Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt()
These undocumented functions were never integrated into the EVP layer and implement the AES Infinite Garble Extension (IGE) mode and AES Bi-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but this issue was never fixed for backwards compatibility reasons. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8710)
This commit is contained in:
parent
9bba2c4c97
commit
fd367b4ce3
6 changed files with 49 additions and 9 deletions
11
CHANGES
11
CHANGES
|
@ -9,6 +9,17 @@
|
||||||
|
|
||||||
Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
|
Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
|
||||||
|
|
||||||
|
*) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
|
||||||
|
deprecated. These undocumented functions were never integrated into the EVP
|
||||||
|
layer and implement the AES Infinite Garble Extension (IGE) mode and AES
|
||||||
|
Bi-directional IGE mode. These modes were never formally standardised and
|
||||||
|
usage of these functions is believed to be very small. In particular
|
||||||
|
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
|
||||||
|
is ever used. The security implications are believed to be minimal, but
|
||||||
|
this issue was never fixed for backwards compatibility reasons. New code
|
||||||
|
should not use these modes.
|
||||||
|
[Matt Caswell]
|
||||||
|
|
||||||
*) Add prediction resistance to the DRBG reseeding process.
|
*) Add prediction resistance to the DRBG reseeding process.
|
||||||
[Paul Dale]
|
[Paul Dale]
|
||||||
|
|
||||||
|
|
10
apps/speed.c
10
apps/speed.c
|
@ -166,10 +166,12 @@ static int DES_ede3_cbc_encrypt_loop(void *args);
|
||||||
#endif
|
#endif
|
||||||
static int AES_cbc_128_encrypt_loop(void *args);
|
static int AES_cbc_128_encrypt_loop(void *args);
|
||||||
static int AES_cbc_192_encrypt_loop(void *args);
|
static int AES_cbc_192_encrypt_loop(void *args);
|
||||||
static int AES_ige_128_encrypt_loop(void *args);
|
|
||||||
static int AES_cbc_256_encrypt_loop(void *args);
|
static int AES_cbc_256_encrypt_loop(void *args);
|
||||||
|
#if !OPENSSL_API_3
|
||||||
|
static int AES_ige_128_encrypt_loop(void *args);
|
||||||
static int AES_ige_192_encrypt_loop(void *args);
|
static int AES_ige_192_encrypt_loop(void *args);
|
||||||
static int AES_ige_256_encrypt_loop(void *args);
|
static int AES_ige_256_encrypt_loop(void *args);
|
||||||
|
#endif
|
||||||
static int CRYPTO_gcm128_aad_loop(void *args);
|
static int CRYPTO_gcm128_aad_loop(void *args);
|
||||||
static int RAND_bytes_loop(void *args);
|
static int RAND_bytes_loop(void *args);
|
||||||
static int EVP_Update_loop(void *args);
|
static int EVP_Update_loop(void *args);
|
||||||
|
@ -428,9 +430,11 @@ static const OPT_PAIR doit_choices[] = {
|
||||||
{"aes-128-cbc", D_CBC_128_AES},
|
{"aes-128-cbc", D_CBC_128_AES},
|
||||||
{"aes-192-cbc", D_CBC_192_AES},
|
{"aes-192-cbc", D_CBC_192_AES},
|
||||||
{"aes-256-cbc", D_CBC_256_AES},
|
{"aes-256-cbc", D_CBC_256_AES},
|
||||||
|
#if !OPENSSL_API_3
|
||||||
{"aes-128-ige", D_IGE_128_AES},
|
{"aes-128-ige", D_IGE_128_AES},
|
||||||
{"aes-192-ige", D_IGE_192_AES},
|
{"aes-192-ige", D_IGE_192_AES},
|
||||||
{"aes-256-ige", D_IGE_256_AES},
|
{"aes-256-ige", D_IGE_256_AES},
|
||||||
|
#endif
|
||||||
#ifndef OPENSSL_NO_RC2
|
#ifndef OPENSSL_NO_RC2
|
||||||
{"rc2-cbc", D_CBC_RC2},
|
{"rc2-cbc", D_CBC_RC2},
|
||||||
{"rc2", D_CBC_RC2},
|
{"rc2", D_CBC_RC2},
|
||||||
|
@ -869,6 +873,7 @@ static int AES_cbc_256_encrypt_loop(void *args)
|
||||||
return count;
|
return count;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if !OPENSSL_API_3
|
||||||
static int AES_ige_128_encrypt_loop(void *args)
|
static int AES_ige_128_encrypt_loop(void *args)
|
||||||
{
|
{
|
||||||
loopargs_t *tempargs = *(loopargs_t **) args;
|
loopargs_t *tempargs = *(loopargs_t **) args;
|
||||||
|
@ -904,6 +909,7 @@ static int AES_ige_256_encrypt_loop(void *args)
|
||||||
(size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT);
|
(size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT);
|
||||||
return count;
|
return count;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
