Date:	Fri, 26 Feb 2016 11:42:14 +0000
From:	David Howells <dhowells@...hat.com>
To:	Andrew Zaborowski <balrogg@...glemail.com>
Cc:	dhowells@...hat.com, Tadeusz Struk <tadeusz.struk@...el.com>,
	keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
	zohar@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org,
	Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto layer

Andrew Zaborowski <balrogg@...glemail.com> wrote:

> Without overhauling akcipher you could modify pkcs1pad so that sign
> takes the hash as input, adds the DER struct in front of it to build
> the signature, and the verify operation could at most check that the
> DER string matches the hash type and return the hash.  But I think
> RFC2437 suggests that you rather compare the signatures, not the
> hashes.

Whilst that is true about what RFC2437 shows, I wonder how strict it wants to
be about that rather than it just being a convenient way of describing the
algorithm.

The advantage of doing it the way the RFC suggests is that you get to use the
EMSA-PKCS1-V1_5-ENCODE operation twice, thereby saving code and only having
one place for bugs to occur instead of two - but you can argue this either
way.

That said, I would be okay with it returning just the message hash with the
padding stripped off, providing the padding is validated in the crypto layer,
if that's necessary.

David
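The two verify strategies weighed in the reply above, side by side, as an added example that is neither the kernel's pkcs1pad code nor from the thread: an EMSA-PKCS1-v1_5 encoder (SHA-256 only), a strict unpad that validates the padding and DigestInfo in the crypto layer and hands back just the hash, and the RFC's approach of running ENCODE a second time and comparing whole encoded messages. The function names, the SHA-256-only restriction and the fixed-size compare buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t sha256_prefix[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
/* EMSA-PKCS1-v1_5-ENCODE: EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || T.
 * Returns 0 on success, -1 if the hash length or emlen is unusable. */
int emsa_pkcs1_v15_encode(const uint8_t *hash, size_t hashlen, uint8_t *em, size_t emlen)
{
    size_t tlen = sizeof(sha256_prefix) + hashlen;
    if (hashlen != 32 || emlen < tlen + 11)
        return -1;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, emlen - tlen - 3);
    em[emlen - tlen - 1] = 0x00;
    memcpy(em + emlen - tlen, sha256_prefix, sizeof(sha256_prefix));
    memcpy(em + emlen - hashlen, hash, hashlen);
    return 0;
}

/* Alternative verify from the thread: validate padding and DigestInfo in the crypto
 * layer, then hand back only the message hash.  Returns 32, or -1 on any deviation. */
int emsa_pkcs1_v15_unpad(const uint8_t *em, size_t emlen, const uint8_t **hash)
{
    size_t i;
    if (emlen < sizeof(sha256_prefix) + 32 + 11 || em[0] != 0x00 || em[1] != 0x01)
        return -1;
    for (i = 2; i < emlen && em[i] == 0xff; i++)
        ;
    if (i < 10 || i >= emlen || em[i] != 0x00)  /* PS too short, or no 0x00 separator */
        return -1;
    i++;
    if (emlen - i != sizeof(sha256_prefix) + 32 ||
        memcmp(em + i, sha256_prefix, sizeof(sha256_prefix)) != 0)
        return -1;
    *hash = em + i + sizeof(sha256_prefix);
    return 32;
}

/* The RFC's way: re-run ENCODE on the expected hash and compare whole encoded messages. */
int emsa_pkcs1_v15_verify_by_compare(const uint8_t *em, size_t emlen, const uint8_t *hash, size_t hashlen)
{
    uint8_t expected[512];  /* room for a 4096-bit modulus (assumed upper bound) */
    if (emlen > sizeof(expected) || emsa_pkcs1_v15_encode(hash, hashlen, expected, emlen))
        return -1;
    return memcmp(em, expected, emlen) == 0 ? 0 : -1;
}
```

Both checks reject the same malformed encodings; the difference is only whether the caller receives the bare hash or a yes/no answer.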
