diff --git a/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch b/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d4aecb38501e9af701b5c145ab6cbe37c8984dd --- /dev/null +++ b/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch 
@@ -0,0 +1,64 @@ +From 66834f8fa72803f243a94014ad3af8161947a054 Mon Sep 17 00:00:00 2001 +From: yinyongkang +Date: Thu, 7 Jul 2022 16:55:55 +0800 +Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI + +aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path +that performs operations on 6 16-byte blocks concurrently (the +"grandloop") and then proceeds to handle the "short" tail (which can +be anywhere from 0 to 5 blocks) that remain. + +As part of initialization, the assembly initializes $len to the true +length, less 96 bytes and converts it to a pointer so that the $inp +can be compared to it. Each iteration of "grandloop" checks to see if +there's a full 96-byte chunk to process, and if so, continues. Once +this has been exhausted, it falls through to "short", which handles +the remaining zero to five blocks. + +Unfortunately, the jump at the end of "grandloop" had a fencepost +error, doing a `jb` ("jump below") rather than `jbe` (jump below or +equal). This should be `jbe`, as $inp is pointing to the *end* of the +chunk currently being handled. If $inp == $len, that means that +there's a whole 96-byte chunk waiting to be handled. If $inp > $len, +then there's 5 or fewer 16-byte blocks left to be handled, and the +fall-through is intended. + +The net effect of `jb` instead of `jbe` is that the last 16-byte block +of the last 96-byte chunk was completely omitted. The contents of +`out` in this position were never written to. Additionally, since +those bytes were never processed, the authentication tag generated is +also incorrect. + +The same fencepost error, and identical logic, exists in both +aesni_ocb_encrypt and aesni_ocb_decrypt. + +This addresses CVE-2022-2097. 
+--- + crypto/aes/asm/aesni-x86.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl +index fe2b265..812758e 100644 +--- a/crypto/aes/asm/aesni-x86.pl ++++ b/crypto/aes/asm/aesni-x86.pl +@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &movdqu (&QWP(-16*2,$out,$inp),$inout4); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &pxor ($rndkey1,$inout5); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +-- +2.33.0 + diff --git a/openssl.spec b/openssl.spec index cb0f5395cbffbe02c96354caf20817259a2cd7ec..2ecbd8121919214fa5fe900ce3de55e0563c582c 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1m -Release: 5 +Release: 6 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -31,6 +31,7 @@ Patch20: Backport-ct_test.c-Update-the-epoch-time.patch Patch21: Feature-Support-TLCP-protocol.patch Patch22: Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch Patch23: CVE-2022-2068-Fix-file-operations-in-c_rehash.patch +Patch24: CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -227,6 +228,9 @@ make test || : %ldconfig_scriptlets libs %changelog +* Thu Jul 7 2022 yinyongkang - 1:1.1.1m-6 +- fix CVE-2022-2097 + * Thu Jun 30 2022 wangcheng - 1:1.1.1m-5 - fix CVE-2022-2068
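Review bot: no regression test accompanies the fix; the diffstat shows `1 file changed, 2 insertions(+), 2 deletions(-)` with only crypto/aes/asm/aesni-x86.pl touched, so nothing exercises an OCB message whose length is an exact multiple of 96 bytes, which is precisely the case where `jb` skips the `$inp == $len` iteration and the final 16-byte block of output (and the tag) is wrong. Suggest adding such a vector to the EVP OCB tests, or at minimum recording in the patch header that `make test` was run on a 32-bit AES-NI build. The change itself is correct and consistent: both `&jb (&label("grandloop"));` sites, in aesni_ocb_encrypt (around line 2030) and aesni_ocb_decrypt (around line 2456), become `&jbe`, matching the reasoning in the description. The header gives only the local hash `66834f8f...` and author; a `Reference:` line pointing at the upstream OpenSSL commit for CVE-2022-2097 would make this backport traceable.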
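Review bot: the `Patch24:` declaration is added, but this hunk shows no corresponding application of the patch; confirm that %prep applies patches by number (for example via `%autosetup -p1` or an explicit `%patch24 -p1`), otherwise the fix is declared in the spec but never applied and the build ships the unpatched aesni-x86.pl. The file name follows the existing `CVE-2022-2068-...` convention, which is fine.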
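Review bot: the changelog entry `- fix CVE-2022-2097` would be more useful with a one-line summary of the defect, for example reusing the patch subject ("AES OCB encrypt/decrypt drops the last block on x86 AES-NI"), so readers of the package history do not need to open the patch. The date, author and `1:1.1.1m-6` version agree with the `Release: 6` bump in the earlier hunk.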