tech-crypto archive


Re: sync rijndael-alg-fst.c with OpenBSD

   Date: Fri, 30 Sep 2016 22:36:13 +0100
   From: Alexander Nasonov <alnsn%yandex.ru@localhost>

   OpenBSD made a change in 2014 and it looks important enough:
   [...]
   This includes a commit made by Andy Polyakov <appro at openssl ! org>
   to the OpenSSL source tree on Wed, 28 Jun 2006 with the following
   message: "Mitigate cache-collision timing attack on last round."
   [...]
   I'm running my system on cgd disk configured with aes-cbc and the new
   code works so far. I even screwed my system up enough (ddb didn't like
   my breakpoint) to trigger fsck on all my cgd partitions.

It's not clear to me that this makes a meaningful improvement in
security.  The AES code is still full of secret-dependent array
indexing, which is the basic problem -- maybe one or two particular
arrays are a little smaller and thus have slightly reduced cache
footprint, but that's all.

There are better ways to thwart the attack this change attempts to
mitigate.  Here are two examples:

1. Implement AES-NI in the kernel and teach cgd(4) to use it.
   Requires saving and restoring the SSE state in kernel threads --
   I'm not sure offhand what the status of that on x86 is.

2. Add support for a block cipher that is not designed to leak secrets
   through timing like AES is, such as Threefish.  Here's some
   portable C code for Threefish:

   http://mumble.net/~campbell/tmp/threefish.c
   http://mumble.net/~campbell/tmp/threefish.h

That said, it isn't obvious to me that this change is harmful either.
If you want to make it, could you also add an AES self-test with a few
known-answer test vectors, like we have for ChaCha20 in
sys/crypto/cprng_fast/cprng_fast.c?
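An added illustration of the "secret-dependent array indexing" point above, written for this page and not taken from the thread, NetBSD or OpenBSD: the AES S-box is built from its definition and then read two ways. A plain `sbox[idx]` load is what table-driven AES does and is where the cache-timing leak lives; the masked scan touches every entry so the access pattern is the same for every `idx`. Function names are my own; the expected S-box values come from FIPS-197.

```c
#include <stdint.h>

/* Multiply in GF(2^8) modulo the AES polynomial 0x11b, branch-free. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= a & (uint8_t)(0 - (b & 1));                            /* add a if bit set */
        a = (uint8_t)((a << 1) ^ (0x1b & (uint8_t)(0 - (a >> 7))));  /* xtime */
        b >>= 1;
    }
    return p;
}
/* Build the AES S-box from its definition: GF(2^8) inverse, then the affine
 * map.  Building the table is not secret-dependent; indexing it with key or
 * state bytes (sbox[idx]) is, and that is the leak discussed above. */
static void build_sbox(uint8_t sbox[256])
{
    for (unsigned x = 0; x < 256; x++) {
        uint8_t inv = 1, base = (uint8_t)x, s;
        for (int bit = 0; bit < 8; bit++) {                          /* inv = x^254 */
            if ((254 >> bit) & 1) inv = gf_mul(inv, base);
            base = gf_mul(base, base);
        }
        s = inv;
        for (int r = 1; r <= 4; r++)                                  /* affine part */
            s ^= (uint8_t)((inv << r) | (inv >> (8 - r)));
        sbox[x] = s ^ 0x63;
    }
}
/* Constant-time lookup: read all 256 entries and select one with a mask, so
 * the memory access pattern is identical for every idx (cost: 256 loads). */
static uint8_t sbox_ct(const uint8_t sbox[256], uint8_t idx)
{
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++)
        out |= sbox[i] & (uint8_t)(((i ^ idx) - 1) >> 8);           /* 0xff iff i == idx */
    return out;
}
/* S[idx] via the constant-time path (FIPS-197 gives S[0x53] = 0xed). */
static uint8_t sbox_value_ct(uint8_t idx)
{
    uint8_t sbox[256]; build_sbox(sbox); return sbox_ct(sbox, idx);
}
/* Known-answer style check: the masked path must agree with plain sbox[i]. */
static int lookups_agree(void)
{
    uint8_t sbox[256]; build_sbox(sbox);
    for (unsigned i = 0; i < 256; i++)
        if (sbox_ct(sbox, (uint8_t)i) != sbox[i]) return 0;
    return 1;
}
```

The same masking trick applies to the larger T-tables, which is why shrinking one of them, as the OpenSSL change does, narrows the leak without removing it.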

