Limit the number of AES-GCM keys allowed in TLS. A new error is raised if this
limit is ever reached. This is a FIPS 140-2 requirement from IG A.5 "Key/IV Pair Uniqueness Requirements from SP 800-38D". Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7129)
This commit is contained in:
parent
f88b9b7915
commit
d6b345708f
4 changed files with 37 additions and 0 deletions
|
@ -711,6 +711,7 @@ ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init
|
|||
ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init
|
||||
EVP_F_AESNI_INIT_KEY:165:aesni_init_key
|
||||
EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl
|
||||
EVP_F_AES_GCM_TLS_CIPHER:207:aes_gcm_tls_cipher
|
||||
EVP_F_AES_INIT_KEY:133:aes_init_key
|
||||
EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher
|
||||
EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
|
||||
|
@ -805,6 +806,7 @@ EVP_F_PKEY_SET_TYPE:158:pkey_set_type
|
|||
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
|
||||
EVP_F_RC5_CTRL:125:rc5_ctrl
|
||||
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
|
||||
EVP_F_S390X_AES_GCM_TLS_CIPHER:208:s390x_aes_gcm_tls_cipher
|
||||
EVP_F_UPDATE:173:update
|
||||
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
|
||||
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
|
||||
|
@ -2265,6 +2267,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
|
|||
EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error
|
||||
EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error
|
||||
EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa
|
||||
EVP_R_TOO_MANY_RECORDS:183:too many records
|
||||
EVP_R_UNKNOWN_CIPHER:160:unknown cipher
|
||||
EVP_R_UNKNOWN_DIGEST:161:unknown digest
|
||||
EVP_R_UNKNOWN_OPTION:169:unknown option
|
||||
|
|
|
@ -44,6 +44,7 @@ typedef struct {
|
|||
int taglen;
|
||||
int iv_gen; /* It is OK to generate IVs */
|
||||
int tls_aad_len; /* TLS AAD length */
|
||||
uint64_t tls_enc_records; /* Number of TLS records encrypted */
|
||||
ctr128_f ctr;
|
||||
} EVP_AES_GCM_CTX;
|
||||
|
||||
|
@ -1069,6 +1070,7 @@ typedef struct {
|
|||
int kreslen;
|
||||
|
||||
int tls_aad_len;
|
||||
uint64_t tls_enc_records; /* Number of TLS records encrypted */
|
||||
} S390X_AES_GCM_CTX;
|
||||
|
||||
typedef struct {
|
||||
|
@ -1692,6 +1694,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
|||
buf = EVP_CIPHER_CTX_buf_noconst(c);
|
||||
memcpy(buf, ptr, arg);
|
||||
gctx->tls_aad_len = arg;
|
||||
gctx->tls_enc_records = 0;
|
||||
|
||||
len = buf[arg - 2] << 8 | buf[arg - 1];
|
||||
/* Correct length for explicit iv. */
|
||||
|
@ -1791,6 +1794,17 @@ static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
|||
if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
|
||||
return -1;
|
||||
|
||||
/*
|
||||
* Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
|
||||
* Requirements from SP 800-38D". The requirements is for one party to the
|
||||
* communication to fail after 2^64 - 1 keys. We do this on the encrypting
|
||||
* side only.
|
||||
*/
|
||||
if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
|
||||
EVPerr(EVP_F_S390X_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
|
||||
: EVP_CTRL_GCM_SET_IV_INV,
|
||||
EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
|
||||
|
@ -2901,6 +2915,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
|||
return 0;
|
||||
memcpy(c->buf, ptr, arg);
|
||||
gctx->tls_aad_len = arg;
|
||||
gctx->tls_enc_records = 0;
|
||||
{
|
||||
unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
|
||||
/* Correct length for explicit IV */
|
||||
|
@ -3035,6 +3050,18 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
|||
if (out != in
|
||||
|| len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
|
||||
return -1;
|
||||
|
||||
/*
|
||||
* Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
|
||||
* Requirements from SP 800-38D". The requirements is for one party to the
|
||||
* communication to fail after 2^64 - 1 keys. We do this on the encrypting
|
||||
* side only.
|
||||
*/
|
||||
if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
|
||||
EVPerr(EVP_F_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set IV from start of buffer or generate IV and write to start of
|
||||
* buffer.
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
static const ERR_STRING_DATA EVP_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_TLS_CIPHER, 0), "aes_gcm_tls_cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
|
||||
|
@ -148,6 +149,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
|
|||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_TLS_CIPHER, 0),
|
||||
"s390x_aes_gcm_tls_cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
|
||||
{0, NULL}
|
||||
};
|
||||
|
@ -239,6 +242,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
|
|||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
|
||||
"private key encode error"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
|
||||
|
|
|
@ -21,6 +21,7 @@ int ERR_load_EVP_strings(void);
|
|||
*/
|
||||
# define EVP_F_AESNI_INIT_KEY 165
|
||||
# define EVP_F_AES_GCM_CTRL 196
|
||||
# define EVP_F_AES_GCM_TLS_CIPHER 207
|
||||
# define EVP_F_AES_INIT_KEY 133
|
||||
# define EVP_F_AES_OCB_CIPHER 169
|
||||
# define EVP_F_AES_T4_INIT_KEY 178
|
||||
|
@ -115,6 +116,7 @@ int ERR_load_EVP_strings(void);
|
|||
# define EVP_F_RC2_MAGIC_TO_METH 109
|
||||
# define EVP_F_RC5_CTRL 125
|
||||
# define EVP_F_S390X_AES_GCM_CTRL 201
|
||||
# define EVP_F_S390X_AES_GCM_TLS_CIPHER 208
|
||||
# define EVP_F_UPDATE 173
|
||||
|
||||
/*
|
||||
|
@ -174,6 +176,7 @@ int ERR_load_EVP_strings(void);
|
|||
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
|
||||
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
|
||||
# define EVP_R_PUBLIC_KEY_NOT_RSA 106
|
||||
# define EVP_R_TOO_MANY_RECORDS 183
|
||||
# define EVP_R_UNKNOWN_CIPHER 160
|
||||
# define EVP_R_UNKNOWN_DIGEST 161
|
||||
# define EVP_R_UNKNOWN_OPTION 169
|
||||
|
|
Loading…
Reference in a new issue