Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [RFC PATCH 01/30] crypto: des/3des_ede - add new helpers to verify key length
Date: Sat, 22 Jun 2019 02:30:43 +0200	[thread overview]
Message-ID: <20190622003112.31033-2-ard.biesheuvel@linaro.org> (raw)
In-Reply-To: <20190622003112.31033-1-ard.biesheuvel@linaro.org>

The recently added helper routines to perform key strength validation
of 3ede_keys is slightly inadequate, since it doesn't check the key
length, and it comes in two versions, neither of which are highly
useful for anything other than skciphers (and many users still use the
older blkcipher interfaces).

So let's add a new helper and, considering that this is a helper function
that is only intended to be used by crypto code itself, put it in a new
des.h header under crypto/internal.

While at it, implement a similar helper for single DES, so that we can
replace the pattern of calling des_ekey() into a temp buffer that occurs
in many drivers in drivers/crypto.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 crypto/des_generic.c          | 13 ---
 include/crypto/internal/des.h | 85 ++++++++++++++++++++
 2 files changed, 85 insertions(+), 13 deletions(-)

diff --git a/crypto/des_generic.c b/crypto/des_generic.c
index d7a88b4fa611..c94a303da4dd 100644
--- a/crypto/des_generic.c
+++ b/crypto/des_generic.c
@@ -846,19 +846,6 @@ static void des_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
 	d[1] = cpu_to_le32(L);
 }
 
-/*
- * RFC2451:
- *
- *   For DES-EDE3, there is no known need to reject weak or
- *   complementation keys.  Any weakness is obviated by the use of
- *   multiple keys.
- *
- *   However, if the first two or last two independent 64-bit keys are
- *   equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
- *   same as DES.  Implementers MUST reject keys that exhibit this
- *   property.
- *
- */
 int __des3_ede_setkey(u32 *expkey, u32 *flags, const u8 *key,
 		      unsigned int keylen)
 {
diff --git a/include/crypto/internal/des.h b/include/crypto/internal/des.h
new file mode 100644
index 000000000000..e33b32c496cd
--- /dev/null
+++ b/include/crypto/internal/des.h
@@ -0,0 +1,85 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * DES & Triple DES EDE key verification helpers
+ */
+
+#ifndef __CRYPTO_INTERNAL_DES_H
+#define __CRYPTO_INTERNAL_DES_H
+
+#include <linux/crypto.h>
+#include <linux/fips.h>
+#include <crypto/des.h>
+
+static inline int crypto_des_verify_key(struct crypto_tfm *tfm, const u8 *key,
+					unsigned int key_len)
+{
+	u32 tmp[DES_EXPKEY_WORDS];
+	int err = -EINVAL;
+
+	if (key_len != DES_KEY_SIZE) {
+		crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+
+	if (!des_ekey(tmp, key) &&
+	    (fips_enabled || (crypto_tfm_get_flags(tfm) &
+			      CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)))
+		goto bad;
+
+	err = 0;
+out:
+	memzero_explicit(tmp, sizeof(tmp));
+	return err;
+
+bad:
+	crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
+	goto out;
+}
+
+/*
+ * RFC2451:
+ *
+ *   For DES-EDE3, there is no known need to reject weak or
+ *   complementation keys.  Any weakness is obviated by the use of
+ *   multiple keys.
+ *
+ *   However, if the first two or last two independent 64-bit keys are
+ *   equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
+ *   same as DES.  Implementers MUST reject keys that exhibit this
+ *   property.
+ *
+ */
+static inline int crypto_des3_ede_verify_key(struct crypto_tfm *tfm,
+					     const u8 *key,
+					     unsigned int key_len)
+{
+	int err = -EINVAL;
+	u32 K[6];
+
+	if (key_len != DES3_EDE_KEY_SIZE) {
+		crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+
+	memcpy(K, key, DES3_EDE_KEY_SIZE);
+
+	if ((!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
+	     !((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
+	    (fips_enabled || (crypto_tfm_get_flags(tfm) &
+		              CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)))
+		goto bad;
+
+	if ((!((K[0] ^ K[4]) | (K[1] ^ K[5]))) && fips_enabled)
+		goto bad;
+
+	err = 0;
+out:
+	memzero_explicit(K, DES3_EDE_KEY_SIZE);
+	return err;
+
+bad:
+	crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
+	goto out;
+}
+
+#endif /* __CRYPTO_INTERNAL_DES_H */
-- 
2.20.1


  reply	other threads:[~2019-06-22  0:31 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-22  0:30 [RFC PATCH 00/30] crypto: DES/3DES cleanup Ard Biesheuvel
2019-06-22  0:30 ` Ard Biesheuvel [this message]
2019-06-22  5:06   ` [RFC PATCH 01/30] crypto: des/3des_ede - add new helpers to verify key length Herbert Xu
2019-06-22  7:46     ` Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 02/30] crypto: s390/des - switch to new verification routines Ard Biesheuvel
2019-06-24 10:10   ` Harald Freudenberger
2019-06-22  0:30 ` [RFC PATCH 03/30] crypto: sparc/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 04/30] crypto: atmel/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 05/30] crypto: bcm/des " Ard Biesheuvel
2019-06-27  9:14   ` Horia Geanta
2019-06-27 10:59     ` Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 06/30] crypto: caam/des " Ard Biesheuvel
2019-06-27  9:57   ` Horia Geanta
2019-06-27 11:00     ` Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 07/30] crypto: cpt/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 08/30] crypto: nitrox/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 09/30] crypto: ccp/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 10/30] crypto: ccree/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 11/30] crypto: hifn/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 12/30] crypto: hisilicon/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 13/30] crypto: safexcel/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 14/30] crypto: ixp4xx/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 15/30] crypto: cesa/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 16/30] crypto: n2/des " Ard Biesheuvel
2019-06-22  0:30 ` [RFC PATCH 17/30] crypto: omap/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 18/30] crypto: picoxcell/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 19/30] crypto: qce/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 20/30] crypto: rk3288/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 21/30] crypto: stm32/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 22/30] crypto: sun4i/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 23/30] crypto: talitos/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 24/30] crypto: ux500/des " Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 25/30] crypto: 3des - move verification out of exported routine Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 26/30] crypto: des - remove unused function Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 27/30] crypto: des - split off DES library from generic DES cipher driver Ard Biesheuvel
2019-06-27  9:10   ` [PATCH] crypto: caam - fix dependency on CRYPTO_DES Horia Geanta
2019-06-27  9:12     ` Ard Biesheuvel
2019-06-27  9:21       ` Horia Geanta
2019-06-22  0:31 ` [RFC PATCH 28/30] crypto: x86/des - switch to library interface Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 29/30] crypto: des - remove now unused __des3_ede_setkey() Ard Biesheuvel
2019-06-22  0:31 ` [RFC PATCH 30/30] fs: cifs: move from the crypto cipher API to the new DES library interface Ard Biesheuvel
2019-06-26  3:40   ` Eric Biggers
2019-06-26  3:31 ` [RFC PATCH 00/30] crypto: DES/3DES cleanup Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190622003112.31033-2-ard.biesheuvel@linaro.org \
    --to=ard.biesheuvel@linaro.org \
    --cc=ebiggers@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox