
ossl: Add AES-GCM implementation for ARMv7 NEON
Needs ReviewPublic

Authored by mkoz_semihalf.com on Thu, Nov 17, 2:51 PM.

Details

Reviewers
wma
mw
kd
jhb
Summary

Add a GCM implementation based on the OSSL source code.
The implementation uses dedicated NEON functions (gcm_init_neon,
gcm_ghash_neon, gcm_gmult_neon) provided in assembly code.
Works with a 128-bit key and a 16-byte tag.
Tested on armada388-clearfog with NIST's vector set.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

sys/crypto/openssl/ossl.c
160

style(9) wants to keep this blank line

sys/crypto/openssl/ossl_aes.c
61

Given the amount of modifications needed for GCM vs CBC compared to the duplication, I think it would be cleaner to have a separate ossl_aes_gcm and leave ossl_aes_cbc as-is. It's also worth it, I think, given the point is accelerated crypto, to avoid at least some branches that way by using dedicated functions for the different modes.

112

This will not work with stream ciphers like GCM where payloads are not a multiple of the block size.

163
166
167

Tag mismatches should fail with EBADMSG, not EINVAL.

Please remove the file mode change to tests/sys/opencrypto/runtests.sh.

sys/crypto/openssl/ossl.h
70

I'm not sure if we need the Htable to be this big.
Its main use case is to precompute different values of H, so that later we can calculate ghash on multiple blocks at the same time.
From what I can see gcm_init_neon uses only a single value of H, so uint128_t Htable[1]; should be sufficient.
With a smaller context we might not need to increase the kernel stack size. (D37441)
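The review points above, GHASH computed from a single H, a short final block that is zero-padded rather than rejected, and EBADMSG on a tag mismatch, as a portable C reference added here for illustration (not code from this review or from OpenSSL; the names gf128_mul, ghash_update, ghash and gcm_tag_verify are this example's own).

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* x*y in GF(2^128) with the GCM polynomial (SP 800-38D Alg. 1): a bit-serial
 * reference for what gcm_gmult_neon computes from a single H. z may alias x. */
static void gf128_mul(uint8_t z[16], const uint8_t x[16], const uint8_t y[16]) {
	uint8_t v[16], r[16] = {0};
	memcpy(v, y, 16);
	for (int i = 0; i < 128; i++) {
		if (x[i / 8] & (0x80 >> (i % 8)))
			for (int j = 0; j < 16; j++) r[j] ^= v[j];
		int lsb = v[15] & 1;	/* V >>= 1, then reduce by R = 0xe1 || 0^120 */
		for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
		v[0] = (uint8_t)((v[0] >> 1) ^ (lsb ? 0xe1 : 0));
	}
	memcpy(z, r, 16);
}
/* Absorb len bytes into accumulator y. A short final block is zero-padded, which
 * is how GHASH (and so GCM) handles payloads that are not a multiple of 16 bytes. */
static void ghash_update(uint8_t y[16], const uint8_t h[16], const uint8_t *p, size_t len) {
	while (len > 0) {
		size_t n = len < 16 ? len : 16;
		uint8_t blk[16] = {0};	/* zero-pad a short final block */
		memcpy(blk, p, n);
		for (int j = 0; j < 16; j++) y[j] ^= blk[j];
		gf128_mul(y, y, h);
		p += n; len -= n;
	}
}
/* GHASH_H(A, C): AAD, then ciphertext, then the 64-bit big-endian bit lengths. */
static void ghash(uint8_t out[16], const uint8_t h[16], const uint8_t *aad, size_t alen,
    const uint8_t *ct, size_t clen) {
	uint8_t lenblk[16];
	memset(out, 0, 16);
	ghash_update(out, h, aad, alen);
	ghash_update(out, h, ct, clen);
	for (int i = 0; i < 8; i++) {
		lenblk[i] = (uint8_t)(((uint64_t)alen * 8) >> (56 - 8 * i));
		lenblk[8 + i] = (uint8_t)(((uint64_t)clen * 8) >> (56 - 8 * i));
	}
	ghash_update(out, h, lenblk, 16);
}
/* Constant-time tag compare; a mismatch is an authentication failure: EBADMSG, not EINVAL. */
static int gcm_tag_verify(const uint8_t tag[16], const uint8_t expect[16]) {
	uint8_t d = 0;
	for (int i = 0; i < 16; i++) d |= tag[i] ^ expect[i];
	return d ? EBADMSG : 0;
}
```

With the published GCM spec test case 2 values (H = 66e94bd4ef8a2c3b884cfa59ca342b2e, C = 0388dace60b6a392f328c2b971b2fe78, no AAD) this yields GHASH f38cbb1ad69223dcc3457ae5b6b0f885, which serves as a known-answer check.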

Fix typo
Separate function for ossl_aes_cbc and ossl_aes_gcm
Revert tests/sys/opencrypto/runtests.sh
Change return EINVAL to EBADMSG
Decrease Htable size to single 128bit value

TODO: fix to work with stream ciphers