diff mbox series

[RFC,01/30] crypto: des/3des_ede - add new helpers to verify key length

Message ID 20190622003112.31033-2-ard.biesheuvel@linaro.org
State New
Headers show
Series crypto: DES/3DES cleanup | expand

Commit Message

Ard Biesheuvel June 22, 2019, 12:30 a.m. UTC
The recently added helper routines to perform key strength validation
of 3ede_keys is slightly inadequate, since it doesn't check the key
length, and it comes in two versions, neither of which are highly
useful for anything other than skciphers (and many users still use the
older blkcipher interfaces).

So let's add a new helper and, considering that this is a helper function
that is only intended to be used by crypto code itself, put it in a new
des.h header under crypto/internal.

While at it, implement a similar helper for single DES, so that we can
replace the pattern of calling des_ekey() into a temp buffer that occurs
in many drivers in drivers/crypto.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

---
 crypto/des_generic.c          | 13 ---
 include/crypto/internal/des.h | 85 ++++++++++++++++++++
 2 files changed, 85 insertions(+), 13 deletions(-)

-- 
2.20.1

Comments

Herbert Xu June 22, 2019, 5:06 a.m. UTC | #1
On Sat, Jun 22, 2019 at 02:30:43AM +0200, Ard Biesheuvel wrote:
> The recently added helper routines to perform key strength validation

> of 3ede_keys is slightly inadequate, since it doesn't check the key

> length, and it comes in two versions, neither of which are highly


The skcipher helper doesn't need to check the key length because
it's the responsibility of the crypto API to check the key length
through min_keysize/max_keysize.

But yes if you're going to do a helper for lib/des then you'd need
to check the key length but please keep it separate from the skcipher
helper.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Ard Biesheuvel June 22, 2019, 7:46 a.m. UTC | #2
On Sat, 22 Jun 2019 at 07:06, Herbert Xu <herbert@gondor.apana.org.au> wrote:
>

> On Sat, Jun 22, 2019 at 02:30:43AM +0200, Ard Biesheuvel wrote:

> > The recently added helper routines to perform key strength validation

> > of 3ede_keys is slightly inadequate, since it doesn't check the key

> > length, and it comes in two versions, neither of which are highly

>

> The skcipher helper doesn't need to check the key length because

> it's the responsibility of the crypto API to check the key length

> through min_keysize/max_keysize.

>

> But yes if you're going to do a helper for lib/des then you'd need

> to check the key length but please keep it separate from the skcipher

> helper.

>


Ah yes, I had missed the fact that skcipher checks the lengths
already. But actually, that applies equally to ablkcipher and cipher,
so only aead instantiations need to perform the length check
explicitly.

I will drop the key_len arg from these helper routines, but I'd still
like to convert the skcipher helper into a generic helper that takes a
struct crypto_tfm*.

I'll also add some better documentation of the API in the next rev.
diff mbox series

Patch

diff --git a/crypto/des_generic.c b/crypto/des_generic.c
index d7a88b4fa611..c94a303da4dd 100644
--- a/crypto/des_generic.c
+++ b/crypto/des_generic.c
@@ -846,19 +846,6 @@  static void des_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
 	d[1] = cpu_to_le32(L);
 }
 
-/*
- * RFC2451:
- *
- *   For DES-EDE3, there is no known need to reject weak or
- *   complementation keys.  Any weakness is obviated by the use of
- *   multiple keys.
- *
- *   However, if the first two or last two independent 64-bit keys are
- *   equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
- *   same as DES.  Implementers MUST reject keys that exhibit this
- *   property.
- *
- */
 int __des3_ede_setkey(u32 *expkey, u32 *flags, const u8 *key,
 		      unsigned int keylen)
 {
diff --git a/include/crypto/internal/des.h b/include/crypto/internal/des.h
new file mode 100644
index 000000000000..e33b32c496cd
--- /dev/null
+++ b/include/crypto/internal/des.h
@@ -0,0 +1,85 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * DES & Triple DES EDE key verification helpers
+ */
+
+#ifndef __CRYPTO_INTERNAL_DES_H
+#define __CRYPTO_INTERNAL_DES_H
+
+#include <linux/crypto.h>
+#include <linux/fips.h>
+#include <crypto/des.h>
+
+static inline int crypto_des_verify_key(struct crypto_tfm *tfm, const u8 *key,
+					unsigned int key_len)
+{
+	u32 tmp[DES_EXPKEY_WORDS];
+	int err = -EINVAL;
+
+	if (key_len != DES_KEY_SIZE) {
+		crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+
+	if (!des_ekey(tmp, key) &&
+	    (fips_enabled || (crypto_tfm_get_flags(tfm) &
+			      CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)))
+		goto bad;
+
+	err = 0;
+out:
+	memzero_explicit(tmp, sizeof(tmp));
+	return err;
+
+bad:
+	crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
+	goto out;
+}
+
+/*
+ * RFC2451:
+ *
+ *   For DES-EDE3, there is no known need to reject weak or
+ *   complementation keys.  Any weakness is obviated by the use of
+ *   multiple keys.
+ *
+ *   However, if the first two or last two independent 64-bit keys are
+ *   equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
+ *   same as DES.  Implementers MUST reject keys that exhibit this
+ *   property.
+ *
+ */
+static inline int crypto_des3_ede_verify_key(struct crypto_tfm *tfm,
+					     const u8 *key,
+					     unsigned int key_len)
+{
+	int err = -EINVAL;
+	u32 K[6];
+
+	if (key_len != DES3_EDE_KEY_SIZE) {
+		crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+
+	memcpy(K, key, DES3_EDE_KEY_SIZE);
+
+	if ((!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
+	     !((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
+	    (fips_enabled || (crypto_tfm_get_flags(tfm) &
+		              CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)))
+		goto bad;
+
+	if ((!((K[0] ^ K[4]) | (K[1] ^ K[5]))) && fips_enabled)
+		goto bad;
+
+	err = 0;
+out:
+	memzero_explicit(K, DES3_EDE_KEY_SIZE);
+	return err;
+
+bad:
+	crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
+	goto out;
+}
+
+#endif /* __CRYPTO_INTERNAL_DES_H */