diff options
| author | Simon Tatham <anakin@pobox.com> | 2022-08-16 20:36:58 +0300 |
|---|---|---|
| committer | Simon Tatham <anakin@pobox.com> | 2022-08-16 22:33:58 +0300 |
| commit | c1a2114b28125572cf54c393bd51a6a39c4f00bd (patch) | |
| tree | a2d19e138c864668d7fc5345b1edcd6ea901e383 /ssh.h | |
| parent | fd840f0dfef5af558f78b9c668b4b71fe64b2ff9 (diff) | |
Implement AES-GCM using the @openssh.com protocol IDs.
I only recently found out that OpenSSH defined their own protocol IDs
for AES-GCM, defined to work the same as the standard ones except that
they fixed the semantics for how you select the linked cipher+MAC pair
during key exchange.
(RFC 5647 defines protocol ids for AES-GCM in both the cipher and MAC
namespaces, and requires that you MUST select both or neither - but
this contradicts the selection policy set out in the base SSH RFCs,
and there's no discussion of how you resolve a conflict between them!
OpenSSH's answer is to do it the same way ChaCha20-Poly1305 works,
because that will ensure the two suites don't fight.)
People do occasionally ask us for this linked cipher/MAC pair, and now
I know it's actually feasible, I've implemented it, including a pair
of vector implementations for x86 and Arm using their respective
architecture extensions for multiplying polynomials over GF(2).
Unlike ChaCha20-Poly1305, I've kept the cipher and MAC implementations
in separate objects, with an arm's-length link between them that the
MAC uses when it needs to encrypt single cipher blocks to use as the
inputs to the MAC algorithm. That enables the cipher and the MAC to be
independently selected from their hardware-accelerated versions, just
in case someone runs on a system that has polynomial multiplication
instructions but not AES acceleration, or vice versa.
There's a fourth implementation of the GCM MAC, which is a pure
software implementation of the same algorithm used in the vectorised
versions. It's too slow to use live, but I've kept it in the code for
future testing needs, and because it's a convenient place to dump my
design comments.
The vectorised implementations are fairly crude as far as optimisation
goes. I'm sure serious x86 _or_ Arm optimisation engineers would look
at them and laugh. But GCM is a fast MAC compared to HMAC-SHA-256
(indeed compared to HMAC-anything-at-all), so it should at least be
good enough to use. And we've got a working version with some tests
now, so if someone else wants to improve them, they can.
Diffstat (limited to 'ssh.h')
| -rw-r--r-- | ssh.h | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -1072,6 +1072,10 @@ extern const ssh_cipheralg ssh_aes256_sdctr; extern const ssh_cipheralg ssh_aes256_sdctr_ni; extern const ssh_cipheralg ssh_aes256_sdctr_neon; extern const ssh_cipheralg ssh_aes256_sdctr_sw; +extern const ssh_cipheralg ssh_aes256_gcm; +extern const ssh_cipheralg ssh_aes256_gcm_ni; +extern const ssh_cipheralg ssh_aes256_gcm_neon; +extern const ssh_cipheralg ssh_aes256_gcm_sw; extern const ssh_cipheralg ssh_aes256_cbc; extern const ssh_cipheralg ssh_aes256_cbc_ni; extern const ssh_cipheralg ssh_aes256_cbc_neon; @@ -1080,6 +1084,10 @@ extern const ssh_cipheralg ssh_aes192_sdctr; extern const ssh_cipheralg ssh_aes192_sdctr_ni; extern const ssh_cipheralg ssh_aes192_sdctr_neon; extern const ssh_cipheralg ssh_aes192_sdctr_sw; +extern const ssh_cipheralg ssh_aes192_gcm; +extern const ssh_cipheralg ssh_aes192_gcm_ni; +extern const ssh_cipheralg ssh_aes192_gcm_neon; +extern const ssh_cipheralg ssh_aes192_gcm_sw; extern const ssh_cipheralg ssh_aes192_cbc; extern const ssh_cipheralg ssh_aes192_cbc_ni; extern const ssh_cipheralg ssh_aes192_cbc_neon; @@ -1088,6 +1096,10 @@ extern const ssh_cipheralg ssh_aes128_sdctr; extern const ssh_cipheralg ssh_aes128_sdctr_ni; extern const ssh_cipheralg ssh_aes128_sdctr_neon; extern const ssh_cipheralg ssh_aes128_sdctr_sw; +extern const ssh_cipheralg ssh_aes128_gcm; +extern const ssh_cipheralg ssh_aes128_gcm_ni; +extern const ssh_cipheralg ssh_aes128_gcm_neon; +extern const ssh_cipheralg ssh_aes128_gcm_sw; extern const ssh_cipheralg ssh_aes128_cbc; extern const ssh_cipheralg ssh_aes128_cbc_ni; extern const ssh_cipheralg ssh_aes128_cbc_neon; @@ -1103,6 +1115,7 @@ extern const ssh2_ciphers ssh2_aes; extern const ssh2_ciphers ssh2_blowfish; extern const ssh2_ciphers ssh2_arcfour; extern const ssh2_ciphers ssh2_ccp; +extern const ssh2_ciphers ssh2_aesgcm; extern const ssh_hashalg ssh_md5; extern const ssh_hashalg ssh_sha1; extern const ssh_hashalg ssh_sha1_ni; @@ -1163,12 +1176,20 @@ extern const ssh2_macalg ssh_hmac_sha1_96; extern const ssh2_macalg ssh_hmac_sha1_96_buggy; extern const ssh2_macalg ssh_hmac_sha256; extern const ssh2_macalg ssh2_poly1305; +extern const ssh2_macalg ssh2_aesgcm_mac; +extern const ssh2_macalg ssh2_aesgcm_mac_sw; +extern const ssh2_macalg ssh2_aesgcm_mac_ref_poly; +extern const ssh2_macalg ssh2_aesgcm_mac_clmul; +extern const ssh2_macalg ssh2_aesgcm_mac_neon; extern const ssh_compression_alg ssh_zlib; /* Special constructor: BLAKE2b can be instantiated with any hash * length up to 128 bytes */ ssh_hash *blake2b_new_general(unsigned hashlen); +/* Special test function for AES-GCM */ +void aesgcm_set_prefix_lengths(ssh2_mac *mac, size_t skip, size_t aad); + /* * On some systems, you have to detect hardware crypto acceleration by * asking the local OS API rather than OS-agnostically asking the CPU @@ -1176,6 +1197,7 @@ ssh_hash *blake2b_new_general(unsigned hashlen); * platform subdirectory. */ bool platform_aes_neon_available(void); +bool platform_pmull_neon_available(void); bool platform_sha256_neon_available(void); bool platform_sha1_neon_available(void); bool platform_sha512_neon_available(void); |