CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86

Resolves: CVE-2022-2097 Signed-off-by: Clemens Lang <cllang@redhat.com>
2 years ago · 5901637dea
parent f3b52e907b
commit 5901637dea
2 changed files with 159 additions and 1 deletions
--- a/0069-CVE-2022-2097.patch
+++ b/0069-CVE-2022-2097.patch
@ -0,0 +1,151 @@
+From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c)
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93]
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index 4245fe34e17e..7cf838db170b 100644
+--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2025,7 +2025,7 @@ sub aesni_generate6
+ 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+@@ -2451,7 +2451,7 @@ sub aesni_generate6
+ 	&pxor		($rndkey1,$inout5);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:02:37 +1000
+Subject: [PATCH] AES OCB test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be)
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8]
+---
+ .../30-test_evp_data/evpciph_aes_ocb.txt      | 50 +++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
+index e58ee34b6b3f..de098905230b 100644
+--- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
+@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
+ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486
+ Operation = DECRYPT
+ Result = CIPHERFINAL_ERROR
+
+#Test vectors generated to validate aesni_ocb_encrypt on x86
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = C14DFF7D62A13C4A3422456207453190
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = BE0228651ED4E48A11BDED68D953F3A0
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = E84AAC18666116990A3A37B3A5FC55BD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 36%{?dist}
+Release: 37%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -135,6 +135,9 @@ Patch67: 0067-fix-ppc64-montgomery.patch
 #https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa
 #https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739
 Patch68: 0068-CVE-2022-2068.patch
+# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
+# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
+Patch69: 0069-CVE-2022-2097.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -465,6 +468,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37
+- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
+  Resolves: CVE-2022-2097
+
 * Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
 - Ciphersuites with RSAPSK KX should be filterd in FIPS mode
 - Related: rhbz#2085088