From patchwork Wed Dec 21 22:41:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079227 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7A57C4332F for ; Wed, 21 Dec 2022 22:42:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235100AbiLUWm1 (ORCPT ); Wed, 21 Dec 2022 17:42:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51280 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234712AbiLUWmZ (ORCPT ); Wed, 21 Dec 2022 17:42:25 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC21425C6 for ; Wed, 21 Dec 2022 14:41:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662499; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HInbXzTW3Cb08AWmdq+dd1m19tc/OaqTF+DjibQiGV4=; b=V+37GQdGcNHX80ghWSmP1ow1Rrfy9Nnq0QKelH2wAQ/Nn3nEVIonLvumMuIE3+u+oyd4XU +EQUrICDPdeUPKWulIwGWMag5PqpA4YXuc0bNRkjRqO2VqiOCUvpqgSmKSfAHpNSo+rzFG b4Jnr1eJfdKMzZD8RlguSQR+frPHV+s= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-365-8dHjQDtpMTyIwbTTfApP6A-1; Wed, 21 Dec 2022 17:41:36 -0500 X-MC-Unique: 8dHjQDtpMTyIwbTTfApP6A-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1C521196EF88; Wed, 21 Dec 2022 22:41:36 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id 108F840C2064; Wed, 21 Dec 2022 22:41:33 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 1/6] crypto: xts - restrict key lengths to approved values in FIPS mode Date: Wed, 21 Dec 2022 23:41:06 +0100 Message-Id: <20221221224111.19254-2-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Nicolai Stange According to FIPS 140-3 IG C.I., only (total) key lengths of either 256 bits or 512 bits are allowed with xts(aes). Make xts_verify_key() to reject anything else in FIPS mode. As xts(aes) is the only approved xts() template instantiation in FIPS mode, the new restriction implemented in xts_verify_key() effectively only applies to this particular construction. Signed-off-by: Nicolai Stange Signed-off-by: Vladis Dronov --- include/crypto/xts.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/crypto/xts.h b/include/crypto/xts.h index 0f8dba69feb4..a233c1054df2 100644 --- a/include/crypto/xts.h +++ b/include/crypto/xts.h @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm, if (keylen % 2) return -EINVAL; + /* + * In FIPS mode only a combined key length of either 256 or + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. + */ + if (fips_enabled && keylen != 32 && keylen != 64) + return -EINVAL; + /* ensure that the AES and tweak key are not identical */ if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && From patchwork Wed Dec 21 22:41:07 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079228 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B34ABC4332F for ; Wed, 21 Dec 2022 22:42:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235159AbiLUWmo (ORCPT ); Wed, 21 Dec 2022 17:42:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51320 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235115AbiLUWmi (ORCPT ); Wed, 21 Dec 2022 17:42:38 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34C4B26FA for ; Wed, 21 Dec 2022 14:41:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662513; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kwJqqlZWZgLxuuvmSlfjzB7OmFV7j8hdyZMfzqN2TDg=; b=D8Yc4JZBCiyaAIN1k3MeQOY6l9GCZ4aNEGifqvUiQ86E9mMO1Hg6eEv/LC6WcVXETn4+xB V4BWOK0JuISeAU8Go8d3xtD5WMf7pvTNc/LNJQSHQSa1Id2qNvkr3I8baXr/GemnUYnMn3 gLDxB5P9XCkPXh7hr0qHvDP4t733bOQ= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-452--KixWts-M8G2-wcS8cIkrw-1; Wed, 21 Dec 2022 17:41:51 -0500 X-MC-Unique: -KixWts-M8G2-wcS8cIkrw-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B99C685A588; Wed, 21 Dec 2022 22:41:50 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id C698F40C2064; Wed, 21 Dec 2022 22:41:48 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 2/6] crypto: xts - drop xts_check_key() Date: Wed, 21 Dec 2022 23:41:07 +0100 Message-Id: <20221221224111.19254-3-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org xts_check_key() is obsoleted by xts_verify_key(). Over time XTS crypto drivers adopted the newer xts_verify_key() variant, but xts_check_key() is still used