[openssl.org #3024] Segfault with 'openssl enc' when using aes-cbc-hmac-sha1
OpenSSL 'enc' will fail with a segfault or other errors when attempting to decrypt a file using aes-256-cbc-hmac-sha1. This behavior started with recent Lucky 13 security patches and has been backported to older OpenSSL versions, such as 1.0.1. Apparently, 'enc' does not support the cbc-hmac-sha1 mode of operation. This should probably fail immediately when used, rather than allow the user to encrypt data, then fail on decryption. The same applies to gcm mode, which is also not supported. Alternatively, 'enc' could support these authenticated modes of operation, which would be a useful feature.

My version of OpenSSL and package:
--
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
$ dpkg -l | grep openssl
ii  openssl  1.0.1-4ubuntu5.8  Secure Socket Layer (SSL) binary and related cryptographic tools
$ md5sum /usr/bin/openssl
7902443a1f767a63e8656ccf6a6623e2  /usr/bin/openssl
--

Failing to decrypt a short plaintext:
--
$ echo This is plaintext > plaintext.txt
$ openssl enc -aes-256-cbc-hmac-sha1 -k password -in plaintext.txt -out ciphertext.enc
$ openssl enc -d -aes-256-cbc-hmac-sha1 -k password -in ciphertext.enc
bad decrypt
140608068572832:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:532:
--

Segfaulting on an all-zeros input:
--
$ dd if=/dev/zero of=zeros bs=1 count=40
40+0 records in
40+0 records out
40 bytes (40 B) copied, 0.00196226 s, 20.4 kB/s
$ openssl enc -aes-256-cbc-hmac-sha1 -k password -in zeros -out encrypted-zeros
$ openssl enc -d -aes-256-cbc-hmac-sha1 -k password -in encrypted-zeros -out decrypted-zeros
Segmentation fault (core dumped)
--

GDB output of a version built from 1.0.2-dev:
--
(gdb) run enc -d -aes-256-cbc-hmac-sha1 -k password -in encrypted-zeros -out decrypted-zeros
Starting program: /home/sweis/workspace/openssl/apps/openssl enc -d -aes-256-cbc-hmac-sha1 -k password -in encrypted-zeros -out decrypted-zeros
...
Program received signal SIGSEGV, Segmentation fault.
sha1_block_data_order_avx () at sha1-x86_64.s:3394
3394        vmovdqu 32(%r9),%xmm2
--

Thank you.

--
Steve Weis | PrivateCore Co-Founder | st...@privatecore.com | 415-952-7978
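The report's point is that 'enc' has no working authenticated mode, so a user who wants integrity on top of 'enc' output has to compose it. The script below is an added example, not part of the report and not OpenSSL's own tooling: it wraps 'openssl enc' in encrypt-then-MAC using a separate HMAC-SHA256 key and checks the tag before 'enc -d' ever touches the data, so the data-dependent "wrong final block length" error seen above cannot act as an oracle on tampered ciphertext. It assumes OpenSSL 1.1.1 or later for -pbkdf2 (the 1.0.1 build in the report lacks it); the environment variables ETM_ENC_PASS and ETM_MAC_KEY, the file layout and the etm_* function names are this example's own.

```shell
#!/bin/sh
# Added example: encrypt-then-MAC composed from `openssl enc` + `openssl dgst`,
# because enc offers no authenticated mode. Assumes OpenSSL 1.1.1+ (-pbkdf2).
# ETM_ENC_PASS, ETM_MAC_KEY and the etm_* names are this example's own.
#
# Layout: <base>       enc's own "Salted__" + salt + AES-256-CBC ciphertext
#         <base>.hmac  hex HMAC-SHA256 over the entire <base> file (header included)

etm_mac() {  # hex HMAC-SHA256 of file $1 under the independent MAC key
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$ETM_MAC_KEY" -r "$1" | cut -d' ' -f1
}

etm_encrypt() {  # $1 plaintext file, $2 output base
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -pass env:ETM_ENC_PASS \
      -in "$1" -out "$2" || return 1
  etm_mac "$2" > "$2.hmac"
}

etm_decrypt() {  # $1 ciphertext base, $2 plaintext out; returns 2 on tag mismatch
  expected=$(cat "$1.hmac") || return 1
  actual=$(etm_mac "$1") || return 1
  # The tag is verified before enc sees the data, so padding/length errors from
  # EVP_DecryptFinal_ex never leak anything about a modified file. Shell string
  # comparison is not constant-time; an online service should do this in a real
  # program with a constant-time compare.
  if [ "$expected" != "$actual" ]; then
    echo "etm: HMAC mismatch on $1, refusing to decrypt" >&2
    return 2
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass env:ETM_ENC_PASS \
      -in "$1" -out "$2"
}

# Demo on constructed input: 40 zero bytes, like the report's second case.
# Keys are generated here if the caller did not set them; keep them independent.
: "${ETM_ENC_PASS:=$(openssl rand -hex 16)}"; export ETM_ENC_PASS
: "${ETM_MAC_KEY:=$(openssl rand -hex 32)}";  export ETM_MAC_KEY
demo=$(mktemp -d)
dd if=/dev/zero of="$demo/zeros" bs=1 count=40 2>/dev/null
etm_encrypt "$demo/zeros" "$demo/zeros.enc"
etm_decrypt "$demo/zeros.enc" "$demo/zeros.dec" \
  && cmp -s "$demo/zeros" "$demo/zeros.dec" && echo "round trip ok"
printf 'x' >> "$demo/zeros.enc"    # corrupt the ciphertext file
etm_decrypt "$demo/zeros.enc" "$demo/zeros.dec2" || echo "tamper detected, rc=$?"
```

The MAC covers enc's "Salted__" header and salt as well as the ciphertext, so an attacker cannot swap the salt to change the derived key; using one secret for both the KDF password and the HMAC key would be the wrong shortcut, which is why two independent values are used.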
Adding support to verify TPM certificates with AKID serial mismatches
Hello openssl-dev. I've run into an issue using OpenSSL to verify a certificate chain from an Infineon TPM endorsement key. This is not an OpenSSL bug, but rather an issue handling certificates deployed in the wild.

I believe Infineon may have published intermediate certificates with an invalid serial number in the X509v3 Authority Identifier. These are being properly rejected in X509_check_akid(). Unfortunately, I'm stuck using these certificates and would like to continue using OpenSSL to verify them. I've written a small change (see below) to handle this, but is there any recommended workaround?

Infineon's EK intermediate certificates (e.g. IFX08.pem), their root certificate (IFX-root.pem), and their issuer Verisign's certificate (VRSN-root.pem) are posted on this page:
http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f#db3a304412b407950112b4165f462052

I've attached these as files in this message as well. You can see that the AKID in IFX08 is:

    X509v3 Authority Key Identifier:
        keyid:56:EB:91:44:85:63:D6:72:B3:AE:D4:45:96:0B:F7:94:0E:54:42:A6
        DirName:/C=DE/ST=Bavaria/O=Infineon Technologies AG/OU=AIM/CN=IFX TPM EK Root CA
        serial:03

The authority keyid matches the IFX-root key's SKID. However, the 03 serial number doesn't appear to be correct and is rejected by X509_check_akid. This same problem has apparently come up for people with other certificates, e.g.:
http://www.mail-archive.com/openssl-users@openssl.org/msg62131.html

As a workaround, I added a flag to make check_issuer more lenient and ignore issuer serial mismatches. See the attached patch. The usage is as follows:

    $ openssl verify -CApath /path/to/my/certs IFX08.pem
    IFX08.pem: C = DE, ST = Saxony, O = Infineon Technologies AG, OU = AIM, CN = IFX TPM EK Intermediate CA 08
    error 20 at 0 depth lookup:unable to get local issuer certificate
    $ openssl verify -ignore_akid_issuer_serial_mismatch -CApath /path/to/my/certs IFX08.pem
    IFX08.pem: OK

Thanks for any help or suggestions.
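The failure above is worth being able to reproduce and diagnose without the Infineon files, which are not reproduced here, and without the poster's -ignore_akid_issuer_serial_mismatch flag, which is from the attached patch and not a stock OpenSSL option. The script below is an added example, not from the post or from OpenSSL: it builds a constructed demo PKI in which one root key is self-signed twice (serial 1 and serial 3, same subject and SKID) and an intermediate is issued under the serial-3 copy, so verifying it against the serial-1 copy produces the same "error 20 ... unable to get local issuer certificate". The check_akid function performs the same two comparisons X509_check_akid makes (AKID keyid against issuer SKID, AKID serial against issuer serial) and says which one failed. It assumes OpenSSL 1.1.1 or later on PATH; the function names, the subject names and the extension config are this example's own.

```shell
#!/bin/sh
# Added example: reproduce an AKID issuer-serial mismatch with constructed certs
# and diagnose which AKID field disagrees with the candidate issuer.
# Assumes OpenSSL 1.1.1+. Names and config below are this example's own.

# Field extractors over `openssl x509 -text` output (hex, colons stripped).
akid_keyid()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *keyid:\(.*\)$/\1/p' | head -n 1; }
akid_serial() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *serial:\(.*\)$/\1/p' | tr -d ':' | head -n 1; }
skid()        { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'; }
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Same checks as X509_check_akid(): keyid vs issuer SKID, then AKID serial vs
# issuer serial. Returns 0 = consistent, 1 = keyid mismatch, 2 = serial mismatch
# (the case in this thread; OpenSSL reports X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
# internally and the issuer lookup then fails with error 20).
check_akid() {  # $1 cert, $2 candidate issuer
  cert=$1; issuer=$2
  kid=$(akid_keyid "$cert"); sk=$(skid "$issuer")
  if [ -n "$kid" ] && [ "$kid" != "$sk" ]; then
    echo "$cert: AKID keyid $kid != issuer SKID $sk"; return 1
  fi
  as=$(akid_serial "$cert"); is=$(cert_serial "$issuer")
  if [ -n "$as" ] && [ "$as" != "$is" ]; then
    echo "$cert: AKID serial $as != issuer serial $is (akid issuer serial mismatch)"; return 2
  fi
  echo "$cert: AKID consistent with $issuer"; return 0
}

# Constructed PKI: root key self-signed as serial 1 and as serial 3, intermediate
# issued under the serial-3 copy with issuer:always so the AKID carries "serial:03".
build_demo_pki() {  # $1 working directory
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
  openssl req -new -config "$d/ext.cnf" -key "$d/root.key" -subj "/CN=Demo TPM EK Root CA" -out "$d/root.csr"
  for n in 1 3; do
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial "$n" -days 365 \
      -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/root$n.pem" 2>/dev/null
  done
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/int.key"
  openssl req -new -config "$d/ext.cnf" -key "$d/int.key" -subj "/CN=Demo TPM EK Intermediate CA 08" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root3.pem" -CAkey "$d/root.key" -set_serial 8 -days 365 \
    -extfile "$d/ext.cnf" -extensions v3_int -out "$d/int.pem" 2>/dev/null
}

demo=$(mktemp -d)
build_demo_pki "$demo"
check_akid "$demo/int.pem" "$demo/root1.pem" || true   # serial 03 vs 01: rc 2
check_akid "$demo/int.pem" "$demo/root3.pem"            # consistent
openssl verify -CAfile "$demo/root1.pem" "$demo/int.pem" || echo "fails as in the report: same key, wrong serial"
openssl verify -CAfile "$demo/root3.pem" "$demo/int.pem"
```

Running check_akid against each candidate issuer before patching the verifier tells you whether the problem really is the serial (as here) or a keyid mismatch, which would point at a different root key entirely; with an AKID that names the issuer by serial, only a copy of the issuer certificate bearing that exact serial will be accepted by an unmodified OpenSSL.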