File gnutls-fips_XTS_key_check.patch of Package gnutls.18749

Index: gnutls-3.6.7/lib/nettle/backport/xts.c
===================================================================
--- gnutls-3.6.7.orig/lib/nettle/backport/xts.c	2020-04-07 11:11:54.506109418 +0200
+++ gnutls-3.6.7/lib/nettle/backport/xts.c	2020-04-07 16:52:48.543404370 +0200
@@ -203,6 +203,8 @@ xts_decrypt_message(const void *dec_ctx,
 void
 xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
 {
+    /* FIPS requires that the key and the tweak must not be non-equal */
+    assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0);
     aes128_set_encrypt_key(&xts_key->cipher, key);
     aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]);
 }
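Review bot: The duplicate-key check added at the top of xts_aes128_set_encrypt_key is an `assert()`, which is compiled out when the library is built with NDEBUG and otherwise aborts the calling process, so it is not a dependable FIPS control in either build. The same applies to the three other setters patched below (xts_aes128_set_decrypt_key, xts_aes256_set_encrypt_key, xts_aes256_set_decrypt_key). Because these setters return void, the comparison is better done in a caller that can report failure, for example `if (gnutls_memcmp(key, key + half, half) == 0) return GNUTLS_E_INVALID_REQUEST;`, where `half` is a placeholder for that caller's half-key length. That form also avoids running an early-exit `memcmp` over key material. The comment's double negative states the opposite of what the code checks; it should read `/* FIPS requires that the data key and the tweak key differ */`.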
@@ -210,6 +212,8 @@ xts_aes128_set_encrypt_key(struct xts_ae
 void
 xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
 {
+    /* FIPS requires that the key and the tweak must not be non-equal */
+    assert(memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) != 0);
     aes128_set_decrypt_key(&xts_key->cipher, key);
     aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]);
 }
@@ -238,6 +242,8 @@ xts_aes128_decrypt_message(struct xts_ae
 void
 xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
 {
+    /* FIPS requires that the key and the tweak must not be non-equal */
+    assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0);
     aes256_set_encrypt_key(&xts_key->cipher, key);
     aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]);
 }
@@ -245,6 +251,8 @@ xts_aes256_set_encrypt_key(struct xts_ae
 void
 xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
 {
+    /* FIPS requires that the key and the tweak must not be non-equal */
+    assert(memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) != 0);
     aes256_set_decrypt_key(&xts_key->cipher, key);
     aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]);
 }