Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
openssl-1_0_0.18624
openssl-fips-xts_nonidentical_key_parts.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-fips-xts_nonidentical_key_parts.patch of Package openssl-1_0_0.18624
Index: openssl-1.0.2j/crypto/evp/e_aes.c =================================================================== --- openssl-1.0.2j.orig/crypto/evp/e_aes.c 2017-02-16 17:20:41.647972394 +0100 +++ openssl-1.0.2j/crypto/evp/e_aes.c 2017-02-17 17:05:29.251130889 +0100 @@ -177,6 +177,26 @@ void AES_xts_decrypt(const char *inp, ch # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks # endif +static int xts_check_key(const unsigned char *key, unsigned int key_len) +{ + /* + * key consists of two keys of equal size concatenated, + * therefore the length must be even + */ + if (key_len % 2) + return 0; + +# ifdef OPENSSL_FIPS + /* FIPS 140-2 IG A.9 mandates that the key parts mustn't match */ + if (FIPS_module_mode() && + CRYPTO_memcmp(key, key + (key_len / 2), key_len / 2) == 0) { + return 0; + } +# endif + + return 1; +} + # if defined(AES_ASM) && !defined(I386_ONLY) && ( \ ((defined(__i386) || defined(__i386__) || \ defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ @@ -387,6 +407,9 @@ static int aesni_xts_init_key(EVP_CIPHER return 1; if (key) { + if (xts_check_key(key, ctx->key_len) == 0) + return 0; + /* key_len is two AES keys */ if (enc) { aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); @@ -707,6 +730,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE return 1; if (key) { + if (xts_check_key(key, ctx->key_len) == 0) + return 0; + int bits = ctx->key_len * 4; xctx->stream = NULL; /* key_len is two AES keys */ @@ -1650,7 +1676,10 @@ static int aes_xts_init_key(EVP_CIPHER_C if (!iv && !key) return 1; - if (key) + if (key) { + if (xts_check_key(key, ctx->key_len) == 0) + return 0; + do { # ifdef AES_XTS_ASM xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; @@ -1719,6 +1748,7 @@ static int aes_xts_init_key(EVP_CIPHER_C xctx->xts.key1 = &xctx->ks1; } while (0); + } if (iv) { xctx->xts.key2 = &xctx->ks2;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor