- Reported
-
- Issued
-
- Package
-
libcrux-aesgcm
(crates.io)
- Type
-
Vulnerability
- Categories
-
- References
-
- CVSS Score
- 6.3
MEDIUM
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- Present
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- None
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- Low
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
- Patched
-
no patched versions
- Affected Functions
- Version
libcrux_aesgcm::AesGcm128Key::decrypt
-
libcrux_aesgcm::AesGcm256Key::decrypt
-
libcrux_aesgcm::aes_gcm_128::AesGcm128::decrypt
-
libcrux_aesgcm::aes_gcm_128::Key::decrypt
-
libcrux_aesgcm::aes_gcm_128::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_128::neon::Key::decrypt
-
libcrux_aesgcm::aes_gcm_128::neon::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_128::neon::NeonAesGcm128::decrypt
-
libcrux_aesgcm::aes_gcm_128::portable::Key::decrypt
-
libcrux_aesgcm::aes_gcm_128::portable::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_128::portable::PortableAesGcm128::decrypt
-
libcrux_aesgcm::aes_gcm_128::x64::Key::decrypt
-
libcrux_aesgcm::aes_gcm_128::x64::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_128::x64::X64AesGcm128::decrypt
-
libcrux_aesgcm::aes_gcm_256::AesGcm256::decrypt
-
libcrux_aesgcm::aes_gcm_256::Key::decrypt
-
libcrux_aesgcm::aes_gcm_256::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_256::neon::Key::decrypt
-
libcrux_aesgcm::aes_gcm_256::neon::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_256::neon::NeonAesGcm256::decrypt
-
libcrux_aesgcm::aes_gcm_256::portable::Key::decrypt
-
libcrux_aesgcm::aes_gcm_256::portable::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_256::portable::PortableAesGcm256::decrypt
-
libcrux_aesgcm::aes_gcm_256::x64::Key::decrypt
-
libcrux_aesgcm::aes_gcm_256::x64::KeyRef::decrypt
-
libcrux_aesgcm::aes_gcm_256::x64::X64AesGcm256::decrypt
-
Description
AES-GCM decryption used an implementation for checking the provided
authentication tag against the recomputed authentication tag that was
intended to be constant-time, but resulted in non-constant-time code
generation in certain circumstances.
Note that libcrux-aesgcm does not give guarantees on constant-time
code generation and possible mitigations must be considered
on a best-effort basis.
Impact
Users of libcrux-aesgcm that expose a decryption oracle to an
attacker, which allows repeatedly querying for the same ciphertext
were at risk from timing side-channel attacks, depending on their
compilation environment. In the worst case, this could lead to
recovery of the recomputed authentication tag by the attacker, which
enables ciphertext forgery.
Mitigation
Starting from version 0.0.9 (published as libcrux-aes@v0.0.9),
AES-GCM decryption uses a different, best-effort constant-time
implementation of the tag check, which has been checked to reliably
lead to constant time code generation, at the moment.
Advisory available under CC0-1.0
license.