[openssl-commits] [openssl] master update
Paul I. Dale
pauli at openssl.org
Tue Sep 11 22:47:17 UTC 2018
The branch master has been updated
via b28bfa7e5685588113a33708477b065d5888283e (commit)
via 95eda4f09a37382393cfec7933bac4deb613cdec (commit)
from a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed (commit)
- Log -----------------------------------------------------------------
commit b28bfa7e5685588113a33708477b065d5888283e
Author: Pauli <paul.dale at oracle.com>
Date: Wed Sep 12 08:42:15 2018 +1000
Add a note to CHANGES indicating that AES-XTS now enforces two different
keys.
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7120)
commit 95eda4f09a37382393cfec7933bac4deb613cdec
Author: Pauli <paul.dale at oracle.com>
Date: Wed Sep 5 12:18:22 2018 +1000
FIPS 140-2 IG A.9 XTS key check.
Add a check that the two keys used for AES-XTS are different.
One test case uses the same key for both of the AES-XTS keys. This causes
a failure under FIP 140-2 IG A.9. Mark the test as returning a failure.
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7120)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 7 ++++++-
crypto/evp/e_aes.c | 24 ++++++++++++++++++++++--
test/recipes/30-test_evp_data/evpciph.txt | 1 +
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index abb03b4..657f0cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,12 @@
Changes between 1.1.1 and 1.1.2 [xx XXX xxxx]
- *)
+ *) AES-XTS mode now enforces that its two keys are different to mitigate
+ the attacked described in "Efficient Instantiations of Tweakable
+ Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+ Details of this attack can be obtained from:
+ http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ [Paul Dale]
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 0add393..61d37a8 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -3410,10 +3410,30 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
- if (!xctx->xts.key1 || !xctx->xts.key2)
+
+ if (xctx->xts.key1 == NULL
+ || xctx->xts.key2 == NULL
+ || out == NULL
+ || in == NULL
+ || len < AES_BLOCK_SIZE)
return 0;
- if (!out || !in || len < AES_BLOCK_SIZE)
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses the vulnerability described in Rogaway's September 2004
+ * paper (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf):
+ * "Efficient Instantiations of Tweakable Blockciphers and Refinements
+ * to Modes OCB and PMAC".
+ *
+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states that:
+ * "The check for Key_1 != Key_2 shall be done at any place BEFORE
+ * using the keys in the XTS-AES algorithm to process data with them."
+ */
+ if (CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2,
+ EVP_CIPHER_CTX_key_length(ctx) / 2) == 0)
return 0;
+
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index d117455..d1086b7 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000000000000000000000000000000000
IV = 00000000000000000000000000000000
Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
+Result = CIPHERUPDATE_ERROR
Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222
More information about the openssl-commits
mailing list