AES-XTS block limit.

Limit the number of AES blocks in a data unit to 2^20 or less. This corresponds to the mandates in IEEE Std 1619-2018 and NIST SP 800-38E. Note: that this is a change from IEEE Std 1619-2007 which only recommended this limit. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/8627)
2025-01-30 14:01:55 +08:00 · 2019-04-03 16:03:46 +10:00 · 2019-04-03 16:03:46 +10:00 · 5516c19b03
commit 5516c19b03
parent 705a27f7e0
6 changed files with 28 additions and 1 deletions
--- a/3
+++ b/3
@ -9,6 +9,9 @@

 Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]

+  *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as
+     mandated by IEEE Std 1619-2018.
+
  *) Added newline escaping functionality to a filename when using openssl dgst.
     This output format is to replicate the output format found in the '*sum'
     checksum programs. This aims to preserve backward compatibility.
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@ -756,6 +756,7 @@ EVP_F_AES_INIT_KEY:133:aes_init_key
 EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher
 EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
 EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher
+EVP_F_AES_XTS_CIPHER:229:aes_xts_cipher
 EVP_F_ALG_MODULE_INIT:177:alg_module_init
 EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key
 EVP_F_ARIA_GCM_CTRL:197:aria_gcm_ctrl
@ -2413,6 +2414,7 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
 EVP_R_UPDATE_ERROR:189:update error
 EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
 EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
+EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE:191:xts data unit is too large
 KDF_R_INVALID_DIGEST:100:invalid digest
 KDF_R_INVALID_MAC_TYPE:116:invalid mac type
 KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -3519,6 +3519,17 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
            || len < AES_BLOCK_SIZE)
        return 0;

+    /*
+     * Impose a limit of 2^20 blocks per data unit as specifed by
+     * IEEE Std 1619-2018.  The earlier and obsolete IEEE Std 1619-2007
+     * indicated that this was a SHOULD NOT rather than a MUST NOT.
+     * NIST SP 800-38E mandates the same limit.
+     */
+    if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
+        EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
+        return 0;
+    }
+
    /*
     * Verify that the two keys are different.
     *
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@ -21,6 +21,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
    {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
    {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
    {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
@ -303,6 +304,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
    "wrap mode not allowed"},
    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
    "wrong final block length"},
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
+    "xts data unit is too large"},
    {0, NULL}
 };

--- a/crypto/modes/modes_lcl.h
+++ b/crypto/modes/modes_lcl.h
@ -133,6 +133,12 @@ struct gcm128_context {
 #endif
 };

+/*
+ * The maximum permitted number of cipher blocks per data unit in XTS mode.
+ * Reference IEEE Std 1619-2018.
+ */
+#define XTS_MAX_BLOCKS_PER_DATA_UNIT            (1<<20)
+
 struct xts128_context {
    void *key1, *key2;
    block128_f block1, block2;
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@ -30,6 +30,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_F_AES_OCB_CIPHER                             169
 # define EVP_F_AES_T4_INIT_KEY                            178
 # define EVP_F_AES_WRAP_CIPHER                            170
+# define EVP_F_AES_XTS_CIPHER                             229
 # define EVP_F_ALG_MODULE_INIT                            177
 # define EVP_F_ARIA_CCM_INIT_KEY                          175
 # define EVP_F_ARIA_GCM_CTRL                              197
@ -225,5 +226,6 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_UPDATE_ERROR                               189
 # define EVP_R_WRAP_MODE_NOT_ALLOWED                      170
 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH                   109
+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE                 191

 #endif