author | Pauli <paul.dale@oracle.com> | 2018-09-05 12:18:22 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2018-09-12 08:40:47 +1000 |
commit | 95eda4f09a37382393cfec7933bac4deb613cdec (patch) | |
tree | 283cd1052842397e9ac6bfaa2c498cccbbb9d53e | |
parent | a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed (diff) |
FIPS 140-2 IG A.9 XTS key check.
Add a check that the two keys used for AES-XTS are different.
One test case uses the same key for both of the AES-XTS keys. This causes
a failure under FIPS 140-2 IG A.9. Mark the test as returning a failure.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7120)
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | crypto/evp/e_aes.c | 24 | ||||
-rw-r--r-- | test/recipes/30-test_evp_data/evpciph.txt | 1 |
3 files changed, 30 insertions, 2 deletions
@@ -24,6 +24,13 @@
 *) Add SM2 base algorithm support.
 [Jack Lloyd]
 
+ *) AES-XTS mode now enforces that its two keys are different to mitigate
+ the attacked described in "Efficient Instantiations of Tweakable
+ Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+ Details of this attack can be obtained from:
+ http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ [Paul Dale]
+
 *) s390x assembly pack: add (improved) hardware-support for the following
 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
 aes-cfb/cfb8, aes-ecb.
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 0add393276..61d37a899f 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -3410,10 +3410,30 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 const unsigned char *in, size_t len)
 {
 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
- if (!xctx->xts.key1 || !xctx->xts.key2)
+
+ if (xctx->xts.key1 == NULL
+ || xctx->xts.key2 == NULL
+ || out == NULL
+ || in == NULL
+ || len < AES_BLOCK_SIZE)
 return 0;
- if (!out || !in || len < AES_BLOCK_SIZE)
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses the vulnerability described in Rogaway's September 2004
+ * paper (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf):
+ * "Efficient Instantiations of Tweakable Blockciphers and Refinements
+ * to Modes OCB and PMAC".
+ *
+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states that:
+ * "The check for Key_1 != Key_2 shall be done at any place BEFORE
+ * using the keys in the XTS-AES algorithm to process data with them."
+ */
+ if (CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2,
+ EVP_CIPHER_CTX_key_length(ctx) / 2) == 0)
 return 0;
+
 if (xctx->stream)
 (*xctx->stream)
 (in, out, len, xctx->xts.key1, xctx->xts.key2,
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index d117455052..d1086b7241 100644
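Review bot: In the crypto/evp/e_aes.c hunk, the new `CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2, EVP_CIPHER_CTX_key_length(ctx) / 2)` compares whatever `xts.key1` and `xts.key2` point at, and the same two pointers are handed straight to `(*xctx->stream)` a few lines later, which suggests they are expanded key objects rather than the caller's raw key bytes. If that is the case, the result depends on the key-schedule layout of the selected AES implementation, and on decryption, where the first schedule is presumably built differently from the second, identical keys could pass the check unnoticed. Comparing the two halves of the raw key once at key setup would be layout-independent, would avoid repeating the comparison on every call, and would still satisfy the IG A.9 wording quoted in the comment, e.g. `if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) return 0;`, where `key` and `bytes` stand for the raw key pointer and half key length in the init routine, which lies outside this hunk. The bare `return 0` also gives callers no way to tell a duplicate-key rejection from a NULL-argument or short-length failure, so raising an EVP error at that point would make the policy failure diagnosable; the body of aes_xts_cipher continues past the end of the hunk.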
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000000000000000000000000000000000
 IV = 00000000000000000000000000000000
 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
 Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
+Result = CIPHERUPDATE_ERROR
 
 Cipher = aes-128-xts
 Key = 1111111111111111111111111111111122222222222222222222222222222222 |