by a number of drivers. Switch drivers to use the newer xts_verify_key() and make a couple of cleanups. This allows us to drop xts_check_key() completely and avoid redundancy. Signed-off-by: Vladis Dronov Reviewed-by: Eric Biggers --- arch/s390/crypto/paes_s390.c | 2 +- drivers/crypto/atmel-aes.c | 2 +- drivers/crypto/axis/artpec6_crypto.c | 2 +- drivers/crypto/cavium/cpt/cptvf_algs.c | 8 +++---- .../crypto/cavium/nitrox/nitrox_skcipher.c | 8 +++---- drivers/crypto/ccree/cc_cipher.c | 2 +- .../crypto/marvell/octeontx/otx_cptvf_algs.c | 2 +- .../marvell/octeontx2/otx2_cptvf_algs.c | 2 +- include/crypto/xts.h | 21 +++---------------- 9 files changed, 15 insertions(+), 34 deletions(-) diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c index a279b7d23a5e..29dc827e0fe8 100644 --- a/arch/s390/crypto/paes_s390.c +++ b/arch/s390/crypto/paes_s390.c @@ -474,7 +474,7 @@ static int xts_paes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, return rc; /* - * xts_check_key verifies the key length is not odd and makes + * xts_verify_key verifies the key length is not odd and makes * sure that the two keys are not the same. This can be done * on the two protected keys as well */ diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c index 886bf258544c..130f8bf09a9a 100644 --- a/drivers/crypto/atmel-aes.c +++ b/drivers/crypto/atmel-aes.c @@ -1879,7 +1879,7 @@ static int atmel_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key, struct atmel_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm); int err; - err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); + err = xts_verify_key(tfm, key, keylen); if (err) return err; diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c index 51c66afbe677..f6f41e316dfe 100644 --- a/drivers/crypto/axis/artpec6_crypto.c +++ b/drivers/crypto/axis/artpec6_crypto.c @@ -1621,7 +1621,7 @@ artpec6_crypto_xts_set_key(struct crypto_skcipher *cipher, const u8 *key, crypto_skcipher_ctx(cipher); int ret; - ret = xts_check_key(&cipher->base, key, keylen); + ret = xts_verify_key(cipher, key, keylen); if (ret) return ret; diff --git a/drivers/crypto/cavium/cpt/cptvf_algs.c b/drivers/crypto/cavium/cpt/cptvf_algs.c index 9eca0c302186..0b38c2600b86 100644 --- a/drivers/crypto/cavium/cpt/cptvf_algs.c +++ b/drivers/crypto/cavium/cpt/cptvf_algs.c @@ -232,13 +232,12 @@ static int cvm_decrypt(struct skcipher_request *req) static int cvm_xts_setkey(struct crypto_skcipher *cipher, const u8 *key, u32 keylen) { - struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); - struct cvm_enc_ctx *ctx = crypto_tfm_ctx(tfm); + struct cvm_enc_ctx *ctx = crypto_skcipher_ctx(cipher); int err; const u8 *key1 = key; const u8 *key2 = key + (keylen / 2); - err = xts_check_key(tfm, key, keylen); + err = xts_verify_key(cipher, key, keylen); if (err) return err; ctx->key_len = keylen; @@ -289,8 +288,7 @@ static int cvm_validate_keylen(struct cvm_enc_ctx *ctx, u32 keylen) static int cvm_setkey(struct crypto_skcipher *cipher, const u8 *key, u32 keylen, u8 cipher_type) { - struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); - struct cvm_enc_ctx *ctx = crypto_tfm_ctx(tfm); + struct cvm_enc_ctx *ctx = crypto_skcipher_ctx(cipher); ctx->cipher_type = cipher_type; if (!cvm_validate_keylen(ctx, keylen)) { diff --git a/drivers/crypto/cavium/nitrox/nitrox_skcipher.c b/drivers/crypto/cavium/nitrox/nitrox_skcipher.c index 248b4fff1c72..138261dcd032 100644 --- a/drivers/crypto/cavium/nitrox/nitrox_skcipher.c +++ b/drivers/crypto/cavium/nitrox/nitrox_skcipher.c @@ -337,12 +337,11 @@ static int nitrox_3des_decrypt(struct skcipher_request *skreq) static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int keylen) { - struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); - struct nitrox_crypto_ctx *nctx = crypto_tfm_ctx(tfm); + struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(cipher); struct flexi_crypto_context *fctx; int aes_keylen, ret; - ret = xts_check_key(tfm, key, keylen); + ret = xts_verify_key(cipher, key, keylen); if (ret) return ret; @@ -362,8 +361,7 @@ static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher, static