From: Tadeusz Struk <tadeusz.struk@intel.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
Stephan Mueller <smueller@chronox.de>
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org,
jwboyer@redhat.com, richard@nod.at, steved@redhat.com,
qat-linux@intel.com, dhowells@redhat.com,
linux-crypto@vger.kernel.org, james.l.morris@oracle.com,
jkosina@suse.cz, zohar@linux.vnet.ibm.com, davem@davemloft.net,
vgoyal@redhat.com
Subject: Re: [PATCH RFC v4 2/4] crypto: add PKE API
Date: Fri, 12 Jun 2015 07:24:10 -0700 [thread overview]
Message-ID: <557AEB8A.2040708@intel.com> (raw)
In-Reply-To: <20150612024246.GA30982@gondor.apana.org.au>
On 06/11/2015 07:42 PM, Herbert Xu wrote:
>> The testmgr code can mark an entire cipher implementation as fips_allowed=1 as
>> > already done for RSA. However, unlike with the other ciphers, that flag must
>> > go in conjunction with the used key sizes.
>> >
>> > For FIPS mode, the following restrictions apply:
>> >
>> > - RSA: 2048/3072
>> >
>> > - DSA: L 2048 / N 224; L 2048 / N 256; L 3072 / N 256
>> >
>> > - ECDSA: only the NIST curves
>> >
>> > Any other key sizes for the given ciphers is not allowed in FIPS mode.
>> >
>> > Should that constraint be considered here?
> Yes. However it should be placed into a helper that everybody
> can call so that future hardware implementations can also make
> the same checks.
I will make the algorithm marked as fips allowed always and then fail in setkey if fips is enabled
and the given key doesn't meet the fips requirement.
Thanks
next prev parent reply other threads:[~2015-06-12 14:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-11 19:05 [PATCH RFC v4 0/4] crypto: Introduce Public Key Encryption API Tadeusz Struk
2015-06-11 19:05 ` [PATCH RFC v4 1/4] MPILIB: add mpi_read_buf(), mpi_copy() and mpi_get_size() helpers Tadeusz Struk
2015-06-12 2:44 ` Herbert Xu
2015-06-12 16:21 ` Stephan Mueller
2015-06-12 18:59 ` Tadeusz Struk
2015-06-11 19:05 ` [PATCH RFC v4 2/4] crypto: add PKE API Tadeusz Struk
2015-06-12 1:00 ` Stephan Mueller
2015-06-12 2:42 ` Herbert Xu
2015-06-12 2:45 ` Herbert Xu
2015-06-12 14:24 ` Tadeusz Struk [this message]
2015-06-12 2:59 ` Herbert Xu
2015-06-12 6:50 ` Tadeusz Struk
2015-06-12 6:56 ` Herbert Xu
2015-06-11 19:05 ` [PATCH RFC v4 3/4] crypto: rsa: add a new rsa generic implementation Tadeusz Struk
2015-06-11 19:05 ` [PATCH RFC v4 4/4] crypto: add tests vectors for RSA Tadeusz Struk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=557AEB8A.2040708@intel.com \
--to=tadeusz.struk@intel.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=james.l.morris@oracle.com \
--cc=jkosina@suse.cz \
--cc=jwboyer@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=qat-linux@intel.com \
--cc=richard@nod.at \
--cc=smueller@chronox.de \
--cc=steved@redhat.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox