lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 05 Jan 2023 12:16:30 +0100
From:   Nicolai Stange <nstange@...e.de>
To:     Vladis Dronov <vdronov@...hat.com>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        "David S . Miller" <davem@...emloft.net>,
        Nicolai Stange <nstange@...e.de>,
        Elliott Robert <elliott@....com>,
        Stephan Mueller <smueller@...onox.de>,
        Eric Biggers <ebiggers@...gle.com>,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 3/6] crypto: xts - drop redundant xts key check

Hi Vladis,

the patch subject prefix is a bit misleading IMO, it kind of suggests
that this patch would apply to the generic crypto/xts.c. How about using
a format similar to e.g. the one from commit 7988fb2c03c8 ("crypto:
s390/aes - convert to skcipher API"), i.e.

  "crypto: s390/aes - drop redundant xts key check"

?

Vladis Dronov <vdronov@...hat.com> writes:

> xts_fallback_setkey() in xts_aes_set_key() will now enforce key size
> rule in FIPS mode when setting up the fallback algorithm keys,

I think it would be nice to make it more explicit why/how
xts_fallback_setkey() happens to enforce the key size rules now.

Perhaps amend the above sentence by something like

  "xts_fallback_setkey() in xts_aes_set_key() will now implictly enforce
   the key size rule in FIPS mode by means of invoking the generic xts
   implementation with its key checks for setting up the fallback
   algorithm,"

?

> which makes the check in xts_aes_set_key() redundant or
> unreachable. So just drop this check.
>
> xts_fallback_setkey() now makes a key size check in xts_verify_key():
>
> xts_fallback_setkey()
>   crypto_skcipher_setkey() [ skcipher_setkey_unaligned() ]
>     cipher->setkey() { .setkey = xts_setkey }
>       xts_setkey()
>         xts_verify_key()
>
> Signed-off-by: Vladis Dronov <vdronov@...hat.com>
> ---
>  arch/s390/crypto/aes_s390.c | 4 ----
>  1 file changed, 4 deletions(-)
>
> diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
> index 526c3f40f6a2..c773820e4af9 100644
> --- a/arch/s390/crypto/aes_s390.c
> +++ b/arch/s390/crypto/aes_s390.c
> @@ -398,10 +398,6 @@ static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key,
>  	if (err)
>  		return err;
>  
> -	/* In fips mode only 128 bit or 256 bit keys are valid */
> -	if (fips_enabled && key_len != 32 && key_len != 64)
> -		return -EINVAL;
> -

The change itself looks good, but it might be worth adding a comment
right at the invocation of xts_fallback_setkey() that this includes an
implicit xts_verify_key() check? So that if anybody ever was about to
remove the xts_fallback_setkey() for some reason in the future, it would
give a clear indication that xts_verify_key() needs to get called
directly instead?

Thanks!

Nicolai

>  	/* Pick the correct function code based on the key length */
>  	fc = (key_len == 32) ? CPACF_KM_XTS_128 :
>  	     (key_len == 64) ? CPACF_KM_XTS_256 : 0;

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
(HRB 36809, AG Nürnberg)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