Detect GCM-SIV alignment change (#1145)

Author: justsmth

crypto/cipher_extra/aead_test.cc

@@ -25,6 +25,7 @@
 
 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
+#include "./internal.h"
 #include "../test/abi_test.h"
 #include "../test/file_test.h"
 #include "../test/test_util.h"
@@ -1247,6 +1248,117 @@ TEST(AEADTest, WycheproofXChaCha20Poly1305) {
       });
 }
 
+static int awslc_encrypt(EVP_AEAD_CTX *ctx, uint8_t *nonce,
+                                       uint8_t *ct, uint8_t *pt) {
+  size_t ct_len = 0;
+  GTEST_LOG_(INFO) << "awslc_encrypt: Ctx.State Location: "
+                   << &ctx->state;
+  if (EVP_AEAD_CTX_seal(ctx, ct, &ct_len, 32, nonce, 12, pt, 16, NULL, 0) !=
+      1) {
+    return 1;
+  }
+
+  return 0;
+}
+
+static int awslc_decrypt(const EVP_AEAD *cipher, uint8_t ct[32], uint8_t *key,
+                         size_t key_len, uint8_t nonce[12], uint8_t pt[16]) {
+
+  EVP_AEAD_CTX ctx;
+  size_t pt_len = 0;
+
+  EVP_AEAD_CTX_zero(&ctx);
+  if (EVP_AEAD_CTX_init(&ctx, cipher, key, key_len, 16, NULL) != 1) {
+    return 1;
+  }
+  GTEST_LOG_(INFO) << "awslc_decrypt: Ctx.State Location: " << &ctx.state;
+
+  if (EVP_AEAD_CTX_open(&ctx, pt, &pt_len, 16, nonce, 12, ct, 32, NULL, 0) !=
+      1) {
+    return 1;
+  }
+
+  return 0;
+}
+
+TEST(AEADTest, TestGCMSIV128Change16Alignment) {
+  uint8_t key[16] = {0};
+  uint8_t nonce[12] = {0};
+  uint8_t pt[16] = {0};
+  uint8_t ct[32] = {0};
+  EVP_AEAD_CTX* encrypt_ctx_128 = (EVP_AEAD_CTX*)malloc(sizeof(EVP_AEAD_CTX) + 8);
+
+  const EVP_AEAD *cipher_128 = EVP_aead_aes_128_gcm_siv();
+
+  EVP_AEAD_CTX_zero(encrypt_ctx_128);
+  ASSERT_TRUE(EVP_AEAD_CTX_init(encrypt_ctx_128, cipher_128, key, 16, 16, NULL))
+      << ERR_error_string(ERR_get_error(), NULL);
+  ASSERT_FALSE(awslc_encrypt(encrypt_ctx_128, nonce, ct, pt))
+      << ERR_error_string(ERR_get_error(), NULL);
+  ASSERT_FALSE(awslc_decrypt(cipher_128, ct, key, 16, nonce, pt))
+      << ERR_error_string(ERR_get_error(), NULL);
+
+  GTEST_LOG_(INFO) << "Orig. Ctx.State Location: " << &encrypt_ctx_128->state;
+  EVP_AEAD_CTX *moved_encrypt_ctx_128 =
+      (EVP_AEAD_CTX *)(((uint8_t *)encrypt_ctx_128) + 8);
+  memmove(moved_encrypt_ctx_128, encrypt_ctx_128, sizeof(EVP_AEAD_CTX));
+  GTEST_LOG_(INFO) << "Moved Ctx.State Location: "
+                   << &moved_encrypt_ctx_128->state;
+
+  if (awslc_encrypt(moved_encrypt_ctx_128, nonce, ct, pt) != 1) {
+    if (x86_64_assembly_implementation_FOR_TESTING()) {
+      FAIL() << "Expected failure in awslc_encrypt";
+    }
+  } else {
+    if (!x86_64_assembly_implementation_FOR_TESTING()) {
+      FAIL() << "Failure in awslc_encrypt";
+    }
+    uint32_t err = ERR_get_error();
+    EXPECT_EQ(ERR_R_CIPHER_LIB, ERR_GET_LIB(err));
+    EXPECT_EQ(CIPHER_R_ALIGNMENT_CHANGED, ERR_GET_REASON(err));
+  }
+  free(encrypt_ctx_128);
+}
+
+TEST(AEADTest, TestGCMSIV256Change16Alignment) {
+  uint8_t nonce[12] = {0};
+  uint8_t key[32] = {0};
+  uint8_t pt[16] = {0};
+  uint8_t ct[32] = {0};
+  EVP_AEAD_CTX* encrypt_ctx_256 = (EVP_AEAD_CTX*)malloc(sizeof(EVP_AEAD_CTX) + 8);
+
+  const EVP_AEAD *cipher_256 = EVP_aead_aes_256_gcm_siv();
+
+  EVP_AEAD_CTX_zero(encrypt_ctx_256);
+  ASSERT_TRUE(EVP_AEAD_CTX_init(encrypt_ctx_256, cipher_256, key, 32, 16, NULL))
+      << ERR_error_string(ERR_get_error(), NULL);
+  ASSERT_FALSE(awslc_encrypt(encrypt_ctx_256, nonce, ct, pt))
+      << ERR_error_string(ERR_get_error(), NULL);
+  ASSERT_FALSE(awslc_decrypt(cipher_256, ct, key, 32, nonce, pt))
+      << ERR_error_string(ERR_get_error(), NULL);
+
+  GTEST_LOG_(INFO) << "Orig. Ctx.State Location: " << &encrypt_ctx_256->state;
+  EVP_AEAD_CTX *moved_encrypt_ctx_256 =
+      (EVP_AEAD_CTX *)(((uint8_t *)encrypt_ctx_256) + 8);
+  memmove(moved_encrypt_ctx_256, encrypt_ctx_256, sizeof(EVP_AEAD_CTX));
+  GTEST_LOG_(INFO) << "Moved Ctx.State Location: "
+                   << &moved_encrypt_ctx_256->state;
+
+  if (awslc_encrypt(moved_encrypt_ctx_256, nonce, ct, pt) != 1) {
+    if (x86_64_assembly_implementation_FOR_TESTING()) {
+      FAIL() << "Expected failure in awslc_encrypt";
+    }
+  } else {
+    if (!x86_64_assembly_implementation_FOR_TESTING()) {
+      FAIL() << "Failure in awslc_encrypt";
+    }
+    uint32_t err = ERR_get_error();
+    EXPECT_EQ(ERR_R_CIPHER_LIB, ERR_GET_LIB(err));
+    EXPECT_EQ(CIPHER_R_ALIGNMENT_CHANGED, ERR_GET_REASON(err));
+  }
+  free(encrypt_ctx_256);
+}
+
 TEST(AEADTest, FreeNull) { EVP_AEAD_CTX_free(nullptr); }
 
