FIPS 140-2 IG A.9 XTS key check.

Add a check that the two keys used for AES-XTS are different. One test case uses the same key for both of the AES-XTS keys. This causes a failure under FIP 140-2 IG A.9. Mark the test as returning a failure. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7120)
author: Pauli <paul.dale@oracle.com> 2018-09-05 12:18:22 +1000
committer: Pauli <paul.dale@oracle.com> 2018-09-12 08:40:47 +1000
commit: 95eda4f09a37382393cfec7933bac4deb613cdec (patch)
tree: 283cd1052842397e9ac6bfaa2c498cccbbb9d53e /CHANGES
parent: a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index abb03b4e4b..d5ed4227cb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,13 @@
   *) Add SM2 base algorithm support.
      [Jack Lloyd]
 
+  *) AES-XTS mode now enforces that its two keys are different to mitigate
+     the attacked described in "Efficient Instantiations of Tweakable
+     Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+     Details of this attack can be obtained from:
+     http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+     [Paul Dale]
+
   *) s390x assembly pack: add (improved) hardware-support for the following
      cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
      aes-cfb/cfb8, aes-ecb.
author	Pauli <paul.dale@oracle.com>	2018-09-05 12:18:22 +1000
committer	Pauli <paul.dale@oracle.com>	2018-09-12 08:40:47 +1000
commit	95eda4f09a37382393cfec7933bac4deb613cdec (patch)
tree	283cd1052842397e9ac6bfaa2c498cccbbb9d53e /CHANGES
parent	a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed (diff)