int nitrox_aes_ctr_rfc3686_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int keylen) { - struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); - struct nitrox_crypto_ctx *nctx = crypto_tfm_ctx(tfm); + struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(cipher); struct flexi_crypto_context *fctx; int aes_keylen; diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c index 309da6334a0a..2cd44d7457a4 100644 --- a/drivers/crypto/ccree/cc_cipher.c +++ b/drivers/crypto/ccree/cc_cipher.c @@ -460,7 +460,7 @@ static int cc_cipher_setkey(struct crypto_skcipher *sktfm, const u8 *key, } if (ctx_p->cipher_mode == DRV_CIPHER_XTS && - xts_check_key(tfm, key, keylen)) { + xts_verify_key(sktfm, key, keylen)) { dev_dbg(dev, "weak XTS key"); return -EINVAL; } diff --git a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c index 80ba77c793a7..83493dd0416f 100644 --- a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c +++ b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c @@ -398,7 +398,7 @@ static int otx_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm, const u8 *key1 = key; int ret; - ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); + ret = xts_verify_key(tfm, key, keylen); if (ret) return ret; ctx->key_len = keylen; diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c index 30b423605c9c..443202caa140 100644 --- a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c +++ b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c @@ -412,7 +412,7 @@ static int otx2_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm, const u8 *key1 = key; int ret; - ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); + ret = xts_verify_key(tfm, key, keylen); if (ret) return ret; ctx->key_len = keylen; diff --git a/include/crypto/xts.h b/include/crypto/xts.h index a233c1054df2..5a6a2cc89d49 100644 --- a/include/crypto/xts.h +++ b/include/crypto/xts.h @@ -8,23 +8,6 @@ #define XTS_BLOCK_SIZE 16 -static inline int xts_check_key(struct crypto_tfm *tfm, - const u8 *key, unsigned int keylen) -{ - /* - * key consists of keys of equal size concatenated, therefore - * the length must be even. - */ - if (keylen % 2) - return -EINVAL; - - /* ensure that the AES and tweak key are not identical */ - if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) - return -EINVAL; - - return 0; -} - static inline int xts_verify_key(struct crypto_skcipher *tfm, const u8 *key, unsigned int keylen) { @@ -42,7 +25,9 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm, if (fips_enabled && keylen != 32 && keylen != 64) return -EINVAL; - /* ensure that the AES and tweak key are not identical */ + /* ensure that the AES and tweak key are not identical + * when in FIPS mode or the FORBID_WEAK_KEYS flag is set. + */ if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) From patchwork Wed Dec 21 22:41:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079229 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2005C4332F for ; Wed, 21 Dec 2022 22:43:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235225AbiLUWnH (ORCPT ); Wed, 21 Dec 2022 17:43:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51342 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235189AbiLUWmx (ORCPT ); Wed, 21 Dec 2022 17:42:53 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 801391A3A7 for ; Wed, 21 Dec 2022 14:42:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662527; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kwfJcVBxWNMAZYpPSPCoOdNBGIp3nX0+9louWAKvFDk=; b=hVF82NH0j00tHKU2ij82hcpa0HAcwKcYnZdt7JfvglQQAcu2eCIcN+83acx/9MuXqliF8k VeyPYu1rtuMES4YEr1igpx+plp2gUYUQNoEdnq+r3sf3+Iw2VydMUdk653BQ4wi65Hub4j dVRYiAvVFLtZZP/oo/vp5O5rWc13/V8= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-523-2MYamv_BNpCM3A4WlGyW7A-1; Wed, 21 Dec 2022 17:42:06 -0500 X-MC-Unique: 2MYamv_BNpCM3A4WlGyW7A-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id DF71229AA39D; Wed, 21 Dec 2022 22:42:05 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id DD71240C2064; Wed, 21 Dec 2022 22:42:03 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 3/6] crypto: xts - drop