 // Deterministic IV generation for AES-GCM 256.

crypto/cipher_extra/e_aesgcmsiv.c

@@ -21,8 +21,7 @@
 #include <openssl/err.h>
 
 #include "../fipsmodule/cipher/internal.h"
-#include "../internal.h"
-
+#include "./internal.h"
 
 #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12
 #define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16
@@ -53,8 +52,11 @@ static struct aead_aes_gcm_siv_asm_ctx *asm_ctx_from_ctx(
     const EVP_AEAD_CTX *ctx) {
   // ctx->state must already be 8-byte aligned. Thus, at most, we may need to
   // add eight to align it to 16 bytes.
-  const uintptr_t offset = ((uintptr_t)&ctx->state) & 8;
-  return (struct aead_aes_gcm_siv_asm_ctx *)(&ctx->state.opaque[offset]);
+  const uintptr_t actual_offset = ((uintptr_t)&ctx->state) & 8;
+  if(ctx->state_offset != actual_offset) {
+    return NULL;
+  }
+  return (struct aead_aes_gcm_siv_asm_ctx *)(&ctx->state.opaque[actual_offset]);
 }
 
 // aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
@@ -85,7 +87,12 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     return 0;
   }
 
+  ctx->state_offset = ((uintptr_t)&ctx->state) & 8;
   struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
+  if(gcm_siv_ctx == NULL) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR);
+    return 0;
+  }
   assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);
 
   if (key_bits == 128) {
@@ -332,6 +339,10 @@ static int aead_aes_gcm_siv_asm_seal_scatter(
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
   const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
+  if(gcm_siv_ctx == NULL) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_ALIGNMENT_CHANGED);
+    return 0;
+  }
   const uint64_t in_len_64 = in_len;
   const uint64_t ad_len_64 = ad_len;
 
@@ -420,6 +431,10 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
+  if(gcm_siv_ctx == NULL) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_ALIGNMENT_CHANGED);
+    return 0;
+  }
   const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
   const uint8_t *const given_tag = in + plaintext_len;
 
@@ -852,6 +867,13 @@ const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
   return &aead_aes_256_gcm_siv;
 }
 
+int x86_64_assembly_implementation_FOR_TESTING(void) {
+  if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) {
+    return 1;
+  }
+  return 0;
+}
+
 #else
 
 const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) {
@@ -862,4 +884,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
   return &aead_aes_256_gcm_siv;
 }
 
+int x86_64_assembly_implementation_FOR_TESTING(void) {
+  return 0;
+}
+
 #endif  // AES_GCM_SIV_ASM

crypto/cipher_extra/internal.h

@@ -245,6 +245,7 @@ OPENSSL_INLINE void chacha20_poly1305_seal(uint8_t *out_ciphertext,
 }
 #endif
 
+OPENSSL_EXPORT int x86_64_assembly_implementation_FOR_TESTING(void);
 
 #if defined(__cplusplus)
 }  // extern C

include/openssl/aead.h

@@ -222,6 +222,7 @@ union evp_aead_ctx_st_state {
 struct evp_aead_ctx_st {
   const EVP_AEAD *aead;
   union evp_aead_ctx_st_state state;
+  uint8_t state_offset;
   // tag_len may contain the actual length of the authentication tag if it is
   // known at initialization time.
   uint8_t tag_len;

include/openssl/cipher.h

@@ -690,5 +690,6 @@ BSSL_NAMESPACE_END
 #define CIPHER_R_XTS_DATA_UNIT_IS_TOO_LARGE 139
 #define CIPHER_R_CTRL_OPERATION_NOT_PERFORMED 140
 #define CIPHER_R_SERIALIZATION_INVALID_EVP_AEAD_CTX 141
+#define CIPHER_R_ALIGNMENT_CHANGED 142
 
 #endif  // OPENSSL_HEADER_CIPHER_H