Commit d6b34570 authored by Pauli's avatar Pauli
Browse files

Limit the number of AES-GCM keys allowed in TLS. A new error is raised if this 


limit is ever reached.

This is a FIPS 140-2 requirement from IG A.5 "Key/IV Pair Uniqueness
Requirements from SP 800-38D".

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7129)
parent f88b9b79

crypto/err/openssl.txt

+3 −0
Original line number Diff line number Diff line
@@ -711,6 +711,7 @@ ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init 
ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init

EVP_F_AESNI_INIT_KEY:165:aesni_init_key

EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl

EVP_F_AES_GCM_TLS_CIPHER:207:aes_gcm_tls_cipher

EVP_F_AES_INIT_KEY:133:aes_init_key

EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher

EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
@@ -805,6 +806,7 @@ EVP_F_PKEY_SET_TYPE:158:pkey_set_type 
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth

EVP_F_RC5_CTRL:125:rc5_ctrl

EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl

EVP_F_S390X_AES_GCM_TLS_CIPHER:208:s390x_aes_gcm_tls_cipher

EVP_F_UPDATE:173:update

KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str

KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
@@ -2265,6 +2267,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ 
EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error

EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error

EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa

EVP_R_TOO_MANY_RECORDS:183:too many records

EVP_R_UNKNOWN_CIPHER:160:unknown cipher

EVP_R_UNKNOWN_DIGEST:161:unknown digest

EVP_R_UNKNOWN_OPTION:169:unknown option

crypto/evp/e_aes.c

+27 −0
Original line number Diff line number Diff line
@@ -44,6 +44,7 @@ typedef struct { 
    int taglen;

    int iv_gen;                 /* It is OK to generate IVs */

    int tls_aad_len;            /* TLS AAD length */

    uint64_t tls_enc_records;   /* Number of TLS records encrypted */

    ctr128_f ctr;

} EVP_AES_GCM_CTX;
@@ -1069,6 +1070,7 @@ typedef struct { 
    int kreslen;



    int tls_aad_len;

    uint64_t tls_enc_records;   /* Number of TLS records encrypted */

} S390X_AES_GCM_CTX;



typedef struct {
@@ -1692,6 +1694,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
        buf = EVP_CIPHER_CTX_buf_noconst(c);

        memcpy(buf, ptr, arg);

        gctx->tls_aad_len = arg;

        gctx->tls_enc_records = 0;



        len = buf[arg - 2] << 8 | buf[arg - 1];

        /* Correct length for explicit iv. */
@@ -1791,6 +1794,17 @@ static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))

        return -1;



    /*

     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness

     * Requirements from SP 800-38D".  The requirements is for one party to the

     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting

     * side only.

     */

    if (ctx->encrypt && ++gctx->tls_enc_records == 0) {

        EVPerr(EVP_F_S390X_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);

        goto err;

    }



    if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN

                                     : EVP_CTRL_GCM_SET_IV_INV,

                            EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
@@ -2901,6 +2915,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
            return 0;

        memcpy(c->buf, ptr, arg);

        gctx->tls_aad_len = arg;

        gctx->tls_enc_records = 0;

        {

            unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];

            /* Correct length for explicit IV */
@@ -3035,6 +3050,18 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
    if (out != in

        || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))

        return -1;

    

    /*

     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness

     * Requirements from SP 800-38D".  The requirements is for one party to the

     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting

     * side only.

     */

    if (ctx->encrypt && ++gctx->tls_enc_records == 0) {

        EVPerr(EVP_F_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);

        goto err;

    }



    /*

     * Set IV from start of buffer or generate IV and write to start of

     * buffer.

crypto/evp/evp_err.c

+4 −0
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 
static const ERR_STRING_DATA EVP_str_functs[] = {

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_TLS_CIPHER, 0), "aes_gcm_tls_cipher"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
@@ -148,6 +149,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = { 
    {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_TLS_CIPHER, 0),

     "s390x_aes_gcm_tls_cipher"},

    {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},

    {0, NULL}

};
@@ -239,6 +242,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { 
    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),

    "private key encode error"},

    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},

    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"},

    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},

    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},

    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},

include/openssl/evperr.h

+3 −0
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ int ERR_load_EVP_strings(void); 
 */

# define EVP_F_AESNI_INIT_KEY                             165

# define EVP_F_AES_GCM_CTRL                               196

# define EVP_F_AES_GCM_TLS_CIPHER                         207

# define EVP_F_AES_INIT_KEY                               133

# define EVP_F_AES_OCB_CIPHER                             169

# define EVP_F_AES_T4_INIT_KEY                            178
@@ -115,6 +116,7 @@ int ERR_load_EVP_strings(void); 
# define EVP_F_RC2_MAGIC_TO_METH                          109

# define EVP_F_RC5_CTRL                                   125

# define EVP_F_S390X_AES_GCM_CTRL                         201

# define EVP_F_S390X_AES_GCM_TLS_CIPHER                   208

# define EVP_F_UPDATE                                     173



/*
@@ -174,6 +176,7 @@ int ERR_load_EVP_strings(void); 
# define EVP_R_PRIVATE_KEY_DECODE_ERROR                   145

# define EVP_R_PRIVATE_KEY_ENCODE_ERROR                   146

# define EVP_R_PUBLIC_KEY_NOT_RSA                         106

# define EVP_R_TOO_MANY_RECORDS                           183

# define EVP_R_UNKNOWN_CIPHER                             160

# define EVP_R_UNKNOWN_DIGEST                             161

# define EVP_R_UNKNOWN_OPTION                             169