2019-04-11 08:51:23

by Herbert Xu

[permalink] [raw]
Subject: [PATCH 22/24] crypto: sun4i-ss - Forbid 2-key 3DES in FIPS mode

This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode.

Signed-off-by: Herbert Xu <[email protected]>
---

drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
index 54fd714d53ca..06df336488fb 100644
--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
@@ -533,13 +533,12 @@ int sun4i_ss_des3_setkey(struct crypto_skcipher *tfm, const u8 *key,
unsigned int keylen)
{
struct sun4i_tfm_ctx *op = crypto_skcipher_ctx(tfm);
- struct sun4i_ss_ctx *ss = op->ss;
+ int err;
+
+ err = des3_verify_key(tfm, key);
+ if (unlikely(err))
+ return err;

- if (unlikely(keylen != 3 * DES_KEY_SIZE)) {
- dev_err(ss->dev, "Invalid keylen %u\n", keylen);
- crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
- return -EINVAL;
- }
op->keylen = keylen;
memcpy(op->key, key, keylen);
return 0;


2019-04-11 13:51:18

by Corentin Labbe

[permalink] [raw]
Subject: Re: [PATCH 22/24] crypto: sun4i-ss - Forbid 2-key 3DES in FIPS mode

On Thu, Apr 11, 2019 at 04:51:19PM +0800, Herbert Xu wrote:
> This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode.
>
> Signed-off-by: Herbert Xu <[email protected]>
> ---
>
> drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
> index 54fd714d53ca..06df336488fb 100644
> --- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
> +++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
> @@ -533,13 +533,12 @@ int sun4i_ss_des3_setkey(struct crypto_skcipher *tfm, const u8 *key,
> unsigned int keylen)
> {
> struct sun4i_tfm_ctx *op = crypto_skcipher_ctx(tfm);
> - struct sun4i_ss_ctx *ss = op->ss;
> + int err;
> +
> + err = des3_verify_key(tfm, key);
> + if (unlikely(err))
> + return err;
>
> - if (unlikely(keylen != 3 * DES_KEY_SIZE)) {
> - dev_err(ss->dev, "Invalid keylen %u\n", keylen);
> - crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
> - return -EINVAL;
> - }
> op->keylen = keylen;
> memcpy(op->key, key, keylen);
> return 0;

Acked-by: Corentin Labbe <[email protected]>
Tested-by: Corentin Labbe <[email protected]>