5869 Need AES CMAC support in KCF+PKCS11

Review Request #445 - Created April 24, 2017 and updated

Information
Jason King
illumos-gate
5869
Reviewers
general
mbarden

5869 Need AES CMAC support in KCF+PKCS11. From Matt Barden matt.barden@nexenta.com

Ran test suite and was successful for all implemented modes (userland CCM and GCM modes are not yet implemented, so they failed with CKR_MECHANISM_INVALID as expected).

Issues

  • 5
  • 37
  • 4
  • 46
Description From Last Updated
I have not reviewed that this correctly implements the RFC algorithm. I'd appreciate getting someone else to do that. Robert Mustacchi Robert Mustacchi
Seems like we need to get an answer to this XXX. What are the implications of getting a hold on ... Robert Mustacchi Robert Mustacchi
We should make a decision and eliminate the XXX. What are the implications for callers based on the different options ... Robert Mustacchi Robert Mustacchi
I presume it's okay to manipulate these on failure because the caller would need to destroy the context and start ... Robert Mustacchi Robert Mustacchi
Why not just return NULL? If this happened on non-debug that means we'd get something very weird. Robert Mustacchi Robert Mustacchi
Jason King
Jason King
Robert Mustacchi
Robert Mustacchi
Robert Mustacchi
Jason King
Robert Mustacchi
Dan McDonald
Robert Mustacchi

   
usr/src/common/crypto/modes/cbc.c (Diff revisions 4 - 9)
 
 
Why not just return NULL? If this happened on non-debug that means we'd get something very weird.
  1. We could change it to a VERIFY if that'd be better -- this is a function private to cbc.c -- the exposed interfaces(cbc_init_ctx() and cmac_init_ctx() are the only consumers and explicitly pass in the value of mode (as opposed to setting based on passed in parameters). Any invalid value of mode here would be a programming rather than user error.

Dan McDonald

Thanks for addressing my issues.

Loading...