[openssl/openssl] a98f33: Fix AES OCB encrypt/decrypt for x86 AES-NI
richard
noreply at reply.github.openssl.org
Tue Jul 5 10:12:41 UTC 2022
Branch: refs/heads/openssl-3.0
Home: https://github.openssl.org/openssl/openssl
Commit: a98f339ddd7e8f487d6e0088d4a9a42324885a93
https://github.openssl.org/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
Author: Alex Chernyakhovsky <achernya at google.com>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M crypto/aes/asm/aesni-x86.pl
Log Message:
-----------
Fix AES OCB encrypt/decrypt for x86 AES-NI
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno at google.com>
Co-authored-by: David Benjamin <davidben at google.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c)
Commit: 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
https://github.openssl.org/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
Author: Alex Chernyakhovsky <achernya at google.com>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
Log Message:
-----------
AES OCB test vectors
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
Co-authored-by: Alejandro Sedeño <asedeno at google.com>
Co-authored-by: David Benjamin <davidben at google.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be)
Commit: 6677e4519d09ce49e83217fa1f685e592d1648f3
https://github.openssl.org/openssl/openssl/commit/6677e4519d09ce49e83217fa1f685e592d1648f3
Author: Richard Levitte <levitte at openssl.org>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M CHANGES.md
M NEWS.md
Log Message:
-----------
Update CHANGES and NEWS for upcoming release 3.0.5
Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes
Commit: 0202f1d49ee0b6e2ffa49743973e5c0c044e8a33
https://github.openssl.org/openssl/openssl/commit/0202f1d49ee0b6e2ffa49743973e5c0c044e8a33
Author: Richard Levitte <levitte at openssl.org>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M apps/gendsa.c
M crypto/aes/asm/aesni-x86.pl
M crypto/bio/bss_dgram.c
M crypto/bn/bn_gcd.c
M crypto/cmp/cmp_protect.c
M crypto/der_writer.c
M crypto/evp/evp_local.h
M crypto/evp/evp_pbe.c
M crypto/rsa/rsa_chk.c
M crypto/x509/by_store.c
M crypto/x509/x509_d2.c
M doc/internal/man3/ossl_DER_w_bn.pod
M doc/internal/man7/DERlib.pod
M doc/man3/EVP_set_default_properties.pod
M doc/man3/SSL_get_current_cipher.pod
M doc/man7/provider-cipher.pod
M doc/man7/provider-digest.pod
M doc/man7/provider-kdf.pod
M doc/man7/provider-mac.pod
M doc/man7/provider-storemgmt.pod
M include/internal/der.h
M providers/common/der/der_rsa_key.c
M providers/implementations/kdfs/x942kdf.c
M test/recipes/20-test_cli_fips.t
M test/recipes/25-test_verify.t
M test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
Log Message:
-----------
Update copyright year
Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes
Commit: 826cc2d3914cfbacf34574e557f55ac640ceb431
https://github.openssl.org/openssl/openssl/commit/826cc2d3914cfbacf34574e557f55ac640ceb431
Author: Richard Levitte <richard at levitte.org>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M providers/fips-sources.checksums
M providers/fips.checksum
Log Message:
-----------
make update
Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes
Commit: ad4910fad22d57c6d685b0ca83bdb7b2bf69d8fd
https://github.openssl.org/openssl/openssl/commit/ad4910fad22d57c6d685b0ca83bdb7b2bf69d8fd
Author: Richard Levitte <richard at levitte.org>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for release of 3.0.5
Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes
Commit: 7762f082d8d3958475d136f499ce34c58539a94d
https://github.openssl.org/openssl/openssl/commit/7762f082d8d3958475d136f499ce34c58539a94d
Author: Richard Levitte <richard at levitte.org>
Date: 2022-07-05 (Tue, 05 Jul 2022)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for 3.0.6
Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes
Compare: https://github.openssl.org/openssl/openssl/compare/c6b5c00c0e6a...7762f082d8d3
More information about the openssl-commits
mailing list