Re: [PATCH] crypto: gcm - Provide minimal library implementation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 10 Oct 2022 at 10:25, Nikunj A. Dadhania <nikunj@xxxxxxx> wrote:
>
>
>
> On 10/10/22 13:45, Ard Biesheuvel wrote:
> > On Mon, 10 Oct 2022 at 09:27, Nikunj A. Dadhania <nikunj@xxxxxxx> wrote:
> >>
> >> Hi Ard,
> >>
> >> On 07/10/22 20:51, Ard Biesheuvel wrote:
> >>> Implement a minimal library version of GCM based on the existing library
> >>> implementations of AES and multiplication in GF(2^128). Using these
> >>> primitives, GCM can be implemented in a straight-forward manner.
> >>>
> >>> GCM has a couple of sharp edges, i.e., the amount of input data
> >>> processed with the same initialization vector (IV) should be capped to
> >>> protect the counter from 32-bit rollover (or carry), and the size of the
> >>> authentication tag should be fixed for a given key. [0]
> >>>
> >>> The former concern is addressed trivially, given that the function call
> >>> API uses 32-bit signed types for the input lengths. It is still up to
> >>> the caller to avoid IV reuse in general, but this is not something we
> >>> can police at the implementation level.
> >>>
> >>> As for the latter concern, let's make the authentication tag size part
> >>> of the key schedule, and only permit it to be configured as part of the
> >>> key expansion routine.
> >>>
> >>> Note that table based AES implementations are susceptible to known
> >>> plaintext timing attacks on the encryption key. The AES library already
> >>> attempts to mitigate this to some extent, but given that the counter
> >>> mode encryption used by GCM operates exclusively on known plaintext by
> >>> construction (the IV and therefore the initial counter value are known
> >>> to an attacker), let's take some extra care to mitigate this, by calling
> >>> the AES library with interrupts disabled.
> >>>
> >>>
> >>> Cc: "Nikunj A. Dadhania" <nikunj@xxxxxxx>
> >>> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> >>> ---
...
> >> The gcm_mac computation seems to be broken in this version. When I receive the encrypted
> >> packet back from the security processor the authtag does not match. Will debug further
> >> and report back.
> >>
> >
> > Sorry to hear that. If you find out what's wrong, can you please
> > provide a test vector that reproduces it so we can add it to the list?
>
> My bad, it was wrong crypt_len that I was sending. Working fine now.
>
> Tested-by: Nikunj A Dadhania <nikunj@xxxxxxx>

OK, good to know - thanks.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux