Add Linux kernel AF_ALG backend
This is a request for comments for a new accelerated backend supporting GnuTLS. As I am new to the development of GnuTLS, I am especially interested in the following issues:
* Is such patch adding AF_ALG welcome considering
the presence of the cryptodev interface?
* Is patch 1 of the patch set correct?
* Are the correct GnuTLS error codes used?
* The AEAD implementation register only the
aead_encrypt and aead_decrypt functions. Is this
sufficient for all purposes of GnuTLS? Note, the
implementation found for other AEAD backends would
require hacks that I would like to avoid.The Linux kernel offers access to its kernel crypto API with its hardware acceleration implementations using the AF_ALG interface.
This patch set adds support for GnuTLS to use that AF_ALG interface. As the low-level details of the AF_ALG communication with the kernel are not straight forward, this GnuTLS AF_ALG backend uses libkcapi [1] for the low-level interface handling.
The AF_ALG backend offers access to the following cipher implementations of the Linux kernel:
* Symmetric ciphers
* Digest
* Keyed message digest
* AEAD ciphers (CCM and GCM)The current version of libkcapi, version 1.0.0, is needed. Though, a warning will be displayed during compilation as libkcapi misses the constify of one parameter. This is fixed in the current master branch of libkcapi available on Github.
To use the patch set, obtain, compile and install libkcapi followed by compiling the attached patch set with GnuTLS. The configure option of --enable-afalg must be specified during the GnuTLS configure run to enable support for this backend.
Note, the code was tested on Linux kernel 4.13. Test on other kernels (especially 4.14 and pre-4.7) are needed as they exhibit small nuances in the AF_ALG AEAD interface. Libkcapi was successfully tested on those kernels which allow to assume that the GnuTLS AF_ALG backend works equally well.
[1] http://www.chronox.de/libkcapi.html