[RFC] Using system libraries for crypto in samba

Stefan (metze) Metzmacher metze at samba.org
Tue Jun 2 04:00:10 MDT 2015

Hi Simo,

> during SambaXP we had some discussion about moving away from custom
> crypto code and toward using system provided crypto libraries instead.
> Aside from the burden of maintaining your own crypto one of the
> advantages of system libraries is auditing (against things like side
> channel attacks) and hardware acceleration (libraries like OpenSSL and
> GNUTLS/Nettle have AES-NI support for example).
> So I started looking in what it would take to provide a small shim layer
> in samba to access either library so that the choice is a compile time
> option.
> The top commit in this [1] branch has a Work In Progress implementation
> of such an interface (fully functional and with tests for OpenSSL).
> I have looked at both OpenSSL and GNUTLS to devise an interface that
> could abstract both, then actually implemented it for OpenSSL (which I
> knew would be the most challenging due to the much less cleaner
> interfaces) to see what could actually be done.

> CCM support in OpenSSL has some annoying restrictions (for example it
> can do only one-shot encryption/decryption, chunking is not supported),

Is this documented? Where do you see this limitation in the source?

> and I am not sure what will be required in GNUTLS as apparently CCM
> landed less than 6 months ago, and I do not have support for it even in
> F22 yet.
> Beyond the CCM oddities, one other thing that stands out is that current
> samba code uses in place encryption while these libraries always assume
> separate (but still statically-allocated buffers).

Where do you see that?
e.g. nettle's gcm_crypt() and openssl's CRYPTO_gcm128_encrypt()
seem to support dst == src.

> At least for GCM I do not think this would be a huge problem, but I'd
> like your opinions before I put any other effort into this.

I'd really to avoid malloc calls (even if they're hidden),
e.g. openssl's CRYPTO_gcm128_new() calls OPENSSL_malloc().
Do you know if this is used via the EVP abstraction?
Or is CRYPTO_gcm128_init used with a given structure?

I think we should also provide interfaces which could do chunked
updates of authentication data and payload including inplace
en/decryption everything else is a pain for the callers.

As the ccm and gcm code is written in C anyway I'm wondering if
we could just use the raw aes functions from the external crypto
library and use our own ccm and gcm code (at least as fallback).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150602/e72aaf8b/attachment.pgp>

More information about the samba-technical mailing list