From: Vitaly Chikunov <vt@altlinux.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: dhowells@redhat.com, davem@davemloft.net,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] akcipher: Introduce verify2 for public key algorithms
Date: Fri, 4 Jan 2019 13:20:36 +0300
Message-ID: <20190104102035.42qwwv4komjvnswh@sole.flsd.net>
In-Reply-To: <20181213101233.6t7d5mxxkkavo46h@gondor.apana.org.au>

On Thu, Dec 13, 2018 at 06:12:33PM +0800, Herbert Xu wrote:
> Vitaly Chikunov <vt@altlinux.org> wrote:
> > Current akcipher .verify() just decrypts signature to uncover message
> > hash, which is then verified in upper level public_key_verify_signature
> > by memcmp with the expected signature value, which is never passed into
> > verify().
> > 
> > This approach is incompatible with ECDSA algorithms, because, to verify
> > a signature, the ECDSA algorithm also needs the hash value as input; also,
> > the hash is used in ECDSA (together with a signature divided into halves
> > `r||s`) not to produce a hash, but to produce a number, which is then
> > compared to `r` (the first part of the signature) to determine if the
> > signature is correct.  Thus, for ECDSA, neither the requirements of
> > .verify() itself nor its output expectations in
> > public_key_verify_signature are satisfied.
> > 
> > Make an alternative .verify2() call which gets the hash value and
> > produces a complete signature check (without any output, thus a
> > max_size() call will not be needed for the verify2() operation).
> > 
> > If .verify2() call is present, it should be used in place of .verify().
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> 
> We should convert all existing users to this interface and not
> have both verify/verify2 forever.

This will be hard to do since there are at least three devices that use
this interface (and who knows how many out of tree):

  drivers$ git grep cra_name.*rsa
  crypto/caam/caampkc.c:          .cra_name = "rsa",
  crypto/ccp/ccp-crypto-rsa.c:            .cra_name = "rsa",
  crypto/qat/qat_common/qat_asym_algs.c:          .cra_name = "rsa",

The interface seems to be designed so that the verify() call is
interchangeable with encrypt().

Two verify calls do not seem that bad, since there is common code for the
old interface that removes code duplication and simplifies driver
implementation (RSA drivers only need to implement encrypt).

But I would remove the scatterlist from the new interface. Signature
verification is not some multi-block encryption. And basically,
public_key_verify_signature is just doing sg_init_one for both required
src/dst buffers.

P.S. And also, in the future, I would allow akcipher to access `struct
public_key` and `struct public_key_signature` so it could distinguish
when the key is already validated and skip expensive validation the next
time verify2 is used with the same key. Or maybe a 'key validation is
needed' flag should be maintained outside of akcipher and passed to it in
the request.

> 
> Thanks,
> -- 
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
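As an added illustration of the two verify shapes the thread contrasts (this is example code written for this page, not the RFC patch and not kernel code): the old `.verify()` only uncovers the digest and leaves the comparison to `public_key_verify_signature`, whereas `.verify2()` takes digest and signature together and yields only pass/fail, which is the only shape ECDSA can implement because ECDSA never recovers a digest. All parameters are tiny constructed values (a textbook RSA modulus and the curve y^2 = x^3 + 2x + 2 over F_17), the function and type names are hypothetical stand-ins for the kernel ones, and `pow(x, -1, m)` assumes Python 3.8 or later.

```python
"""Added example, not kernel code: models the two akcipher verify shapes from
the thread with toy-sized, constructed parameters (not usable as real crypto).

  .verify()  (old)  RSA-style: "decrypt" the signature with the public key and
                    hand the recovered digest back; the caller compares it
                    against the digest it already holds.
  .verify2() (RFC)  takes digest and signature together, returns pass/fail and
                    produces no output; the only shape ECDSA can implement.
"""
from collections import namedtuple
import hmac

# ---------------- toy RSA (textbook values: n = 61 * 53) ----------------
RSA_PUB = (3233, 17)          # (n, e), constructed for this example only
RSA_PRIV = (3233, 2753)       # (n, d)

def rsa_sign(digest, priv):
    n, d = priv
    return pow(digest, d, n)

def rsa_verify(sig, pub):
    """Old .verify(): only uncovers the digest; it never sees the expected one.
    It is literally encrypt() with the public key, which is why RSA drivers
    could get away with implementing encrypt alone."""
    n, e = pub
    return pow(sig, e, n)

# ---------------- toy ECDSA on y^2 = x^3 + 2x + 2 over F_17 ----------------
P, A, G, N = 17, 2, (5, 1), 19        # N is the order of G; None = point at infinity

def _add(p1, p2):
    """Affine point addition with the special cases spelled out."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(digest, d, k):
    """Sign with private scalar d and per-signature nonce k (caller-supplied
    here so the example is deterministic; real code draws k fresh every time)."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (digest + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("retry with a different k")
    return (r, s)

def ecdsa_verify2(digest, sig, Q):
    """ECDSA has no 'recovered digest' to output: the digest goes *into* the
    computation and the only result is whether x(u1*G + u2*Q) mod N equals r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(digest * w % N, G), _mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

# ---------------- upper layer: public_key_verify_signature --------------------
Akcipher = namedtuple("Akcipher", "verify verify2")   # hypothetical stand-in
RSA_ALG = Akcipher(verify=rsa_verify, verify2=None)
ECDSA_ALG = Akcipher(verify=None, verify2=ecdsa_verify2)

def public_key_verify_signature(alg, digest, sig, pub):
    """The RFC's dispatch rule: use .verify2() when present, else fall back to
    .verify() plus a comparison done here (the thread's memcmp; this example
    uses a constant-time compare so the fallback does not leak timing)."""
    if alg.verify2 is not None:
        return alg.verify2(digest, sig, pub)
    recovered = alg.verify(sig, pub)
    width = (pub[0].bit_length() + 7) // 8
    return hmac.compare_digest(recovered.to_bytes(width, "big"),
                               digest.to_bytes(width, "big"))
```

The RSA path shows why the old interface could treat verify() as encrypt(): the driver returns a value and the upper layer owns the comparison. The ECDSA path has nothing to return but the verdict, so a `.verify` slot for it stays empty and only `.verify2` can be filled, which is exactly the asymmetry the commit message describes.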

