From: Herbert Xu <herbert@gondor.apana.org.au>
To: Richard van Schagen <vschagen@cs.com>
Cc: linux-crypto@vger.kernel.org
Subject: Re: Hardware ANSI X9.31 PRNG, handling multiple context?
Date: Thu, 9 Jan 2020 13:13:26 +0800
Message-ID: <20200109051326.axgvplafz3h5pflf@gondor.apana.org.au>
In-Reply-To: <2345369f0bf4169a1ec792545df7d409dd7fecd1.camel@cs.com>

Richard van Schagen <vschagen@cs.com> wrote:
> As part of my EIP93 crypto module I would like to implement the PRNG.
> This is intended to be used to automatically insert an IV for IPSEC /
> full ESP processing, but can be used "just as PRNG" and it's fully ANSI
> X9.31 compliant.
> 
> Looking over the code in "ansi_cprng.c" I can implement the non-"FIPS"
> part since it doesn't require a reseed every time. For full FIPS it needs
> to be seeded by the user, which means if I do this in hardware I can not
> "switch" seeds or reseed with another one from another context because
> that would not give the expected results.
> 
> Is it acceptable to only implement "non-fips" and/or return an error
> (-EBUSY ?) when more than 1 call occurs to "cra_init" before the
> previous user called "cra_exit" ?

Yes, you could certainly add such a PRNG.  However, please don't make
cra_init return an error.  Instead you should make all tfms of your
PRNG use the same underlying hardware PRNG.  IOW it's as if users
of those tfms are actually using just one tfm.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
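The arrangement Herbert describes, as an added user-space C model that is not code from this thread or from the EIP93 driver: every tfm is a thin handle onto one refcounted hardware engine, the cra_init equivalent never returns -EBUSY, and generation serialises on the shared state, so the concatenated output of several tfms is exactly what a single tfm would have produced. The engine's stream is a constructed splitmix64-style stand-in (not X9.31), and the eip93_rng_* names and the hw_prng layout are hypothetical.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

/* One simulated hardware engine shared by every tfm. Its output is a constructed
 * splitmix64-style stand-in for the engine's stream, NOT an X9.31 implementation. */
struct hw_prng {
    atomic_flag lock;  /* serialises engine access (stand-in for the driver's lock) */
    int refcnt;        /* live tfms attached to the one engine */
    uint64_t state;    /* the single hardware state; never switched per tfm */
};
static struct hw_prng hw = { .lock = ATOMIC_FLAG_INIT };
static void hw_lock(struct hw_prng *p)   { while (atomic_flag_test_and_set(&p->lock)) ; }
static void hw_unlock(struct hw_prng *p) { atomic_flag_clear(&p->lock); }

/* Hypothetical per-tfm context: it carries no PRNG state of its own. */
struct eip93_rng_tfm { struct hw_prng *hw; };

/* cra_init equivalent: never -EBUSY. The first tfm brings the engine to a known
 * state; later tfms simply attach to the same engine. */
int eip93_rng_init(struct eip93_rng_tfm *tfm)
{
    hw_lock(&hw);
    if (hw.refcnt++ == 0)
        hw.state = 0x0123456789ABCDEFULL;  /* constructed reset state */
    hw_unlock(&hw);
    tfm->hw = &hw;
    return 0;
}

/* cra_exit equivalent: detach; the engine stays up while any tfm remains. */
void eip93_rng_exit(struct eip93_rng_tfm *tfm)
{ hw_lock(&hw); hw.refcnt--; hw_unlock(&hw); tfm->hw = NULL; }

/* Every tfm draws from the same stream under the same lock, so what the callers
 * see together is exactly what one tfm issuing all the requests would see. */
int eip93_rng_generate(struct eip93_rng_tfm *tfm, uint8_t *dst, size_t len)
{
    if (!tfm->hw) return -EINVAL;
    hw_lock(tfm->hw);
    for (size_t n; len; dst += n, len -= n) {
        uint64_t z = (tfm->hw->state += 0x9E3779B97F4A7C15ULL);
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        z ^= z >> 31;
        n = len < 8 ? len : 8;
        memcpy(dst, &z, n);
    }
    hw_unlock(tfm->hw);
    return 0;
}
```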

Thread overview: 2+ messages
2019-12-31  2:43 ` Hardware ANSI X9.31 PRNG, handling multiple context? Richard van Schagen
2020-01-09  5:13   ` Herbert Xu [this message]
