From: Nicolai Stange <nstange@suse.de>
To: "Elliott, Robert (Servers)" <elliott@hpe.com>
Cc: Nicolai Stange <nstange@suse.de>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Vladis Dronov <vdronov@redhat.com>,
Stephan Mueller <smueller@chronox.de>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/4] crypto: xts - restrict key lengths to approved values in FIPS mode
Date: Wed, 09 Nov 2022 11:06:17 +0100 [thread overview]
Message-ID: <8735asfnmu.fsf@suse.de> (raw)
In-Reply-To: <MW5PR84MB1842EEC44A8CB6594D4D0CD0AB3F9@MW5PR84MB1842.NAMPRD84.PROD.OUTLOOK.COM> (Robert Elliott's message of "Tue, 8 Nov 2022 20:34:10 +0000")
"Elliott, Robert (Servers)" <elliott@hpe.com> writes:
>> diff --git a/include/crypto/xts.h b/include/crypto/xts.h
> ...
>> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher
>> *tfm,
>> if (keylen % 2)
>> return -EINVAL;
>>
>> + /*
>> + * In FIPS mode only a combined key length of either 256 or
>> + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I.
>> + */
>> + if (fips_enabled && keylen != 32 && keylen != 64)
>> + return -EINVAL;
>> +
>> /* ensure that the AES and tweak key are not identical */
>> if ((fips_enabled || (crypto_skcipher_get_flags(tfm) &
>> CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) &&
>> --
>> 2.38.0
>
> There's another function in the same file called xts_check_key()
> that is used by some of the hardware drivers:
Right, thanks for spotting.
AFAICT, xts_check_key() is the older of the two variants,
xts_verify_key() had been introduced with commit f1c131b45410 ("crypto:
xts - Convert to skcipher"). There had initially only been a single
call from generic crypto/xts.c and the main difference to
xts_check_key() had been that it took a crypto_skcipher for its tfm
argument rather than a plain crypto_tfm as xts_check_key() did.
It seems that over time, xts crypto drivers adopted the newer
xts_verify_key() variant then.
>
> arch/s390/crypto/paes_s390.c: * xts_check_key verifies the key length is not odd and makes
> [that references it in the comment but actually calls xts_verify_key in the code]
> drivers/crypto/axis/artpec6_crypto.c: ret = xts_check_key(&cipher->base, key, keylen);
> drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen);
> drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen);
> drivers/crypto/ccree/cc_cipher.c: xts_check_key(tfm, key, keylen)) {
> drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);
> drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);
> drivers/crypto/atmel-aes.c: err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);
>
> It already has one check qualified by fips_enabled:
>
> /* ensure that the AES and tweak key are not identical */
> if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2))
> return -EINVAL;
>
> Should that implement the same key length restrictions?
From a quick glance, all of the above drivers merely convert some
crypto_skcipher to a crypto_tfm before passing it to xts_check_key().
So I think these should all be made to call xts_verify_key() directly
instead, the former xts_check_key() could then get dropped. But that's
more of a cleanup IMO and would probably deserve a separate patch series
on its own.
Thanks!
Nicolai
--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
(HRB 36809, AG Nürnberg)
next prev parent reply other threads:[~2022-11-09 10:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-08 14:20 [PATCH 0/4] Trivial set of FIPS 140-3 related changes Nicolai Stange
2022-11-08 14:20 ` [PATCH 1/4] crypto: xts - restrict key lengths to approved values in FIPS mode Nicolai Stange
2022-11-08 17:12 ` Elliott, Robert (Servers)
2022-11-09 10:39 ` Nicolai Stange
2022-11-11 4:22 ` Herbert Xu
2022-11-08 20:34 ` Elliott, Robert (Servers)
2022-11-09 10:06 ` Nicolai Stange [this message]
2022-11-11 4:23 ` Herbert Xu
2022-11-08 14:20 ` [PATCH 2/4] crypto: testmgr - disallow plain cbcmac(aes) " Nicolai Stange
2022-11-08 14:20 ` [PATCH 3/4] crypto: testmgr - disallow plain ghash " Nicolai Stange
2022-11-08 14:20 ` [PATCH 4/4] crypto: testmgr - allow ecdsa-nist-p256 and -p384 " Nicolai Stange
2022-12-21 15:24 ` [PATCH 0/4] Trivial set of FIPS 140-3 related changes Vladis Dronov
2022-12-21 20:46 ` Eric Biggers
2022-12-21 22:49 ` Vladis Dronov
2022-12-21 15:25 ` [PATCH 5/6] crypto: xts - drop xts_check_key() Vladis Dronov
2022-12-21 15:26 ` [PATCH 6/6] crypto: xts - drop redundant xts key check Vladis Dronov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8735asfnmu.fsf@suse.de \
--to=nstange@suse.de \
--cc=davem@davemloft.net \
--cc=elliott@hpe.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
--cc=vdronov@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox