Date:      Fri, 14 Nov 2014 03:52:39 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject:   Re: CFR: AES-GCM and OpenCrypto work review
Message-ID:  <54655257.8080705@yandex.ru>
In-Reply-To: <20141108042300.GA24601@funkthat.com>
References:  <20141108042300.GA24601@funkthat.com>

On 08.11.2014 07:23, John-Mark Gurney wrote:
> Hello,
>
> Over the last few months, I've been working on a project to add support
> for AES-GCM and AES-CTR modes to our OpenCrypto framework.  The work is
> sponsored by The FreeBSD Foundation and Netgate.
>
> I plan on committing these patches early next week.  If you need more
> time for review, please email me privately and I will delay.
>
> The code has already been reviewed by Watson Ladd (the software crypto
> implementations) and Trevor Perrin (the aesni module part) and I have
> integrated these changes into the patch.
>
> There are two patches, one is the changes for OpenCrypto and the test
> framework.  The other is the data files used by the test framework.
> The data is from NIST's CAVP program, and is about 20MB worth of test
> vectors.  (I just realized, should we look at compressing these on
> disk?)
>
> Main patch (192KB):
> https://www.funkthat.com/~jmg/patches/aes.ipsec.5.patch
>
> Data files (~20MB):
> https://www.funkthat.com/~jmg/patches/aes.ipsec.5.testing.patch
>
> A list of notable changes in the patch:
> - Replacing crypto(4) w/ NetBSD's version + updates
> - Lots of man page updates, including CIOCFINDDEV and crypto(7) which
>   adds specifics about restrictions on the modes.
> - Allow sane usage of both _HARDWARE and _SOFTWARE flags.
> - Add a timing safe bcmp for MAC comparison.
> - Add a software implementation of GCM that uses a four bit lookup
>   table with parallelization.  This algorithm is possibly vulnerable to
>   timing attacks, but best known mitigation methods are used.  Using
>   a timing safe version is many times slower.
> - Added a CRYPTDEB macro that defaults to off.
> - Bring in some of OpenBSD's improvements to the OpenCrypto framework.
> - If an mbuf passed to the aesni module is only one segment, don't do
>   a copy.  This needs to be improved to support segmented buffers.
> - Remove the CRYPTO_F_REL flag.  It was meaningless.  It was used but
>   did not change any behavior.
> - Add function crypto_mbuftoiov to convert an mbuf to an iov.  This
>   also converts the software crypto to only use iov's even for a simple
>   linear buffer, and so simplifies the processing.
> - Add a dtrace probe for errors from the ioctl.
> - Add the CIOCCRYPTAEAD ioctl that allows userland processing (testing)
>   of AES-GCM and future AEAD modes.
>
> Future improvements:
> - Support IV's longer than 12 bytes for GCM.
> - Make AES-NI support segmented buffers (iov or mbuf) so multisegmented
>   inputs don't have to be copied.
>
> I know there are more fixes and future improvements, but can't think of
> them now.

I tried your patch with my IPv4 forwarding test. When the aesni module is
loaded and aes-cbc is used, I see the `invalid outbound packets` counter
growing in `netstat -sp ipsec` output, and no packets are forwarded.
Also while testing I got a panic in aesni_encrypt_cbc().

Fatal trap 9: general protection fault while in kernel mode
cpuid = 4; apic id = 04
instruction pointer	= 0x20:0xffffffff80d05c43
stack pointer	        = 0x28:0xfffffe00003f7e70
frame pointer	        = 0x28:0xfffffe00003f7eb0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (irq286: ix0:que 4)

The backtrace:
#0  doadump (textdump=276160512) at pcpu.h:219
#1  0xffffffff80355525 in db_fncall (dummy1=<value optimized out>,
dummy2=<value optimized out>, dummy3=<value optimized out>,
dummy4=<value optimized out>)
    at /usr/src/sys/ddb/db_command.c:568
#2  0xffffffff8035520d in db_command (cmd_table=0x0) at
/usr/src/sys/ddb/db_command.c:440
#3  0xffffffff80354f84 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:493
#4  0xffffffff80357980 in db_trap (type=<value optimized out>, code=0)
at /usr/src/sys/ddb/db_main.c:251
#5  0xffffffff8095c641 in kdb_trap (type=9, code=0, tf=<value optimized
out>) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80d1edcc in trap_fatal (frame=0xfffffe00003f7dc0,
eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:861
#7  0xffffffff80d1ea6e in trap (frame=<value optimized out>) at
/usr/src/sys/amd64/amd64/trap.c:201
#8  0xffffffff80d04092 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:231
#9  0xffffffff80d05c43 in fpudna () at /usr/src/sys/amd64/amd64/fpu.c:85
#10 0xffffffff80d1e7ae in trap (frame=<value optimized out>) at
/usr/src/sys/amd64/amd64/trap.c:432
#11 0xffffffff80d04092 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:231
#12 0xffffffff8202f96e in aesni_encrypt_cbc (rounds=10,
key_schedule=0xfffff8005603d400, len=3, from=0xfffff8013b0de65a "E",
to=0xfffff8013b0de65a "E",
    iv=0xfffff8005603d6d0 "�#��8�:n�\r��\f���\v") at
/usr/src/sys/modules/aesni/../../crypto/aesni/aesni_wrap.c:63
#13 0xffffffff820318d0 in aesni_process (dev=<value optimized out>,
crp=0xfffff80109f7bc08, hint=<value optimized out>)
    at /usr/src/sys/modules/aesni/../../crypto/aesni/aesni.c:535
#14 0xffffffff80b170e9 in crypto_dispatch (crp=0xfffff80109f7bc08) at
/usr/src/sys/opencrypto/crypto.c:807
#15 0xffffffff80b076d6 in esp_output (m=<value optimized out>,
isr=<value optimized out>, mp=0x3, skip=<value optimized out>,
protoff=<value optimized out>)
    at /usr/src/sys/netipsec/xform_esp.c:905
#16 0xffffffff80af7457 in ipsec4_process_packet (m=0xfffff8013b0de600,
isr=<value optimized out>, flags=<value optimized out>,
tunalready=<value optimized out>)
    at /usr/src/sys/netipsec/ipsec_output.c:594
#17 0xffffffff80a4a0db in ip_ipsec_output (m=<value optimized out>,
inp=<value optimized out>, flags=0xfffffe00003f8494,
error=0xfffffe00003f8490)
    at /usr/src/sys/netinet/ip_ipsec.c:332
#18 0xffffffff80a4b6b9 in ip_output (m=0xfffff8013b0de600, opt=<value
optimized out>, flags=1, imo=<value optimized out>, inp=0x0)
    at /usr/src/sys/netinet/ip_output.c:476
#19 0xffffffff80a485eb in ip_forward (m=0xfffff8013b0de600, srcrt=<value
optimized out>) at /usr/src/sys/netinet/ip_input.c:1571
#20 0xffffffff80a4825e in ip_input (m=0xfffff8013b0de600) at
/usr/src/sys/netinet/ip_input.c:754
#21 0xffffffff809e7be1 in netisr_dispatch_src (proto=<value optimized
out>, source=<value optimized out>, m=0xfffff8013b0de65a) at
/usr/src/sys/net/netisr.c:968
#22 0xffffffff809dfb53 in ether_demux (ifp=<value optimized out>,
m=0xfffff8013b0de600) at /usr/src/sys/net/if_ethersubr.c:766
#23 0xffffffff809e0758 in ether_nh_input (m=<value optimized out>) at
/usr/src/sys/net/if_ethersubr.c:573
#24 0xffffffff809e7be1 in netisr_dispatch_src (proto=<value optimized
out>, source=<value optimized out>, m=0xfffff8013b0de65a) at
/usr/src/sys/net/netisr.c:968
#25 0xffffffff809dfdb6 in ether_input (ifp=<value optimized out>, m=0x0)
at /usr/src/sys/net/if_ethersubr.c:674
#26 0xffffffff809e55e5 in vlan_input (ifp=0xfffff8000ef3e800, m=<value
optimized out>) at /usr/src/sys/net/if_vlan.c:1239
#27 0xffffffff809dfac4 in ether_demux (ifp=0xfffff8000ef3e800,
m=0xfffff8013b0de600) at /usr/src/sys/net/if_ethersubr.c:717
#28 0xffffffff809e0758 in ether_nh_input (m=<value optimized out>) at
/usr/src/sys/net/if_ethersubr.c:573
#29 0xffffffff809e7be1 in netisr_dispatch_src (proto=<value optimized
out>, source=<value optimized out>, m=0xfffff8013b0de65a) at
/usr/src/sys/net/netisr.c:968
#30 0xffffffff809dfdb6 in ether_input (ifp=<value optimized out>, m=0x0)
at /usr/src/sys/net/if_ethersubr.c:674
#31 0xffffffff8059f303 in ixgbe_rxeof (que=0xfffff8000ef5c1a0) at
/usr/src/sys/dev/ixgbe/ixgbe.c:4530


> Ermal (eri) has patches that enable AES-GCM (and I believe AES-CTR)
> support for our IPsec.  Once these patches have been committed, I'll
> work with him to integrate his patch.


-- 
WBR, Andrey V. Elsukov
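The change list quoted above mentions adding a "timing safe bcmp for MAC comparison". The block below is an added example written for this page to show what that means in practice; it is not code from the FreeBSD patch or from either correspondent. The names naive_bcmp, ct_bcmp and mac_verify and the sample tag bytes are invented for the illustration. It places the early-exit comparison (whose running time depends on how many leading bytes of the supplied tag already match) next to a comparison that visits every byte and accumulates the differences without a data-dependent branch.

```c
/*
 * Added example (not part of the FreeBSD patch or this thread):
 * a timing-safe byte comparison for authentication-tag checks,
 * shown beside the naive early-exit version for contrast.
 * All function names and sample data here are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Naive comparison: returns at the first mismatching byte, so the
 * time taken varies with the position of the first difference.
 * Kept only to contrast with ct_bcmp() below.
 */
int
naive_bcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *p = a, *q = b;
	size_t i;

	for (i = 0; i < len; i++)
		if (p[i] != q[i])
			return (1);
	return (0);
}

/*
 * Timing-safe comparison: always touches every byte and ORs the XOR of
 * each pair into one accumulator, so there is no branch that depends on
 * the data.  The volatile qualifiers discourage the compiler from
 * turning the loop back into an early exit.  Returns 0 when equal and
 * non-zero otherwise; the non-zero value says nothing about where the
 * bytes differed.
 */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const volatile unsigned char *p = a, *q = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= p[i] ^ q[i];
	return (acc != 0);
}

/*
 * Verify a received tag against the locally computed one.  The tag
 * length is fixed by the mode and is public, so checking it with an
 * ordinary branch leaks nothing; only the contents need constant-time
 * handling.  Returns 1 on match, 0 on mismatch.
 */
int
mac_verify(const uint8_t *computed, const uint8_t *received,
    size_t computed_len, size_t received_len)
{
	if (computed_len != received_len)
		return (0);
	return (ct_bcmp(computed, received, computed_len) == 0);
}

/* Constructed 16-byte sample tags (not real MAC output). */
const uint8_t sample_tag[16] = {
	0x3a, 0x7f, 0x11, 0xc2, 0x90, 0x0d, 0x5e, 0xe1,
	0x44, 0xb8, 0x2c, 0x67, 0xf0, 0x19, 0xad, 0x73
};
const uint8_t sample_tag_copy[16] = {
	0x3a, 0x7f, 0x11, 0xc2, 0x90, 0x0d, 0x5e, 0xe1,
	0x44, 0xb8, 0x2c, 0x67, 0xf0, 0x19, 0xad, 0x73
};
/* Differs from sample_tag only in the final byte. */
const uint8_t sample_tag_bad[16] = {
	0x3a, 0x7f, 0x11, 0xc2, 0x90, 0x0d, 0x5e, 0xe1,
	0x44, 0xb8, 0x2c, 0x67, 0xf0, 0x19, 0xad, 0x72
};

int
main(void)
{
	printf("good tag verifies: %d\n",
	    mac_verify(sample_tag, sample_tag_copy, 16, 16));
	printf("bad tag verifies:  %d\n",
	    mac_verify(sample_tag, sample_tag_bad, 16, 16));
	printf("short tag verifies: %d\n",
	    mac_verify(sample_tag, sample_tag_copy, 16, 12));
	return (0);
}
```

In a kernel the same function shape is what FreeBSD and OpenBSD expose as timingsafe_bcmp(); the point of using it for ESP or GCM tag checks is that a forged packet is rejected in the same amount of time whether its tag is wrong in the first byte or the last.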

