From: Ard Biesheuvel <ardb@kernel.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org, keescook@chromium.org,
jason@zx2c4.com, herbert@gondor.apana.org.au,
Nikunj A Dadhania <nikunj@amd.com>
Subject: Re: [PATCH v2] crypto: gcmaes - Provide minimal library implementation
Date: Tue, 18 Oct 2022 15:52:49 +0200 [thread overview]
Message-ID: <CAMj1kXF9A4z=_XeT7F-4gVxz7zwgaTqYtoN9G36LSpK9Vr2CFQ@mail.gmail.com> (raw)
In-Reply-To: <Y02c4kfTIj4XZxNV@sol.localdomain>
On Mon, 17 Oct 2022 at 20:20, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Fri, Oct 14, 2022 at 12:47:13PM +0200, Ard Biesheuvel wrote:
> > Note that table based AES implementations are susceptible to known
> > plaintext timing attacks on the encryption key. The AES library already
> > attempts to mitigate this to some extent, but given that the counter
> > mode encryption used by GCM operates exclusively on known plaintext by
> > construction (the IV and therefore the initial counter value are known
> > to an attacker), let's take some extra care to mitigate this, by calling
> > the AES library with interrupts disabled.
>
> Note that crypto/gf128mul.c has no mitigations against timing attacks. I take
> it that is something that needs to be tolerated here?
>
Ah good point - I misremembered and thought that the 'slow' version
without the expanded key uses not table lookups at all.
I can add a patch to address this, it doesn't seem all that difficult
to remove the table lookups and data or key dependent conditionals.
> > diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h
> > index 9d7eff04f224..dfbc381df5ae 100644
> > --- a/include/crypto/gcm.h
> > +++ b/include/crypto/gcm.h
> > @@ -3,6 +3,9 @@
> >
> > #include <linux/errno.h>
> >
> > +#include <crypto/aes.h>
> > +#include <crypto/gf128mul.h>
> > +
> > #define GCM_AES_IV_SIZE 12
> > #define GCM_RFC4106_IV_SIZE 8
> > #define GCM_RFC4543_IV_SIZE 8
> > @@ -60,4 +63,67 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen)
> >
> > return 0;
> > }
> > +
> > +struct gcmaes_ctx {
> > + be128 ghash_key;
> > + struct crypto_aes_ctx aes_ctx;
> > + unsigned int authsize;
> > +};
> > +
> > +/**
> > + * gcmaes_expandkey - Expands the AES and GHASH keys for the GCM-AES key
> > + * schedule
> > + *
> > + * @ctx: The data structure that will hold the GCM-AES key schedule
> > + * @key: The AES encryption input key
> > + * @keysize: The length in bytes of the input key
> > + * @authsize: The size in bytes of the GCM authentication tag
> > + *
> > + * Returns 0 on success, or -EINVAL if @keysize or @authsize contain values
> > + * that are not permitted by the GCM specification.
> > + */
> > +int gcmaes_expandkey(struct gcmaes_ctx *ctx, const u8 *key,
> > + unsigned int keysize, unsigned int authsize);
>
> These comments are duplicated in the .c file too. They should be in just one
> place, probably the .c file since that approach is more common in the kernel.
>
OK
> Also, this seems to be intended to be a kerneldoc comment, but the return value
> isn't documented in the correct format. It needs to be "Return:". Try this:
>
> $ ./scripts/kernel-doc -v -none lib/crypto/gcmaes.c
> lib/crypto/gcmaes.c:35: info: Scanning doc for function gcmaes_expandkey
> lib/crypto/gcmaes.c:48: warning: No description found for return value of 'gcmaes_expandkey'
> lib/crypto/gcmaes.c:114: info: Scanning doc for function gcmaes_encrypt
> lib/crypto/gcmaes.c:142: info: Scanning doc for function gcmaes_decrypt
> lib/crypto/gcmaes.c:162: warning: No description found for return value of 'gcmaes_decrypt'
>
OK, will fix.
> > +config CRYPTO_LIB_GCMAES
> > + tristate
> > + select CRYPTO_GF128MUL
> > + select CRYPTO_LIB_AES
> > + select CRYPTO_LIB_UTILS
>
> Doesn't this mean that crypto/gf128mul.c needs to be moved into lib/crypto/?
>
Probably, I'll address that as well in v3.
Thanks,
Ard.
prev parent reply other threads:[~2022-10-18 13:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-14 10:47 [PATCH v2] crypto: gcmaes - Provide minimal library implementation Ard Biesheuvel
2022-10-17 18:20 ` Eric Biggers
2022-10-18 13:52 ` Ard Biesheuvel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMj1kXF9A4z=_XeT7F-4gVxz7zwgaTqYtoN9G36LSpK9Vr2CFQ@mail.gmail.com' \
--to=ardb@kernel.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jason@zx2c4.com \
--cc=keescook@chromium.org \
--cc=linux-crypto@vger.kernel.org \
--cc=nikunj@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).