redundant xts key check Date: Wed, 21 Dec 2022 23:41:08 +0100 Message-Id: <20221221224111.19254-4-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org xts_fallback_setkey() in xts_aes_set_key() will now enforce key size rule in FIPS mode when setting up the fallback algorithm keys, which makes the check in xts_aes_set_key() redundant or unreachable. So just drop this check. xts_fallback_setkey() now makes a key size check in xts_verify_key(): xts_fallback_setkey() crypto_skcipher_setkey() [ skcipher_setkey_unaligned() ] cipher->setkey() { .setkey = xts_setkey } xts_setkey() xts_verify_key() Signed-off-by: Vladis Dronov --- arch/s390/crypto/aes_s390.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c index 526c3f40f6a2..c773820e4af9 100644 --- a/arch/s390/crypto/aes_s390.c +++ b/arch/s390/crypto/aes_s390.c @@ -398,10 +398,6 @@ static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, if (err) return err; - /* In fips mode only 128 bit or 256 bit keys are valid */ - if (fips_enabled && key_len != 32 && key_len != 64) - return -EINVAL; - /* Pick the correct function code based on the key length */ fc = (key_len == 32) ? CPACF_KM_XTS_128 : (key_len == 64) ? CPACF_KM_XTS_256 : 0; From patchwork Wed Dec 21 22:41:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079230 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A53F3C10F1B for ; Wed, 21 Dec 2022 22:43:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235110AbiLUWnP (ORCPT ); Wed, 21 Dec 2022 17:43:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234882AbiLUWnB (ORCPT ); Wed, 21 Dec 2022 17:43:01 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8343020376 for ; Wed, 21 Dec 2022 14:42:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662535; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pplydIw3aMKsqvdgTdU8/nS7VlTB2EzgwMqQkCaddDc=; b=iqpzhqRd5UHD2z9nrcTBzcNBi24dZUHfMsCmwf//W7SrjZB4kqfy82OMNIwO3SnAt/Uv82 D63Dtam+TOlywf+eRFBHSq/Usj+vz3v7zf2z6fILWLKbCko4LN9xm7Q/Cv958PR7oXap9V vG5LIN43dYLJq3YYvjnF0WZscMUmSMc= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-642-keguWWWrPN6K1b3PzfrVGw-1; Wed, 21 Dec 2022 17:42:10 -0500 X-MC-Unique: keguWWWrPN6K1b3PzfrVGw-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 02D3C1C05134; Wed, 21 Dec 2022 22:42:10 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB35B40C2064; Wed, 21 Dec 2022 22:42:07 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 4/6] crypto: testmgr - disallow plain cbcmac(aes) in FIPS mode Date: Wed, 21 Dec 2022 23:41:09 +0100 Message-Id: <20221221224111.19254-5-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Nicolai Stange cbcmac(aes) may be used only as part of the ccm(aes) construction in FIPS mode. Since commit d6097b8d5d55 ("crypto: api - allow algs only in specific constructions in FIPS mode") there's support for using spawns which by itself are marked as non-approved from approved template instantiations. So simply mark plain cbcmac(aes) as non-approved in testmgr to block any attempts of direct instantiations in FIPS mode. Signed-off-by: Nicolai Stange Signed-off-by: Vladis Dronov --- crypto/testmgr.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 4476ac97baa5..562463a77a76 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4501,7 +4501,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { #endif .alg = "cbcmac(aes)", - .fips_allowed = 1, .test = alg_test_hash, .suite = { .hash = __VECS(aes_cbcmac_tv_template) From patchwork Wed Dec 21 22:41:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079232 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD6ADC4332F for ; Wed, 21 Dec 2022 22:43:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235237AbiLUWnm (ORCPT ); Wed, 21 Dec 2022 17:43:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235191AbiLUWnL (ORCPT ); Wed, 21 Dec 2022 17:43:11 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4ACC920F72 for ; Wed, 21 Dec 2022 14:42:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662537; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=l9hhi/SANunKmoKwXebRhuBJH3zZsPz8xdoxFhR57EY=; b=O1fjfbZONIwrQ/ynVVlv7UQckfsBS0mOIj7qJKRjeziGE73fG99xF2cv4Mg4U86CwsAWuN