Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Stephan Müller
On Monday, 24 April 2017, 09:07:45 CEST, Gilad Ben-Yossef wrote: Hi Gilad, > I guess we could change the function to indicate that a key is valid > for decryption but not encryption > and have the implementation limiting based on that if there is an > interest in SP800-131A compliance. I

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Stephan Müller
On Monday, 24 April 2017, 09:04:13 CEST, Gilad Ben-Yossef wrote: Hi Gilad, > > Thank you for the clarification. As I think is obvious by now I am > not a FIPS expert by any stretch. > > Isn't the requirements on DRBG or KDF invocations pertain to key > generation only? > What happens if you

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Gilad Ben-Yossef
On Mon, Apr 24, 2017 at 9:16 AM, Stephan Müller wrote: > On Monday, 24 April 2017, 08:06:09 CEST, Gilad Ben-Yossef wrote: > > Hi Gilad, >> >> Well, it turns out there is and we do :-) >> >> This is from crypto/des_generic.c: >> >> /* >> * RFC2451: >> * >> * For

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Stephan Müller
On Monday, 24 April 2017, 08:16:50 CEST, Stephan Müller wrote: Hi Gilad, > > > > int __des3_ede_setkey(u32 *expkey, u32 *flags, const u8 *key, > > > > unsigned int keylen) > > > > However, this does not check that k1 == k3. In this case DES3 > > becomes 2DES (2-keys

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Stephan Müller
On Monday, 24 April 2017, 08:06:09 CEST, Gilad Ben-Yossef wrote: Hi Gilad, > > Well, it turns out there is and we do :-) > > This is from crypto/des_generic.c: > > /* > * RFC2451: > * > * For DES-EDE3, there is no known need to reject weak or > * complementation keys. Any weakness

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-24 Thread Gilad Ben-Yossef
On Sun, Apr 23, 2017 at 12:48 PM, Gilad Ben-Yossef wrote: > Hi, > > Thank you for the review. > > On Thu, Apr 20, 2017 at 4:39 PM, Stephan Müller wrote: > >>> +/* The function verifies that tdes keys are not weak.*/ >>> +static int

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-23 Thread Stephan Müller
On Sunday, 23 April 2017, 11:48:58 CEST, Gilad Ben-Yossef wrote: Hi Gilad, > I do wonder if there is value in alternate behavior of stopping crypto > API on FIPS error rather than a panic though. I will try to get an > explanation why we do it this way. In FIPS, all crypto function must

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-23 Thread Gilad Ben-Yossef
Hi, Thank you for the review. On Thu, Apr 20, 2017 at 4:39 PM, Stephan Müller wrote: >> +/* The function verifies that tdes keys are not weak.*/ >> +static int ssi_fips_verify_3des_keys(const u8 *key, unsigned int keylen) >> +{ >> +#ifdef CCREE_FIPS_SUPPORT >> +

Re: [PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-20 Thread Stephan Müller
On Thursday, 20 April 2017, 15:13:00 CEST, Gilad Ben-Yossef wrote: Hi Gilad, > +/* The function verifies that tdes keys are not weak.*/ > +static int ssi_fips_verify_3des_keys(const u8 *key, unsigned int keylen) > +{ > +#ifdef CCREE_FIPS_SUPPORT > +tdes_keys_t *tdes_key =

[PATCH v2 6/9] staging: ccree: add FIPS support

2017-04-20 Thread Gilad Ben-Yossef
Add FIPS mode support to CryptoCell driver Signed-off-by: Gilad Ben-Yossef --- drivers/staging/ccree/Kconfig |9 + drivers/staging/ccree/Makefile |1 + drivers/staging/ccree/ssi_aead.c|6 + drivers/staging/ccree/ssi_cipher.c |