Skip to content

Comments

s390x: EVP_CipherInit_ex sequences lead to wrong results#15521

Closed
juergenchrist wants to merge 2 commits intoopenssl:masterfrom
juergenchrist:fix/s390evpinit
Closed

s390x: EVP_CipherInit_ex sequences lead to wrong results#15521
juergenchrist wants to merge 2 commits intoopenssl:masterfrom
juergenchrist:fix/s390evpinit

Conversation

@juergenchrist
Copy link
Contributor

@juergenchrist juergenchrist commented May 28, 2021

The EVP-API allows users to provide parts and even change the direction (decryption vs encryption or vice versa) without providing all arguments. This led to some errors on s390x where, e.g., a late change in the direction caused the cipher to perform the wrong operation.

This is the master branch equivalent of PR #14900. For more details on why we want this and where the init sequences come from, please see #14900 (comment).

Checklist
  • tests are added or updated

t8m
t8m reviewed May 28, 2021
View reviewed changes
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 28, 2021
slontis
slontis reviewed May 28, 2021
View reviewed changes
@slontis slontis requested a review from p-steuer May 28, 2021 21:16
@juergenchrist
Fix CipherInit on s390x.
21377b5 
Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting.  Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures.  Fix this by recomputing
the function codes on the fly during updates and final operations.

Signed-off-by: Juergen Christ <[email protected]>
slontis
slontis reviewed Jun 2, 2021
View reviewed changes
test/evp_extra_test.c Outdated
Copy link
Member

@slontis slontis Jun 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests normally just do

if (TEST_XXX())
goto err;

Copy link
Member

@t8m t8m Jun 3, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, although it is rather:

if (!TEST_condition(func()))
    goto err;

or

ret = TEST_condition(func1())
    && TEST_condition(func2())
    .....

@juergenchrist Please look at the other testcases. These TEST_condition calls really help to diagnose what was the erroneous result.

Copy link
Contributor Author

@juergenchrist juergenchrist Jun 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing this out. I changed all occurrences but kept the additional info message.

slontis
slontis reviewed Jun 2, 2021
View reviewed changes
slontis
slontis reviewed Jun 2, 2021
View reviewed changes
@t8m t8m added the triaged: bug The issue/pr is/fixes a bug label Jun 3, 2021
@t8m t8m added this to the 3.0.0 milestone Jun 3, 2021
@t8m
Copy link
Member

t8m commented Jun 3, 2021

The test failure is relevant.

@juergenchrist
Test EVP_CipherInit sequences and resets
5a0bfe3 
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x.  Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results.  Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <[email protected]>
t8m
t8m approved these changes Jun 4, 2021
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@t8m t8m added approval: review pending This pull request needs review by a committer and removed approval: otc review pending labels Jun 4, 2021
@juergenchrist
Copy link
Contributor Author

juergenchrist commented Jun 4, 2021
edited
Loading

One question regarding this: I also find cipher implementations in crypto/evp/e_aes.c. These once are still buggy but I could not figure out how to use them with the 3.0 code. A fix for them for the 1.1.1 branch is in #14900 but I am not sure if it works with 3.0. Can anybody please tell me how to deal with this file?

@paulidale
Copy link
Contributor

paulidale commented Jun 4, 2021

Configure and build with no-asm and they should be used.

@paulidale paulidale added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Jun 7, 2021
@juergenchrist
Copy link
Contributor Author

juergenchrist commented Jun 7, 2021

Configure and build with no-asm and they should be used.

I cannot verify that. I still get the provider implementations used all the time. Even replacing the EVP_fetch in the test with the appropriate EVP_aes_<keylen>_<mode>() did not give me the old implementation for long. The implicit fetch in evp_cipher_init_internal gives me again the new version. From the code I think the only way to get the old code is if an engine gives exactly this cipher since in that case we skip the whole provider code.

If that is true I have no idea how I can use the old versions. So the old code looks pretty dead to me and I do not think we need to care about it. But anyway, the fixes in #14900 could be used here, too.

@slontis
Copy link
Member

slontis commented Jun 7, 2021

From the code I think the only way to get the old code is if an engine gives exactly this cipher since in that case we skip the whole provider code.

You are correct. Engines are the only reason most of the legacy code is still needed.

@openssl-machine
Copy link
Collaborator

openssl-machine commented Jun 8, 2021

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

@paulidale
Copy link
Contributor

paulidale commented Jun 8, 2021

Merged to master, thanks for the fix.

@paulidale paulidale closed this Jun 8, 2021
openssl-machine pushed a commit that referenced this pull request Jun 8, 2021
@juergenchrist @paulidale
Fix CipherInit on s390x.
ff555f8 
Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting.  Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures.  Fix this by recomputing
the function codes on the fly during updates and final operations.

Signed-off-by: Juergen Christ <[email protected]>

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from #15521)
openssl-machine pushed a commit that referenced this pull request Jun 8, 2021
@juergenchrist @paulidale
Test EVP_CipherInit sequences and resets
063e019 
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x.  Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results.  Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <[email protected]>

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from #15521)
@juergenchrist juergenchrist deleted the fix/s390evpinit branch June 8, 2021 07:58
@p-steuer p-steuer mentioned this pull request Jun 8, 2021
Closed
@p-steuer
Copy link
Member

p-steuer commented Jun 8, 2021

You are correct. Engines are the only reason most of the legacy code is still needed.

If an engine implements eg aes-256-gcm how would the legacy platform specific code in e_aes.c be used ?

If the platformspecific code in e_aes.c is still somehow relevant in master, first commit from #14900 would be needed for master as well.

devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021
@juergenchrist @devnexen
Fix CipherInit on s390x.
1e410c0 
Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting.  Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures.  Fix this by recomputing
the function codes on the fly during updates and final operations.

Signed-off-by: Juergen Christ <[email protected]>

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#15521)
devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021
@juergenchrist @devnexen
Test EVP_CipherInit sequences and resets
6e549b0 
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x.  Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results.  Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <[email protected]>

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#15521)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slontis slontis slontis left review comments

@t8m t8m t8m approved these changes

@paulidale paulidale paulidale approved these changes

@p-steuer p-steuer Awaiting requested review from p-steuer

Assignees

No one assigned

Labels

approval: done This pull request has the required number of approvals branch: master Applies to master branch severity: fips change The pull request changes FIPS provider sources triaged: bug The issue/pr is/fixes a bug

Projects

None yet

Milestone

3.0.0

Development

Successfully merging this pull request may close these issues.

6 participants

@juergenchrist @t8m @paulidale @slontis @openssl-machine @p-steuer