On Tue, Sep 06, 2016 at 07:16:13PM +0100, David Howells wrote:
> Kirill Marinushkin <[email protected]> wrote:
>
> > IMO, the preferable fix depends on your future plan.
> > If you plan to continue using both ANSI X9.31 DRNG and DRBG - I agree with the
> > patch suggested by Artem Savkov.
> > If you plan to reduce using ANSI X9.31 DRNG and use DRBG more widely - I
> > suggest my patch.
>
> No such plans, TBH.
I agre with Kirill here, so if we are not trying to reduce ANSI X9.31
DRNG usage can we move on with the suggested patch, or are there any
issues with it that need addressing?
--
Regards,
Artem
Artem Savkov <[email protected]> wrote:
> > > IMO, the preferable fix depends on your future plan.
> > > If you plan to continue using both ANSI X9.31 DRNG and DRBG - I agree with the
> > > patch suggested by Artem Savkov.
> > > If you plan to reduce using ANSI X9.31 DRNG and use DRBG more widely - I
> > > suggest my patch.
> >
> > No such plans, TBH.
>
> I agre with Kirill here, so if we are not trying to reduce ANSI X9.31
> DRNG usage can we move on with the suggested patch, or are there any
> issues with it that need addressing?
Which suggested patch? One of Kirill's (there are at least two) or yours?
Note that we *also* need the "KEYS: Sort out big_key initialisation" patch -
just changing the Kconfig is not sufficient a fix in and of itself.
David
On Mon, Oct 24, 2016 at 03:50:54PM +0100, David Howells wrote:
> Artem Savkov <[email protected]> wrote:
>
> > > > IMO, the preferable fix depends on your future plan.
> > > > If you plan to continue using both ANSI X9.31 DRNG and DRBG - I agree with the
> > > > patch suggested by Artem Savkov.
> > > > If you plan to reduce using ANSI X9.31 DRNG and use DRBG more widely - I
> > > > suggest my patch.
> > >
> > > No such plans, TBH.
> >
> > I agre with Kirill here, so if we are not trying to reduce ANSI X9.31
> > DRNG usage can we move on with the suggested patch, or are there any
> > issues with it that need addressing?
>
> Which suggested patch? One of Kirill's (there are at least two) or yours?
I suggest mine, since it is more flexible.
> Note that we *also* need the "KEYS: Sort out big_key initialisation" patch -
> just changing the Kconfig is not sufficient a fix in and of itself.
Right, I see it also changes the Kconfig, so we might be better off with
v2 of "KEYS: Sort out big_key initialisation" with "depends on
(CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)" in Kconfig.
--
Regards,
Artem
Artem Savkov <[email protected]> wrote:
> > Which suggested patch? One of Kirill's (there are at least two) or yours?
>
> I suggest mine, since it is more flexible.
Fine by me.
> > Note that we *also* need the "KEYS: Sort out big_key initialisation" patch -
> > just changing the Kconfig is not sufficient a fix in and of itself.
>
> Right, I see it also changes the Kconfig
No, it doesn't. It only changes big_key.c
David