CCM-AES Compatibility

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello list,

I hope it is ok to ask a question on how to use the crypto API in the Linux
kernel, even though the list appears to be mostly PATCH mails.

I am currently porting some code from Solaris kernel to Linux, which uses
"SUN_CKM_AES_CCM" mech, with ivsize of 12, and hmac computed of len 16.


Looking in tcrypt.c tester, which appears to be the only example that I can
find, I should be using AEAD. But I must admit I could not get my AEAD
example to work. My test code calls crypto_aead_encrypt() and I get -22
back (EINVAL).

http://www.lundman.net/ccm-aes-test.c

But, since ivsize is 16, and there are no API calls to change it to 12,
perhaps I will not be able to use the supplied ccm-aes? Is it a lost cause?
Will I be pasting in the entire AES sources that I need into my module?



Going over the Solaris sources, they appear to call regular AES, then call
the ccm_encrypt_final() function:

         * For CCM mode, aes_ccm_encrypt_final() will take care of any
         * left-over unprocessed data, and compute the MAC
	*/
        if (aes_ctx->ac_flags & CCM_MODE) {
                ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
                    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
}


Which makes me think that perhaps I can do the same on Linux. Ignore AEAD
(which I can not get to work) and use blkcipher "cbc(aes)" instead. Then
port in the ccm_encrypt_final() sources over, which calls final, and
computes the hmac. Could that work? Any examples?

I would very much appreciate some hints here,

Lund


ps. Some peculiarities that I came across are:

1) aead_request_set_assoc() takes a scatterlist *, and a length. And
scatterlist is a pointer, and length. Seems redundant, do I set both, or is
one ignored?

2) crypto_blkcipher_set_iv() takes a pointer and length, which implies you
can set the "ivsize", but length is only used in the iv copy. "->ivsize" is
not modified, and remains the original value. Is it useful to be able to
only partially set the iv?











-- 
Jorgen Lundman       | <lundman@xxxxxxxxxxx>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux