From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 00:53:16 2014
Message-ID: <54655257.8080705@yandex.ru>
Date: Fri, 14 Nov 2014 03:52:39 +0300
From: "Andrey V. Elsukov"
To: freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject: Re: CFR: AES-GCM and OpenCrypto work review
References: <20141108042300.GA24601@funkthat.com>
In-Reply-To: <20141108042300.GA24601@funkthat.com>

On 08.11.2014 07:23, John-Mark Gurney wrote:
> Hello,
> 
> Over the last few months, I've been working on a project to add support
> for AES-GCM and AES-CTR modes to our OpenCrypto framework. The work is
> sponsored by The FreeBSD Foundation and Netgate.
> 
> I plan on committing these patches early next week. If you need more
> time for review, please email me privately and I will delay.
> 
> The code has already been reviewed by Watson Ladd (the software crypto
> implementations) and Trevor Perrin (the aesni module part) and I have
> integrated these changes into the patch.
> 
> There are two patches, one is the changes for OpenCrypto and the test
> framework. The other is the data files used by the test framework.
> The data is from NIST's CAVP program, and is about 20MB worth of test
> vectors. (I just realized, should we look at compressing these on
> disk?)
> 
> Main patch (192KB):
> https://www.funkthat.com/~jmg/patches/aes.ipsec.5.patch
> 
> Data files (~20MB):
> https://www.funkthat.com/~jmg/patches/aes.ipsec.5.testing.patch
> 
> A list of notable changes in the patch:
> - Replacing crypto(4) w/ NetBSD's version + updates
> - Lots of man page updates, including CIOCFINDDEV and crypto(7) which
>   adds specifics about restrictions on the modes.
> - Allow sane usage of both _HARDWARE and _SOFTWARE flags.
> - Add a timing safe bcmp for MAC comparison.
> - Add a software implementation of GCM that uses a four bit lookup
>   table with parallelization. This algorithm is possibly vulnerable to
>   timing attacks, but best known mitigation methods are used. Using
>   a timing safe version is many times slower.
> - Added a CRYPTDEB macro that defaults to off.
> - Bring in some of OpenBSD's improvements to the OpenCrypto framework.
> - If an mbuf passed to the aesni module is only one segment, don't do
>   a copy. This needs to be improved to support segmented buffers.
> - Remove the CRYPTO_F_REL flag. It was meaningless. It was used but
>   did not change any behavior.
> - Add function crypto_mbuftoiov to convert an mbuf to an iov. This
>   also converts the software crypto to only use iovs even for a simple
>   linear buffer, and so simplifies the processing.
> - Add a dtrace probe for errors from the ioctl.
> - Add the CIOCCRYPTAEAD ioctl that allows userland processing (testing)
>   of AES-GCM and future AEAD modes.
> 
> Future improvements:
> - Support IVs longer than 12 bytes for GCM.
> - Make AES-NI support segmented buffers (iov or mbuf) so multisegmented
>   inputs don't have to be copied.
> 
> I know there are more fixes and future improvements, but can't think of
> them now.

I tried your patch with my IPv4 forwarding test. When the aesni module is
loaded and aes-cbc is used, I see the `invalid outbound packets` counter
in the `netstat -sp ipsec` output growing, and no packets are forwarded.
Also while testing I got a panic in aesni_encrypt_cbc().

Fatal trap 9: general protection fault while in kernel mode
cpuid = 4; apic id = 04
instruction pointer = 0x20:0xffffffff80d05c43
stack pointer       = 0x28:0xfffffe00003f7e70
frame pointer       = 0x28:0xfffffe00003f7eb0
code segment        = base 0x0, limit 0xfffff, type 0x1b
                    = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process     = 12 (irq286: ix0:que 4)

The backtrace:

#0  doadump (textdump=276160512) at pcpu.h:219
#1  0xffffffff80355525 in db_fncall (dummy1=, dummy2=, dummy3=, dummy4=) at /usr/src/sys/ddb/db_command.c:568
#2  0xffffffff8035520d in db_command (cmd_table=0x0) at /usr/src/sys/ddb/db_command.c:440
#3  0xffffffff80354f84 in db_command_loop () at /usr/src/sys/ddb/db_command.c:493
#4  0xffffffff80357980 in db_trap (type=, code=0) at /usr/src/sys/ddb/db_main.c:251
#5  0xffffffff8095c641 in kdb_trap (type=9, code=0, tf=) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80d1edcc in trap_fatal (frame=0xfffffe00003f7dc0, eva=) at /usr/src/sys/amd64/amd64/trap.c:861
#7  0xffffffff80d1ea6e in trap (frame=) at /usr/src/sys/amd64/amd64/trap.c:201
#8  0xffffffff80d04092 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:231
#9  0xffffffff80d05c43 in fpudna () at /usr/src/sys/amd64/amd64/fpu.c:85
#10 0xffffffff80d1e7ae in trap (frame=) at /usr/src/sys/amd64/amd64/trap.c:432
#11 0xffffffff80d04092 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:231
#12 0xffffffff8202f96e in aesni_encrypt_cbc (rounds=10, key_schedule=0xfffff8005603d400, len=3, from=0xfffff8013b0de65a "E", to=0xfffff8013b0de65a "E", iv=0xfffff8005603d6d0 "�#��8�:n�\r��\f���\v") at /usr/src/sys/modules/aesni/../../crypto/aesni/aesni_wrap.c:63
#13 0xffffffff820318d0 in aesni_process (dev=, crp=0xfffff80109f7bc08, hint=) at /usr/src/sys/modules/aesni/../../crypto/aesni/aesni.c:535
#14 0xffffffff80b170e9 in crypto_dispatch (crp=0xfffff80109f7bc08) at /usr/src/sys/opencrypto/crypto.c:807
#15 0xffffffff80b076d6 in esp_output (m=, isr=, mp=0x3, skip=, protoff=) at /usr/src/sys/netipsec/xform_esp.c:905
#16 0xffffffff80af7457 in ipsec4_process_packet (m=0xfffff8013b0de600, isr=, flags=, tunalready=) at /usr/src/sys/netipsec/ipsec_output.c:594
#17 0xffffffff80a4a0db in ip_ipsec_output (m=, inp=, flags=0xfffffe00003f8494, error=0xfffffe00003f8490) at /usr/src/sys/netinet/ip_ipsec.c:332
#18 0xffffffff80a4b6b9 in ip_output (m=0xfffff8013b0de600, opt=, flags=1, imo=, inp=0x0) at /usr/src/sys/netinet/ip_output.c:476
#19 0xffffffff80a485eb in ip_forward (m=0xfffff8013b0de600, srcrt=) at /usr/src/sys/netinet/ip_input.c:1571
#20 0xffffffff80a4825e in ip_input (m=0xfffff8013b0de600) at /usr/src/sys/netinet/ip_input.c:754
#21 0xffffffff809e7be1 in netisr_dispatch_src (proto=, source=, m=0xfffff8013b0de65a) at /usr/src/sys/net/netisr.c:968
#22 0xffffffff809dfb53 in ether_demux (ifp=, m=0xfffff8013b0de600) at /usr/src/sys/net/if_ethersubr.c:766
#23 0xffffffff809e0758 in ether_nh_input (m=) at /usr/src/sys/net/if_ethersubr.c:573
#24 0xffffffff809e7be1 in netisr_dispatch_src (proto=, source=, m=0xfffff8013b0de65a) at /usr/src/sys/net/netisr.c:968
#25 0xffffffff809dfdb6 in ether_input (ifp=, m=0x0) at /usr/src/sys/net/if_ethersubr.c:674
#26 0xffffffff809e55e5 in vlan_input (ifp=0xfffff8000ef3e800, m=) at /usr/src/sys/net/if_vlan.c:1239
#27 0xffffffff809dfac4 in ether_demux (ifp=0xfffff8000ef3e800, m=0xfffff8013b0de600) at /usr/src/sys/net/if_ethersubr.c:717
#28 0xffffffff809e0758 in ether_nh_input (m=) at /usr/src/sys/net/if_ethersubr.c:573
#29 0xffffffff809e7be1 in netisr_dispatch_src (proto=, source=, m=0xfffff8013b0de65a) at /usr/src/sys/net/netisr.c:968
#30 0xffffffff809dfdb6 in ether_input (ifp=, m=0x0) at /usr/src/sys/net/if_ethersubr.c:674
#31 0xffffffff8059f303 in ixgbe_rxeof (que=0xfffff8000ef5c1a0) at /usr/src/sys/dev/ixgbe/ixgbe.c:4530

> Ermal (eri) has patches that enable AES-GCM (and I believe AES-CTR)
> support for our IPsec. Once these patches have been committed, I'll
> work with him to integrate his patch.

-- 
WBR, Andrey V. Elsukov
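As an added illustration of the "timing safe bcmp for MAC comparison" item in the quoted change list (example code written for this archive page, not the patch's own routine or any FreeBSD code; the OpenBSD-style name and signature of timingsafe_bcmp are assumed), the early-exit compare is shown next to the timing-safe one, with a byte counter standing in for elapsed time:

```c
#include <stddef.h>
#include <string.h>

#define AEAD_TAGLEN 16	/* length of the constructed sample tag below */

/* Early-exit compare, the behaviour memcmp/bcmp may have: it returns at the
 * first differing byte, so its running time tells an observer how long the
 * matching prefix of a guessed tag is.  *visited counts the bytes read. */
int bcmp_early_exit(const void *b1, const void *b2, size_t n, size_t *visited)
{
	const unsigned char *p1 = b1, *p2 = b2;
	for (size_t i = 0; i < n; i++) {
		if (p1[i] != p2[i]) {
			*visited = i + 1;
			return 1;
		}
	}
	*visited = n;
	return 0;
}

/* Timing-safe compare (OpenBSD-style interface, assumed here): reads every
 * byte and ORs the differences together, so the work depends only on n.
 * Returns 0 if the buffers are equal, nonzero otherwise; this is the form a
 * MAC/tag check on the decrypt path needs. */
int timingsafe_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char diff = 0;
	for (size_t i = 0; i < n; i++)
		diff |= p1[i] ^ p2[i];
	return diff != 0;
}

/* Constructed sample tag, not a real MAC. */
static const unsigned char sample_tag[AEAD_TAGLEN] = { 0x3a, 0x91, 0x7f, 0x02,
	0xd4, 0x55, 0x8c, 0xe1, 0x10, 0xbb, 0x67, 0x29, 0xf3, 0x4e, 0xa8, 0x0d };

/* Corrupt byte 'pos' of a copy of the sample tag and report how many bytes
 * the early-exit compare reads before it returns; the timing-safe compare
 * always reads all AEAD_TAGLEN bytes whatever 'pos' is. */
size_t early_exit_bytes_read(size_t pos)
{
	unsigned char guess[AEAD_TAGLEN];
	size_t visited;
	memcpy(guess, sample_tag, AEAD_TAGLEN);
	guess[pos] ^= 0xff;
	(void)bcmp_early_exit(sample_tag, guess, AEAD_TAGLEN, &visited);
	return visited;
}
```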