Commit 0ee43367 authored by Vladis Dronov's avatar Vladis Dronov Committed by Herbert Xu

crypto: xts - drop xts_check_key()

xts_check_key() is obsoleted by xts_verify_key(). Over time XTS crypto
drivers adopted the newer xts_verify_key() variant, but xts_check_key()
is still used by a number of drivers. Switch drivers to use the newer
xts_verify_key() and make a couple of cleanups. This allows us to drop
xts_check_key() completely and avoid redundancy.
Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
Reviewed-by: default avatarNicolai Stange <nstange@suse.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 1c4428b2
...@@ -474,7 +474,7 @@ static int xts_paes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, ...@@ -474,7 +474,7 @@ static int xts_paes_set_key(struct crypto_skcipher *tfm, const u8 *in_key,
return rc; return rc;
/* /*
* xts_check_key verifies the key length is not odd and makes * xts_verify_key verifies the key length is not odd and makes
* sure that the two keys are not the same. This can be done * sure that the two keys are not the same. This can be done
* on the two protected keys as well * on the two protected keys as well
*/ */
......
...@@ -1879,7 +1879,7 @@ static int atmel_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key, ...@@ -1879,7 +1879,7 @@ static int atmel_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key,
struct atmel_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm); struct atmel_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
int err; int err;
err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); err = xts_verify_key(tfm, key, keylen);
if (err) if (err)
return err; return err;
......
...@@ -1621,7 +1621,7 @@ artpec6_crypto_xts_set_key(struct crypto_skcipher *cipher, const u8 *key, ...@@ -1621,7 +1621,7 @@ artpec6_crypto_xts_set_key(struct crypto_skcipher *cipher, const u8 *key,
crypto_skcipher_ctx(cipher); crypto_skcipher_ctx(cipher);
int ret; int ret;
ret = xts_check_key(&cipher->base, key, keylen); ret = xts_verify_key(cipher, key, keylen);
if (ret) if (ret)
return ret; return ret;
......
...@@ -232,13 +232,12 @@ static int cvm_decrypt(struct skcipher_request *req) ...@@ -232,13 +232,12 @@ static int cvm_decrypt(struct skcipher_request *req)
static int cvm_xts_setkey(struct crypto_skcipher *cipher, const u8 *key, static int cvm_xts_setkey(struct crypto_skcipher *cipher, const u8 *key,
u32 keylen) u32 keylen)
{ {
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); struct cvm_enc_ctx *ctx = crypto_skcipher_ctx(cipher);
struct cvm_enc_ctx *ctx = crypto_tfm_ctx(tfm);
int err; int err;
const u8 *key1 = key; const u8 *key1 = key;
const u8 *key2 = key + (keylen / 2); const u8 *key2 = key + (keylen / 2);
err = xts_check_key(tfm, key, keylen); err = xts_verify_key(cipher, key, keylen);
if (err) if (err)
return err; return err;
ctx->key_len = keylen; ctx->key_len = keylen;
...@@ -289,8 +288,7 @@ static int cvm_validate_keylen(struct cvm_enc_ctx *ctx, u32 keylen) ...@@ -289,8 +288,7 @@ static int cvm_validate_keylen(struct cvm_enc_ctx *ctx, u32 keylen)
static int cvm_setkey(struct crypto_skcipher *cipher, const u8 *key, static int cvm_setkey(struct crypto_skcipher *cipher, const u8 *key,
u32 keylen, u8 cipher_type) u32 keylen, u8 cipher_type)
{ {
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); struct cvm_enc_ctx *ctx = crypto_skcipher_ctx(cipher);
struct cvm_enc_ctx *ctx = crypto_tfm_ctx(tfm);
ctx->cipher_type = cipher_type; ctx->cipher_type = cipher_type;
if (!cvm_validate_keylen(ctx, keylen)) { if (!cvm_validate_keylen(ctx, keylen)) {
......
