FIPS 140-2 IG A.9 XTS key check.

Add a check that the two keys used for AES-XTS are different.

One test case uses the same key for both of the AES-XTS keys.  This causes
a failure under FIP 140-2 IG A.9.  Mark the test as returning a failure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7120)

diff --git a/CHANGES b/CHANGES
index abb03b4e4b30a8df4eca8e5d364adfd69988b427..d5ed4227cb397717267dd70f2e629cc0ff2fe760 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,13 @@
   *) Add SM2 base algorithm support.
      [Jack Lloyd]
 
+  *) AES-XTS mode now enforces that its two keys are different to mitigate
+     the attacked described in "Efficient Instantiations of Tweakable
+     Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+     Details of this attack can be obtained from:
+     http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+     [Paul Dale]
+
   *) s390x assembly pack: add (improved) hardware-support for the following
      cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
      aes-cfb/cfb8, aes-ecb.

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 0add393276bccaa4d62a99372d061f2329dd72ef..61d37a899f67202c2e8a43ea1f9f33ba466b9650 100644 (file)
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -3410,10 +3410,30 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
     EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
-    if (!xctx->xts.key1 || !xctx->xts.key2)
+
+    if (xctx->xts.key1 == NULL
+            || xctx->xts.key2 == NULL
+            || out == NULL
+            || in == NULL
+            || len < AES_BLOCK_SIZE)
         return 0;
-    if (!out || !in || len < AES_BLOCK_SIZE)
+
+    /*
+     * Verify that the two keys are different.
+     *
+     * This addresses the vulnerability described in Rogaway's September 2004
+     * paper (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf):
+     *      "Efficient Instantiations of Tweakable Blockciphers and Refinements
+     *       to Modes OCB and PMAC".
+     *
+     * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states that:
+     *      "The check for Key_1 != Key_2 shall be done at any place BEFORE
+     *       using the keys in the XTS-AES algorithm to process data with them."
+    */
+    if (CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2,
+                      EVP_CIPHER_CTX_key_length(ctx) / 2) == 0)
         return 0;
+
     if (xctx->stream)
         (*xctx->stream) (in, out, len,
                          xctx->xts.key1, xctx->xts.key2,

diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index d117455052f5cc45ea818b9c7f049c4411fed23e..d1086b7241a5f7b0d21ae00f3cfaa2f6e678f73a 100644 (file)
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000000000000000000000000000000000
 IV = 00000000000000000000000000000000
 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
 Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
+Result = CIPHERUPDATE_ERROR
 
 Cipher = aes-128-xts
 Key = 1111111111111111111111111111111122222222222222222222222222222222