FIPS 140-2 IG A.9 AES-XTS key handling. #7120
This is an implementation of the extra check required by FIPS 140-2 IG A.9. The two uses for AES-XTS are mandated to be different. If they are the same, there is a vulnerability published by Rogaway in September 2004 in the paper: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC.
The main negative side effect is that old encrypted data that used the same key twice will be unable to be decrypted. Thus, this change should be conditional on a FIPS mode of some kind (which is currently undefined). One of the AES-XTS test cases uses the same key twice, this test has been modified so an error is expected. Ideally, this would also be dependent on a FIPS mode -- possibly by duplicating the test case and flagging one as FIPS and the other as not.
The WIP tag depends on a resolution of the FIPS mode question.
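The check described above, written out as an added example rather than OpenSSL's own code. The function names `xts_check_key` and `ct_memcmp` are hypothetical, and the `fips_mode` flag stands in for the FIPS mode that the description says is still undefined; the point is that the key-equality test is applied only when that flag is set, so that data encrypted with Key_1 == Key_2 outside FIPS mode remains decryptable. The sample keys in `main` are constructed here and are not vectors from the OpenSSL test suite.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return convention follows EVP: 1 = success, 0 = failure. */
#define XTS_OK   1
#define XTS_FAIL 0

/*
 * Constant-time comparison of two equal-length byte strings.
 * Returns 0 when they are identical, 1 otherwise. Timing is independent
 * of where the first differing byte sits, so the check does not leak
 * how much of Key_2 matches Key_1.
 */
static int ct_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff != 0;
}

/*
 * Validate an AES-XTS key (hypothetical helper, not an OpenSSL API).
 * keybits is the total XTS key size: 256 for AES-128-XTS (two 128-bit AES
 * keys) or 512 for AES-256-XTS (two 256-bit AES keys). The first half is
 * Key_1 (data encryption), the second half Key_2 (tweak encryption).
 * When fips_mode is non-zero, a key whose halves are identical is rejected,
 * as FIPS 140-2 IG A.9 requires. Outside FIPS mode it is accepted.
 */
int xts_check_key(const unsigned char *key, size_t keybits, int fips_mode)
{
    size_t keybytes = keybits / 8;
    size_t half;

    if (key == NULL || (keybits != 256 && keybits != 512))
        return XTS_FAIL;                    /* not a valid XTS key size */

    half = keybytes / 2;
    if (fips_mode && ct_memcmp(key, key + half, half) == 0)
        return XTS_FAIL;                    /* Key_1 == Key_2: forbidden under IG A.9 */

    return XTS_OK;
}

int main(void)
{
    /* Constructed sample keys, not test vectors from any test suite. */
    unsigned char same[32], distinct[32];

    memset(same, 0x11, sizeof(same));       /* Key_1 == Key_2 */
    memset(distinct, 0x11, 16);             /* Key_1 */
    memset(distinct + 16, 0x22, 16);        /* Key_2 differs from Key_1 */

    printf("identical halves, FIPS mode:     %d\n", xts_check_key(same, 256, 1));     /* 0 */
    printf("identical halves, non-FIPS mode: %d\n", xts_check_key(same, 256, 0));     /* 1 */
    printf("distinct halves,  FIPS mode:     %d\n", xts_check_key(distinct, 256, 1)); /* 1 */
    return 0;
}
```

A test suite that carries a vector with a repeated key can then keep both behaviours: run the vector with `fips_mode` clear and expect success, and run it again with `fips_mode` set and expect `XTS_FAIL`, which is the duplicated-and-flagged test case the description suggests.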
Add a check that the two keys used for AES-XTS are different. One test case uses the same key for both of the AES-XTS keys. This causes a failure under FIPS 140-2 IG A.9. Mark the test as returning a failure. Reviewed-by: Tim Hudson <email@example.com> (Merged from #7120)