[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Wed Apr 3 06:04:17 UTC 2019
The branch master has been updated
via 5516c19b0314ef9416c5b02ae6347c4f52209e6a (commit)
from 705a27f7e07c006b167b59070ff635a61f8e0407 (commit)
- Log -----------------------------------------------------------------
commit 5516c19b0314ef9416c5b02ae6347c4f52209e6a
Author: Pauli <paul.dale at oracle.com>
Date: Wed Apr 3 16:03:46 2019 +1000
AES-XTS block limit.
Limit the number of AES blocks in a data unit to 2^20 or less.
This corresponds to the mandates in IEEE Std 1619-2018 and NIST SP 800-38E.
Note: that this is a change from IEEE Std 1619-2007 which only recommended
this limit.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8627)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 3 +++
crypto/err/openssl.txt | 2 ++
crypto/evp/e_aes.c | 13 ++++++++++++-
crypto/evp/evp_err.c | 3 +++
crypto/modes/modes_lcl.h | 6 ++++++
include/openssl/evperr.h | 2 ++
6 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 28d732b..e70e42b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,9 @@
Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as
+ mandated by IEEE Std 1619-2018.
+
*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
checksum programs. This aims to preserve backward compatibility.
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 27e1890..8808b25 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -756,6 +756,7 @@ EVP_F_AES_INIT_KEY:133:aes_init_key
EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher
EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher
+EVP_F_AES_XTS_CIPHER:229:aes_xts_cipher
EVP_F_ALG_MODULE_INIT:177:alg_module_init
EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key
EVP_F_ARIA_GCM_CTRL:197:aria_gcm_ctrl
@@ -2413,6 +2414,7 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
EVP_R_UPDATE_ERROR:189:update error
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
+EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE:191:xts data unit is too large
KDF_R_INVALID_DIGEST:100:invalid digest
KDF_R_INVALID_MAC_TYPE:116:invalid mac type
KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 5b473bc..b628c05 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -3520,6 +3520,17 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 0;
/*
+ * Impose a limit of 2^20 blocks per data unit as specifed by
+ * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
+ * indicated that this was a SHOULD NOT rather than a MUST NOT.
+ * NIST SP 800-38E mandates the same limit.
+ */
+ if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
+ return 0;
+ }
+
+ /*
* Verify that the two keys are different.
*
* This addresses the vulnerability described in Rogaway's September 2004
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 068120e..6e72b6b 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -21,6 +21,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
@@ -303,6 +304,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"wrap mode not allowed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
"wrong final block length"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
+ "xts data unit is too large"},
{0, NULL}
};
diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_lcl.h
index 0517808..aed79ff 100644
--- a/crypto/modes/modes_lcl.h
+++ b/crypto/modes/modes_lcl.h
@@ -133,6 +133,12 @@ struct gcm128_context {
#endif
};
+/*
+ * The maximum permitted number of cipher blocks per data unit in XTS mode.
+ * Reference IEEE Std 1619-2018.
+ */
+#define XTS_MAX_BLOCKS_PER_DATA_UNIT (1<<20)
+
struct xts128_context {
void *key1, *key2;
block128_f block1, block2;
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index 598930a..d60402c 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -30,6 +30,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
# define EVP_F_AES_WRAP_CIPHER 170
+# define EVP_F_AES_XTS_CIPHER 229
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_ARIA_CCM_INIT_KEY 175
# define EVP_F_ARIA_GCM_CTRL 197
@@ -225,5 +226,6 @@ int ERR_load_EVP_strings(void);
# define EVP_R_UPDATE_ERROR 189
# define EVP_R_WRAP_MODE_NOT_ALLOWED 170
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191
#endif
More information about the openssl-commits
mailing list