Re: [PATCH RFC v4 2/4] crypto: add PKE API
From: Stephan Mueller
Date: Thu Jun 11 2015 - 21:03:07 EST
Am Thursday 11 June 2015, 12:05:44 schrieb Tadeusz Struk:
Hi Tadeusz,
>+
>+static int akcipher_clone_key(struct crypto_akcipher *tfm,
>+ const struct public_key *pkey)
>+{
>+ int i, ret = 0;
>+
>+ tfm->pkey = kzalloc(sizeof(*tfm->pkey), GFP_KERNEL);
>+
>+ if (!tfm->pkey)
>+ return -ENOMEM;
>+
>+ for (i = 0; i < ARRAY_SIZE(tfm->pkey->mpi); i++) {
>+ if (!pkey->mpi[i])
>+ continue;
>+
>+ if (mpi_copy(&tfm->pkey->mpi[i], pkey->mpi[i])) {
>+ akcipher_free_key(tfm->pkey);
>+ tfm->pkey = NULL;
>+ ret = -ENOMEM;
>+ break;
>+ }
>+ }
>+ return ret;
>+}
The testmgr code can mark an entire cipher implementation as fips_allowed=1 as
already done for RSA. However, unlike with the other ciphers, that flag must
go in conjunction with the used key sizes.
For FIPS mode, the following restrictions apply:
- RSA: 2048/3072
- DSA: L 2048 / N 224; L 2048 / N 256; L 3072 / N 256
- ECDSA: only the NIST curves
Any other key sizes for the given ciphers is not allowed in FIPS mode.
Should that constraint be considered here?
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/