Project

General

Profile

Actions

Support #1228

closed

Add CCM and GCM mode support to AES in pkcs11_softtoken

Added by Jason King about 10 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
lib - userland libraries
Start date:
2011-07-19
Due date:
% Done:

100%

Estimated time:
Tags:
needs-triage
Gerrit CR:

Description

Currently the AES_[CG]CM modes are only supported within the kernel. Userland utilities (such as IKE, SSH, SSL/TLS) might also want support for this.

The one wrinkle is that the current standard version of pkcs11 (2.20 amendment 3) doesn't define this. The draft of 2.30 however does (but does not specify a value for CKM_AES_[CG]CM, but does define a draft structure for CKM[CG]CM_PARAMS. The draft has been unchanged since 2009, so it is unclear when (if ever) it will become the next version.

A solution would be to use a vendor defined value (such as CKM_ILLUMOS_AES_[CG]CM and CKM_ILLUMOS-AES[CG]CM_PARAMS) and whenever 2.30 is ratified, the Illumos implementation can be mapped to the standard one (either through #defines or support within libpkcs11).

Another solution would be to create a small private header file that is not packaged to define these values and remove it when 2.30 is ratified (though this would obviously prevent anything outside of illumos-gate from being able to utilize this while 2.30 remains in a draft state).

Actions

Also available in: Atom PDF