[RFC] Using system libraries for crypto in samba
Stefan (metze) Metzmacher
metze at samba.org
Tue Jun 2 04:00:10 MDT 2015
> during SambaXP we had some discussion about moving away from custom
> crypto code and toward using system provided crypto libraries instead.
> Aside from the burden of maintaining your own crypto one of the
> advantages of system libraries is auditing (against things like side
> channel attacks) and hardware acceleration (libraries like OpenSSL and
> GNUTLS/Nettle have AES-NI support for example).
> So I started looking in what it would take to provide a small shim layer
> in samba to access either library so that the choice is a compile time
> The top commit in this branch has a Work In Progress implementation
> of such an interface (fully functional and with tests for OpenSSL).
> I have looked at both OpenSSL and GNUTLS to devise an interface that
> could abstract both, then actually implemented it for OpenSSL (which I
> knew would be the most challenging due to the much less clean
> interfaces) to see what could actually be done.
> CCM support in OpenSSL has some annoying restrictions (for example it
> can do only one-shot encryption/decryption, chunking is not supported),
Is this documented? Where do you see this limitation in the source?
> and I am not sure what will be required in GNUTLS as apparently CCM
> landed less than 6 months ago, and I do not have support for it even in
> F22 yet.
> Beyond the CCM oddities, one other thing that stands out is that current
> samba code uses in place encryption while these libraries always assume
> separate (but still statically-allocated buffers).
Where do you see that?
e.g. nettle's gcm_crypt() and openssl's CRYPTO_gcm128_encrypt()
seem to support dst == src.
> At least for GCM I do not think this would be a huge problem, but I'd
> like your opinions before I put any other effort into this.
I'd really like to avoid malloc calls (even if they're hidden),
e.g. openssl's CRYPTO_gcm128_new() calls OPENSSL_malloc().
Do you know if this is used via the EVP abstraction?
Or is CRYPTO_gcm128_init used with a given structure?
I think we should also provide interfaces which could do chunked
updates of authentication data and payload, including in-place
en/decryption; everything else is a pain for the callers.
As the ccm and gcm code is written in C anyway I'm wondering if
we could just use the raw aes functions from the external crypto
library and use our own ccm and gcm code (at least as fallback).
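Added illustration, not code from this thread or from Samba: the two interface questions raised above (does the library accept dst == src for in-place AEAD, and what a one-shot API costs a caller that produces AAD and payload in chunks) shown with Go's standard-library AES-GCM, which is used here only because it is self-contained and runnable; it stands in for OpenSSL or Nettle, whose calling conventions differ. The key, nonce and message values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const tagLen = 16 // AES-GCM authentication tag size

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealInPlace encrypts buf, overwriting the plaintext with ciphertext and
// appending the tag. buf needs len(buf)+tagLen bytes of capacity; the
// returned slice shares buf's backing array, so no output buffer is allocated.
func sealInPlace(key, nonce, buf, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if cap(buf) < len(buf)+gcm.Overhead() {
		return nil, errors.New("buffer has no room for the authentication tag")
	}
	// dst == buf[:0] asks Seal to reuse the plaintext's storage (dst == src).
	return gcm.Seal(buf[:0], nonce, buf, aad), nil
}

// openInPlace verifies the tag and decrypts buf over itself. On failure the
// contents of buf are unspecified and must not be used.
func openInPlace(key, nonce, buf, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(buf[:0], nonce, buf, aad)
}

// sealChunks shows the cost of a one-shot API for a caller that produces
// the payload and AAD in pieces: both have to be gathered into contiguous
// buffers before the single Seal call, which is exactly the copying that a
// chunked update interface would avoid.
func sealChunks(key, nonce []byte, aadChunks, payloadChunks [][]byte) ([]byte, error) {
	aad := bytes.Join(aadChunks, nil)
	total := 0
	for _, c := range payloadChunks {
		total += len(c)
	}
	buf := make([]byte, 0, total+tagLen)
	for _, c := range payloadChunks {
		buf = append(buf, c...)
	}
	return sealInPlace(key, nonce, buf, aad)
}

func main() {
	// Constructed demo key and nonce, fixed so the run is repeatable; a real
	// caller derives the key and never reuses a nonce under the same key.
	key := bytes.Repeat([]byte{0x42}, 32)
	nonce := bytes.Repeat([]byte{0x01}, 12)
	aad := []byte("header")
	msg := []byte("in-place AES-GCM demo")

	buf := make([]byte, len(msg), len(msg)+tagLen)
	copy(buf, msg)
	ct, err := sealInPlace(key, nonce, buf, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext shares storage with buf: %v\n", &ct[0] == &buf[0])

	ct2, err := sealChunks(key, nonce,
		[][]byte{[]byte("hea"), []byte("der")},
		[][]byte{[]byte("in-place "), []byte("AES-GCM demo")})
	if err != nil {
		panic(err)
	}
	fmt.Printf("chunked input yields the same ciphertext: %v\n", bytes.Equal(ct2, ct))

	pt, err := openInPlace(key, nonce, ct, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(pt, msg))
}
```

The Seal and Open calls with an aliased dst write over the input and allocate no output buffer; constructing the AEAD with cipher.NewGCM does allocate its internal tables, so a shim that must avoid hidden mallocs on the hot path would create that object once per key and reuse it. sealChunks makes the opposite trade-off visible: without chunked update calls the caller pays a full copy of AAD and payload before every encryption.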