static int CRYPTO_gcm128_aad_loop(void *args)
|
static int CRYPTO_gcm128_aad_loop(void *args)
|
||||||
{
|
{
|
||||||
|
@ -2429,6 +2435,7 @@ int speed_main(int argc, char **argv)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if !OPENSSL_API_3
|
||||||
if (doit[D_IGE_128_AES]) {
|
if (doit[D_IGE_128_AES]) {
|
||||||
for (testnum = 0; testnum < size_num; testnum++) {
|
for (testnum = 0; testnum < size_num; testnum++) {
|
||||||
print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][testnum],
|
print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][testnum],
|
||||||
|
@ -2462,6 +2469,7 @@ int speed_main(int argc, char **argv)
|
||||||
print_result(D_IGE_256_AES, testnum, count, d);
|
print_result(D_IGE_256_AES, testnum, count, d);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
if (doit[D_GHASH]) {
|
if (doit[D_GHASH]) {
|
||||||
for (i = 0; i < loopargs_len; i++) {
|
for (i = 0; i < loopargs_len; i++) {
|
||||||
loopargs[i].gcm_ctx =
|
loopargs[i].gcm_ctx =
|
||||||
|
|
|
@ -9,6 +9,10 @@
|
||||||
|
|
||||||
#include "internal/cryptlib.h"
|
#include "internal/cryptlib.h"
|
||||||
|
|
||||||
|
#if OPENSSL_API_3
|
||||||
|
NON_EMPTY_TRANSLATION_UNIT
|
||||||
|
#else
|
||||||
|
|
||||||
#include <openssl/aes.h>
|
#include <openssl/aes.h>
|
||||||
#include "aes_locl.h"
|
#include "aes_locl.h"
|
||||||
|
|
||||||
|
@ -34,6 +38,7 @@ typedef struct {
|
||||||
|
|
||||||
/* N.B. The IV for this mode is _twice_ the block size */
|
/* N.B. The IV for this mode is _twice_ the block size */
|
||||||
|
|
||||||
|
/* Use of this function is deprecated. */
|
||||||
void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
|
void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
size_t length, const AES_KEY *key,
|
size_t length, const AES_KEY *key,
|
||||||
unsigned char *ivec, const int enc)
|
unsigned char *ivec, const int enc)
|
||||||
|
@ -162,6 +167,14 @@ void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
/*
|
/*
|
||||||
* Note that its effectively impossible to do biIGE in anything other
|
* Note that its effectively impossible to do biIGE in anything other
|
||||||
* than a single pass, so no provision is made for chaining.
|
* than a single pass, so no provision is made for chaining.
|
||||||
|
*
|
||||||
|
* NB: The implementation of AES_bi_ige_encrypt has a bug. It is supposed to use
|
||||||
|
* 2 AES keys, but in fact only one is ever used. This bug has been present
|
||||||
|
* since this code was first implemented. It is believed to have minimal
|
||||||
|
* security impact in practice and has therefore not been fixed for backwards
|
||||||
|
* compatibility reasons.
|
||||||
|
*
|
||||||
|
* Use of this function is deprecated.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* N.B. The IV for this mode is _four times_ the block size */
|
/* N.B. The IV for this mode is _four times_ the block size */
|
||||||
|
@ -282,3 +295,4 @@ void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
|
@ -67,6 +67,7 @@ void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
|
void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
size_t length, const AES_KEY *key,
|
size_t length, const AES_KEY *key,
|
||||||
unsigned char *ivec, int *num);
|
unsigned char *ivec, int *num);
|
||||||
|
# if !OPENSSL_API_3
|
||||||
/* NB: the IV is _two_ blocks long */
|
/* NB: the IV is _two_ blocks long */
|
||||||
void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
|
void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
size_t length, const AES_KEY *key,
|
size_t length, const AES_KEY *key,
|
||||||
|
@ -76,6 +77,7 @@ void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
|
||||||
size_t length, const AES_KEY *key,
|
size_t length, const AES_KEY *key,
|
||||||
const AES_KEY *key2, const unsigned char *ivec,
|
const AES_KEY *key2, const unsigned char *ivec,
|
||||||
const int enc);
|
const int enc);
|
||||||
|
# endif
|
||||||
|
|
||||||
int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
|
int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
|
||||||
unsigned char *out,
|
unsigned char *out,
|
||||||
|
|
