RE: [PATCH 1/4] crypto: xts - restrict key lengths to approved values in FIPS mode

[Elliott, Robert (Servers)]

> diff --git a/include/crypto/xts.h b/include/crypto/xts.h
...
> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher
> *tfm,
>  	if (keylen % 2)
>  		return -EINVAL;
> 
> +	/*
> +	 * In FIPS mode only a combined key length of either 256 or
> +	 * 512 bits is allowed, c.f. FIPS 140-3 IG C.I.
> +	 */
> +	if (fips_enabled && keylen != 32 && keylen != 64)
> +		return -EINVAL;
> +
>  	/* ensure that the AES and tweak key are not identical */
>  	if ((fips_enabled || (crypto_skcipher_get_flags(tfm) &
>  			      CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) &&
> --
> 2.38.0

arch/s390/crypto/aes_s390.c has similar lines:

static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key,
                           unsigned int key_len)
{
        struct s390_xts_ctx *xts_ctx = crypto_skcipher_ctx(tfm);
        unsigned long fc;
        int err;

        err = xts_fallback_setkey(tfm, in_key, key_len);
        if (err)
                return err;

        /* In fips mode only 128 bit or 256 bit keys are valid */
        if (fips_enabled && key_len != 32 && key_len != 64)
                return -EINVAL;


xts_fallback_setkey will now enforce that rule when setting up the
fallback algorithm keys, which makes the xts_aes_set_key check
unreachable.

If that fallback setup were not present, then a call to xts_verify_key
might be preferable to enforce any other rules like the WEAK_KEYS
rule.