crypto/internal/fips140/aes: mark AES-ECB as not approved

FiloSottile · gopherbot · commit dd7a7ba38f36 · 2024-12-17T08:02:39.000-08:00
NIST SP 800-131Ar3 ipd, scheduled for publication in 2025Q1, marks AES-ECB as disallowed for encryption, and legacy use for decryption. There are apparently no details on how the transition is going to work, so to avoid surprises we just mark direct use of the Block as non-approved. We need to use Encrypt from higher level modes without tripping the service indicator. Within the aes package, we just use the internal function. For the gcm package we could do something more clever, but this deep into the freeze, just make an exported function that we commit to use nowhere else. I could not figure out a decent way to block ECB on GODEBUG=fips140=only. For #69536 Change-Id: I972a4b5da8efd0a0ab68d7dd509bec73aa2d6b68 Reviewed-on: https://go-review.googlesource.com/c/go/+/636775 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/src/crypto/internal/fips140/aes/aes.go b/src/crypto/internal/fips140/aes/aes.go
@@ -94,6 +94,8 @@ func newBlockExpanded(c *blockExpanded, key []byte) {
 func (c *Block) BlockSize() int { return BlockSize }
 
 func (c *Block) Encrypt(dst, src []byte) {
+	// AES-ECB is not approved in FIPS 140-3 mode.
+	fips140.RecordNonApproved()
 	if len(src) < BlockSize {
 		panic("crypto/aes: input not full block")
 	}
@@ -103,11 +105,12 @@ func (c *Block) Encrypt(dst, src []byte) {
 	if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
 		panic("crypto/aes: invalid buffer overlap")
 	}
-	fips140.RecordApproved()
 	encryptBlock(c, dst, src)
 }
 
 func (c *Block) Decrypt(dst, src []byte) {
+	// AES-ECB is not approved in FIPS 140-3 mode.
+	fips140.RecordNonApproved()
 	if len(src) < BlockSize {
 		panic("crypto/aes: input not full block")
 	}
@@ -117,6 +120,12 @@ func (c *Block) Decrypt(dst, src []byte) {
 	if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
 		panic("crypto/aes: invalid buffer overlap")
 	}
-	fips140.RecordApproved()
 	decryptBlock(c, dst, src)
 }
+
+// EncryptBlockInternal applies the AES encryption function to one block.
+//
+// It is an internal function meant only for the gcm package.
+func EncryptBlockInternal(c *Block, dst, src []byte) {
+	encryptBlock(c, dst, src)
+}
diff --git a/src/crypto/internal/fips140/aes/cbc.go b/src/crypto/internal/fips140/aes/cbc.go
@@ -50,7 +50,7 @@ func cryptBlocksEncGeneric(b *Block, civ *[BlockSize]byte, dst, src []byte) {
 	for len(src) > 0 {
 		// Write the xor to dst, then encrypt in place.
 		subtle.XORBytes(dst[:BlockSize], src[:BlockSize], iv)
-		b.Encrypt(dst[:BlockSize], dst[:BlockSize])
+		encryptBlock(b, dst[:BlockSize], dst[:BlockSize])
 
 		// Move to the next block with this block as the next iv.
 		iv = dst[:BlockSize]
@@ -111,7 +111,7 @@ func cryptBlocksDecGeneric(b *Block, civ *[BlockSize]byte, dst, src []byte) {
 	copy(civ[:], src[start:end])
 
 	for start >= 0 {
-		b.Decrypt(dst[start:end], src[start:end])
+		decryptBlock(b, dst[start:end], src[start:end])
 
 		if start > 0 {
 			subtle.XORBytes(dst[start:end], dst[start:end], src[prev:start])
diff --git a/src/crypto/internal/fips140/aes/ctr.go b/src/crypto/internal/fips140/aes/ctr.go
@@ -132,7 +132,7 @@ func ctrBlocks(b *Block, dst, src []byte, ivlo, ivhi uint64) {
 		byteorder.BEPutUint64(buf[i:], ivhi)
 		byteorder.BEPutUint64(buf[i+8:], ivlo)
 		ivlo, ivhi = add128(ivlo, ivhi, 1)
-		b.Encrypt(buf[i:], buf[i:])
+		encryptBlock(b, buf[i:], buf[i:])
 	}
 	// XOR into buf first, in case src and dst overlap (see above).
 	subtle.XORBytes(buf, src, buf)
diff --git a/src/crypto/internal/fips140/aes/gcm/cmac.go b/src/crypto/internal/fips140/aes/gcm/cmac.go
@@ -28,7 +28,7 @@ func NewCMAC(b *aes.Block) *CMAC {
 }
 
 func (c *CMAC) deriveSubkeys() {
-	c.b.Encrypt(c.k1[:], c.k1[:])
+	aes.EncryptBlockInternal(&c.b, c.k1[:], c.k1[:])
 	msb := shiftLeft(&c.k1)
 	c.k1[len(c.k1)-1] ^= msb * 0b10000111
 
@@ -45,7 +45,7 @@ func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {
 		// Special-cased as a single empty partial final block.
 		x = c.k2
 		x[len(m)] ^= 0b10000000
-		c.b.Encrypt(x[:], x[:])
+		aes.EncryptBlockInternal(&c.b, x[:], x[:])
 		return x
 	}
 	for len(m) >= aes.BlockSize {
@@ -54,15 +54,15 @@ func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {
 			// Final complete block.
 			subtle.XORBytes(x[:], c.k1[:], x[:])
 		}
-		c.b.Encrypt(x[:], x[:])
+		aes.EncryptBlockInternal(&c.b, x[:], x[:])
 		m = m[aes.BlockSize:]
 	}
 	if len(m) > 0 {
 		// Final incomplete block.
 		subtle.XORBytes(x[:], m, x[:])
 		subtle.XORBytes(x[:], c.k2[:], x[:])
 		x[len(m)] ^= 0b10000000
-		c.b.Encrypt(x[:], x[:])
+		aes.EncryptBlockInternal(&c.b, x[:], x[:])
 	}
 	return x
 }
diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_asm.go b/src/crypto/internal/fips140/aes/gcm/gcm_asm.go
@@ -81,7 +81,7 @@ func seal(out []byte, g *GCM, nonce, plaintext, data []byte) {
 		gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
 	}
 
-	g.cipher.Encrypt(tagMask[:], counter[:])
+	aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:])
 
 	var tagOut [gcmTagSize]byte
 	gcmAesData(&g.productTable, data, &tagOut)
@@ -114,7 +114,7 @@ func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error {
 		gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
 	}
 
-	g.cipher.Encrypt(tagMask[:], counter[:])
+	aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:])
 
 	var expectedTag [gcmTagSize]byte
 	gcmAesData(&g.productTable, data, &expectedTag)
diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_generic.go b/src/crypto/internal/fips140/aes/gcm/gcm_generic.go
@@ -12,7 +12,7 @@ import (
 
 func sealGeneric(out []byte, g *GCM, nonce, plaintext, additionalData []byte) {
 	var H, counter, tagMask [gcmBlockSize]byte
-	g.cipher.Encrypt(H[:], H[:])
+	aes.EncryptBlockInternal(&g.cipher, H[:], H[:])
 	deriveCounterGeneric(&H, &counter, nonce)
 	gcmCounterCryptGeneric(&g.cipher, tagMask[:], tagMask[:], &counter)
 
@@ -25,7 +25,7 @@ func sealGeneric(out []byte, g *GCM, nonce, plaintext, additionalData []byte) {
 
 func openGeneric(out []byte, g *GCM, nonce, ciphertext, additionalData []byte) error {
 	var H, counter, tagMask [gcmBlockSize]byte
-	g.cipher.Encrypt(H[:], H[:])
+	aes.EncryptBlockInternal(&g.cipher, H[:], H[:])
 	deriveCounterGeneric(&H, &counter, nonce)
 	gcmCounterCryptGeneric(&g.cipher, tagMask[:], tagMask[:], &counter)
 
@@ -70,7 +70,7 @@ func gcmCounterCryptGeneric(b *aes.Block, out, src []byte, counter *[gcmBlockSiz
 	var mask [gcmBlockSize]byte
 
 	for len(src) >= gcmBlockSize {
-		b.Encrypt(mask[:], counter[:])
+		aes.EncryptBlockInternal(b, mask[:], counter[:])
 		gcmInc32(counter)
 
 		subtle.XORBytes(out, src, mask[:])
@@ -79,7 +79,7 @@ func gcmCounterCryptGeneric(b *aes.Block, out, src []byte, counter *[gcmBlockSiz
 	}
 
 	if len(src) > 0 {
-		b.Encrypt(mask[:], counter[:])
+		aes.EncryptBlockInternal(b, mask[:], counter[:])
 		gcmInc32(counter)
 		subtle.XORBytes(out, src, mask[:])
 	}

