*) Add SM2 base algorithm support.
[Jack Lloyd]
+ *) AES-XTS mode now enforces that its two keys are different to mitigate
+ the attacked described in "Efficient Instantiations of Tweakable
+ Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+ Details of this attack can be obtained from:
+ http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ [Paul Dale]
+
*) s390x assembly pack: add (improved) hardware-support for the following
cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
aes-cfb/cfb8, aes-ecb.
const unsigned char *in, size_t len)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
- if (!xctx->xts.key1 || !xctx->xts.key2)
+
+ if (xctx->xts.key1 == NULL
+ || xctx->xts.key2 == NULL
+ || out == NULL
+ || in == NULL
+ || len < AES_BLOCK_SIZE)
return 0;
- if (!out || !in || len < AES_BLOCK_SIZE)
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses the vulnerability described in Rogaway's September 2004
+ * paper (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf):
+ * "Efficient Instantiations of Tweakable Blockciphers and Refinements
+ * to Modes OCB and PMAC".
+ *
+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states that:
+ * "The check for Key_1 != Key_2 shall be done at any place BEFORE
+ * using the keys in the XTS-AES algorithm to process data with them."
+ */
+ if (CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2,
+ EVP_CIPHER_CTX_key_length(ctx) / 2) == 0)
return 0;
+
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
IV = 00000000000000000000000000000000
Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
+Result = CIPHERUPDATE_ERROR
Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222