lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 8 Nov 2022 20:34:10 +0000
From:   "Elliott, Robert (Servers)" <elliott@....com>
To:     Nicolai Stange <nstange@...e.de>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>
CC:     Vladis Dronov <vdronov@...hat.com>,
        Stephan Mueller <smueller@...onox.de>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 1/4] crypto: xts - restrict key lengths to approved values
 in FIPS mode

> diff --git a/include/crypto/xts.h b/include/crypto/xts.h
...
> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher
> *tfm,
>  	if (keylen % 2)
>  		return -EINVAL;
> 
> +	/*
> +	 * In FIPS mode only a combined key length of either 256 or
> +	 * 512 bits is allowed, c.f. FIPS 140-3 IG C.I.
> +	 */
> +	if (fips_enabled && keylen != 32 && keylen != 64)
> +		return -EINVAL;
> +
>  	/* ensure that the AES and tweak key are not identical */
>  	if ((fips_enabled || (crypto_skcipher_get_flags(tfm) &
>  			      CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) &&
> --
> 2.38.0

There's another function in the same file called xts_check_key() 
that is used by some of the hardware drivers:

arch/s390/crypto/paes_s390.c:    * xts_check_key verifies the key length is not odd and makes
 [that references it in the comment but actually calls xts_verify_key in the code]
drivers/crypto/axis/artpec6_crypto.c:   ret = xts_check_key(&cipher->base, key, keylen);
drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen);
drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen);
drivers/crypto/ccree/cc_cipher.c:           xts_check_key(tfm, key, keylen)) {
drivers/crypto/marvell/octeontx/otx_cptvf_algs.c:       ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);
drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c:     ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);
drivers/crypto/atmel-aes.c:     err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen);

It already has one check qualified by fips_enabled:

        /* ensure that the AES and tweak key are not identical */
        if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2))
                return -EINVAL;

Should that implement the same key length restrictions?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