2019-08-15 09:00:43 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
|
/*
|
|
|
|
|
* DES & Triple DES EDE key verification helpers
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __CRYPTO_INTERNAL_DES_H
|
|
|
|
|
#define __CRYPTO_INTERNAL_DES_H
|
|
|
|
|
|
|
|
|
|
#include <linux/crypto.h>
|
|
|
|
|
#include <linux/fips.h>
|
|
|
|
|
#include <crypto/des.h>
|
|
|
|
|
#include <crypto/aead.h>
|
|
|
|
|
#include <crypto/skcipher.h>
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* crypto_des_verify_key - Check whether a DES key is weak
|
|
|
|
|
* @tfm: the crypto algo
|
|
|
|
|
* @key: the key buffer
|
|
|
|
|
*
|
|
|
|
|
* Returns -EINVAL if the key is weak and the crypto TFM does not permit weak
|
|
|
|
|
* keys. Otherwise, 0 is returned.
|
|
|
|
|
*
|
|
|
|
|
* It is the job of the caller to ensure that the size of the key equals
|
|
|
|
|
* DES_KEY_SIZE.
|
|
|
|
|
*/
|
|
|
|
|
static inline int crypto_des_verify_key(struct crypto_tfm *tfm, const u8 *key)
|
|
|
|
|
{
|
2019-08-15 09:01:09 +00:00
|
|
|
struct des_ctx tmp;
|
|
|
|
|
int err;
|
2019-08-15 09:00:43 +00:00
|
|
|
|
2019-08-15 09:01:09 +00:00
|
|
|
err = des_expand_key(&tmp, key, DES_KEY_SIZE);
|
|
|
|
|
if (err == -ENOKEY) {
|
|
|
|
|
if (crypto_tfm_get_flags(tfm) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)
|
|
|
|
|
err = -EINVAL;
|
|
|
|
|
else
|
|
|
|
|
err = 0;
|
|
|
|
|
}
|
|
|
|
|
memzero_explicit(&tmp, sizeof(tmp));
|
2019-08-15 09:00:43 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* RFC2451:
|
|
|
|
|
*
|
|
|
|
|
* For DES-EDE3, there is no known need to reject weak or
|
|
|
|
|
* complementation keys. Any weakness is obviated by the use of
|
|
|
|
|
* multiple keys.
|
|
|
|
|
*
|
|
|
|
|
* However, if the first two or last two independent 64-bit keys are
|
|
|
|
|
* equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
|
|
|
|
|
* same as DES. Implementers MUST reject keys that exhibit this
|
|
|
|
|
* property.
|
|
|
|
|
*
|
|
|
|
|
*/
|
2019-08-15 09:01:09 +00:00
|
|
|
static inline int des3_ede_verify_key(const u8 *key, unsigned int key_len,
|
|
|
|
|
bool check_weak)
|
|
|
|
|
{
|
|
|
|
|
int ret = fips_enabled ? -EINVAL : -ENOKEY;
|
|
|
|
|
u32 K[6];
|
|
|
|
|
|
|
|
|
|
memcpy(K, key, DES3_EDE_KEY_SIZE);
|
|
|
|
|
|
|
|
|
|
if ((!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
|
|
|
|
|
!((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
|
|
|
|
|
(fips_enabled || check_weak))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
if ((!((K[0] ^ K[4]) | (K[1] ^ K[5]))) && fips_enabled)
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
bad:
|
|
|
|
|
memzero_explicit(K, DES3_EDE_KEY_SIZE);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2019-08-15 09:00:43 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* crypto_des3_ede_verify_key - Check whether a DES3-EDE key is weak
|
|
|
|
|
* @tfm: the crypto algo
|
|
|
|
|
* @key: the key buffer
|
|
|
|
|
*
|
|
|
|
|
* Returns -EINVAL if the key is weak and the crypto TFM does not permit weak
|
|
|
|
|
* keys or when running in FIPS mode. Otherwise, 0 is returned. Note that some
|
|
|
|
|
* keys are rejected in FIPS mode even if weak keys are permitted by the TFM
|
|
|
|
|
* flags.
