Skip to content

GitLab

    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
    • Menu
    Projects Groups Snippets
  • Get a free trial
  • Sign up
  • Login
  • Sign in / Register
  • GnuTLS GnuTLS
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 242
    • Issues 242
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 18
    • Merge requests 18
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
    • Test Cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • gnutls
  • GnuTLSGnuTLS
  • Issues
  • #308
Closed
Open
Created Oct 15, 2017 by Stephan Mueller@smuellerDDDeveloper

Add Linux kernel AF_ALG backend

This is a request for comments for a new accelerated backend supporting GnuTLS. As I am new to the development of GnuTLS, I am especially interested in the following issues:

* Is such patch adding AF_ALG welcome considering
  the presence of the cryptodev interface?

* Is patch 1 of the patch set correct?

* Are the correct GnuTLS error codes used?

* The AEAD implementation register only the
  aead_encrypt and aead_decrypt functions. Is this
  sufficient for all purposes of GnuTLS? Note, the
  implementation found for other AEAD backends would
  require hacks that I would like to avoid.

The Linux kernel offers access to its kernel crypto API with its hardware acceleration implementations using the AF_ALG interface.

This patch set adds support for GnuTLS to use that AF_ALG interface. As the low-level details of the AF_ALG communication with the kernel are not straight forward, this GnuTLS AF_ALG backend uses libkcapi [1] for the low-level interface handling.

The AF_ALG backend offers access to the following cipher implementations of the Linux kernel:

* Symmetric ciphers

* Digest

* Keyed message digest

* AEAD ciphers (CCM and GCM)

The current version of libkcapi, version 1.0.0, is needed. Though, a warning will be displayed during compilation as libkcapi misses the constify of one parameter. This is fixed in the current master branch of libkcapi available on Github.

To use the patch set, obtain, compile and install libkcapi followed by compiling the attached patch set with GnuTLS. The configure option of --enable-afalg must be specified during the GnuTLS configure run to enable support for this backend.

Note, the code was tested on Linux kernel 4.13. Test on other kernels (especially 4.14 and pre-4.7) are needed as they exhibit small nuances in the AF_ALG AEAD interface. Libkcapi was successfully tested on those kernels which allow to assume that the GnuTLS AF_ALG backend works equally well.

[1] http://www.chronox.de/libkcapi.html

0001-Allow-registering-ciphers-with-higher-priority.patch

0002-Add-AF_ALG-acceleration.patch

Assignee
Assign to
Time tracking