[openssl/openssl] 919925: Fix AES OCB encrypt/decrypt for x86 AES-NI

Richard Levitte noreply at reply.github.openssl.org
Tue Jul 5 10:14:17 UTC 2022


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.openssl.org/openssl/openssl
  Commit: 919925673d6c9cfed3c1085497f5dfbbed5fc431
      https://github.openssl.org/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
  Author: Alex Chernyakhovsky <achernya at google.com>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M crypto/aes/asm/aesni-x86.pl

  Log Message:
  -----------
  Fix AES OCB encrypt/decrypt for x86 AES-NI

aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remains.

As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.

Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.

The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.

The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.

This addresses CVE-2022-2097.

Co-authored-by: Alejandro Sedeño <asedeno at google.com>
Co-authored-by: David Benjamin <davidben at google.com>

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
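
The loop structure the commit message describes, as an added model (not OpenSSL code, and not part of the original notification): it tracks only which 16-byte blocks the grandloop/short pair would touch for a given input length, with the loop exit switchable between the original `jb` and the corrected `jbe`. Two details the message does not quote are assumptions in the model: the grandloop is entered whenever at least one full 96-byte chunk exists, and a 6-block remainder that reaches "short" is treated as 5 blocks. Names such as `processed_blocks` and `affected_lengths` are the model's own.

```python
# Constructed model of the loop structure the commit message describes for
# aesni_ocb_encrypt/aesni_ocb_decrypt in crypto/aes/asm/aesni-x86.pl.
# Illustration code, not OpenSSL's: it records which 16-byte blocks get
# processed and does no AES at all.

BLOCK = 16
CHUNK = 6 * BLOCK       # one "grandloop" iteration handles 96 bytes
MAX_TAIL_BLOCKS = 5     # "short" is written for 0..5 remaining blocks


def processed_blocks(length, fixed):
    """Indices of the 16-byte blocks the modelled routine actually processes.

    length: whole-block input size in bytes (the bug concerns full blocks).
    fixed:  True models the `jbe` loop exit, False the original `jb`.
    Assumptions (not quoted in the commit message): the grandloop is entered
    whenever at least one full 96-byte chunk exists, and a 6-block remainder
    reaching "short" is processed as if it were 5 blocks.
    """
    if length % BLOCK:
        raise ValueError("model covers whole-block lengths only")
    done = []
    inp = 0                  # $inp: offset of the next unprocessed byte
    end = length - CHUNK     # $len: true length less 96, used as an end pointer
    if length >= CHUNK:
        while True:
            first = inp // BLOCK
            done.extend(range(first, first + 6))
            inp += CHUNK     # $inp now points at the END of the chunk just done
            # jbe: loop again while inp <= end (a full chunk is still waiting);
            # jb : loop again only while inp <  end, so inp == end falls through
            again = inp <= end if fixed else inp < end
            if not again:
                break
    remaining = (length - inp) // BLOCK
    first = inp // BLOCK
    done.extend(range(first, first + min(remaining, MAX_TAIL_BLOCKS)))
    return done


def skipped_blocks(length):
    """Block indices the buggy (`jb`) variant never processes."""
    touched = set(processed_blocks(length, fixed=False))
    return [b for b in range(length // BLOCK) if b not in touched]


def affected_lengths(limit):
    """Whole-block lengths up to `limit` for which the `jb` exit drops a block."""
    return [n for n in range(0, limit + 1, BLOCK) if skipped_blocks(n)]


if __name__ == "__main__":
    for n in (80, 96, 176, 192, 208, 288):
        print(n, "skipped:", skipped_blocks(n))
    print("affected up to 1024:", affected_lengths(1024))
```

Under these assumptions the dropped block is always the last one of the final full chunk (block 11 for 192 bytes, block 17 for 288), and lengths that are not a multiple of 96 are unaffected because `$inp` overshoots `$len` and the tail is sized correctly. In the real routine that dropped block means 16 bytes of `out` left holding whatever the buffer previously contained, and a tag computed over one block too few; a known-answer test at a multiple-of-96 length, as added in the next commit, is the check that catches it.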


  Commit: 9131afdca30b6d1650af9ea6179569a80ab8cb06
      https://github.openssl.org/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06
  Author: Alex Chernyakhovsky <achernya at google.com>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M test/recipes/30-test_evp_data/evpciph.txt

  Log Message:
  -----------
  AES OCB test vectors

Add test vectors for AES OCB for x86 AES-NI multiple-of-96-byte issue.

Co-authored-by: Alejandro Sedeño <asedeno at google.com>
Co-authored-by: David Benjamin <davidben at google.com>

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>


  Commit: 78ba51a3b8b505d8d03abca8fa95e4fb1464d94e
      https://github.openssl.org/openssl/openssl/commit/78ba51a3b8b505d8d03abca8fa95e4fb1464d94e
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M CHANGES
    M NEWS

  Log Message:
  -----------
  Update CHANGES and NEWS for upcoming release 1.1.1q

Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes


  Commit: 95a17c0ead00885452d13309eaffd04c1737d05d
      https://github.openssl.org/openssl/openssl/commit/95a17c0ead00885452d13309eaffd04c1737d05d
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M crypto/aes/asm/aesni-x86.pl
    M crypto/bn/bn_gcd.c
    M crypto/x509v3/v3_addr.c
    M doc/man3/SSL_get_current_cipher.pod
    M test/recipes/30-test_evp_data/evpciph.txt

  Log Message:
  -----------
  Update copyright year


Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes


  Commit: 29708a562a1887a91de0fa6ca668c71871accde9
      https://github.openssl.org/openssl/openssl/commit/29708a562a1887a91de0fa6ca668c71871accde9
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M CHANGES
    M NEWS
    M README
    M include/openssl/opensslv.h

  Log Message:
  -----------
  Prepare for 1.1.1q release

Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes


  Commit: 299e10165194d3d12e8fd559febbc2e5b771de26
      https://github.openssl.org/openssl/openssl/commit/299e10165194d3d12e8fd559febbc2e5b771de26
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2022-07-05 (Tue, 05 Jul 2022)

  Changed paths:
    M CHANGES
    M NEWS
    M README
    M include/openssl/opensslv.h

  Log Message:
  -----------
  Prepare for 1.1.1r-dev

Reviewed-by: Paul Dale <pauli at openssl.org>
Release: yes


Compare: https://github.openssl.org/openssl/openssl/compare/6495cab1c876...299e10165194