https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598 https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05 From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 4 Jul 2023 17:30:35 +0200 Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode The AES-SIV mode allows for multiple associated data items authenticated separately with any of these being 0 length. The provided implementation ignores such empty associated data which is incorrect in regards to the RFC 5297 and is also a security issue because such empty associated data then become unauthenticated if an application expects to authenticate them. Fixes CVE-2023-2975 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21384) (cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, if (!ossl_prov_is_running()) return 0; - if (inl == 0) { - *outl = 0; - return 1; - } + /* Ignore just empty encryption/decryption call and not AAD. */ + if (out != NULL) { + if (inl == 0) { + if (outl != NULL) + *outl = 0; + return 1; + } - if (outsize < inl) { - ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); - return 0; + if (outsize < inl) { + ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); + return 0; + } } if (ctx->hw->cipher(ctx, out, in, inl) <= 0) From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 4 Jul 2023 17:50:37 +0200 Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21384) (cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc) --- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt @@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 Plaintext = 112233445566778899aabbccddee Ciphertext = 40c02b9690c4dc04daef7f6afe5c +Cipher = aes-128-siv +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +Tag = f1c5fdeac1f15a26779c1501f9fb7588 +Plaintext = 112233445566778899aabbccddee +Ciphertext = 27e946c669088ab06da58c5c831c + +Cipher = aes-128-siv +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +AAD = +Tag = d1022f5b3664e5a4dfaf90f85be6f28a +Plaintext = 112233445566778899aabbccddee +Ciphertext = b66cff6b8eca0b79f083b39a0901 + Cipher = aes-128-siv Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 @@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d +Cipher = aes-128-siv +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +AAD = +AAD = 09f911029d74e35bd84156c5635688c0 +Tag = 83ce6593a8fa67eb6fcd2819cedfc011 +Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 +Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d + +Cipher = aes-128-siv +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f +AAD = +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +AAD = 09f911029d74e35bd84156c5635688c0 +Tag = 77dd4a44f5a6b41302121ee7f378de25 +Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 +Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe + Cipher = aes-192-siv Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0 AAD = 101112131415161718191a1b1c1d1e1f2021222324252627