From 5901637dea33e48404f8cb6ac1c0e267324a908a Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Tue, 5 Jul 2022 14:04:03 +0200 Subject: [PATCH] CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 Resolves: CVE-2022-2097 Signed-off-by: Clemens Lang --- 0069-CVE-2022-2097.patch | 151 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 9 ++- 2 files changed, 159 insertions(+), 1 deletion(-) create mode 100644 0069-CVE-2022-2097.patch diff --git a/0069-CVE-2022-2097.patch b/0069-CVE-2022-2097.patch new file mode 100644 index 0000000..47fcaa5 --- /dev/null +++ b/0069-CVE-2022-2097.patch @@ -0,0 +1,151 @@ +From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001 +From: Alex Chernyakhovsky +Date: Thu, 16 Jun 2022 12:00:22 +1000 +Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path +that performs operations on 6 16-byte blocks concurrently (the +"grandloop") and then proceeds to handle the "short" tail (which can +be anywhere from 0 to 5 blocks) that remain. + +As part of initialization, the assembly initializes $len to the true +length, less 96 bytes and converts it to a pointer so that the $inp +can be compared to it. Each iteration of "grandloop" checks to see if +there's a full 96-byte chunk to process, and if so, continues. Once +this has been exhausted, it falls through to "short", which handles +the remaining zero to five blocks. + +Unfortunately, the jump at the end of "grandloop" had a fencepost +error, doing a `jb` ("jump below") rather than `jbe` (jump below or +equal). This should be `jbe`, as $inp is pointing to the *end* of the +chunk currently being handled. If $inp == $len, that means that +there's a whole 96-byte chunk waiting to be handled. If $inp > $len, +then there's 5 or fewer 16-byte blocks left to be handled, and the +fall-through is intended. + +The net effect of `jb` instead of `jbe` is that the last 16-byte block +of the last 96-byte chunk was completely omitted. The contents of +`out` in this position were never written to. Additionally, since +those bytes were never processed, the authentication tag generated is +also incorrect. + +The same fencepost error, and identical logic, exists in both +aesni_ocb_encrypt and aesni_ocb_decrypt. + +This addresses CVE-2022-2097. + +Co-authored-by: Alejandro Sedeño +Co-authored-by: David Benjamin + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c) +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93] +--- + crypto/aes/asm/aesni-x86.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl +index 4245fe34e17e..7cf838db170b 100644 +--- a/crypto/aes/asm/aesni-x86.pl ++++ b/crypto/aes/asm/aesni-x86.pl +@@ -2025,7 +2025,7 @@ sub aesni_generate6 + &movdqu (&QWP(-16*2,$out,$inp),$inout4); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +@@ -2451,7 +2451,7 @@ sub aesni_generate6 + &pxor ($rndkey1,$inout5); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001 +From: Alex Chernyakhovsky +Date: Thu, 16 Jun 2022 12:02:37 +1000 +Subject: [PATCH] AES OCB test vectors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue. + +Co-authored-by: Alejandro Sedeño +Co-authored-by: David Benjamin + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be) +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8] +--- + .../30-test_evp_data/evpciph_aes_ocb.txt | 50 +++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt +index e58ee34b6b3f..de098905230b 100644 +--- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt ++++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt +@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021 + Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486 + Operation = DECRYPT + Result = CIPHERFINAL_ERROR ++ ++#Test vectors generated to validate aesni_ocb_encrypt on x86 ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = C14DFF7D62A13C4A3422456207453190 ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333 ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8 ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204 ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = 41970D13737B7BD1B5FBF49ED4412CA5 ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91 ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = BE0228651ED4E48A11BDED68D953F3A0 ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = 17BC6E10B16E5FDC52836E7D589518C7 ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = E84AAC18666116990A3A37B3A5FC55BD ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED ++ ++Cipher = aes-128-ocb ++Key = 000102030405060708090A0B0C0D0E0F ++IV = 000000000001020304050607 ++Tag = 3E5EA7EE064FE83B313E28D411E91EAD ++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D ++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C diff --git a/openssl.spec b/openssl.spec index 0eccec7..178de5f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 36%{?dist} +Release: 37%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -135,6 +135,9 @@ Patch67: 0067-fix-ppc64-montgomery.patch #https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa #https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739 Patch68: 0068-CVE-2022-2068.patch +# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93 +# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 +Patch69: 0069-CVE-2022-2097.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -465,6 +468,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Jul 05 2022 Clemens Lang - 1:3.0.1-37 +- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 + Resolves: CVE-2022-2097 + * Thu Jun 16 2022 Dmitry Belyavskiy - 1:3.0.1-36 - Ciphersuites with RSAPSK KX should be filterd in FIPS mode - Related: rhbz#2085088