|
|
|
|
|
*
|
|
|
|
|
* It is the job of the caller to ensure that the size of the key equals
|
|
|
|
|
* DES3_EDE_KEY_SIZE.
|
|
|
|
|
*/
|
|
|
|
|
static inline int crypto_des3_ede_verify_key(struct crypto_tfm *tfm,
|
|
|
|
|
const u8 *key)
|
|
|
|
|
{
|
2019-12-31 03:19:37 +00:00
|
|
|
return des3_ede_verify_key(key, DES3_EDE_KEY_SIZE,
|
|
|
|
|
crypto_tfm_get_flags(tfm) &
|
|
|
|
|
CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
|
2019-08-15 09:00:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int verify_skcipher_des_key(struct crypto_skcipher *tfm,
|
|
|
|
|
const u8 *key)
|
|
|
|
|
{
|
|
|
|
|
return crypto_des_verify_key(crypto_skcipher_tfm(tfm), key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int verify_skcipher_des3_key(struct crypto_skcipher *tfm,
|
|
|
|
|
const u8 *key)
|
|
|
|
|
{
|
|
|
|
|
return crypto_des3_ede_verify_key(crypto_skcipher_tfm(tfm), key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int verify_aead_des_key(struct crypto_aead *tfm, const u8 *key,
|
|
|
|
|
int keylen)
|
|
|
|
|
{
|
crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN
The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
make the ->setkey() functions provide more information about errors.
However, no one actually checks for this flag, which makes it pointless.
Also, many algorithms fail to set this flag when given a bad length key.
Reviewing just the generic implementations, this is the case for
aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
many more in arch/*/crypto/ and drivers/crypto/.
Some algorithms can even set this flag when the key is the correct
length. For example, authenc and authencesn set it when the key payload
is malformed in any way (not just a bad length), the atmel-sha and ccree
drivers can set it if a memory allocation fails, and the chelsio driver
sets it for bad auth tag lengths, not just bad key lengths.
So even if someone actually wanted to start checking this flag (which
seems unlikely, since it's been unused for a long time), there would be
a lot of work needed to get it working correctly. But it would probably
be much better to go back to the drawing board and just define different
return values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.
So just remove this flag.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-12-31 03:19:36 +00:00
|
|
|
if (keylen != DES_KEY_SIZE)
|
2019-08-15 09:00:43 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
return crypto_des_verify_key(crypto_aead_tfm(tfm), key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int verify_aead_des3_key(struct crypto_aead *tfm, const u8 *key,
|
|
|
|
|
int keylen)
|
|
|
|
|
{
|
crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN
The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
make the ->setkey() functions provide more information about errors.
However, no one actually checks for this flag, which makes it pointless.
Also, many algorithms fail to set this flag when given a bad length key.
Reviewing just the generic implementations, this is the case for
aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
many more in arch/*/crypto/ and drivers/crypto/.
Some algorithms can even set this flag when the key is the correct
length. For example, authenc and authencesn set it when the key payload
is malformed in any way (not just a bad length), the atmel-sha and ccree
drivers can set it if a memory allocation fails, and the chelsio driver
sets it for bad auth tag lengths, not just bad key lengths.
So even if someone actually wanted to start checking this flag (which
seems unlikely, since it's been unused for a long time), there would be
a lot of work needed to get it working correctly. But it would probably
be much better to go back to the drawing board and just define different
return values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.
So just remove this flag.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-12-31 03:19:36 +00:00
|
|
|
if (keylen != DES3_EDE_KEY_SIZE)
|
2019-08-15 09:00:43 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
return crypto_des3_ede_verify_key(crypto_aead_tfm(tfm), key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* __CRYPTO_INTERNAL_DES_H */
|