Page MenuHomeFreeBSD

cryptosoft: Fix support for variable tag lengths in AES-CCM.
ClosedPublic

Authored by jhb on Sep 24 2021, 6:05 PM.

Details

Summary

The tag length is included as one of the values in the flags byte of
block 0 passed to CBC_MAC, so merely copying the first N bytes is
insufficient.

To avoid adding more sideband data to the CBC MAC software context,
pull the generation of block 0, the AAD length, and AAD padding out of
cbc_mac.c and into cryptosoft.c. This matches how GCM/GMAC are
handled where the length block is constructed in cryptosoft.c and
passed as an input to the Update callback. As a result, the CBC MAC
Update() routine is now much simpler and simply performs the
XOR-and-encrypt step on each input block.

While here, avoid a copy to the staging block in the Update routine
when one or more full blocks are passed as input to the Update
callback.

Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jhb requested review of this revision.Sep 24 2021, 6:05 PM

Tested via the AES-CCM NIST KAT vectors.

sys/dev/cxgbe/crypto/t4_crypto.c
1898

These are duplicated only to mimic cryptosoft.c. I should probably change ccr at some point to allocate an internal software crypto session and feed requests into that rather than duplicating the code here.

sys/opencrypto/cryptosoft.c
639

It is might be worth exposing some variant of these functions publicly as ccr, aesni, and safexcel all have their own routines to build b0 and the AAD length words (not counting that ccr duplicates these exact functions again in its software fallback). Public versions could perhaps take the crp as an argument rather than all the broken out fields.

kithrup_mac.com added a subscriber: kithrup_mac.com.

I approve of simplifying my code.

This revision is now accepted and ready to land.Sep 27 2021, 9:47 PM