OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*
- >= 4.0, < 4.0.1
- >= 3.6, < 3.6.3
- >= 3.5, < 3.5.7
- >= 3.4, < 3.4.6
- >= 3.0, < 3.0.21
A vulnerability exists in OpenSSL's AES-OCB implementation when the EVP_Cipher() one-shot interface is used. The application-supplied initialization vector (IV) is silently ignored, so every encryption under a given key reuses the same nonce. Nonce reuse in OCB results in a loss of confidentiality and also allows ciphertext forgery. The vulnerability affects OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0; the FIPS modules in these versions are not affected, because the issue lies outside the OpenSSL FIPS module boundary.
Exploitation of this vulnerability causes nonce reuse in AES-OCB encryption, which leads to a loss of confidentiality. It also allows ciphertext forgery, because the authentication tag can be manipulated so that it depends only on the key and IV, bypassing the integrity protection of the encrypted data.
To reproduce this vulnerability, an application must use the AES-OCB cipher with the EVP_Cipher() one-shot API instead of the recommended streaming interface. The IV the application supplies is ignored and a default nonce is used instead, so the same key and nonce combination is reused for every encryption, which is what makes the issue exploitable.
Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.21. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.