...@@ -337,12 +337,11 @@ static int nitrox_3des_decrypt(struct skcipher_request *skreq) ...@@ -337,12 +337,11 @@ static int nitrox_3des_decrypt(struct skcipher_request *skreq)
static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher, static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher,
const u8 *key, unsigned int keylen) const u8 *key, unsigned int keylen)
{ {
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(cipher);
struct nitrox_crypto_ctx *nctx = crypto_tfm_ctx(tfm);
struct flexi_crypto_context *fctx; struct flexi_crypto_context *fctx;
int aes_keylen, ret; int aes_keylen, ret;
ret = xts_check_key(tfm, key, keylen); ret = xts_verify_key(cipher, key, keylen);
if (ret) if (ret)
return ret; return ret;
...@@ -362,8 +361,7 @@ static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher, ...@@ -362,8 +361,7 @@ static int nitrox_aes_xts_setkey(struct crypto_skcipher *cipher,
static int nitrox_aes_ctr_rfc3686_setkey(struct crypto_skcipher *cipher, static int nitrox_aes_ctr_rfc3686_setkey(struct crypto_skcipher *cipher,
const u8 *key, unsigned int keylen) const u8 *key, unsigned int keylen)
{ {
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher); struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(cipher);
struct nitrox_crypto_ctx *nctx = crypto_tfm_ctx(tfm);
struct flexi_crypto_context *fctx; struct flexi_crypto_context *fctx;
int aes_keylen; int aes_keylen;
......
...@@ -460,7 +460,7 @@ static int cc_cipher_setkey(struct crypto_skcipher *sktfm, const u8 *key, ...@@ -460,7 +460,7 @@ static int cc_cipher_setkey(struct crypto_skcipher *sktfm, const u8 *key,
} }
if (ctx_p->cipher_mode == DRV_CIPHER_XTS && if (ctx_p->cipher_mode == DRV_CIPHER_XTS &&
xts_check_key(tfm, key, keylen)) { xts_verify_key(sktfm, key, keylen)) {
dev_dbg(dev, "weak XTS key"); dev_dbg(dev, "weak XTS key");
return -EINVAL; return -EINVAL;
} }
......
...@@ -398,7 +398,7 @@ static int otx_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm, ...@@ -398,7 +398,7 @@ static int otx_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm,
const u8 *key1 = key; const u8 *key1 = key;
int ret; int ret;
ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); ret = xts_verify_key(tfm, key, keylen);
if (ret) if (ret)
return ret; return ret;
ctx->key_len = keylen; ctx->key_len = keylen;
......
...@@ -412,7 +412,7 @@ static int otx2_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm, ...@@ -412,7 +412,7 @@ static int otx2_cpt_skcipher_xts_setkey(struct crypto_skcipher *tfm,
const u8 *key1 = key; const u8 *key1 = key;
int ret; int ret;
ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); ret = xts_verify_key(tfm, key, keylen);
if (ret) if (ret)
return ret; return ret;
ctx->key_len = keylen; ctx->key_len = keylen;
......
...@@ -8,23 +8,6 @@ ...@@ -8,23 +8,6 @@
#define XTS_BLOCK_SIZE 16 #define XTS_BLOCK_SIZE 16
static inline int xts_check_key(struct crypto_tfm *tfm,
const u8 *key, unsigned int keylen)
{
/*
* key consists of keys of equal size concatenated, therefore
* the length must be even.
*/
if (keylen % 2)
return -EINVAL;
/* ensure that the AES and tweak key are not identical */
if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2))
return -EINVAL;
return 0;
}
static inline int xts_verify_key(struct crypto_skcipher *tfm, static inline int xts_verify_key(struct crypto_skcipher *tfm,
const u8 *key, unsigned int keylen) const u8 *key, unsigned int keylen)
{ {
...@@ -42,7 +25,10 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm, ...@@ -42,7 +25,10 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm,
if (fips_enabled && keylen != 32 && keylen != 64) if (fips_enabled && keylen != 32 && keylen != 64)
return -EINVAL; return -EINVAL;
/* ensure that the AES and tweak key are not identical */ /*
* Ensure that the AES and tweak key are not identical when
* in FIPS mode or the FORBID_WEAK_KEYS flag is set.
*/
if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & if ((fips_enabled || (crypto_skcipher_get_flags(tfm) &
CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) &&
!crypto_memneq(key, key + (keylen / 2), keylen / 2)) !crypto_memneq(key, key + (keylen / 2), keylen / 2))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment