Headline
CVE-2022-2582: service/s3/s3crypto: V2 Client Release (#3403) · aws/aws-sdk-go@35fa6dd
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
@@ -1,8 +1,11 @@ // +build go1.9
package s3crypto
import ( “bytes” “encoding/hex” “encoding/json” “fmt” “io” “io/ioutil” @@ -15,7 +18,7 @@ func TestAES_GCM_NIST_gcmEncryptExtIV256_PTLen_128_Test_0(t *testing.T) { iv, _ := hex.DecodeString(“0d18e06c7c725ac9e362e1ce”) key, _ := hex.DecodeString(“31bdadd96698c204aa9ce1448ea94ae1fb4a9a0b3c9d773b51bb1822666b8f22”) plaintext, _ := hex.DecodeString(“2db5168e932556f8089a0622981d017d”) expected, _ := hex.DecodeString(“fa4362189661d163fcd6a56d8bf0405ad636ac1bbedd5cc3ee727dc2ab4a9489”) expected, _ := hex.DecodeString(“fa4362189661d163fcd6a56d8bf0405a”) tag, _ := hex.DecodeString(“d636ac1bbedd5cc3ee727dc2ab4a9489”) aesgcmTest(t, iv, key, plaintext, expected, tag) } @@ -24,7 +27,7 @@ func TestAES_GCM_NIST_gcmEncryptExtIV256_PTLen_104_Test_3(t *testing.T) { iv, _ := hex.DecodeString(“4742357c335913153ff0eb0f”) key, _ := hex.DecodeString(“e5a0eb92cc2b064e1bc80891faf1fab5e9a17a9c3a984e25416720e30e6c2b21”) plaintext, _ := hex.DecodeString(“8499893e16b0ba8b007d54665a”) expected, _ := hex.DecodeString(“eb8e6175f1fe38eb1acf95fd5188a8b74bb74fda553e91020a23deed45”) expected, _ := hex.DecodeString(“eb8e6175f1fe38eb1acf95fd51”) tag, _ := hex.DecodeString(“88a8b74bb74fda553e91020a23deed45”) aesgcmTest(t, iv, key, plaintext, expected, tag) } @@ -33,7 +36,7 @@ func TestAES_GCM_NIST_gcmEncryptExtIV256_PTLen_256_Test_6(t *testing.T) { iv, _ := hex.DecodeString(“a291484c3de8bec6b47f525f”) key, _ := hex.DecodeString(“37f39137416bafde6f75022a7a527cc593b6000a83ff51ec04871a0ff5360e4e”) plaintext, _ := hex.DecodeString(“fafd94cede8b5a0730394bec68a8e77dba288d6ccaa8e1563a81d6e7ccc7fc97”) expected, _ := hex.DecodeString(“44dc868006b21d49284016565ffb3979cc4271d967628bf7cdaf86db888e92e501a2b578aa2f41ec6379a44a31cc019c”) expected, _ := hex.DecodeString(“44dc868006b21d49284016565ffb3979cc4271d967628bf7cdaf86db888e92e5”) tag, _ := hex.DecodeString(“01a2b578aa2f41ec6379a44a31cc019c”) aesgcmTest(t, iv, key, plaintext, expected, tag) } @@ -42,11 +45,62 @@ func TestAES_GCM_NIST_gcmEncryptExtIV256_PTLen_408_Test_8(t *testing.T) { iv, _ := hex.DecodeString(“92f258071d79af3e63672285”) key, _ := hex.DecodeString(“595f259c55abe00ae07535ca5d9b09d6efb9f7e9abb64605c337acbd6b14fc7e”) plaintext, _ := hex.DecodeString(“a6fee33eb110a2d769bbc52b0f36969c287874f665681477a25fc4c48015c541fbe2394133ba490a34ee2dd67b898177849a91”) expected, _ := hex.DecodeString(“bbca4a9e09ae9690c0f6f8d405e53dccd666aa9c5fa13c8758bc30abe1ddd1bcce0d36a1eaaaaffef20cd3c5970b9673f8a65c26ccecb9976fd6ac9c2c0f372c52c821”) expected, _ := hex.DecodeString(“bbca4a9e09ae9690c0f6f8d405e53dccd666aa9c5fa13c8758bc30abe1ddd1bcce0d36a1eaaaaffef20cd3c5970b9673f8a65c”) tag, _ := hex.DecodeString(“26ccecb9976fd6ac9c2c0f372c52c821”) aesgcmTest(t, iv, key, plaintext, expected, tag) }
type KAT struct { IV string `json:"iv"` Key string `json:"key"` Plaintext string `json:"pt"` AAD string `json:"aad"` CipherText string `json:"ct"` Tag string `json:"tag"` }
func TestAES_GCM_KATS(t *testing.T) { fileContents, err := ioutil.ReadFile(“testdata/aes_gcm.json”) if err != nil { t.Fatalf("failed to read KAT file: %v", err) }
var kats []KAT err = json.Unmarshal(fileContents, &kats) if err != nil { t.Fatalf("failed to unmarshal KAT json file: %v", err) }
for i, kat := range kats { t.Run(fmt.Sprintf("Case%d", i), func(t *testing.T) { if len(kat.AAD) > 0 { t.Skip(“Skipping… SDK implementation does not expose additional authenticated data”) } iv, err := hex.DecodeString(kat.IV) if err != nil { t.Fatalf("failed to decode iv: %v", err) } key, err := hex.DecodeString(kat.Key) if err != nil { t.Fatalf("failed to decode key: %v", err) } plaintext, err := hex.DecodeString(kat.Plaintext) if err != nil { t.Fatalf("failed to decode plaintext: %v", err) } ciphertext, err := hex.DecodeString(kat.CipherText) if err != nil { t.Fatalf("failed to decode ciphertext: %v", err) } tag, err := hex.DecodeString(kat.Tag) if err != nil { t.Fatalf("failed to decode tag: %v", err) } aesgcmTest(t, iv, key, plaintext, ciphertext, tag) }) } }
func TestGCMEncryptReader_SourceError(t *testing.T) { gcm := &gcmEncryptReader{ encrypter: &mockCipherAEAD{}, @@ -105,6 +159,8 @@ func TestGCMDecryptReader_DecrypterOpenError(t *testing.T) { }
func aesgcmTest(t *testing.T, iv, key, plaintext, expected, tag []byte) { t.Helper() const gcmTagSize = 16 cd := CipherData{ Key: key, IV: iv, @@ -122,11 +178,11 @@ func aesgcmTest(t *testing.T, iv, key, plaintext, expected, tag []byte) { }
// splitting tag and ciphertext etag := ciphertext[len(ciphertext)-16:] etag := ciphertext[len(ciphertext)-gcmTagSize:] if !bytes.Equal(etag, tag) { t.Errorf(“expected tags to be equivalent”) } if !bytes.Equal(ciphertext, expected) { if !bytes.Equal(ciphertext[:len(ciphertext)-gcmTagSize], expected) { t.Errorf(“expected ciphertext to be equivalent”) }
Related news
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.