Blame SOURCES/0069-CVE-2022-2097.patch

From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.

As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.

Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.

The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.

The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.

This addresses CVE-2022-2097.

Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c)
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93]
---
 crypto/aes/asm/aesni-x86.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index 4245fe34e17e..7cf838db170b 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2025,7 +2025,7 @@ sub aesni_generate6
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
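Review bot: the `# done yet?` comment on the `&cmp ($inp,$len)` line is all that documents the loop-exit condition whose off-by-one this patch fixes. Per the commit message, $len holds the true length less 96 bytes and $inp points at the end of the chunk just handled, so $inp == $len means one more full 96-byte chunk is waiting. Suggest spelling that invariant out in the comment beside `&jbe`, and tying it to the `&add ($len,16*6)` under "short" that adds the 96 bytes back, so the next reader does not have to rederive why equality must loop.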
@@ -2451,7 +2451,7 @@ sub aesni_generate6
 	&pxor		($rndkey1,$inout5);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
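Review bot: the `&cmp ($inp,$len)` / `&jbe` tail at this second site is the same as in the hunk at line 2025, and both hunk headers show only `sub aesni_generate6`, so the diff itself does not say which site belongs to aesni_ocb_encrypt and which to aesni_ocb_decrypt. Since the same fencepost had to be fixed twice, consider a short comment at each site naming the routine and pointing at its twin, so a future change to one loop tail is not made without the other.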
From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:02:37 +1000
Subject: [PATCH] AES OCB test vectors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.

Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be)
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8]
---
 .../30-test_evp_data/evpciph_aes_ocb.txt      | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
index e58ee34b6b3f..de098905230b 100644
--- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486
 Operation = DECRYPT
 Result = CIPHERFINAL_ERROR
+
+#Test vectors generated to validate aesni_ocb_encrypt on x86
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = C14DFF7D62A13C4A3422456207453190
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = BE0228651ED4E48A11BDED68D953F3A0
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = E84AAC18666116990A3A37B3A5FC55BD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
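Review bot: the `+#Test vectors generated to validate aesni_ocb_encrypt on x86` comment names only the encrypt routine, while the fix changes the same branch in aesni_ocb_decrypt, and none of the seven new vectors carries an `Operation =` line, unlike the `Operation = DECRYPT` vector just above them. Suggest stating in the comment that the vectors are meant to cover both directions (or adding explicit decrypt cases), and noting the plaintext lengths, 96 to 192 bytes in 16-byte steps, so it is clear they walk the grandloop/short boundary described in the fix.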