Hi Neil:
Why does the CPRNG select FIPS? It should work with FIPS off
too, no?
commit 27300176d75e4723e2125e745a98a77bf0133f72
Author: Herbert Xu <[email protected]>
Date: Fri Jun 19 20:32:58 2009 +0800
crypto: ansi_cprng - Do not select FIPS
The RNG should work with FIPS disabled.
Signed-off-by: Herbert Xu <[email protected]>
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4dfdd03..03ef1a9 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -782,7 +782,6 @@ config CRYPTO_ANSI_CPRNG
tristate "Pseudo Random Number Generation for Cryptographic modules"
select CRYPTO_AES
select CRYPTO_RNG
- select CRYPTO_FIPS
help
This option enables the generic pseudo random number generator
for cryptographic modules. Uses the Algorithm specified in
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Jun 19, 2009 at 08:34:00PM +0800, Herbert Xu wrote:
> Hi Neil:
>
> Why does the CPRNG select FIPS? It should work with FIPS off
> too, no?
>
Thanks! Thats definately an oversight. Likely I included it because I was
implementing it as part of the FIPS effort. The CPRNG definately works fine,
even if fips is disabled. Although I think the relationship should be reversed,
not just removed, as FIPS support requires the use of the CPRNG. Something like
this:
commit d9645d88d97e81c6528f311ee126df79a0d27501
Author: Neil Horman <[email protected]>
Date: Fri Jun 19 08:52:37 2009 -0400
Fix CPRNG/FIPS dependency
The ANSI CPRNG has no dependence on FIPS support. FIPS support however,
requires the use of the CPRNG. Adjust that depedency relationship in Kconfig
Signed-off-by: Neil Horman <[email protected]>
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4dfdd03..f2002d8 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,6 +23,7 @@ comment "Crypto core or helper"
config CRYPTO_FIPS
bool "FIPS 200 compliance"
+ select CRYPTO_ANSI_CPRNG
help
This options enables the fips boot option which is
required if you want to system to operate in a FIPS 200
@@ -782,7 +783,6 @@ config CRYPTO_ANSI_CPRNG
tristate "Pseudo Random Number Generation for Cryptographic modules"
select CRYPTO_AES
select CRYPTO_RNG
- select CRYPTO_FIPS
help
This option enables the generic pseudo random number generator
for cryptographic modules. Uses the Algorithm specified in
On Fri, Jun 19, 2009 at 08:55:00AM -0400, Neil Horman wrote:
>
> Thanks! Thats definately an oversight. Likely I included it because I was
> implementing it as part of the FIPS effort. The CPRNG definately works fine,
> even if fips is disabled. Although I think the relationship should be reversed,
> not just removed, as FIPS support requires the use of the CPRNG. Something like
> this:
Thanks, I'll add your patch on top.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Jun 19, 2009 at 08:55:00AM -0400, Neil Horman wrote:
>
> Thanks! Thats definately an oversight. Likely I included it because I was
> implementing it as part of the FIPS effort. The CPRNG definately works fine,
> even if fips is disabled. Although I think the relationship should be reversed,
> not just removed, as FIPS support requires the use of the CPRNG. Something like
> this:
>
>
> commit d9645d88d97e81c6528f311ee126df79a0d27501
> Author: Neil Horman <[email protected]>
> Date: Fri Jun 19 08:52:37 2009 -0400
>
> Fix CPRNG/FIPS dependency
>
> The ANSI CPRNG has no dependence on FIPS support. FIPS support however,
> requires the use of the CPRNG. Adjust that depedency relationship in Kconfig
>
> Signed-off-by: Neil Horman <[email protected]>
Hmm, I just noticed that all my crypto modules have been marked
as built-in again because of this patch.
As you're selecting a tristate from a bool, it causes CPRNG
and everything under it to be built-in.
I'm going to revert this patch.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, Aug 13, 2009 at 09:29:55PM +1000, Herbert Xu wrote:
> On Fri, Jun 19, 2009 at 08:55:00AM -0400, Neil Horman wrote:
> >
> > Thanks! Thats definately an oversight. Likely I included it because I was
> > implementing it as part of the FIPS effort. The CPRNG definately works fine,
> > even if fips is disabled. Although I think the relationship should be reversed,
> > not just removed, as FIPS support requires the use of the CPRNG. Something like
> > this:
> >
> >
> > commit d9645d88d97e81c6528f311ee126df79a0d27501
> > Author: Neil Horman <[email protected]>
> > Date: Fri Jun 19 08:52:37 2009 -0400
> >
> > Fix CPRNG/FIPS dependency
> >
> > The ANSI CPRNG has no dependence on FIPS support. FIPS support however,
> > requires the use of the CPRNG. Adjust that depedency relationship in Kconfig
> >
> > Signed-off-by: Neil Horman <[email protected]>
>
> Hmm, I just noticed that all my crypto modules have been marked
> as built-in again because of this patch.
