Page MenuHomeFreeBSD

Reject AES-GCM and AES-CCM sessions with per-op keys.
AbandonedPublic

Authored by jhb on Dec 30 2020, 12:49 AM.

Details

Reviewers
jmg
cem
Summary

The implementations of AES-GCM and AES-CCM in cryptosoft don't support
per-op keys (crp_cipher_key), so reject sessions that don't use a
static key for the session.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 35776
Build 32665: arc lint + arc unit

Event Timeline

cem added inline comments.
sys/opencrypto/cryptosoft.c
1276–1277

Maybe add a comment about this being an implementation limitation?

This revision is now accepted and ready to land.Dec 30 2020, 2:16 AM

Hmm, looking at xform_aes_icm.c, it seems that the key schedule can't be safely shared between operations regardless as the iv is stored in the context. What would really be nice would be to store the context on the stack, but otherwise, a per-session mutex should be used to protect the context. Getting a single session to use concurrent operations across threads seems hard, though if GELI ever used ccm or gcm perhaps that could happen. However, given that honoring crp_cipher_key wouldn't make the races "worse", I think it might be better to just add the simple change to support crp_cipher_key instead of this change.