| Message ID | 2082192.jPI8ve1O8G@positron.chronox.de (mailing list archive) |
|---|---|
| Headers | show |
| Series | General Key Derivation Function Support | expand |
Am Mittwoch, 16. Januar 2019, 12:06:54 CET schrieb Stephan Müller: Hi Herbert, > Changes v2: > * Incorporation of all comments from Eric Biggers > > Stephan Mueller (6): > crypto: add template handling for RNGs > crypto: kdf - SP800-108 Key Derivation Function > crypto: kdf - add known answer tests > crypto: hkdf - HMAC-based Extract-and-Expand KDF > crypto: hkdf - add known answer tests > crypto: tcrypt - add KDF test invocation > > crypto/Kconfig | 13 + > crypto/Makefile | 2 + > crypto/hkdf.c | 272 +++++++++++++++++++ > crypto/kdf_sp800108.c | 491 ++++++++++++++++++++++++++++++++++ > crypto/rng.c | 44 +++ > crypto/tcrypt.c | 8 + > crypto/testmgr.c | 245 +++++++++++++++++ > crypto/testmgr.h | 198 ++++++++++++++ > include/crypto/internal/rng.h | 26 ++ > 9 files changed, 1299 insertions(+) > create mode 100644 crypto/hkdf.c > create mode 100644 crypto/kdf_sp800108.c Do you happen to have any comments on this patch set? Ciao Stephan
On Mon, Jan 28, 2019 at 11:07:28AM +0100, Stephan Mueller wrote: > Am Mittwoch, 16. Januar 2019, 12:06:54 CET schrieb Stephan Müller: > > Hi Herbert, > > > Changes v2: > > * Incorporation of all comments from Eric Biggers > > > > Stephan Mueller (6): > > crypto: add template handling for RNGs > > crypto: kdf - SP800-108 Key Derivation Function > > crypto: kdf - add known answer tests > > crypto: hkdf - HMAC-based Extract-and-Expand KDF > > crypto: hkdf - add known answer tests > > crypto: tcrypt - add KDF test invocation > > > > crypto/Kconfig | 13 + > > crypto/Makefile | 2 + > > crypto/hkdf.c | 272 +++++++++++++++++++ > > crypto/kdf_sp800108.c | 491 ++++++++++++++++++++++++++++++++++ > > crypto/rng.c | 44 +++ > > crypto/tcrypt.c | 8 + > > crypto/testmgr.c | 245 +++++++++++++++++ > > crypto/testmgr.h | 198 ++++++++++++++ > > include/crypto/internal/rng.h | 26 ++ > > 9 files changed, 1299 insertions(+) > > create mode 100644 crypto/hkdf.c > > create mode 100644 crypto/kdf_sp800108.c > > Do you happen to have any comments on this patch set? I'm still not convinced why this needs to go into the crypto API instead of being hosted in a helper which should achieve pretty much the same result. Thanks,
Am Mittwoch, 30. Januar 2019, 11:08:54 CET schrieb Herbert Xu: Hi Herbert, > I'm still not convinced why this needs to go into the crypto API > instead of being hosted in a helper which should achieve pretty > much the same result. How do you propose to handle the FIPS 140-2 related requirements of enforcing the integrity test result and the known-answer self tests? Thanks Stephan
On Wed, Jan 30, 2019 at 03:39:10PM +0100, Stephan Mueller wrote: > Am Mittwoch, 30. Januar 2019, 11:08:54 CET schrieb Herbert Xu: > > Hi Herbert, > > > I'm still not convinced why this needs to go into the crypto API > > instead of being hosted in a helper which should achieve pretty > > much the same result. > > How do you propose to handle the FIPS 140-2 related requirements of enforcing > the integrity test result and the known-answer self tests? We could easily add self-tests for the helper. Cheers,
Am Freitag, 8. Februar 2019, 08:45:58 CET schrieb Herbert Xu:
Hi Herbert,
> We could easily add self-tests for the helper.
Thanks for the clarification. And do you have a suggestion how we can should
ensure that the self-tests are run only once?
Also, shall we add the signature verification enforcemnt to the helper as
well?
Ciao
Stephan
On Fri, Feb 08, 2019 at 09:00:59AM +0100, Stephan Mueller wrote: > > Thanks for the clarification. And do you have a suggestion how we can should > ensure that the self-tests are run only once? Making it run at kernel init time should be good enough. > Also, shall we add the signature verification enforcemnt to the helper as > well? What do you mean by that? Cheers,
Am Freitag, 8. Februar 2019, 09:05:47 CET schrieb Herbert Xu: Hi Herbert, > > > Also, shall we add the signature verification enforcemnt to the helper as > > well? > > What do you mean by that? We need to invoke the function crypto_check_module_sig when the module is loaded. Do you have any concerns invoking it from the module init function? Ciao Stephan
On Fri, Feb 08, 2019 at 09:17:50AM +0100, Stephan Mueller wrote: > > > > > Also, shall we add the signature verification enforcemnt to the helper as > > > well? > > > > What do you mean by that? > > We need to invoke the function crypto_check_module_sig when the module is > loaded. Do you have any concerns invoking it from the module init function? Which module's signature are you going to check? If it's the underlying crypto API modules then wouldn't they have been checked already when they were registered? Cheers,