diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2019-04-11 10:51:15 +0200 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2019-04-18 16:15:00 +0200 |
commit | aa113da291e430916ed423b71c4bb7ae193af928 (patch) | |
tree | d8325159acd5abf46b508d2d5dbbe2aad4eac6be /drivers | |
parent | crypto: omap - Forbid 2-key 3DES in FIPS mode (diff) | |
download | linux-aa113da291e430916ed423b71c4bb7ae193af928.tar.xz linux-aa113da291e430916ed423b71c4bb7ae193af928.zip |
crypto: picoxcell - Forbid 2-key 3DES in FIPS mode
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode.
It also removes an unnecessary key length checks that are already
performed by the crypto API.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to '')
-rw-r--r-- | drivers/crypto/picoxcell_crypto.c | 33 |
1 files changed, 26 insertions, 7 deletions
diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c index 1b3acdeffede..975582b82a23 100644 --- a/drivers/crypto/picoxcell_crypto.c +++ b/drivers/crypto/picoxcell_crypto.c @@ -753,11 +753,6 @@ static int spacc_des_setkey(struct crypto_ablkcipher *cipher, const u8 *key, struct spacc_ablk_ctx *ctx = crypto_tfm_ctx(tfm); u32 tmp[DES_EXPKEY_WORDS]; - if (len > DES3_EDE_KEY_SIZE) { - crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); - return -EINVAL; - } - if (unlikely(!des_ekey(tmp, key)) && (crypto_ablkcipher_get_flags(cipher) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) { @@ -772,6 +767,30 @@ static int spacc_des_setkey(struct crypto_ablkcipher *cipher, const u8 *key, } /* + * Set the 3DES key for a block cipher transform. This also performs weak key + * checking if the transform has requested it. + */ +static int spacc_des3_setkey(struct crypto_ablkcipher *cipher, const u8 *key, + unsigned int len) +{ + struct spacc_ablk_ctx *ctx = crypto_ablkcipher_ctx(cipher); + u32 flags; + int err; + + flags = crypto_ablkcipher_get_flags(cipher); + err = __des3_verify_key(&flags, key); + if (unlikely(err)) { + crypto_ablkcipher_set_flags(cipher, flags); + return err; + } + + memcpy(ctx->key, key, len); + ctx->key_len = len; + + return 0; +} + +/* * Set the key for an AES block cipher. Some key lengths are not supported in * hardware so this must also check whether a fallback is needed. */ @@ -1353,7 +1372,7 @@ static struct spacc_alg ipsec_engine_algs[] = { .cra_type = &crypto_ablkcipher_type, .cra_module = THIS_MODULE, .cra_ablkcipher = { - .setkey = spacc_des_setkey, + .setkey = spacc_des3_setkey, .encrypt = spacc_ablk_encrypt, .decrypt = spacc_ablk_decrypt, .min_keysize = DES3_EDE_KEY_SIZE, @@ -1380,7 +1399,7 @@ static struct spacc_alg ipsec_engine_algs[] = { .cra_type = &crypto_ablkcipher_type, .cra_module = THIS_MODULE, .cra_ablkcipher = { - .setkey = spacc_des_setkey, + .setkey = spacc_des3_setkey, .encrypt = spacc_ablk_encrypt, .decrypt = spacc_ablk_decrypt, .min_keysize = DES3_EDE_KEY_SIZE, |