovsky <achernya@google.com>
dca3ee
Date: Thu, 16 Jun 2022 12:02:37 +1000
dca3ee
Subject: [PATCH] AES OCB test vectors
dca3ee
MIME-Version: 1.0
dca3ee
Content-Type: text/plain; charset=UTF-8
dca3ee
Content-Transfer-Encoding: 8bit
dca3ee
dca3ee
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
dca3ee
dca3ee
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
dca3ee
Co-authored-by: David Benjamin <davidben@google.com>
dca3ee
dca3ee
Reviewed-by: Paul Dale <pauli@openssl.org>
dca3ee
Reviewed-by: Tomas Mraz <tomas@openssl.org>
dca3ee
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
dca3ee
---
dca3ee
 test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
dca3ee
 1 file changed, 50 insertions(+)
dca3ee
dca3ee
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
dca3ee
index 1c02ea1e9c2d..e12670d9a4b4 100644
dca3ee
--- a/test/recipes/30-test_evp_data/evpciph.txt
dca3ee
+++ b/test/recipes/30-test_evp_data/evpciph.txt
dca3ee
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
dca3ee
 Operation = DECRYPT
dca3ee
 Result = CIPHERFINAL_ERROR
dca3ee
 
dca3ee
+#Test vectors generated to validate aesni_ocb_encrypt on x86
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = C14DFF7D62A13C4A3422456207453190
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = BE0228651ED4E48A11BDED68D953F3A0
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = E84AAC18666116990A3A37B3A5FC55BD
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
dca3ee
+
dca3ee
+Cipher = aes-128-ocb
dca3ee
+Key = 000102030405060708090A0B0C0D0E0F
dca3ee
+IV = 000000000001020304050607
dca3ee
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
dca3ee
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
dca3ee
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
dca3ee
+
dca3ee
 Title = AES XTS test vectors from IEEE Std 1619-2007
dca3ee
 
dca3ee
 # Using the same key twice for encryption is always banned.