Message ID | E1hEVQU-0006oc-Sr@gondobar (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Herbert Xu |
Series | Forbid 2-key 3DES in FIPS mode |
Hi Herbert, On 4/11/19 10:51 AM, Herbert Xu wrote: > This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. > > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > --- > > drivers/crypto/stm32/stm32-cryp.c | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) > > diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c > index 23b0b7bd64c7..5785f3e235ce 100644 > --- a/drivers/crypto/stm32/stm32-cryp.c > +++ b/drivers/crypto/stm32/stm32-cryp.c > @@ -762,10 +762,17 @@ static int stm32_cryp_des_setkey(struct crypto_ablkcipher *tfm, const u8 *key, > static int stm32_cryp_tdes_setkey(struct crypto_ablkcipher *tfm, const u8 *key, > unsigned int keylen) > { > - if (keylen != (3 * DES_KEY_SIZE)) > - return -EINVAL; > - else > - return stm32_cryp_setkey(tfm, key, keylen); > + u32 flags; > + int err; > + > + flags = crypto_ablkcipher_get_flags(tfm); > + err = __des3_verify_key(&flags, key); > + if (unlikely(err)) { > + crypto_ablkcipher_set_flags(tfm, flags); > + return err; > + } > + > + return stm32_cryp_setkey(tfm, key, keylen); > } > > static int stm32_cryp_aes_aead_setkey(struct crypto_aead *tfm, const u8 *key, > I was currently going to send patches around des and tdes key verification. Is there any plan to do the same factorization on des key check? Regarding this patch, ok for me. - Lionel Acked-by: Lionel Debieve<lionel.debieve@st.com> Tested-by: Lionel Debieve<lionel.debieve@st.com>
On Fri, Apr 12, 2019 at 01:36:44PM +0000, Lionel DEBIEVE wrote:
>
> I was currently going to send patches around des and tdes key verification. Is there any plan
> to do the same factorization on des key check?

If you have the time please do because I think some single DES drivers are missing the weak key check. The existing des_ekey function should be sufficient for the check.

> Acked-by: Lionel Debieve<lionel.debieve@st.com>
> Tested-by: Lionel Debieve<lionel.debieve@st.com>

Thanks,
On 4/13/19 3:50 PM, Herbert Xu wrote:
> On Fri, Apr 12, 2019 at 01:36:44PM +0000, Lionel DEBIEVE wrote:
>> I was currently going to send patches around des and tdes key verification. Is there any plan
>> to do the same factorization on des key check?
> If you have the time please do because I think some single DES
> drivers are missing the weak key check. The existing des_ekey
> function should be sufficient for the check.

ok, will try to do it in the same way you've done it for 3des using existing des_ekey function. Trying to push it this week for all impacted drivers.

- Lionel

>
>> Acked-by: Lionel Debieve<lionel.debieve@st.com>
>> Tested-by: Lionel Debieve<lionel.debieve@st.com>
> Thanks,
>
diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c index 23b0b7bd64c7..5785f3e235ce 100644 --- a/drivers/crypto/stm32/stm32-cryp.c +++ b/drivers/crypto/stm32/stm32-cryp.c @@ -762,10 +762,17 @@ static int stm32_cryp_des_setkey(struct crypto_ablkcipher *tfm, const u8 *key, static int stm32_cryp_tdes_setkey(struct crypto_ablkcipher *tfm, const u8 *key, unsigned int keylen) { - if (keylen != (3 * DES_KEY_SIZE)) - return -EINVAL; - else - return stm32_cryp_setkey(tfm, key, keylen); + u32 flags; + int err; + + flags = crypto_ablkcipher_get_flags(tfm); + err = __des3_verify_key(&flags, key); + if (unlikely(err)) { + crypto_ablkcipher_set_flags(tfm, flags); + return err; + } + + return stm32_cryp_setkey(tfm, key, keylen); } static int stm32_cryp_aes_aead_setkey(struct crypto_aead *tfm, const u8 *key,
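Review bot: in stm32_cryp_tdes_setkey the removed `keylen != (3 * DES_KEY_SIZE)` test has no replacement, and `__des3_verify_key(&flags, key)` takes no length argument, so nothing in the function as shown bounds keylen before the key bytes are inspected or before `stm32_cryp_setkey(tfm, key, keylen)` runs. If the length is already guaranteed before this function is called, say so in the commit message or in a one-line comment above the verify call; otherwise keep the length check ahead of it. The commit message mentions only the FIPS restriction, not the dropped check.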
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 drivers/crypto/stm32/stm32-cryp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
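The keying-option rule named in the commit message, as an added userspace C illustration (not the kernel's `__des3_verify_key` and not code from the patch): it classifies a 24-byte key as 3-key, 2-key (K1 == K3) or degenerate and applies a FIPS switch. The function names, the parity masking and the treatment of the degenerate case are assumptions of this example, and the sample keys are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define DES_KEY_SIZE 8

enum tdes_keying {
    TDES_THREE_KEY,  /* K1, K2, K3 pairwise distinct */
    TDES_TWO_KEY,    /* K1 == K3: the case the patch forbids in FIPS mode */
    TDES_DEGENERATE  /* K1 == K2 or K2 == K3: EDE collapses to single DES */
};

/* No early exit; bit 0 of each byte is DES parity and is masked out (this example's choice). */
static bool same_des_key(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (int i = 0; i < DES_KEY_SIZE; i++)
        diff |= (uint8_t)((a[i] ^ b[i]) & 0xFE);
    return diff == 0;
}

static enum tdes_keying tdes_classify(const uint8_t *key)
{
    const uint8_t *k1 = key, *k2 = key + DES_KEY_SIZE, *k3 = k2 + DES_KEY_SIZE;
    if (same_des_key(k1, k2) || same_des_key(k2, k3))
        return TDES_DEGENERATE;
    return same_des_key(k1, k3) ? TDES_TWO_KEY : TDES_THREE_KEY;
}

/* Hypothetical policy: check the length before touching the key bytes. */
static int tdes_check_key(const uint8_t *key, unsigned int keylen, bool fips, bool forbid_weak)
{
    if (keylen != 3 * DES_KEY_SIZE)
        return -EINVAL;
    switch (tdes_classify(key)) {
    case TDES_DEGENERATE: return (fips || forbid_weak) ? -EINVAL : 0;
    case TDES_TWO_KEY:    return fips ? -EINVAL : 0;
    default:              return 0;
    }
}

/* Constructed sample keys; K3 of KEY_2KEY is K1 with only the parity bits changed. */
static const uint8_t KEY_3KEY[24] = {2,2,2,2,2,2,2,2, 4,4,4,4,4,4,4,4, 8,8,8,8,8,8,8,8};
static const uint8_t KEY_2KEY[24] = {2,2,2,2,2,2,2,2, 4,4,4,4,4,4,4,4, 3,3,3,3,3,3,3,3};
static const uint8_t KEY_1KEY[24] = {4,4,4,4,4,4,4,4, 4,4,4,4,4,4,4,4, 8,8,8,8,8,8,8,8};

int main(void)
{
    return tdes_check_key(KEY_2KEY, sizeof KEY_2KEY, true, false) == -EINVAL ? 0 : 1;
}
```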