File openssl-fips-xts_nonidentical_key_parts.patch of Package openssl-1_1.28594
Index: openssl-1.1.0i/crypto/evp/e_aes.c
===================================================================
--- openssl-1.1.0i.orig/crypto/evp/e_aes.c
+++ openssl-1.1.0i/crypto/evp/e_aes.c
@@ -160,6 +160,26 @@ static void ctr64_inc(unsigned char *cou
} while (n);
}
+static int xts_check_key(const unsigned char *key, unsigned int key_len)
+{
+ /*
+ * key consists of two keys of equal size concatenated,
+ * therefore the length must be even
+ */
+ if (key_len % 2)
+ return 0;
+
+# ifdef OPENSSL_FIPS
+ /* FIPS 140-2 IG A.9 mandates that the key parts mustn't match */
+ if (FIPS_module_mode() &&
+ CRYPTO_memcmp(key, key + (key_len / 2), key_len / 2) == 0) {
+ return 0;
+ }
+# endif
+
+ return 1;
+}
+
#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
# include "ppc_arch.h"
# ifdef VPAES_ASM
@@ -387,6 +407,9 @@ static int aesni_xts_init_key(EVP_CIPHER
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
/* key_len is two AES keys */
if (enc) {
aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
@@ -791,6 +814,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
xctx->stream = NULL;
/* key_len is two AES keys */
@@ -3302,7 +3328,9 @@ static int aes_xts_init_key(EVP_CIPHER_C
if (!iv && !key)
return 1;
- if (key)
+ if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
do {
#ifdef AES_XTS_ASM
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
@@ -3386,6 +3414,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
xctx->xts.key1 = &xctx->ks1;
} while (0);
+ }
if (iv) {
xctx->xts.key2 = &xctx->ks2;
