From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.01.org
Subject: Re: [PATCH v3 1/5] cipher: Update for current kernel akcipher interface
Date: Mon, 13 Jun 2016 17:51:54 -0500 [thread overview]
Message-ID: <575F390A.8080007@gmail.com> (raw)
In-Reply-To: <alpine.OSX.2.20.1606131423090.9168@mjmartin-mac01.wa.intel.com>
[-- Attachment #1: Type: text/plain, Size: 1983 bytes --]
Hi Mat,
>>
>> Do we still need to know the key size in order to provide a proper
>> buffer for certain implementations?
>
> We won't have a direct need for it within ELL (keyctl will provide the
> key length for TLS purposes). If this isn't part of the
> l_asymmetric_cipher API, the key length information is available from
> l_key if the key is loaded there. l_asymmetric_cipher users would be no
> worse off then normal AF_ALG akcipher users in terms of choosing optimal
> read buffer sizes.
>
> Long term, we could implement a getsockopt call to get the key length -
> but it seems worthwhile to trim the ASN.1 parser out of ELL in the near
> term.
My feeling is, lets make asymmetric ciphers work for now, at least until
the key stuff is ready. So we can keep the ASN.1 parser to get the key
length for now, with an eye to migrate it to getsockopt when that
feature is added to the kernel.
> I'd like to change it to use one socket for asymmetric ciphers, in which
> case the check would be up to the kernel (unless we keep track of the
> key type just for this purpose). This significantly streamlines the
> common case.
>
Since the only asymmetric cipher is RSA, we might be getting lucky here.
I have no problem moving to a single socket semantic, as long as the
kernel guarantees that this will work for all akcipher algorithms.
I assumed a single socket was fine for skcipher as well, but was proven
wrong. The current semantics in the kernel are weird. You almost have
to know the underlying algorithm implementation in order to do the right
thing.
>
> One socket is working ok for akcipher, even having four different
> operations on that one socket.
>
Because there's no 'state'. In RC4 results of an operation are carried
into the subsequent operation(s). Highly unlikely that any akciphers
will work this way, but who knows. The semantics need to be nailed down
in the docs.
Regards,
-Denis
next prev parent reply other threads:[~2016-06-13 22:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-10 17:09 [PATCH v3 1/5] cipher: Update for current kernel akcipher interface Mat Martineau
2016-06-10 17:09 ` [PATCH v3 2/5] unit: Update for akcipher changes Mat Martineau
2016-06-10 17:09 ` [PATCH v3 3/5] cipher: Return result length from asymmetric cipher Mat Martineau
2016-06-13 20:59 ` Mat Martineau
2016-06-10 17:09 ` [PATCH v3 4/5] unit: Check asymmetric cipher result lengths Mat Martineau
2016-06-10 17:09 ` [PATCH v3 5/5] unit: Check decryption against known ciphertext Mat Martineau
2016-06-13 17:49 ` [PATCH v3 1/5] cipher: Update for current kernel akcipher interface Denis Kenzior
2016-06-13 20:56 ` Mat Martineau
2016-06-13 21:13 ` Denis Kenzior
2016-06-13 22:29 ` Mat Martineau
2016-06-13 22:51 ` Denis Kenzior [this message]
2016-06-14 17:37 ` Mat Martineau
2016-06-14 18:49 ` Denis Kenzior
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=575F390A.8080007@gmail.com \
--to=denkenz@gmail.com \
--cc=ell@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.