Worth updating the comment to match

This should probably not be included in this changeset.

/* FALLTHROUGH */ (style(9))

Seems like this should use one of the AES_CCM_IV_LEN or AES_GCM_IV_LEN. I'd also suggest adding a _Static_assert that the two macro values are identical.

This seems redundant due to line 550-551 below.

After this change, we're missing a check that the MAC matches the cipher. I.e., CRYPTO_AES_NIST_GCM_16 + CRYPTO_AES_CCM_CBC_MAC (or the other way around) is invalid, but undetected.

This condition is tautologically true (due to lines 539 and 551 above) and can be removed (or asserted, if you prefer).

Can you refresh my memory on why this is needed? (Maybe that suggests it's worth a comment in the code.)

It may not be implemented for CCM (yet), but this deserves at least a comment mentioning decrypt_multi. I'd suggest adding an assert, something like:

if (isccm) {
    KASSERT(exf->encrypt_multi == NULL, "assume CCM is single-block only");
    exf->decrypt(...);
}

Preemptively implementing decrypt_multi would also be harmless, if maybe silly:

if (isccm) {
    if (exf->decrypt_multi == NULL)
        exf->decrypt(...);
    else
        exf->decrypt_multi(..., len);
}

(If someone were to implement multi-block mode for CCM and forget to change this decrypt() call to a decrypt_multi(), len may exceed blksz and only the first blksz bytes of len would be decrypted here.)

exf->reinit != NULL (style(9))

But is it possible for reinit to be NULL for CCM? I wouldn't think so or you wouldn't be adding this logic. So maybe KASSERT is more appropriate than the condition.

You're probably more familiar with CCM than me. Do we need to decrypt a second time?

Nitpicky and not especially important, but I'd probably put the CCM cases adjacent to each other.

I know the GCM/ICM example above does not, but please use C99 initializers. If you want them all to match, I'd be happy change icm/gcm first.

style(9) puts whitespace between these lines.

Casting caddr_t directly to a struct pointer may produce warnings. If it does, I'd use (void *) in place of the explicit struct cast. Not a big deal, I get that you cribbed it from icm/gcm directly above.

Maybe AES_CCM_IV_LEN instead of GCM

This comment should be updated.

I'd probably convert many of these const char * -> const void * to avoid a lot of the casts required for OpenSSL.

For reasons that are not clear to me, the OpenSSL manual page for EVP_CIPHER_CTX_ctrl documents these as you have named them. But the canonical names in the header and used internally are EVP_CTRL_AEAD_SET_IVLEN / EVP_CTRL_AEAD_SET_TAG. Ok as-is, but I wouldn't object to the AEAD names.

The canonical spelling of this seems to be EVP_CTRL_AEAD_GET_TAG. If you prefer, there is also the CCM-specific spelling EVP_CTRL_CCM_GET_TAG. But either way, GCM is probably not the best option.

The ioctl error case does not do FSESSION, and I think both exit cleanups should be consistent.

Of course, FSESSION is redundant with close() — otherwise a userspace program could leak kernel resources after it exits, which is not permitted.

If iv_len will just be the default OpenSSL IV length, why do we set it in openssl_ccm_encrypt()? GCM doesn't.

Changing it to "GCM/CCM".

This is actually in D18592. I can change it back to the #if 0; I have it this way because I had a kernel config that defined it. As was mentioned elsewhere, it should probably be a sysctl, but I shouldn't do that in this change request. I can do it later.

I don't disagree but that wasn't my line of code.

Huh? I'm not sure what you mean there..

Holdover, and I *thought* about changing it, but hadn't gotten around to it. Until now.

I'll add a comment to the effect, but: CBC auth is done on the unencrypted data, while GCM auth is done on the encrypted data. This is a really bad algorithm design.

I'll add the assert.

Hm, no, it's not possible for it to be NULL for ccm. So let's make it an assert.

Sadly yes. Because we have to authenticate the data first, before it can be decrypted. GCM uses the encrypted data for authentication, so it's both faster and more secure; CCM+CBC uses the plain-text data for authentication.

Easy enough to do. I was grouping them based on encryption vs authentication.

Done. I didn't change the others.

I think I had a blank line there before, but it was before I changed my emacs macros so it had a tab in it, and got deleted when I was cleaning such things up. Fixed.

Gonna blame bad eyes here -- the C and G looked alike.

Done

I was cribbing from the openssl_gcm_encrypt function, which uses const char *.

I got the constants from the man pages :).

Guess what I copied from :). Changed it to AEAD.

Going back to, "that's what the gcm test case does."

Because technically CCM can have a variable IV length. I did not have it variable for my implementation because the OCF framework doesn't really have enough communication for that (larger IV length means shorter message length, and vice versa). I can change it, if you want, but in this case, that is what was in my head when I wrote this.

Ok, I'll change it to EVP_CTRL_AEAD_SET_TAG. (Diff incoming)

Understood, but it's now part of CCM via case CRYPTO_AES_CCM_16 fallthrough.

At lines 550-551, we exit if we didn't find both a crde and crda. Therefore, we only need to set isccm for one of the crds — crde or crda. It is redundant to set it twice.

Thanks! :)

Yeah, they're tough for me to tell apart too. Thanks!

Yeah, I mean, cribbing a prior example doesn't totally remove the expectation of critical thought. It's good to follow an existing pattern when it makes sense, but if it doesn't, it doesn't.

Sure, it can. But this code doesn't really check the property you want (EVP_CIPHER_iv_length(cipher) == AES_CCM_IV_LEN) but instead sets the iv length to the value it already had (just a convoluted form of set_iv_len(cipher, get_iv_len(cipher))). I would be supportive of either:

1. Removing the explicit set iv_length and adding a check to verify openssl's EVP_CIPHER_iv_length() matches AES_CCM_IV_LEN, or
2. Removing EVP_CIPHER_iv_length() and always explicitly setting iv length to AES_CCM_IV_LEN.

But the current construction doesn't make sense to me.

(The #ifdef CRYPTO_DEBUG was from D18592, but the #define CRYPTO_DEBUG 1 was new in this revision and what my comment was referring to.)

Looks good now

Oh, I see.

_None_ of the code in cryptocheck.c does that. But I'll change it.

Oh, I was looking at the wrong code.

I wondered about making it a warn, but the (again :)) gcm function does a sanity check, and only prints out a message if verbose. So that's what I went with. I do think both should be warns.