From 45321c41e2108a14bfe2f185e15f946dc20e9b19 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 15 Apr 2011 12:01:53 +0000
Subject: [PATCH] Add length limitation from SP800-38E.
---
 crypto/evp/e_aes.c | 8 ++++++++
 crypto/evp/evp.h | 2 ++
 crypto/evp/evp_err.c | 2 ++
 3 files changed, 12 insertions(+)
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index c093eb5e59..3b21ab9ccf 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -519,6 +519,14 @@ static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
 return -1;
 if (!out || !in)
 return -1;
+#ifdef OPENSSL_FIPS
+ /* Requirement of SP800-38E */
+ if (FIPS_mode() && len > (1L<<20)*16)
+ {
+ EVPerr(EVP_F_AES_XTS, EVP_R_TOO_LARGE);
+ return -1;
+ }
+#endif
 if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, ctx->encrypt))
 return -1;
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index b4c8675043..74ca64bc99 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -1248,6 +1248,7 @@ void ERR_load_EVP_strings(void);
 /* Function codes. */
 #define EVP_F_AESNI_INIT_KEY 165
 #define EVP_F_AES_INIT_KEY 133
+#define EVP_F_AES_XTS 172
 #define EVP_F_CAMELLIA_INIT_KEY 159
 #define EVP_F_D2I_PKEY 100
 #define EVP_F_DO_SIGVER_INIT 161
@@ -1369,6 +1370,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
 #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
 #define EVP_R_PUBLIC_KEY_NOT_RSA 106
+#define EVP_R_TOO_LARGE 164
 #define EVP_R_UNKNOWN_CIPHER 160
 #define EVP_R_UNKNOWN_DIGEST 161
 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index ae0a45ff30..095f7c712b 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
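Review bot: The bound in the added `if (FIPS_mode() && len > (1L<<20)*16)` in aes_xts is an unnamed signed `long` expression compared against `len`, which is presumably a `size_t` (the signature and the rest of the function lie outside the hunk), and the one-line comment does not say what the number means. I would spell it `len > (1UL<<20)*16` and expand the comment to `/* SP800-38E: one data unit (one call under ctx->iv) is limited to 2^20 16-byte blocks */`. The check is compiled only under OPENSSL_FIPS and applies only when FIPS_mode() is set, so every other build still passes longer inputs to CRYPTO_xts128_encrypt under a single ctx->iv; the comment should state that, so callers who need the limit outside FIPS mode know to enforce it themselves.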
@@ -72,6 +72,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
 {
 {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
 {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
+{ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"},
 {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
 {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
 {ERR_FUNC(EVP_F_DO_SIGVER_INIT), "DO_SIGVER_INIT"},
@@ -196,6 +197,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
 {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
 {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
+{ERR_REASON(EVP_R_TOO_LARGE) ,"too large"},
 {ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
 {ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
 {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},