isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/openssl-1.1.1-cve-2022-2097.patch

eaef03
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
eaef03
From: Alex Chernyakhovsky <achernya@google.com>
eaef03
Date: Thu, 16 Jun 2022 12:00:22 +1000
eaef03
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
eaef03
MIME-Version: 1.0
eaef03
Content-Type: text/plain; charset=UTF-8
eaef03
Content-Transfer-Encoding: 8bit
eaef03
eaef03
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
eaef03
that performs operations on 6 16-byte blocks concurrently (the
eaef03
"grandloop") and then proceeds to handle the "short" tail (which can
eaef03
be anywhere from 0 to 5 blocks) that remain.
eaef03
eaef03
As part of initialization, the assembly initializes $len to the true
eaef03
length, less 96 bytes and converts it to a pointer so that the $inp
eaef03
can be compared to it. Each iteration of "grandloop" checks to see if
eaef03
there's a full 96-byte chunk to process, and if so, continues. Once
eaef03
this has been exhausted, it falls through to "short", which handles
eaef03
the remaining zero to five blocks.
eaef03
eaef03
Unfortunately, the jump at the end of "grandloop" had a fencepost
eaef03
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
eaef03
equal). This should be `jbe`, as $inp is pointing to the *end* of the
eaef03
chunk currently being handled. If $inp == $len, that means that
eaef03
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
eaef03
then there's 5 or fewer 16-byte blocks left to be handled, and the
eaef03
fall-through is intended.
eaef03
eaef03
The net effect of `jb` instead of `jbe` is that the last 16-byte block
eaef03
of the last 96-byte chunk was completely omitted. The contents of
eaef03
`out` in this position were never written to. Additionally, since
eaef03
those bytes were never processed, the authentication tag generated is
eaef03
also incorrect.
eaef03
eaef03
The same fencepost error, and identical logic, exists in both
eaef03
aesni_ocb_encrypt and aesni_ocb_decrypt.
eaef03
eaef03
This addresses CVE-2022-2097.
eaef03
eaef03
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
eaef03
Co-authored-by: David Benjamin <davidben@google.com>
eaef03
eaef03
Reviewed-by: Paul Dale <pauli@openssl.org>
eaef03
Reviewed-by: Tomas Mraz <tomas@openssl.org>
eaef03
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
eaef03
---
eaef03
 crypto/aes/asm/aesni-x86.pl | 4 ++--
eaef03
 1 file changed, 2 insertions(+), 2 deletions(-)
eaef03
eaef03
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
eaef03
index fe2b26542ab6..812758e02e04 100644
eaef03
--- a/crypto/aes/asm/aesni-x86.pl
eaef03
+++ b/crypto/aes/asm/aesni-x86.pl
eaef03
@@ -2027,7 +2027,7 @@ sub aesni_generate6
eaef03
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
eaef03
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
eaef03
 	&cmp		($inp,$len);			# done yet?
eaef03
-	&jb		(&label("grandloop"));
eaef03
+	&jbe		(&label("grandloop"));
eaef03
 
eaef03
 &set_label("short");
eaef03
 	&add		($len,16*6);
eaef03
@@ -2453,7 +2453,7 @@ sub aesni_generate6
eaef03
 	&pxor		($rndkey1,$inout5);
eaef03
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
eaef03
 	&cmp		($inp,$len);			# done yet?
eaef03
-	&jb		(&label("grandloop"));
eaef03
+	&jbe		(&label("grandloop"));
eaef03
 
eaef03
 &set_label("short");
eaef03
 	&add		($len,16*6);
eaef03
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
eaef03
From: Alex Chernyakhovsky <achernya@google.com>
eaef03
Date: Thu, 16 Jun 2022 12:02:37 +1000
eaef03
Subject: [PATCH] AES OCB test vectors
eaef03
MIME-Version: 1.0
eaef03
Content-Type: text/plain; charset=UTF-8
eaef03
Content-Transfer-Encoding: 8bit
eaef03
eaef03
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
eaef03
eaef03
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
eaef03
Co-authored-by: David Benjamin <davidben@google.com>
eaef03
eaef03
Reviewed-by: Paul Dale <pauli@openssl.org>
eaef03
Reviewed-by: Tomas Mraz <tomas@openssl.org>
eaef03
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
eaef03
---
eaef03
 test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
eaef03
 1 file changed, 50 insertions(+)
eaef03
eaef03
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
eaef03
index 1c02ea1e9c2d..e12670d9a4b4 100644
eaef03
--- a/test/recipes/30-test_evp_data/evpciph.txt
eaef03
+++ b/test/recipes/30-test_evp_data/evpciph.txt
eaef03
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
eaef03
 Operation = DECRYPT
eaef03
 Result = CIPHERFINAL_ERROR
eaef03
 
eaef03
+#Test vectors generated to validate aesni_ocb_encrypt on x86
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = C14DFF7D62A13C4A3422456207453190
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = BE0228651ED4E48A11BDED68D953F3A0
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = E84AAC18666116990A3A37B3A5FC55BD
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
eaef03
+
eaef03
+Cipher = aes-128-ocb
eaef03
+Key = 000102030405060708090A0B0C0D0E0F
eaef03
+IV = 000000000001020304050607
eaef03
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
eaef03
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
eaef03
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
eaef03
+
eaef03
 Title = AES XTS test vectors from IEEE Std 1619-2007
eaef03
 
eaef03
 # Using the same key twice for encryption is always banned.