BpDRf2QslxoOtLk/KiVev6DPdaba86Mo/5jN9ZAgfMtroQ84I7++CbBI3Hd9Cquf1UUXvs vNXXLlHf7ab0L5pdddM/+9qCFKb+++E= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-91-nYX_X2v-NmSrQ-6l_vld1g-1; Wed, 21 Dec 2022 17:42:14 -0500 X-MC-Unique: nYX_X2v-NmSrQ-6l_vld1g-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 79D2329AA385; Wed, 21 Dec 2022 22:42:13 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id B7BCB40C2064; Wed, 21 Dec 2022 22:42:11 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 5/6] crypto: testmgr - disallow plain ghash in FIPS mode Date: Wed, 21 Dec 2022 23:41:10 +0100 Message-Id: <20221221224111.19254-6-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Nicolai Stange ghash may be used only as part of the gcm(aes) construction in FIPS mode. Since commit d6097b8d5d55 ("crypto: api - allow algs only in specific constructions in FIPS mode") there's support for using spawns which by itself are marked as non-approved from approved template instantiations. So simply mark plain ghash as non-approved in testmgr to block any attempts of direct instantiations in FIPS mode. Signed-off-by: Nicolai Stange Signed-off-by: Vladis Dronov --- crypto/testmgr.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 562463a77a76..a223cf5f3626 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -5125,7 +5125,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "ghash", .test = alg_test_hash, - .fips_allowed = 1, .suite = { .hash = __VECS(ghash_tv_template) } From patchwork Wed Dec 21 22:41:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vladis Dronov X-Patchwork-Id: 13079231 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D7E8C10F1B for ; Wed, 21 Dec 2022 22:43:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235076AbiLUWng (ORCPT ); Wed, 21 Dec 2022 17:43:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234830AbiLUWnI (ORCPT ); Wed, 21 Dec 2022 17:43:08 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AEEEE24097 for ; Wed, 21 Dec 2022 14:42:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671662542; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mv0JdiEUm8fY4r7rY54vtlemTUttCXqsgsmptQYzLmc=; b=XMvPRkschODKbo9XNSiYPwAWu24KeDatRB/jKOS2IfW6l7GXtpjrRKafzGFEP18S3qWJmP O8ZbzD9v17kw5ZllBDMqwZ25+Y+hX6PT+Gnn750eibPfk+SVOSvWM7Qa67d+qfLXIp4+/j ZhD+G/MR4hTG9WpKbHswbOsPl2wh1Zo= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-116-fKIoZ0QBPd-fRFtYSUZekg-1; Wed, 21 Dec 2022 17:42:17 -0500 X-MC-Unique: fKIoZ0QBPd-fRFtYSUZekg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4522A858F0E; Wed, 21 Dec 2022 22:42:17 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-208-11.brq.redhat.com [10.40.208.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id 409A040C2004; Wed, 21 Dec 2022 22:42:14 +0000 (UTC) From: Vladis Dronov To: herbert@gondor.apana.org.au, davem@davemloft.net Cc: nstange@suse.de, elliott@hpe.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, smueller@chronox.de, vdronov@redhat.com Subject: [PATCH 6/6] crypto: testmgr - allow ecdsa-nist-p256 and -p384 in FIPS mode Date: Wed, 21 Dec 2022 23:41:11 +0100 Message-Id: <20221221224111.19254-7-vdronov@redhat.com> In-Reply-To: <20221221224111.19254-1-vdronov@redhat.com> References: <20221221224111.19254-1-vdronov@redhat.com> MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Nicolai Stange The kernel provides implementations of the NIST ECDSA signature verification primitives. For key sizes of 256 and 384 bits respectively they are approved and can be enabled in FIPS mode. Do so. Signed-off-by: Nicolai Stange Signed-off-by: Vladis Dronov --- crypto/testmgr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index a223cf5f3626..795c4858c741 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -5034,12 +5034,14 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "ecdsa-nist-p256", .test = alg_test_akcipher, + .fips_allowed = 1, .suite = { .akcipher = __VECS(ecdsa_nist_p256_tv_template) } }, { .alg = "ecdsa-nist-p384", .test = alg_test_akcipher, + .fips_allowed = 1, .suite = { .akcipher = __VECS(ecdsa_nist_p384_tv_template) }