2019-08-15 09:00:43 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
/*
|
|
|
|
* DES & Triple DES EDE key verification helpers
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef __CRYPTO_INTERNAL_DES_H
|
|
|
|
#define __CRYPTO_INTERNAL_DES_H
|
|
|
|
|
|
|
|
#include <linux/crypto.h>
|
|
|
|
#include <linux/fips.h>
|
|
|
|
#include <crypto/des.h>
|
|
|
|
#include <crypto/aead.h>
|
|
|
|
#include <crypto/skcipher.h>
|
|
|
|
|
|
|
|
/**
|
|
|
|
* crypto_des_verify_key - Check whether a DES key is weak
|
|
|
|
* @tfm: the crypto algo
|
|
|
|
* @key: the key buffer
|
|
|
|
*
|
|
|
|
* Returns -EINVAL if the key is weak and the crypto TFM does not permit weak
|
|
|
|
* keys. Otherwise, 0 is returned.
|
|
|
|
*
|
|
|
|
* It is the job of the caller to ensure that the size of the key equals
|
|
|
|
* DES_KEY_SIZE.
|
|
|
|
*/
|
|
|
|
static inline int crypto_des_verify_key(struct crypto_tfm *tfm, const u8 *key)
|
|
|
|
{
|
2019-08-15 09:01:09 +00:00
|
|
|
struct des_ctx tmp;
|
|
|
|
int err;
|
2019-08-15 09:00:43 +00:00
|
|
|
|
2019-08-15 09:01:09 +00:00
|
|
|
err = des_expand_key(&tmp, key, DES_KEY_SIZE);
|
|
|
|
if (err == -ENOKEY) {
|
|
|
|
if (crypto_tfm_get_flags(tfm) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)
|
|
|
|
err = -EINVAL;
|
|
|
|
else
|
|
|
|
err = 0;
|
|
|
|
}
|
2019-08-15 09:00:43 +00:00
|
|
|
|
2019-08-15 09:01:09 +00:00
|
|
|
if (err)
|
2019-08-15 09:00:43 +00:00
|
|
|
crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
|
|
|
|
|
2019-08-15 09:01:09 +00:00
|
|
|
memzero_explicit(&tmp, sizeof(tmp));
|
2019-08-15 09:00:43 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* RFC2451:
|
|
|
|
*
|
|
|
|
* For DES-EDE3, there is no known need to reject weak or
|
|
|
|
* complementation keys. Any weakness is obviated by the use of
|
|
|
|
* multiple keys.
|
|
|
|
*
|
|
|
|
* However, if the first two or last two independent 64-bit keys are
|
|
|
|
* equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
|
|
|
|
* same as DES. Implementers MUST reject keys that exhibit this
|
|
|
|
* property.
|
|
|
|
*
|
|
|
|
*/
|
2019-08-15 09:01:09 +00:00
|
|
|
static inline int des3_ede_verify_key(const u8 *key, unsigned int key_len,
|
|
|
|
bool check_weak)
|
|
|
|
{
|
|
|
|
int ret = fips_enabled ? -EINVAL : -ENOKEY;
|
|
|
|
u32 K[6];
|
|
|
|
|
|
|
|
memcpy(K, key, DES3_EDE_KEY_SIZE);
|
|
|
|
|
|
|
|
if ((!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
|
|
|
|
!((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
|
|
|
|
(fips_enabled || check_weak))
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if ((!((K[0] ^ K[4]) | (K[1] ^ K[5]))) && fips_enabled)
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
bad:
|
|
|
|
memzero_explicit(K, DES3_EDE_KEY_SIZE);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
2019-08-15 09:00:43 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* crypto_des3_ede_verify_key - Check whether a DES3-EDE key is weak
|
|
|
|
* @tfm: the crypto algo
|
|
|
|
* @key: the key buffer
|
|
|
|
*
|
|
|
|
* Returns -EINVAL if the key is weak and the crypto TFM does not permit weak
|
|
|
|
* keys or when running in FIPS mode. Otherwise, 0 is returned. Note that some
|
|
|
|
* keys are rejected in FIPS mode even if weak keys are permitted by the TFM
|
|
|
|
* flags.
|
|
|
|
*
|
|
|
|
* It is the job of the caller to ensure that the size of the key equals
|
|
|
|
* DES3_EDE_KEY_SIZE.
|
|
|
|
*/
|
|
|
|
static inline int crypto_des3_ede_verify_key(struct crypto_tfm *tfm,
|
|
|
|
const u8 *key)
|
|
|
|
{
|
2019-08-15 09:01:09 +00:00
|
|
|
int err;
|
2019-08-15 09:00:43 +00:00
|
|
|
|
2019-08-15 09:01:09 +00:00
|
|
|
err = des3_ede_verify_key(key, DES3_EDE_KEY_SIZE,
|
|
|
|
crypto_tfm_get_flags(tfm) &
|
|
|
|
CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
|
|
|
|
if (err)
|
|
|
|
crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_WEAK_KEY);
|
2019-08-15 09:00:43 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int verify_skcipher_des_key(struct crypto_skcipher *tfm,
|
|
|
|
const u8 *key)
|
|
|
|
{
|
|
|
|
return crypto_des_verify_key(crypto_skcipher_tfm(tfm), key);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int verify_skcipher_des3_key(struct crypto_skcipher *tfm,
|
|
|
|
const u8 *key)
|
|
|
|
{
|
|
|
|
return crypto_des3_ede_verify_key(crypto_skcipher_tfm(tfm), key);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int verify_aead_des_key(struct crypto_aead *tfm, const u8 *key,
|
|
|
|
int keylen)
|
|
|
|
{
|
|
|
|
if (keylen != DES_KEY_SIZE) {
|
|
|
|
crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
return crypto_des_verify_key(crypto_aead_tfm(tfm), key);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int verify_aead_des3_key(struct crypto_aead *tfm, const u8 *key,
|
|
|
|
int keylen)
|
|
|
|
{
|
|
|
|
if (keylen != DES3_EDE_KEY_SIZE) {
|
|
|
|
crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
return crypto_des3_ede_verify_key(crypto_aead_tfm(tfm), key);
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* __CRYPTO_INTERNAL_DES_H */
|