Add CCM and GCM mode support to AES in pkcs11_softtoken
Currently the AES_[CG]CM modes are only supported within the kernel. Userland utilities (such as IKE, SSH, SSL/TLS) might also want support for this.
The one wrinkle is that the current standard version of pkcs11 (2.20 amendment 3) doesn't define this. The draft of 2.30, however, does (it does not specify a value for CKM_AES_[CG]CM, but does define a draft structure for CKM[CG]CM_PARAMS). The draft has been unchanged since 2009, so it is unclear when (if ever) it will become the next version.
A solution would be to use a vendor-defined value (such as CKM_ILLUMOS_AES_[CG]CM and CKM_ILLUMOS-AES[CG]CM_PARAMS), and whenever 2.30 is ratified, the Illumos implementation can be mapped to the standard one (either through #defines or support within libpkcs11).
Another solution would be to create a small private header file that is not packaged to define these values and remove it when 2.30 is ratified (though this would obviously prevent anything outside of illumos-gate from being able to utilize this while 2.30 remains in a draft state).
Updated by Electric Monk over 2 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit fb2612809ed5f2cb9109db768e63d61f6659f71b
Author: Jason King <email@example.com>
Date: 2018-12-20T21:51:44.000Z

1228 Add CCM and GCM mode support to AES in pkcs11_softtoken
Reviewed by: Dan McDonald <firstname.lastname@example.org>
Reviewed by: Robert Mustacchi <email@example.com>
Reviewed by: Igor Kozhukhov <firstname.lastname@example.org>
Approved by: Richard Lowe <email@example.com>