openssl/crypto
Alex Chernyakhovsky 6ebf6d5159 Fix AES OCB encrypt/decrypt for x86 AES-NI
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remains.

As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.

Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there are 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.

The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.

The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.

This addresses CVE-2022-2097.

Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2022-07-05 10:10:24 +02:00
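As an added illustration, not code from OpenSSL or from the commit above: a C model of the "grandloop"/"short" control flow the commit message describes, with the cipher replaced by a plain block copy so that the only thing measured is which 16-byte blocks the control flow actually reaches. The function names (`ocb_like_process`, `blocks_written`, `first_block_dropped`), the constructed sample input, and the assumption that the short tail is written for at most five blocks are this model's own. Run over a few constructed lengths, the model shows the `jb` exit leaving the final block of the final 96-byte chunk unwritten for 192- and 288-byte inputs, while a 96-byte input and any length that is not a multiple of 96 come out complete; a regression test for this class of bug therefore needs inputs that are exact multiples of the chunk size and at least two chunks long.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the loop shape described in the commit message (not OpenSSL code). */
#define BLOCK_BYTES 16
#define CHUNK_BYTES (6 * BLOCK_BYTES)   /* one "grandloop" iteration = 96 bytes */
#define MAX_LEN 1024                    /* size of the constructed buffers below */

/*
 * Process `len` bytes (a multiple of 16) from `inp` into `out`.
 * use_jbe = 1 models the corrected "jbe" test (continue while inp <= marker),
 * use_jbe = 0 models the original "jb" test (continue while inp < marker).
 * Returns the number of 16-byte blocks actually written to `out`.
 */
size_t ocb_like_process(const uint8_t *inp, uint8_t *out, size_t len, int use_jbe)
{
    const uint8_t *p = inp;
    uint8_t *o = out;
    size_t blocks = 0, remaining;

    /* As in the assembly: $len becomes "true length minus 96" turned into a
     * pointer. A full chunk is still available while $inp <= this marker. */
    if (len >= CHUNK_BYTES) {
        const uint8_t *end_marker = inp + (len - CHUNK_BYTES);
        do {
            memcpy(o, p, CHUNK_BYTES);      /* grandloop body: six blocks */
            p += CHUNK_BYTES;
            o += CHUNK_BYTES;
            blocks += 6;
            /* Loop-bottom test: $inp now points at the END of the chunk just done. */
        } while (use_jbe ? (p <= end_marker) : (p < end_marker));
    }

    /* "short" tail. Model assumption: it is written for at most five blocks, so
     * the six blocks left behind by the early "jb" exit are handled as five,
     * which is how the last block of the last chunk goes unwritten. */
    remaining = (size_t)((inp + len) - p) / BLOCK_BYTES;
    if (remaining > 5)
        remaining = 5;
    memcpy(o, p, remaining * BLOCK_BYTES);
    blocks += remaining;
    return blocks;
}

/* Index of the first block of `out` never written (still all zero), or -1. */
static long first_unwritten_block(const uint8_t *out, size_t len)
{
    for (size_t b = 0; b < len / BLOCK_BYTES; b++) {
        int touched = 0;
        for (size_t i = 0; i < BLOCK_BYTES && !touched; i++)
            touched = out[b * BLOCK_BYTES + i] != 0;
        if (!touched)
            return (long)b;
    }
    return -1;
}

/* Run the model on a constructed, never-zero input of `len` bytes. */
static size_t run_case(size_t len, int use_jbe, long *dropped)
{
    uint8_t inp[MAX_LEN], out[MAX_LEN];
    size_t n;

    if (len > MAX_LEN) { *dropped = -1; return 0; }
    for (size_t i = 0; i < len; i++)
        inp[i] = (uint8_t)(1 + (i & 0x7f));   /* constructed sample data, never 0 */
    memset(out, 0, sizeof out);               /* so an unwritten block stays zero */
    n = ocb_like_process(inp, out, len, use_jbe);
    *dropped = first_unwritten_block(out, len);
    return n;
}

size_t blocks_written(size_t len, int use_jbe)
{
    long dropped;
    return run_case(len, use_jbe, &dropped);
}

long first_block_dropped(size_t len, int use_jbe)
{
    long dropped;
    run_case(len, use_jbe, &dropped);
    return dropped;
}

int main(void)
{
    const size_t lens[] = { 80, 96, 192, 208, 288 };
    printf("len  expected  jb_blocks  jb_dropped  jbe_blocks  jbe_dropped\n");
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu  %8zu  %9zu  %10ld  %10zu  %11ld\n", lens[i], lens[i] / BLOCK_BYTES,
               blocks_written(lens[i], 0), first_block_dropped(lens[i], 0),
               blocks_written(lens[i], 1), first_block_dropped(lens[i], 1));
    return 0;
}
```

The table printed by `main` is the check a reviewer would want beside such a fix: for every length that is a multiple of 96 and at least 192 bytes, the `jb` column writes one block fewer than the input holds and reports the index of the untouched block, while the `jbe` column covers every block.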
aes Fix AES OCB encrypt/decrypt for x86 AES-NI 2022-07-05 10:10:24 +02:00
aria Change loops conditions to make zero loop risk more obvious. 2022-05-24 14:11:20 +10:00
asn1 CMS: Export CMS_EnvelopedData and add CMS_EnvelopedData_decrypt() 2022-06-28 17:51:21 +02:00
async Update copyright year 2022-05-03 13:34:51 +01:00
bf Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
bio Avoid using union wrt. SystemTimeToFileTime 2022-06-29 12:11:17 +10:00
bn Fix bn_gcd code to check return value when calling BN_one() 2022-07-05 08:14:20 +02:00
buffer
camellia Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
cast Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
chacha Optimize chacha20 on aarch64 by SVE2 2022-06-22 17:07:17 +10:00
cmac Fix the incorrect checks of EVP_CIPHER_CTX_set_key_length 2022-05-27 07:57:43 +02:00
cmp CMP: implement optional hashAlg field of certConf CMPv3 message 2022-07-01 07:38:50 +01:00
cms CMS: Export CMS_EnvelopedData and add CMS_EnvelopedData_decrypt() 2022-06-28 17:51:21 +02:00
comp
conf Avoid crashing if CONF_modules_unload() is called after OPENSSL_cleanup() 2022-07-01 11:20:51 +02:00
crmf crmf_lib.c: Make sure Ed signature for POPO is called without digest 2022-05-05 09:52:27 +02:00
ct CTLOG_new_ex: Fix copy&paste error when setting propq 2022-06-02 12:08:12 +02:00
des Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
dh Coverity: fix 1506298: negative returns 2022-07-01 16:36:21 +10:00
dsa Coverity: fix 1506297: negative returns 2022-07-01 16:36:21 +10:00
dso Update copyright year 2022-05-03 13:34:51 +01:00
ec Fix a memory leak in EC_GROUP_new_from_ecparameters 2022-06-25 07:20:33 +02:00
encode_decode Check return value of ossl_parse_property() 2022-06-06 09:44:53 +02:00
engine Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats 2022-06-22 09:36:14 +02:00
err RSA keygen update: Raise an error if no prime candidate q is found. 2022-06-13 10:56:31 +02:00
ess
evp store_result: Add fallback for fetching the keymgmt from the provider of the store 2022-06-28 17:54:56 +02:00
ffc Update copyright year 2022-05-03 13:34:51 +01:00
hmac
http crypto/http/http_client.c: Add the check for OPENSSL_strdup 2022-06-23 12:35:09 +02:00
idea
kdf
lhash Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats 2022-06-22 09:36:14 +02:00
md2
md4
md5 Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
mdc2
modes Change loops conditions to make zero loop risk more obvious. 2022-05-24 14:11:20 +10:00
objects Objects: Add OIDs needed for CAdES-Processing 2022-06-28 17:12:06 +02:00
ocsp Update copyright year 2022-05-03 13:34:51 +01:00
pem Update copyright year 2022-05-03 13:34:51 +01:00
perlasm x86asm: Generate endbr32 based on __CET__. 2022-05-24 13:16:06 +10:00
pkcs7 Revert unnecessary PKCS7_verify() performance optimization 2022-06-02 18:41:49 +02:00
pkcs12 Update copyright year 2022-05-03 13:34:51 +01:00
poly1305 Generate the preprocessed .s files for chacha and poly 1305 on ia64 2022-05-27 08:10:49 +02:00
property put_str: Use memcpy instead of strncpy 2022-06-23 15:44:19 +02:00
rand Clarify use of EGD for HPNS in rand/rand_egd.c comments. 2022-06-17 09:28:19 +10:00
rc2
rc4 Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
rc5 Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
ripemd Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
rsa Fix memory leak in ossl_rsa_fromdata. 2022-06-28 17:07:53 +02:00
seed
sha Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
siphash Update copyright year 2022-05-03 13:34:51 +01:00
sm2 Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
sm3 Add ROTATE inline asm support for SM3 2022-06-22 12:46:50 +02:00
sm4 Update copyright year 2022-05-03 13:34:51 +01:00
srp
stack
store store_result: Add fallback for fetching the keymgmt from the provider of the store 2022-06-28 17:54:56 +02:00
ts Update copyright year 2022-05-03 13:34:51 +01:00
txt_db
ui Fix the check of UI_method_set_ex_data 2022-05-27 07:57:43 +02:00
whrlpool Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
x509 v3_sxnet: add a check for the return of i2s_ASN1_INTEGER() 2022-07-05 08:08:12 +02:00
alphacpuid.pl
arm64cpuid.pl Update copyright year 2022-05-03 13:34:51 +01:00
arm_arch.h Apply the AES-GCM unroll8 optimization patch to Neoverse N2 2022-05-23 11:05:51 +10:00
armcap.c Apply the AES-GCM unroll8 optimization patch to Neoverse N2 2022-05-23 11:05:51 +10:00
armv4cpuid.pl
asn1_dsa.c
bsearch.c
build.info QUIC wire format support 2022-05-27 08:00:52 +02:00
c64xpluscpuid.pl
context.c Update copyright year 2022-05-03 13:34:51 +01:00
core_algorithm.c Refactor method construction pre- and post-condition 2022-05-05 15:05:54 +02:00
core_fetch.c Always try to construct methods as new provider might be added 2022-05-12 08:28:12 +02:00
core_namemap.c Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats 2022-06-22 09:36:14 +02:00
cpt_err.c err: add additional errors 2022-01-12 20:10:21 +11:00
cpuid.c Update copyright year 2022-05-03 13:34:51 +01:00
cryptlib.c Update copyright year 2022-05-03 13:34:51 +01:00
ctype.c tolower: refine the tolower code to avoid a memory access 2022-05-23 09:51:28 +10:00
cversion.c
der_writer.c der_writer: Use uint32_t instead of long. 2022-06-27 10:58:40 +02:00
dllmain.c Update copyright year 2022-05-03 13:34:51 +01:00
ebcdic.c
ex_data.c
getenv.c Update copyright year 2022-05-03 13:34:51 +01:00
ia64cpuid.S
info.c Update copyright year 2022-05-03 13:34:51 +01:00
init.c Avoid reusing the init_lock for a different purpose 2022-06-15 09:45:51 +02:00
initthread.c Update copyright year 2022-05-03 13:34:51 +01:00
LPdir_nyi.c
LPdir_unix.c Update copyright year 2022-05-03 13:34:51 +01:00
LPdir_vms.c
LPdir_win32.c
LPdir_win.c
LPdir_wince.c
mem_clr.c
mem_sec.c Update copyright year 2022-05-03 13:34:51 +01:00
mem.c Update copyright year 2022-05-03 13:34:51 +01:00
mips_arch.h
o_dir.c Update copyright year 2022-05-03 13:34:51 +01:00
o_fopen.c Update copyright year 2022-05-03 13:34:51 +01:00
o_init.c Update copyright year 2022-05-03 13:34:51 +01:00
o_str.c strcasecmp: implement strcasecmp and strncasecmp 2022-05-23 09:51:28 +10:00
o_time.c
packet.c QUIC wire format support 2022-05-27 08:00:52 +02:00
param_build_set.c Update copyright year 2022-05-03 13:34:51 +01:00
param_build.c Update copyright year 2022-05-03 13:34:51 +01:00
params_dup.c Update copyright year 2022-05-03 13:34:51 +01:00
params_from_text.c
params.c Update copyright year 2022-05-03 13:34:51 +01:00
pariscid.pl
passphrase.c Update copyright year 2022-05-03 13:34:51 +01:00
ppccap.c Update copyright year 2022-05-03 13:34:51 +01:00
ppccpuid.pl Update copyright year 2022-05-03 13:34:51 +01:00
provider_child.c For child libctx / provider, don't count self-references in parent 2022-05-05 15:06:11 +02:00
provider_conf.c Update copyright year 2022-05-03 13:34:51 +01:00
provider_core.c crypto/provider_core.c: Avoid calling unlock two times 2022-06-28 17:48:19 +02:00
provider_local.h
provider_predefined.c
provider.c
punycode.c
quic_vlint.c QUIC wire format support 2022-05-27 08:00:52 +02:00
README-sparse_array.md
riscv64cpuid.pl Add basic RISC-V cpuid and OPENSSL_riscvcap 2022-05-19 16:32:49 +10:00
riscvcap.c Add basic RISC-V cpuid and OPENSSL_riscvcap 2022-05-19 16:32:49 +10:00
s390x_arch.h Update copyright year 2022-05-03 13:34:51 +01:00
s390xcap.c s390: Add new machine generation 2022-04-12 13:04:57 +02:00
s390xcpuid.pl
self_test_core.c Update copyright year 2022-05-03 13:34:51 +01:00
sparccpuid.S
sparcv9cap.c
sparse_array.c Update copyright year 2022-05-03 13:34:51 +01:00
threads_lib.c
threads_none.c
threads_pthread.c Update copyright year 2022-05-03 13:34:51 +01:00
threads_win.c
trace.c http_client.c: Dump response on error when tracing is enabled 2022-05-30 22:43:44 +02:00
uid.c
vms_rms.h
x86_64cpuid.pl
x86cpuid.pl