Re: [PATCH 10/24] crypto: ccree - Forbid 2-key 3DES in FIPS mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Donnerstag, 11. April 2019, 10:51:06 CEST schrieb Herbert Xu:

Hi Herbert,

> This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode.
> 
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> ---
> 
>  drivers/crypto/ccree/cc_aead.c |   37 +++++++++++++++++++++++++++++++++++--
> 1 file changed, 35 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/crypto/ccree/cc_aead.c b/drivers/crypto/ccree/cc_aead.c
> index a3527c00b29a..c5cde327cf1f 100644
> --- a/drivers/crypto/ccree/cc_aead.c
> +++ b/drivers/crypto/ccree/cc_aead.c
> @@ -650,6 +650,39 @@ static int cc_aead_setkey(struct crypto_aead *tfm,
> const u8 *key, return rc;
>  }
> 
> +static int cc_des3_aead_setkey(struct crypto_aead *aead, const u8 *key,
> +			       unsigned int keylen)

This function looks very similar to des3_aead_setkey in the different caam 
code changes.

Thus, wouldn't it be better to have common service function?
> +{
> +	struct crypto_authenc_keys keys;
> +	u32 flags;
> +	int err;
> +
> +	err = crypto_authenc_extractkeys(&keys, key, keylen);
> +	if (unlikely(err))
> +		goto badkey;
> +
> +	err = -EINVAL;
> +	if (keys.enckeylen != DES3_EDE_KEY_SIZE)
> +		goto badkey;
> +
> +	flags = crypto_aead_get_flags(aead);
> +	err = __des3_verify_key(&flags, keys.enckey);
> +	if (unlikely(err)) {
> +		crypto_aead_set_flags(aead, flags);
> +		goto out;
> +	}
> +
> +	err = cc_aead_setkey(aead, key, keylen);
> +
> +out:
> +	memzero_explicit(&keys, sizeof(keys));
> +	return err;
> +
> +badkey:
> +	crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
> +	goto out;
> +}
> +
>  static int cc_rfc4309_ccm_setkey(struct crypto_aead *tfm, const u8 *key,
>  				 unsigned int keylen)
>  {
> @@ -2372,7 +2405,7 @@ static struct cc_alg_template aead_algs[] = {
>  		.driver_name = "authenc-hmac-sha1-cbc-des3-ccree",
>  		.blocksize = DES3_EDE_BLOCK_SIZE,
>  		.template_aead = {
> -			.setkey = cc_aead_setkey,
> +			.setkey = cc_des3_aead_setkey,
>  			.setauthsize = cc_aead_setauthsize,
>  			.encrypt = cc_aead_encrypt,
>  			.decrypt = cc_aead_decrypt,
> @@ -2412,7 +2445,7 @@ static struct cc_alg_template aead_algs[] = {
>  		.driver_name = "authenc-hmac-sha256-cbc-des3-ccree",
>  		.blocksize = DES3_EDE_BLOCK_SIZE,
>  		.template_aead = {
> -			.setkey = cc_aead_setkey,
> +			.setkey = cc_des3_aead_setkey,
>  			.setauthsize = cc_aead_setauthsize,
>  			.encrypt = cc_aead_encrypt,
>  			.decrypt = cc_aead_decrypt,



Ciao
Stephan





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux