File openssl-fips-xts_nonidentical_key_parts.patch of Package openssl-1_1.16402
Index: openssl-1.1.0i/crypto/evp/e_aes.c
===================================================================
--- openssl-1.1.0i.orig/crypto/evp/e_aes.c 2019-11-29 15:55:20.119533679 +0100
+++ openssl-1.1.0i/crypto/evp/e_aes.c 2019-11-29 15:58:06.256671259 +0100
@@ -144,6 +144,26 @@ void AES_xts_decrypt(const char *inp, ch
const unsigned char iv[16]);
#endif
+static int xts_check_key(const unsigned char *key, unsigned int key_len)
+{
+ /*
+ * key consists of two keys of equal size concatenated,
+ * therefore the length must be even
+ */
+ if (key_len % 2)
+ return 0;
+
+# ifdef OPENSSL_FIPS
+ /* FIPS 140-2 IG A.9 mandates that the key parts mustn't match */
+ if (FIPS_module_mode() &&
+ CRYPTO_memcmp(key, key + (key_len / 2), key_len / 2) == 0) {
+ return 0;
+ }
+# endif
+
+ return 1;
+}
+
#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
# include "ppc_arch.h"
# ifdef VPAES_ASM
@@ -371,6 +391,9 @@ static int aesni_xts_init_key(EVP_CIPHER
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
/* key_len is two AES keys */
if (enc) {
aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
@@ -775,6 +798,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
xctx->stream = NULL;
/* key_len is two AES keys */
@@ -2176,7 +2202,9 @@ static int aes_xts_init_key(EVP_CIPHER_C
if (!iv && !key)
return 1;
- if (key)
+ if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
do {
#ifdef AES_XTS_ASM
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
@@ -2260,6 +2288,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
xctx->xts.key1 = &xctx->ks1;
} while (0);
+ }
if (iv) {
xctx->xts.key2 = &xctx->ks2;