|
@ -15,19 +15,21 @@
|
||||||
#include "internal/nelem.h"
|
#include "internal/nelem.h"
|
||||||
#include "testutil.h"
|
#include "testutil.h"
|
||||||
|
|
||||||
#define TEST_SIZE 128
|
#if !OPENSSL_API_3
|
||||||
#define BIG_TEST_SIZE 10240
|
|
||||||
|
|
||||||
#if BIG_TEST_SIZE < TEST_SIZE
|
# define TEST_SIZE 128
|
||||||
#error BIG_TEST_SIZE is smaller than TEST_SIZE
|
# define BIG_TEST_SIZE 10240
|
||||||
#endif
|
|
||||||
|
# if BIG_TEST_SIZE < TEST_SIZE
|
||||||
|
# error BIG_TEST_SIZE is smaller than TEST_SIZE
|
||||||
|
# endif
|
||||||
|
|
||||||
static unsigned char rkey[16];
|
static unsigned char rkey[16];
|
||||||
static unsigned char rkey2[16];
|
static unsigned char rkey2[16];
|
||||||
static unsigned char plaintext[BIG_TEST_SIZE];
|
static unsigned char plaintext[BIG_TEST_SIZE];
|
||||||
static unsigned char saved_iv[AES_BLOCK_SIZE * 4];
|
static unsigned char saved_iv[AES_BLOCK_SIZE * 4];
|
||||||
|
|
||||||
#define MAX_VECTOR_SIZE 64
|
# define MAX_VECTOR_SIZE 64
|
||||||
|
|
||||||
struct ige_test {
|
struct ige_test {
|
||||||
const unsigned char key[16];
|
const unsigned char key[16];
|
||||||
|
@ -432,9 +434,11 @@ static int test_bi_ige_garble3(void)
|
||||||
/* Fail if there is more than 1% matching bytes */
|
/* Fail if there is more than 1% matching bytes */
|
||||||
return TEST_size_t_le(matches, sizeof(checktext) / 100);
|
return TEST_size_t_le(matches, sizeof(checktext) / 100);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
int setup_tests(void)
|
int setup_tests(void)
|
||||||
{
|
{
|
||||||
|
#if !OPENSSL_API_3
|
||||||
RAND_bytes(rkey, sizeof(rkey));
|
RAND_bytes(rkey, sizeof(rkey));
|
||||||
RAND_bytes(rkey2, sizeof(rkey2));
|
RAND_bytes(rkey2, sizeof(rkey2));
|
||||||
RAND_bytes(plaintext, sizeof(plaintext));
|
RAND_bytes(plaintext, sizeof(plaintext));
|
||||||
|
@ -450,5 +454,6 @@ int setup_tests(void)
|
||||||
ADD_TEST(test_bi_ige_garble3);
|
ADD_TEST(test_bi_ige_garble3);
|
||||||
ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors));
|
ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors));
|
||||||
ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors));
|
ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors));
|
||||||
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -684,7 +684,7 @@ PKCS7_SIGNER_INFO_it 683 3_0_0 EXIST:!EXPORT_VAR_AS_FUNCTION:
|
||||||
PKCS7_SIGNER_INFO_it 683 3_0_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
|
PKCS7_SIGNER_INFO_it 683 3_0_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
|
||||||
CRYPTO_ocb128_copy_ctx 684 3_0_0 EXIST::FUNCTION:OCB
|
CRYPTO_ocb128_copy_ctx 684 3_0_0 EXIST::FUNCTION:OCB
|
||||||
TS_REQ_get_ext_d2i 685 3_0_0 EXIST::FUNCTION:TS
|
TS_REQ_get_ext_d2i 685 3_0_0 EXIST::FUNCTION:TS
|
||||||
AES_ige_encrypt 686 3_0_0 EXIST::FUNCTION:
|
AES_ige_encrypt 686 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
|
||||||
d2i_SXNET 687 3_0_0 EXIST::FUNCTION:
|
d2i_SXNET 687 3_0_0 EXIST::FUNCTION:
|
||||||
CTLOG_get0_log_id 688 3_0_0 EXIST::FUNCTION:CT
|
CTLOG_get0_log_id 688 3_0_0 EXIST::FUNCTION:CT
|
||||||
CMS_RecipientInfo_ktri_get0_signer_id 689 3_0_0 EXIST::FUNCTION:CMS
|
CMS_RecipientInfo_ktri_get0_signer_id 689 3_0_0 EXIST::FUNCTION:CMS
|
||||||
|
@ -1456,7 +1456,7 @@ EVP_PKEY_get0_DH 1442 3_0_0 EXIST::FUNCTION:DH
|
||||||
d2i_OCSP_CRLID 1443 3_0_0 EXIST::FUNCTION:OCSP
|
d2i_OCSP_CRLID 1443 3_0_0 EXIST::FUNCTION:OCSP
|
||||||
EVP_CIPHER_CTX_set_padding 1444 3_0_0 EXIST::FUNCTION:
|
EVP_CIPHER_CTX_set_padding 1444 3_0_0 EXIST::FUNCTION:
|
||||||
CTLOG_new_from_base64 1445 3_0_0 EXIST::FUNCTION:CT
|
CTLOG_new_from_base64 1445 3_0_0 EXIST::FUNCTION:CT
|
||||||
AES_bi_ige_encrypt 1446 3_0_0 EXIST::FUNCTION:
|
AES_bi_ige_encrypt 1446 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
|
||||||
ERR_pop_to_mark 1447 3_0_0 EXIST::FUNCTION:
|
ERR_pop_to_mark 1447 3_0_0 EXIST::FUNCTION:
|
||||||
CRL_DIST_POINTS_new 1449 3_0_0 EXIST::FUNCTION:
|
CRL_DIST_POINTS_new 1449 3_0_0 EXIST::FUNCTION:
|
||||||
EVP_PKEY_get0_asn1 1450 3_0_0 EXIST::FUNCTION:
|
EVP_PKEY_get0_asn1 1450 3_0_0 EXIST::FUNCTION:
|
||||||
|
|
Loading…
Reference in a new issue