CFR: AES-GCM and OpenCrypto work review

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Fri, 7 Nov 2014 20:23:00 -0800
Hello,

Over the last few months, I've been working on a project to add support
for AES-GCM and AES-CTR modes to our OpenCrypto framework.  The work is
sponsored by The FreeBSD Foundation and Netgate.

I plan on committing these patches early next week.  If you need more
time for review, please email me privately and I will make delay.

The code has already been reviewed by Watson Ladd (the software crypto
implementations) and Trevor Perrin (the aesni module part) and I have
integrated these changes into the patch.

There are two patches, one is the changes for OpenCrypto and the test
framework.  The other is the data files used by the test framework.
The data is from NIST's CAVP program, and is about 20MB worth of test
vectors.  (I just realized, should we look at compressing these on
disk?)

Main patch (192KB):
https://www.funkthat.com/~jmg/patches/aes.ipsec.5.patch

Data files (~20MB):
https://www.funkthat.com/~jmg/patches/aes.ipsec.5.testing.patch

A list of notable changes in the patch:
- Replacing crypto(4) w/ NetBSD's version + updates
- Lots of man page updates, including CIOCFINDDEV and crypto(7) which
  adds specifics about restrictions on the modes.
- Allow sane useage of both _HARDWARE and _SOFTWARE flags.
- Add a timing safe bcmp for MAC comparision.
- Add a software implementation of GCM that uses a four bit lookup
  table with parallelization.  This algorithm is possibly vulnerable to
  timing attacks, but best known mitigation methods are used.  Using
  a timing safe version is many times slower.
- Added a CRYPTDEB macro that defaults to off.
- Bring in some of OpenBSD's improvements to the OpenCrypto framework.
- If an mbuf passed to the aesni module is only one segment, don't do
  a copy.  This needs to be improved to support segmented buffers.
- Remove the CRYPTO_F_REL flag.  It was meaningless.  It was used but
  did not change any behavior.
- Add function crypto_mbuftoiov to convert an mbuf to an iov.  This
  also converts the software crypto to only use iov's even for a simple
  linear buffer, and so simplifies the processing.
- Add a dtrace probe for errors from the ioctl.
- Add the CIOCCRYPTAEAD ioctl that allows userland processing (testing)
  of AES-GCM and future AEAD modes.

Future improvements:
- Support IV's longer than 12 bytes for GCM.
- Make AES-NI support segmented buffers (iov or mbuf) so multisegmented
  inputs don't have to be copied.

I know there are more fixes and future improvements, but can't think of
them now.

Ermal (eri) has patches that enable AES-GCM (and I believe AES-CTR)
support for our IPsec.  Once these patches have been committed, I'll
work with him to integrate his patch.

Thanks.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
Received on Sat Nov 08 2014 - 03:23:03 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC