Am Dienstag, 5. Juli 2016, 13:44:05 schrieb Ondrej Mosnáček: Hi Ondrej, > Hi, > > I'm trying to experimentally implement the GCM-SIV AEAD algorithm from > [1] for the Linux crypto API and I've ran into a problem... > > Basically, the encryption/decryption process starts by deriving a > so-called "record-encryption key" from the nonce (by encrypting it > using another key) and this key is then used to encrypt the plaintext > in CTR mode and to encrypt the final authentication tag (otherwise it > works similarly to GCM). I have not yet looked into [1], but it sounds like a specific GCM case, just like RFC4106 formatting. Did you consider the structure discussion in [4] and add a specific handler like the rfc4106() handler on top of GCM? [4] https://www.kernel.org/doc/htmldocs/crypto-API/ch02s07.html > > Since the API is asynchronous and multiple requests can be executed in > parallel over a single cipher handle (according to [2]), I need to > have a separate underlying cipher handle for each AEAD request. > > Now this is a problem, because aead_request has no init/destroy > mechanism where I could allocate/free the cipher handle, which means I > would have to do this inside the encrypt/decrypt function. AFAIK, > allocating with GFP_KERNEL inside encrypt/decrypt functions is > problematic, as they may be called from an atomic context. > > Besides, it seems that also the crypto_*_setkey functions are not > guaranteed to be atomic [3], and I will need to call such function > either way... OTOH, the CTR mode/AES driver should not really need to > allocate any memory there, so this may be tolerable... > > Does anyone have any ideas how to deal with this? > > BTW, for justification of deriving the key from the nonce see section > 9 of [1]. I don't really like the design decision, but there seems to > be no better way to achieve the same property... > > Thanks, > Ondrej Mosnáček > > [1] https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-01 > [2] https://www.kernel.org/doc/htmldocs/crypto-API/ch05s03.html > [3] https://www.spinics.net/lists/linux-crypto/msg17733.html > -- > To unsubscribe from this list: send the line "unsubscribe linux-crypto" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html