Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2365612imu; Sat, 12 Jan 2019 23:58:37 -0800 (PST) X-Google-Smtp-Source: ALg8bN4w0cb0/gbOPn/RIZp2enAheigRq8i+fZkg6tsIWPhJem9glBg5sLUykQ0e6QJcfFYTxCWj X-Received: by 2002:a17:902:2ac3:: with SMTP id j61mr21122719plb.185.1547366317647; Sat, 12 Jan 2019 23:58:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547366317; cv=none; d=google.com; s=arc-20160816; b=pdZLo0U2S1W5V4B5XiwVrxZ99kTU2NKCBKQKRBqQ/jk24SVPwv/Z65lVm4hVafnYQp IIzHiWI5MSsviqqpBFNORw8ot9GGCLf9XhJQCfqvNH540xdJVXQkgpyn0VbBTujmlyxi XK9EPYeSb1uTras7pZTN7GrTAHbtHRQReW1qqTIG0Fh0B4Ay7sFWzDWFBcbP8E86O5Bt 43uFoqHBXMlTt5QbVcanL0u0x2a57FZmHV/IknPojbGWt+vUA8T9KvngfoU0t7D5Rj1h zswz0yHqUy1c0bDW7jAUk+k4mx0fSUp/enCIpfAWZlXNxmeKujGl/V74L4m6FPaBWyHl Lsfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Kv7YpH7UFC824CoWKI87SXAHQztivulsiD1lK0fyIxk=; b=gYNhnD/XfB9I6uT5Egop4LX9l6XDvaHl3LelKKfdfceQjH/xjs9rFPfniaBY/fxhOD upOhoLJQVYvdPXGtf65Hs+F5XCFBG1HdLq4n3XvmTh0GF6082PoD0O7B4Ff6vNBfB7Zb GhU4w2oWqTG+porOFn+2vTyRnz8dsy3fA+nydT9SYfc6m8zyG3o0Bcu17bp8dk7t+TtG dUAhhfYC6tdTbDk3XHEmiSeEmBnDlWzp5/a5mnY7uOP6iZSGfKG00pHqaIoGEJFgf00G CvznQy1BV3eX6mh2i5YtvuqWftAE6xTQ6a1akPO1R/odi6auAhWVEMCHC7DSkFclg9OQ R1gA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=dKE4iCyq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z5si22066237pgh.469.2019.01.12.23.58.19; Sat, 12 Jan 2019 23:58:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=dKE4iCyq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726449AbfAMH5K (ORCPT + 99 others); Sun, 13 Jan 2019 02:57:10 -0500 Received: from mo4-p01-ob.smtp.rzone.de ([81.169.146.166]:30429 "EHLO mo4-p01-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726286AbfAMH5K (ORCPT ); Sun, 13 Jan 2019 02:57:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1547366227; s=strato-dkim-0002; d=chronox.de; h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=Kv7YpH7UFC824CoWKI87SXAHQztivulsiD1lK0fyIxk=; b=dKE4iCyqB3GN+dcsvbUBxfkJKJ//RymWMIehgSlP+45fou41JSNQ8T2H/+twCIGjf+ nQN5DkH9f4Tz7RByJTl8YiIigXNys/PazEJCT6kuzBpg1JsEJAr2U1m3q87FK/KaYtps pQFA1sP8v3/+VhAawdQ6fAwcYXsMC8V8+nU51uT4UmKanX8ROxupEUGcHMUpGlaVUM9u wNgbK5C0+1KZD9uKNi5hP7l2QhkqJnT2VjUSl3jxEfbSjH/902ZNuuIzTcuATBH/M5q0 15uSiPDFoGW0rF8VJYsDwOYobpjSEjPfZxyus7mVJyhKbFxgsyrpr2X5XEMmA1WragWu 9OJQ== X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9x2YdNp5Oujd4kpMBvCE=" X-RZG-CLASS-ID: mo00 Received: from positron.chronox.de by smtp.strato.de (RZmta 44.9 DYNA|AUTH) with ESMTPSA id 309bcfv0D7uXkgw (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate); Sun, 13 Jan 2019 08:56:33 +0100 (CET) From: Stephan =?ISO-8859-1?Q?M=FCller?= To: Herbert Xu Cc: Eric Biggers , James Bottomley , Andy Lutomirski , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn , Andy Lutomirski , linux-crypto@vger.kernel.org Subject: Re: [PATCH 4/6] crypto: hkdf - RFC5869 Key Derivation Function Date: Sun, 13 Jan 2019 08:56:32 +0100 Message-ID: <9795894.APlZEWIbOH@positron.chronox.de> In-Reply-To: <20190112095535.36rh3ptnrf7yxacv@gondor.apana.org.au> References: <20190103143227.9138-1-jlee@suse.com> <20190112051252.GA639@sol.localdomain> <20190112095535.36rh3ptnrf7yxacv@gondor.apana.org.au> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="iso-8859-1" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Samstag, 12. Januar 2019, 10:55:35 CET schrieb Herbert Xu: Hi Herbert, > On Fri, Jan 11, 2019 at 09:12:54PM -0800, Eric Biggers wrote: > > Hi Stephan, > >=20 > > On Fri, Jan 11, 2019 at 08:10:39PM +0100, Stephan M=FCller wrote: > > > The RFC5869 compliant Key Derivation Function is implemented as a > > > random number generator considering that it behaves like a determinis= tic > > > RNG. > >=20 > > Thanks for the proof of concept! I guess it ended up okay. But can you > > explain more the benefits of using the crypto_rng interface, as opposed > > to just some crypto_hkdf_*() helper functions that are exported for > > modules to use? > I agree. I see no benefit in adding this through the RNG API as > opposed to just providing it as a helper. If some form of hardware > acceleration were to eventuate in the future we could always revisit > this. The advantages for using the kernel crypto API to add KDFs as opposed to=20 adding helper wrappers are the following in my view: =2D employment of the kernel crypto API testmgr - invocation of the testmgr= is=20 transparent and thus already provided without any additional code to link t= o=20 it =2D FIPS 140-2 compliance: To mark a KDF as FIPS 140-2 approved cipher, it = must=20 be subject to a known-answer self test (implemented by the testmgr) as well= as=20 to an enforcement of the integrity check verification. In FIPS 140-2 mode, = the=20 kernel crypto API panic()s when a kernel crypto API module is loaded and it= s=20 signature does not check out. As this is only relevant for crypto modules (= and=20 not arbitrary other kernel modules), this is implemented with the invocatio= ns=20 the crypto_register_alg as well as crypto_register_template functions. Thus= ,=20 when using a wrapper code to implement the KDF, they can per definition not= be=20 =46IPS 140-2 approved. =2D The invoker of a KDF has one consistent API. This implies that the KDF= =20 selection now becomes more of a "configuration" choice. For example, when y= ou=20 look at the KDF use case for the keys subsystem (security/keys/dh.c),=20 selecting the type of KDF would only necessitate a change of a string=20 referencing the KDF. A lot of people somehow favor the extract-and-expand K= DFs=20 over the traditional KDFs. Now, that the RFC5869 HKDF is also approved as p= er=20 SP800-56A rev3, I could see that folks may want to switch to HKDF for the k= ey=20 management. When we have a common API, this choice could even be left to th= e=20 caller. The question may arise why to plug the KDFs into RNGs. The answer is quite= =20 simple: KDFs are a form of random number generator. In that they take some= =20 input for initialization (aka seed, salt, key, personalization string). The= n=20 they produce pseudo-random bit sequences of arbitrary length. Possibly the= =20 generation operation can be modified by providing some additional input to = be=20 used by the generation process (aka label, context, info string, additional= =20 information string). Thus, the RNG interface is a natural fit for the KDFs. Ciao Stephan