diff options
| author | Daiki Ueno <dueno@redhat.com> | 2020-04-11 15:28:29 +0200 |
|---|---|---|
| committer | Daiki Ueno <dueno@redhat.com> | 2020-04-14 15:12:34 +0200 |
| commit | ec04c1f8911c37be2cad198a9a68ce3ef54d8426 (patch) | |
| tree | 7c6a8318ce61853661905741c1d7c2b571e0ddc0 | |
| parent | b143a756aee850b0a0d3bdfdfaa51ee27cb2f25f (diff) | |
| download | gnutls-tmp-xts-ig-a9.tar.gz | |
xts: check key blocks according to FIPS-140-2 IG A.9tmp-xts-ig-a9
The implementation guidance suggests that a check of key1 != key2
should be done at any place before the keys are used:
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf
Signed-off-by: Daiki Ueno <dueno@redhat.com>
| -rw-r--r-- | lib/nettle/cipher.c | 52 |
1 files changed, 48 insertions, 4 deletions
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c index 5a8836bbf5..35719357f4 100644 --- a/lib/nettle/cipher.c +++ b/lib/nettle/cipher.c @@ -327,6 +327,50 @@ _cfb8_decrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst, } static void +_xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, + const uint8_t *key) +{ + if (_gnutls_fips_mode_enabled() && + safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes128_set_encrypt_key(xts_key, key); +} + +static void +_xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, + const uint8_t *key) +{ + if (_gnutls_fips_mode_enabled() && + safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes128_set_decrypt_key(xts_key, key); +} + +static void +_xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, + const uint8_t *key) +{ + if (_gnutls_fips_mode_enabled() && + safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes256_set_encrypt_key(xts_key, key); +} + +static void +_xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, + const uint8_t *key) +{ + if (_gnutls_fips_mode_enabled() && + safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes256_set_decrypt_key(xts_key, key); +} + +static void _xts_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { @@ -802,8 +846,8 @@ static const struct nettle_cipher_st builtin_ciphers[] = { .ctx_size = sizeof(struct xts_aes128_key), .encrypt = _xts_aes128_encrypt, .decrypt = _xts_aes128_decrypt, - .set_encrypt_key = (nettle_set_key_func*)xts_aes128_set_encrypt_key, - .set_decrypt_key = (nettle_set_key_func*)xts_aes128_set_decrypt_key, + .set_encrypt_key = (nettle_set_key_func*)_xts_aes128_set_encrypt_key, + .set_decrypt_key = (nettle_set_key_func*)_xts_aes128_set_decrypt_key, .max_iv_size = AES_BLOCK_SIZE, }, { .algo = GNUTLS_CIPHER_AES_256_XTS, @@ -813,8 +857,8 @@ static const struct nettle_cipher_st builtin_ciphers[] = { .ctx_size = sizeof(struct xts_aes256_key), .encrypt = _xts_aes256_encrypt, .decrypt = _xts_aes256_decrypt, - .set_encrypt_key = (nettle_set_key_func*)xts_aes256_set_encrypt_key, - .set_decrypt_key = (nettle_set_key_func*)xts_aes256_set_decrypt_key, + .set_encrypt_key = (nettle_set_key_func*)_xts_aes256_set_encrypt_key, + .set_decrypt_key = (nettle_set_key_func*)_xts_aes256_set_decrypt_key, .max_iv_size = AES_BLOCK_SIZE, }, }; |