>
> As you're selecting a tristate from a bool, it causes CPRNG
> and everything under it to be built-in.
>
> I'm going to revert this patch.
>
Is there a good way to select a tristate from a bool? The logic is the right
thing to do above, it just seems the mechanism comes up a bit short
Neil
> Cheers,
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, Aug 13, 2009 at 10:41:56AM -0400, Neil Horman wrote:
>
> Is there a good way to select a tristate from a bool? The logic is the right
> thing to do above, it just seems the mechanism comes up a bit short
I suppose you could turn FIPS itself into a tristate. As it
should be used in just one spot, that would be easy to fix up.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Aug 14, 2009 at 01:13:40PM +1000, Herbert Xu wrote:
> On Thu, Aug 13, 2009 at 10:41:56AM -0400, Neil Horman wrote:
> >
> > Is there a good way to select a tristate from a bool? The logic is the right
> > thing to do above, it just seems the mechanism comes up a bit short
>
> I suppose you could turn FIPS itself into a tristate. As it
> should be used in just one spot, that would be easy to fix up.
>
> Cheers,
Yeah, I suppose, it just seemed like a hack to me, since it really is a logical
boolean, and we use it as such. Ok, I'll look at fixing this soon. Thanks!
Neil
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Aug 14, 2009 at 06:58:29AM -0400, Neil Horman wrote:
>
> Yeah, I suppose, it just seemed like a hack to me, since it really is a logical
> boolean, and we use it as such. Ok, I'll look at fixing this soon. Thanks!
Well it wouldn't be the first time we had to hack around Kconfig
logic, just look at those *2 symbols in crypto/Kconfig :)
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Aug 14, 2009 at 09:13:55PM +1000, Herbert Xu wrote:
> On Fri, Aug 14, 2009 at 06:58:29AM -0400, Neil Horman wrote:
> >
> > Yeah, I suppose, it just seemed like a hack to me, since it really is a logical
> > boolean, and we use it as such. Ok, I'll look at fixing this soon. Thanks!
>
> Well it wouldn't be the first time we had to hack around Kconfig
> logic, just look at those *2 symbols in crypto/Kconfig :)
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
What about something like this? It defaults the CPRNG to m and makes FIPS
dependent on the CPRNG. That way you get a module build by default, but you can
change it to y manually during config and still satisfy the dependency, and if
you select N it disables FIPS as well. I rather like that better than making
FIPS a tristate. I just tested it out here and it seems to work well. Let me
know what you think
Neil
Signed-off-by: Neil Horman <[email protected]>
Kconfig | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 1db0995..7623442 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,11 +23,13 @@ comment "Crypto core or helper"
config CRYPTO_FIPS
bool "FIPS 200 compliance"
+ depends on CRYPTO_ANSI_CPRNG
help
This options enables the fips boot option which is
required if you want to system to operate in a FIPS 200
certification. You should say no unless you know what
- this is.
+ this is. Note that CRYPTO_ANSI_CPRNG is requred if this
+ option is selected
config CRYPTO_ALGAPI
tristate
@@ -787,12 +789,14 @@ comment "Random Number Generation"
config CRYPTO_ANSI_CPRNG
tristate "Pseudo Random Number Generation for Cryptographic modules"
+ default m
select CRYPTO_AES
select CRYPTO_RNG
help
This option enables the generic pseudo random number generator
for cryptographic modules. Uses the Algorithm specified in
- ANSI X9.31 A.2.4
+ ANSI X9.31 A.2.4. Not this option must be enabled if CRYPTO_FIPS
+ is selected
source "drivers/crypto/Kconfig"
On Fri, Aug 14, 2009 at 11:39:30AM -0400, Neil Horman wrote:
>
> What about something like this? It defaults the CPRNG to m and makes FIPS
> dependent on the CPRNG. That way you get a module build by default, but you can
> change it to y manually during config and still satisfy the dependency, and if
> you select N it disables FIPS as well. I rather like that better than making
> FIPS a tristate. I just tested it out here and it seems to work well. Let me
> know what you think
>
> Signed-off-by: Neil Horman <[email protected]>
Looks good to me. Patch applied.
Thanks Neil,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt