Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752664AbbEDNQh (ORCPT ); Mon, 4 May 2015 09:16:37 -0400 Received: from mail-bn1bon0110.outbound.protection.outlook.com ([157.56.111.110]:18483 "EHLO na01-bn1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753348AbbEDNQS (ORCPT ); Mon, 4 May 2015 09:16:18 -0400 Authentication-Results: spf=fail (sender IP is 192.88.158.2) smtp.mailfrom=freescale.com; intel.com; dkim=none (message not signed) header.d=none; Message-ID: <55477111.2050803@freescale.com> Date: Mon, 4 May 2015 16:16:01 +0300 From: =?UTF-8?B?SG9yaWEgR2VhbnTEgw==?= User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Tadeusz Struk , CC: , , , , , , , , , , , , , , , Subject: Re: [PATCH RFC 0/2] crypto: Introduce Public Key Encryption API References: <20150430223647.10157.82156.stgit@tstruk-mobl1> In-Reply-To: <20150430223647.10157.82156.stgit@tstruk-mobl1> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:192.88.158.2;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(10019020)(979002)(6009001)(339900001)(199003)(479174004)(24454002)(377454003)(189002)(51704005)(6806004)(104016003)(5001770100001)(5001920100001)(4001350100001)(105606002)(120886001)(87936001)(47776003)(65956001)(65806001)(85182001)(106466001)(85426001)(5001960100002)(99136001)(62966003)(77156002)(50986999)(65816999)(87266999)(54356999)(86362001)(76176999)(83506001)(77096005)(117636001)(59896002)(23676002)(46102003)(92566002)(2950100001)(64126003)(50466002)(36756003)(62816006)(217873001)(969003)(989001)(999001)(1009001)(1019001);DIR:OUT;SFP:1102;SCL:1;SRVR:BY2PR03MB393;H:az84smr01.freescale.net;FPR:;SPF:Fail;MLV:ovrnspm;A:1;MX:1;PTR:InfoDomainNonexistent;LANG:en; X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB393; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(3002001);SRVR:BY2PR03MB393;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB393; X-Forefront-PRVS: 05669A7924 X-OriginatorOrg: freescale.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 May 2015 13:16:13.1157 (UTC) X-MS-Exchange-CrossTenant-Id: 710a03f5-10f6-4d38-9ff4-a80b81da590d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=710a03f5-10f6-4d38-9ff4-a80b81da590d;Ip=[192.88.158.2];Helo=[az84smr01.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB393 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2887 Lines: 66 On 5/1/2015 1:36 AM, Tadeusz Struk wrote: > This patch set introduces a Public Key Encryption API. > What is proposed is a new crypto type called crypto_pke_type > plus new struct pke_alg and struct pke_tfm together with number > of helper functions to register pke type algorithms and allocate > tfm instances. This is to make it similar to how the existing crypto > API works for the ablkcipher, ahash, and aead types. > The operations the new interface will allow to provide are: > > int (*sign)(struct pke_request *pkereq); > int (*verify)(struct pke_request *pkereq); > int (*encrypt)(struct pke_request *pkereq); > int (*decrypt)(struct pke_request *pkereq); Where would be the proper place for keygen operation? > > The benefits it gives comparing to the struct public_key_algorithm > interface are: > - drivers can add many implementations of RSA or DSA > algorithms and user will allocate instances (tfms) of these, base on > algorithm priority, in the same way as it is with the symmetric ciphers. > - the new interface allows for asynchronous implementations that > can use crypto hardware to offload the calculations to. > - integrating it with linux crypto api allows using all its benefits > i.e. managing algorithms using NETLINK_CRYPTO, monitoring implementations > using /proc/crypto. etc > > New helper functions have been added to allocate pke_tfm instances > and invoke the operations to make it easier to use. > For instance to verify a public_signature against a public_key using > the RSA algorithm a user would do: > > struct crypto_pke *tfm = crypto_alloc_pke("rsa", 0, 0); > struct pke_request *req = pke_request_alloc(tfm, GFP_KERNEL); > pke_request_set_crypt(req, pub_key, signature); > int ret = crypto_pke_verify(req); > pke_request_free(req); > crypto_free_pke(tfm); > return ret; > > Additionally existing public_key and rsa code have been reworked to > use the new interface for verifying signed modules. > As part of the rework the enum pkey_algo has been removed as the algorithm > to allocate will be indicated by a string - for instance "rsa" or "dsa", > similarly as it is with the symmetric algs e.g. "aes". > It will also make it easier to extend in the future when new algorithms > will be added. AFAICT algorithms currently map to primitives + encoding methods, which is not flexible. For e.g. current RSA implementation hardcodes the PKCS1-v1_5 encoding method, making it hard to add OAEP(+) etc. One solution would be to map algorithms to primitives only. Encoding methods need to be abstracted somehow, maybe using templates to wrap the algorithms. Regards, Horia -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/