lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 18 Sep 2017 11:04:55 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Stephan Mueller <smueller@...onox.de>
Cc:     "Jason A. Donenfeld" <Jason@...c4.com>,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org,
        dhowells@...hat.com, ebiggers3@...il.com,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Kirill Marinushkin <k.marinushkin@...il.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Ilhan Gurel <ilhan.gurel@...il.com>, security@...nel.org,
        stable@...r.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH v4] security/keys: rewrite all of
 big_key crypto

On Mon, Sep 18, 2017 at 10:49:56AM +0200, Stephan Mueller wrote:
> Am Samstag, 16. September 2017, 15:00:34 CEST schrieb Jason A. Donenfeld:
> 
> Hi Jason,
> 
> > This started out as just replacing the use of crypto/rng with
> > get_random_bytes_wait, 
> 
> This change is a challenge. The use of the kernel crypto API's DRNG has been 
> made to allow FIPS 140-2 compliance. Otherwise, the entire key generation 
> logic will not be using the right(TM) DRNG. Thus, I would not suggest to 
> replace that for a stable tree.

Why not?  What is the issue here, there is only one "DRNG" in the kernel
now (and probably for a long time...)

> Note, I am currently working on a pluggable DRNG apporach for /dev/random and 
> /dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG 
> API. It is ready and I will air that solution shortly. Yet, it needs work to 
> be integrated upstream (and approval from Ted Tso).

We don't postpone work for potential future patches that might or might
not ever happen or get merged.  That's how NetBSD died...

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