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,8 @@ func newBlockExpanded(c *blockExpanded, key []byte) {`
`94`	`94`	`func (c *Block) BlockSize() int { return BlockSize }`
`95`	`95`
`96`	`96`	`func (c *Block) Encrypt(dst, src []byte) {`
	`97`	`+ // AES-ECB is not approved in FIPS 140-3 mode.`
	`98`	`+ fips140.RecordNonApproved()`
`97`	`99`	`if len(src) < BlockSize {`
`98`	`100`	`panic("crypto/aes: input not full block")`
`99`	`101`	`}`
`@@ -103,11 +105,12 @@ func (c *Block) Encrypt(dst, src []byte) {`
`103`	`105`	`if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {`
`104`	`106`	`panic("crypto/aes: invalid buffer overlap")`
`105`	`107`	`}`
`106`		`- fips140.RecordApproved()`
`107`	`108`	`encryptBlock(c, dst, src)`
`108`	`109`	`}`
`109`	`110`
`110`	`111`	`func (c *Block) Decrypt(dst, src []byte) {`
	`112`	`+ // AES-ECB is not approved in FIPS 140-3 mode.`
	`113`	`+ fips140.RecordNonApproved()`
`111`	`114`	`if len(src) < BlockSize {`
`112`	`115`	`panic("crypto/aes: input not full block")`
`113`	`116`	`}`
`@@ -117,6 +120,12 @@ func (c *Block) Decrypt(dst, src []byte) {`
`117`	`120`	`if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {`
`118`	`121`	`panic("crypto/aes: invalid buffer overlap")`
`119`	`122`	`}`
`120`		`- fips140.RecordApproved()`
`121`	`123`	`decryptBlock(c, dst, src)`
`122`	`124`	`}`
	`125`	`+`
	`126`	`+// EncryptBlockInternal applies the AES encryption function to one block.`
	`127`	`+//`
	`128`	`+// It is an internal function meant only for the gcm package.`
	`129`	`+func EncryptBlockInternal(c *Block, dst, src []byte) {`
	`130`	`+ encryptBlock(c, dst, src)`
	`131`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ func ctrBlocks(b *Block, dst, src []byte, ivlo, ivhi uint64) {`
`132`	`132`	`byteorder.BEPutUint64(buf[i:], ivhi)`
`133`	`133`	`byteorder.BEPutUint64(buf[i+8:], ivlo)`
`134`	`134`	`ivlo, ivhi = add128(ivlo, ivhi, 1)`
`135`		`- b.Encrypt(buf[i:], buf[i:])`
	`135`	`+ encryptBlock(b, buf[i:], buf[i:])`
`136`	`136`	`}`
`137`	`137`	`// XOR into buf first, in case src and dst overlap (see above).`
`138`	`138`	`subtle.XORBytes(buf, src, buf)`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func NewCMAC(b aes.Block) CMAC {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`func (c *CMAC) deriveSubkeys() {`
`31`		`- c.b.Encrypt(c.k1[:], c.k1[:])`
	`31`	`+ aes.EncryptBlockInternal(&c.b, c.k1[:], c.k1[:])`
`32`	`32`	`msb := shiftLeft(&c.k1)`
`33`	`33`	`c.k1[len(c.k1)-1] ^= msb * 0b10000111`
`34`	`34`
`@@ -45,7 +45,7 @@ func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {`
`45`	`45`	`// Special-cased as a single empty partial final block.`
`46`	`46`	`x = c.k2`
`47`	`47`	`x[len(m)] ^= 0b10000000`
`48`		`- c.b.Encrypt(x[:], x[:])`
	`48`	`+ aes.EncryptBlockInternal(&c.b, x[:], x[:])`
`49`	`49`	`return x`
`50`	`50`	`}`
`51`	`51`	`for len(m) >= aes.BlockSize {`
`@@ -54,15 +54,15 @@ func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {`
`54`	`54`	`// Final complete block.`
`55`	`55`	`subtle.XORBytes(x[:], c.k1[:], x[:])`
`56`	`56`	`}`
`57`		`- c.b.Encrypt(x[:], x[:])`
	`57`	`+ aes.EncryptBlockInternal(&c.b, x[:], x[:])`
`58`	`58`	`m = m[aes.BlockSize:]`
`59`	`59`	`}`
`60`	`60`	`if len(m) > 0 {`
`61`	`61`	`// Final incomplete block.`
`62`	`62`	`subtle.XORBytes(x[:], m, x[:])`
`63`	`63`	`subtle.XORBytes(x[:], c.k2[:], x[:])`
`64`	`64`	`x[len(m)] ^= 0b10000000`
`65`		`- c.b.Encrypt(x[:], x[:])`
	`65`	`+ aes.EncryptBlockInternal(&c.b, x[:], x[:])`
`66`	`66`	`}`
`67`	`67`	`return x`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ func seal(out []byte, g *GCM, nonce, plaintext, data []byte) {`
`81`	`81`	`gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))`
`82`	`82`	`}`
`83`	`83`
`84`		`- g.cipher.Encrypt(tagMask[:], counter[:])`
	`84`	`+ aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:])`
`85`	`85`
`86`	`86`	`var tagOut [gcmTagSize]byte`
`87`	`87`	`gcmAesData(&g.productTable, data, &tagOut)`
`@@ -114,7 +114,7 @@ func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error {`
`114`	`114`	`gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))`
`115`	`115`	`}`
`116`	`116`
`117`		`- g.cipher.Encrypt(tagMask[:], counter[:])`
	`117`	`+ aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:])`
`118`	`118`
`119`	`119`	`var expectedTag [gcmTagSize]byte`
`120`	`120`	`gcmAesData(&g.productTable, data, &expectedTag)`