Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-14 Thread Herbert Xu
On Thu, Feb 14, 2019 at 09:54:47PM -0800, Eric Biggers wrote:
>
> Sure, but the bar shouldn't be so low that new implementations of insecure
> algorithms the world is moving away from are accepted without a real use case.
> We should be moving towards removing these algorithms instead.  The original DES
> is especially bad as it only has a 56-bit key.  I'd like to better understand
> if/why people claim to not only still need these algorithms in 2019, but also
> need brand new implementations of them.

If we're going to remove DES then we should remove all implementations
of it and not single out a single driver.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-14 Thread Eric Biggers
On Fri, Feb 15, 2019 at 01:24:42PM +0800, Herbert Xu wrote:
> On Wed, Feb 13, 2019 at 10:51:36AM -0800, Eric Biggers wrote:
> >
> > You are claiming you need DES-ECB, 3DES-ECB, *and* ARC4 for that?
> > 
> > Which one is it actually, if any?
> 
> Since these are existing algorithms in the crypto API and we're
> simply adding them to the driver I think the bar of acceptance
> is lower than if it were a completely new addition to the kernel.
> 
> Thanks,
> -- 
> Email: Herbert Xu 
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Sure, but the bar shouldn't be so low that new implementations of insecure
algorithms the world is moving away from are accepted without a real use case.
We should be moving towards removing these algorithms instead.  The original DES
is especially bad as it only has a 56-bit key.  I'd like to better understand
if/why people claim to not only still need these algorithms in 2019, but also
need brand new implementations of them.

- Eric


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-14 Thread Herbert Xu
On Wed, Feb 13, 2019 at 10:51:36AM -0800, Eric Biggers wrote:
>
> You are claiming you need DES-ECB, 3DES-ECB, *and* ARC4 for that?
> 
> Which one is it actually, if any?

Since these are existing algorithms in the crypto API and we're
simply adding them to the driver I think the bar of acceptance
is lower than if it were a completely new addition to the kernel.

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-14 Thread Herbert Xu
On Fri, Feb 08, 2019 at 03:50:06PM +0200, Iuliana Prodan wrote:
> This patch set adds ecb mode support for aes, des, 3des and arc4 ciphers.
> skcipher implementation is reused, making sure to handle the no IV case.
> 
> While here:
> -fix a DMA API issue where initial src/dst_nents are used instead of nents
> returned by dma_map_sg()
> -export arc4 defines in a common header
> -update cbc des and 3des to check for weak keys 
> 
> Iuliana Prodan (4):
>   crypto: caam - use mapped_{src,dst}_nents for job descriptor
>   crypto: export arc4 defines
>   crypto: caam - add ecb(*) support
>   crypto: caam - weak key checking for cbc des, 3des
> 
>  crypto/arc4.c  |   5 +-
>  drivers/crypto/bcm/cipher.h|   4 +-
>  drivers/crypto/caam/Kconfig|   1 +
>  drivers/crypto/caam/caamalg.c  | 215 -
>  drivers/crypto/caam/caamalg_desc.c |  18 ++--
>  drivers/crypto/caam/compat.h   |   1 +
>  include/crypto/arc4.h  |  13 +++
>  7 files changed, 195 insertions(+), 62 deletions(-)
>  create mode 100644 include/crypto/arc4.h

All applied.  Thanks.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-14 Thread Horia Geanta
On 2/8/2019 3:51 PM, Iuliana Prodan wrote:
> This patch set adds ecb mode support for aes, des, 3des and arc4 ciphers.
> skcipher implementation is reused, making sure to handle the no IV case.
> 
For the series:
Reviewed-by: Horia Geantă 

Thanks,
Horia


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-13 Thread Eric Biggers
On Wed, Feb 13, 2019 at 06:45:16PM +, Horia Geanta wrote:
> On 2/9/2019 11:52 PM, Eric Biggers wrote:
> > Do you have an actual use case for adding more DES, 3DES, and ARC4
> > implementations, or are you simply adding them because the hardware happens to
> > support it?  These old ciphers are insecure, so IMO more implementations should
> > only be added if there is a real use case where they're absolutely needed.
> > 
> One legit use case is PIN encryption in Point of Sale solution.
> 
> Horia

You are claiming you need DES-ECB, 3DES-ECB, *and* ARC4 for that?

Which one is it actually, if any?


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-13 Thread Horia Geanta
On 2/9/2019 11:52 PM, Eric Biggers wrote:
> Do you have an actual use case for adding more DES, 3DES, and ARC4
> implementations, or are you simply adding them because the hardware happens to
> support it?  These old ciphers are insecure, so IMO more implementations should
> only be added if there is a real use case where they're absolutely needed.
> 
One legit use case is PIN encryption in Point of Sale solution.

Horia


Re: [PATCH 0/4] crypto: caam - add ecb mode support

2019-02-09 Thread Eric Biggers
Hi Iuliana,

On Fri, Feb 08, 2019 at 03:50:06PM +0200, Iuliana Prodan wrote:
> This patch set adds ecb mode support for aes, des, 3des and arc4 ciphers.
> skcipher implementation is reused, making sure to handle the no IV case.
> 
> While here:
> -fix a DMA API issue where initial src/dst_nents are used instead of nents
> returned by dma_map_sg()
> -export arc4 defines in a common header
> -update cbc des and 3des to check for weak keys 
> 
> Iuliana Prodan (4):
>   crypto: caam - use mapped_{src,dst}_nents for job descriptor
>   crypto: export arc4 defines
>   crypto: caam - add ecb(*) support
>   crypto: caam - weak key checking for cbc des, 3des
> 

Do you have an actual use case for adding more DES, 3DES, and ARC4
implementations, or are you simply adding them because the hardware happens to
support it?  These old ciphers are insecure, so IMO more implementations should
only be added if there is a real use case where they're absolutely needed.

- Eric


[PATCH 0/4] crypto: caam - add ecb mode support

2019-02-08 Thread Iuliana Prodan
This patch set adds ecb mode support for aes, des, 3des and arc4 ciphers.
skcipher implementation is reused, making sure to handle the no IV case.

While here:
-fix a DMA API issue where initial src/dst_nents are used instead of nents
returned by dma_map_sg()
-export arc4 defines in a common header
-update cbc des and 3des to check for weak keys 

Iuliana Prodan (4):
  crypto: caam - use mapped_{src,dst}_nents for job descriptor
  crypto: export arc4 defines
  crypto: caam - add ecb(*) support
  crypto: caam - weak key checking for cbc des, 3des

 crypto/arc4.c  |   5 +-
 drivers/crypto/bcm/cipher.h|   4 +-
 drivers/crypto/caam/Kconfig|   1 +
 drivers/crypto/caam/caamalg.c  | 215 -
 drivers/crypto/caam/caamalg_desc.c |  18 ++--
 drivers/crypto/caam/compat.h   |   1 +
 include/crypto/arc4.h  |  13 +++
 7 files changed, 195 insertions(+), 62 deletions(-)
 create mode 100644 include/crypto/arc4.h

-- 
2.1.0
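
The cover letter above mentions weak key checking for cbc des and 3des. As an added illustration (not code from this patch series or from the kernel), the following C sketch shows what such a check typically covers: the four DES weak keys, compared with parity bits masked, and 3DES keys whose adjacent sub-keys match and therefore collapse to single DES. The function names are hypothetical and the sample keys are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DES_KEY_SIZE  8
#define DES3_KEY_SIZE 24

/* The four DES weak keys, written in their usual odd-parity form. */
static const uint8_t des_weak_keys[4][DES_KEY_SIZE] = {
    {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
    {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
    {0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
    {0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
};

/* DES ignores bit 0 (parity) of every key byte, so compare only the 56 key bits. */
static int des_key_equal_no_parity(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < DES_KEY_SIZE; i++)
        diff |= (uint8_t)((a[i] ^ b[i]) & 0xFE);
    return diff == 0;
}

/* Returns 1 if the key matches a weak key regardless of its parity bits. */
int des_key_is_weak(const uint8_t key[DES_KEY_SIZE])
{
    int weak = 0;
    for (size_t i = 0; i < 4; i++)
        weak |= des_key_equal_no_parity(key, des_weak_keys[i]);
    return weak;
}

/* Returns 1 if K1 == K2 or K2 == K3: encrypt-decrypt-encrypt then cancels
 * down to one DES operation with a 56-bit key. */
int des3_key_is_degenerate(const uint8_t key[DES3_KEY_SIZE])
{
    const uint8_t *k1 = key, *k2 = key + 8, *k3 = key + 16;
    return des_key_equal_no_parity(k1, k2) || des_key_equal_no_parity(k2, k3);
}

int main(void)
{
    const uint8_t zero[DES_KEY_SIZE] = {0};  /* constructed sample key */
    printf("all-zero DES key weak: %d\n", des_key_is_weak(zero));
    return 0;
}
```

The all-zero key is rejected even though it is not byte-identical to any table entry, because it differs from `01 01 ... 01` only in parity bits.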