|
 |
22d461 |
From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001
|
|
|
22d461 |
From: Alex Chernyakhovsky <achernya@google.com>
|
|
|
22d461 |
Date: Thu, 16 Jun 2022 12:00:22 +1000
|
|
|
22d461 |
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
|
|
|
22d461 |
MIME-Version: 1.0
|
|
|
22d461 |
Content-Type: text/plain; charset=UTF-8
|
|
|
22d461 |
Content-Transfer-Encoding: 8bit
|
|
|
22d461 |
|
|
|
22d461 |
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
|
|
|
22d461 |
that performs operations on 6 16-byte blocks concurrently (the
|
|
|
22d461 |
"grandloop") and then proceeds to handle the "short" tail (which can
|
|
|
22d461 |
be anywhere from 0 to 5 blocks) that remain.
|
|
|
22d461 |
|
|
|
22d461 |
As part of initialization, the assembly initializes $len to the true
|
|
|
22d461 |
length, less 96 bytes and converts it to a pointer so that the $inp
|
|
|
22d461 |
can be compared to it. Each iteration of "grandloop" checks to see if
|
|
|
22d461 |
there's a full 96-byte chunk to process, and if so, continues. Once
|
|
|
22d461 |
this has been exhausted, it falls through to "short", which handles
|
|
|
22d461 |
the remaining zero to five blocks.
|
|
|
22d461 |
|
|
|
22d461 |
Unfortunately, the jump at the end of "grandloop" had a fencepost
|
|
|
22d461 |
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
|
|
|
22d461 |
equal). This should be `jbe`, as $inp is pointing to the *end* of the
|
|
|
22d461 |
chunk currently being handled. If $inp == $len, that means that
|
|
|
22d461 |
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
|
|
|
22d461 |
then there's 5 or fewer 16-byte blocks left to be handled, and the
|
|
|
22d461 |
fall-through is intended.
|
|
|
22d461 |
|
|
|
22d461 |
The net effect of `jb` instead of `jbe` is that the last 16-byte block
|
|
|
22d461 |
of the last 96-byte chunk was completely omitted. The contents of
|
|
|
22d461 |
`out` in this position were never written to. Additionally, since
|
|
|
22d461 |
those bytes were never processed, the authentication tag generated is
|
|
|
22d461 |
also incorrect.
|
|
|
22d461 |
|
|
|
22d461 |
The same fencepost error, and identical logic, exists in both
|
|
|
22d461 |
aesni_ocb_encrypt and aesni_ocb_decrypt.
|
|
|
22d461 |
|
|
|
22d461 |
This addresses CVE-2022-2097.
|
|
|
22d461 |
|
|
|
22d461 |
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
|
|
22d461 |
Co-authored-by: David Benjamin <davidben@google.com>
|
|
|
22d461 |
|
|
|
22d461 |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
22d461 |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
22d461 |
(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c)
|
|
|
22d461 |
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93]
|
|
|
22d461 |
---
|
|
|
22d461 |
crypto/aes/asm/aesni-x86.pl | 4 ++--
|
|
|
22d461 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
22d461 |
|
|
|
22d461 |
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
|
|
|
22d461 |
index 4245fe34e17e..7cf838db170b 100644
|
|
|
22d461 |
--- a/crypto/aes/asm/aesni-x86.pl
|
|
|
22d461 |
+++ b/crypto/aes/asm/aesni-x86.pl
|
|
|
22d461 |
@@ -2025,7 +2025,7 @@ sub aesni_generate6
|
|
|
22d461 |
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
|
|
|
22d461 |
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
|
|
22d461 |
&cmp ($inp,$len); # done yet?
|
|
|
22d461 |
- &jb (&label("grandloop"));
|
|
|
22d461 |
+ &jbe (&label("grandloop"));
|
|
|
22d461 |
|
|
|
22d461 |
&set_label("short");
|
|
|
22d461 |
&add ($len,16*6);
|
|
|
22d461 |
@@ -2451,7 +2451,7 @@ sub aesni_generate6
|
|
|
22d461 |
&pxor ($rndkey1,$inout5);
|
|
|
22d461 |
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
|
|
22d461 |
&cmp ($inp,$len); # done yet?
|
|
|
22d461 |
- &jb (&label("grandloop"));
|
|
|
22d461 |
+ &jbe (&label("grandloop"));
|
|
|
22d461 |
|
|
|
22d461 |
&set_label("short");
|
|
|
22d461 |
&add ($len,16*6);
|
|
|
22d461 |
From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001
|
|
|
22d461 |
From: Alex Chernyakhovsky <achernya@google.com>
|
|
|
22d461 |
Date: Thu, 16 Jun 2022 12:02:37 +1000
|
|
|
22d461 |
Subject: [PATCH] AES OCB test vectors
|
|
|
22d461 |
MIME-Version: 1.0
|
|
|
22d461 |
Content-Type: text/plain; charset=UTF-8
|
|
|
22d461 |
Content-Transfer-Encoding: 8bit
|
|
|
22d461 |
|
|
|
22d461 |
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
|
|
|
22d461 |
|
|
|
22d461 |
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
|
|
22d461 |
Co-authored-by: David Benjamin <davidben@google.com>
|
|
|
22d461 |
|
|
|
22d461 |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
22d461 |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
22d461 |
(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be)
|
|
|
22d461 |
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8]
|
|
|
22d461 |
---
|
|
|
22d461 |
.../30-test_evp_data/evpciph_aes_ocb.txt | 50 +++++++++++++++++++
|
|
|
22d461 |
1 file changed, 50 insertions(+)
|
|
|
22d461 |
|
|
|
22d461 |
diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
|
|
|
22d461 |
index e58ee34b6b3f..de098905230b 100644
|
|
|
22d461 |
--- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
|
|
|
22d461 |
+++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
|
|
|
22d461 |
@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
|
|
|
22d461 |
Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486
|
|
|
22d461 |
Operation = DECRYPT
|
|
|
22d461 |
Result = CIPHERFINAL_ERROR
|
|
|
22d461 |
+
|
|
|
22d461 |
+#Test vectors generated to validate aesni_ocb_encrypt on x86
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = C14DFF7D62A13C4A3422456207453190
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = BE0228651ED4E48A11BDED68D953F3A0
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = E84AAC18666116990A3A37B3A5FC55BD
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
|
|
|
22d461 |
+
|
|
|
22d461 |
+Cipher = aes-128-ocb
|
|
|
22d461 |
+Key = 000102030405060708090A0B0C0D0E0F
|
|
|
22d461 |
+IV = 000000000001020304050607
|
|
|
22d461 |
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
|
|
|
22d461 |
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
|
|
|
22d461 |
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
|