From: David Howells <dhowells@redhat.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: "Giovanni Cabiddu" <giovanni.cabiddu@intel.com>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
"Aymen Sghaier" <aymen.sghaier@nxp.com>,
"Alexandre Torgue" <alexandre.torgue@st.com>,
"Horia Geantă" <horia.geanta@nxp.com>,
qat-linux@intel.com, linux-stm32@st-md-mailman.stormreply.com,
"Gary Hook" <gary.hook@amd.com>,
linux-kernel@vger.kernel.org,
"Tudor Ambarus" <tudor-dan.ambarus@nxp.com>,
dhowells@redhat.com, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org,
"Maxime Coquelin" <mcoquelin.stm32@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
linux-arm-kernel@lists.infradead.org,
"Herbert Xu" <herbert@gondor.apana.org.au>
Subject: Re: [RFC PATCH v2] akcipher: Introduce verify_rsa/verify for public key algorithms
Date: Wed, 16 Jan 2019 17:12:20 +0000 [thread overview]
Message-ID: <24887.1547658740@warthog.procyon.org.uk> (raw)
In-Reply-To: <20190116164703.9267-1-vt@altlinux.org>
Umm... What do I apply this patch to?
In your modified public_key_verify_signature():
> - sg_init_one(&digest_sg, output, outlen);
> - akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size,
> + sg_init_one(&output_sg, output, outlen);
> + akcipher_request_set_crypt(req, &sig_sg, &output_sg, sig->s_size,
> outlen);
Why is the output necessary? It was there for the decoded hash to be placed
in prior to comparison - but now that's not necessary.
> - ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
> + ret = crypto_wait_req(crypto_akcipher_verify(req, sig->digest,
> + sig->digest_size), &cwait);
I see sig->digest is passed in here. Should it be passed in in place of
output_sg above?
> - inst->alg.verify = pkcs1pad_verify;
> + inst->alg.verify_rsa = pkcs1pad_verify;
Is there a reason that pkcs1pad_verify() can't do the comparison?
> - .verify = rsa_verify,
> + .verify_rsa = rsa_verify,
Likewise verify_rsa()?
Granted, this might involve pkcs1pad_verify() dressing up the signature in the
appropriate wrappings and passing it along to verify_rsa() to do the actual
comparison there (ie. what pkcs1pad_verify_complete() does).
> - .verify = caam_rsa_enc,
> + .verify_rsa = caam_rsa_enc,
I presume this is the reason - because this reuses its encrypt operation
directly. But could this instead perform the comparison upon completion, say
in rsa_pub_done()?
> - .verify = qat_rsa_enc,
> + .verify_rsa = qat_rsa_enc,
Again, this could do the comparison, say, in qat_rsa_cb().
David
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-01-16 17:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-16 16:47 [RFC PATCH v2] akcipher: Introduce verify_rsa/verify for public key algorithms Vitaly Chikunov
2019-01-16 17:12 ` David Howells [this message]
2019-01-16 18:27 ` Vitaly Chikunov
2019-01-18 20:41 ` Vitaly Chikunov
2019-01-25 10:00 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24887.1547658740@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=alexandre.torgue@st.com \
--cc=aymen.sghaier@nxp.com \
--cc=davem@davemloft.net \
--cc=gary.hook@amd.com \
--cc=giovanni.cabiddu@intel.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-stm32@st-md-mailman.stormreply.com \
--cc=mcoquelin.stm32@gmail.com \
--cc=qat-linux@intel.com \
--cc=thomas.lendacky@amd.com \
--cc=tudor-dan.ambarus@nxp.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).