"Elliott, Robert (Servers)" <elliott@xxxxxxx> writes: >> diff --git a/include/crypto/xts.h b/include/crypto/xts.h > ... >> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher >> *tfm, >> if (keylen % 2) >> return -EINVAL; >> >> + /* >> + * In FIPS mode only a combined key length of either 256 or >> + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. >> + */ >> + if (fips_enabled && keylen != 32 && keylen != 64) >> + return -EINVAL; >> + >> /* ensure that the AES and tweak key are not identical */ >> if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & >> CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && >> -- >> 2.38.0 > > There's another function in the same file called xts_check_key() > that is used by some of the hardware drivers: Right, thanks for spotting. AFAICT, xts_check_key() is the older of the two variants, xts_verify_key() had been introduced with commit f1c131b45410 ("crypto: xts - Convert to skcipher"). There had initially only been a single call from generic crypto/xts.c and the main difference to xts_check_key() had been that it took a crypto_skcipher for its tfm argument rather than a plain crypto_tfm as xts_check_key() did. It seems that over time, xts crypto drivers adopted the newer xts_verify_key() variant then. > > arch/s390/crypto/paes_s390.c: * xts_check_key verifies the key length is not odd and makes > [that references it in the comment but actually calls xts_verify_key in the code] > drivers/crypto/axis/artpec6_crypto.c: ret = xts_check_key(&cipher->base, key, keylen); > drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen); > drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen); > drivers/crypto/ccree/cc_cipher.c: xts_check_key(tfm, key, keylen)) { > drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > drivers/crypto/atmel-aes.c: err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > > It already has one check qualified by fips_enabled: > > /* ensure that the AES and tweak key are not identical */ > if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) > return -EINVAL; > > Should that implement the same key length restrictions? >From a quick glance, all of the above drivers merely convert some crypto_skcipher to a crypto_tfm before passing it to xts_check_key(). So I think these should all be made to call xts_verify_key() directly instead, the former xts_check_key() could then get dropped. But that's more of a cleanup IMO and would probably deserve a separate patch series on its own. Thanks! Nicolai -- SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman (HRB 36809, AG Nürnberg)