lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160906132557.GB9055@shodan.usersys.redhat.com>
Date:   Tue, 6 Sep 2016 15:25:57 +0200
From:   Artem Savkov <asavkov@...hat.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Kirill Marinushkin <k.marinushkin@...il.com>,
        paul.gortmaker@...driver.com, james.l.morris@...cle.com,
        keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] security/keys: make BIG_KEYS dependent on stdrng.

On Tue, Sep 06, 2016 at 02:11:56PM +0100, David Howells wrote:
> Artem Savkov <asavkov@...hat.com> wrote:
> 
> > > > -	select CRYPTO
> > > > +	depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)
> > > 
> > > Should those be "==" not "="?
> > 
> > Accodring to Documentation/kbuild/kconfig-language.txt (line 173) it is
> > "=" and I can only see "=" being used in existing Kconfigs.
> 
> Okay.  The other thing is that I have been given a conflicting patch (see
> below).  Is your fix preferable?
> 
> David
> ---
> commit 69ed34b303f87a1a53470dd37149ac1573d79da2
> Author: Kirill Marinushkin <k.marinushkin@...il.com>
> Date: Mon, 8 Aug 2016 23:19:32 +0200
> 
> KEYS: fix big_key dependency
> 
> Signed-off-by: Kirill Marinushkin <k.marinushkin@...il.com>
> cc: David Howells <dhowells@...hat.com>
> cc: Peter Hlavaty <zer0mem@...oo.com>
> cc: Greg KH <gregkh@...uxfoundation.org>
> cc: stable@...r.kernel.org
> ---
>  security/keys/Kconfig | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/keys/Kconfig b/security/keys/Kconfig
> index f826e87..8213221 100644
> --- a/security/keys/Kconfig
> +++ b/security/keys/Kconfig
> @@ -44,7 +44,7 @@ config BIG_KEYS
>  	select CRYPTO
>  	select CRYPTO_AES
>  	select CRYPTO_ECB
> -	select CRYPTO_RNG
> +	select CRYPTO_ANSI_CPRNG
>  	help
>  	  This option provides support for holding large keys within the kernel
>  	  (for example Kerberos ticket caches).  The data may be stored out to

I would argue that locking a user into a specific stdrng implementation
is not something that should be done when there are options available.

-- 
Regards,
  Artem

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