From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
To: Milan Broz <gmazyland@gmail.com>,
Pascal van Leeuwen <pascalvanl@gmail.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Cc: "rsnel@cube.dyndns.org" <rsnel@cube.dyndns.org>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: RE: [PATCH] crypto: xts - Add support for Cipher Text Stealing
Date: Tue, 6 Aug 2019 19:36:59 +0000 [thread overview]
Message-ID: <MN2PR20MB29734CFE2795639436C3CC91CAD50@MN2PR20MB2973.namprd20.prod.outlook.com> (raw)
In-Reply-To: <5bf9d0be-3ba4-8903-f1b9-93aa32106274@gmail.com>
Milan,
Thanks for trying :-)
> -----Original Message-----
> From: Milan Broz <gmazyland@gmail.com>
> Sent: Tuesday, August 6, 2019 8:35 PM
> To: Pascal van Leeuwen <pascalvanl@gmail.com>; linux-crypto@vger.kernel.org
> Cc: rsnel@cube.dyndns.org; herbert@gondor.apana.org.au; davem@davemloft.net; Pascal Van
> Leeuwen <pvanleeuwen@verimatrix.com>
> Subject: Re: [PATCH] crypto: xts - Add support for Cipher Text Stealing
>
> On 06/08/2019 08:55, Pascal van Leeuwen wrote:
> > This adds support for Cipher Text Stealing for data blocks that are not an
> > integer multiple of the cipher block size in size, bringing it fully in
> > line with the IEEE P1619/D16 standard.
> >
> > This has been tested with the AES-XTS test vectors from the IEEE P1619/D16
> > specification as well as some additional test vectors supplied to the
> > linux_crypto mailing list previously. It has also been fuzzed against
> > Inside Secure AES-XTS hardware which has been actively used in the field
> > for more than a decade already.
> >
> > Signed-off-by: Pascal van Leeuwen <pvanleeuwen@verimatrix.com>
>
> Wow, it was quick... thanks for this! :)
>
> I tried to test with my wrapper through AF_ALG (with the discussed test vectors),
> but it crashed my 32bit i686 VM (Linus tree with your patch applied)
>
Ok, I have to admit I only tried it on one particular kernel configuration.
I don't really have the time nor the resources (I also have to work on this
machine, so I need it to be stable ...) to really try other configurations.
> To reproduce it, run this "kernel" af_alg branch of extracted cryptsetup vector testsuite:
> https://github.com/mbroz/cryptsetup_backend_test/tree/kernel
>
I'll try that tomorrow if I can get it to work without too much effort.
> (output) ...
> CIPHER vector 00: [aes-ecb,128bits][serpent-ecb,128bits]
> CIPHER vector 01: [aes-cbc,128bits][serpent-cbc,128bits]
> CIPHER vector 02: [aes-ecb,256bits][serpent-ecb,256bits]
> CIPHER vector 03: [aes-cbc,256bits][serpent-cbc,256bits]
> CIPHER vector 04: [aes-xts,256bits][serpent-xts,256bits]
> CIPHER vector 05: [aes-xts,512bits][serpent-xts,512bits]
> CIPHER vector 06: [xchacha12,aes-adiantum,256bits][xchacha20,aes-adiantum,256bits]
> Segmentation fault
>
I also noticed some algorithms that I don't think I have configured into my
kernel at the moment (never occurred to me really, I try not to touch my kernel
config so I don't break it and I wasn't originally interested in these as I can't
think of any use case for them), maybe I should try enabling those with my kernel
first.
I know there's part of the code I can't hit with xts(aes), but I also didn't know
how to otherwise hit it, maybe one of these does hit that and reveals a bug there.
>
> (If you cannot reproduce it, I'll check it tomorrow. It is quite possible
> I have a bug in wrapper, but it should definitely not OOPS the kernel...
> moreover, this crash is possible from a user context)
>
> Thanks,
> Milan
>
>
> OOPS log here:
>
> kernel: detected buffer overflow in memcpy
>
Ok, so I probably messed up some length somewhere :-)
Let's see if I can spot it by careful review ...
> kernel: ------------[ cut here ]------------
> kernel: kernel BUG at lib/string.c:1115!
> kernel: invalid opcode: 0000 [#1] PREEMPT SMP
> kernel: CPU: 1 PID: 2303 Comm: tst Not tainted 5.3.0-rc3+ #572
> kernel: Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform,
> BIOS 6.00 04/13/2018
> kernel: EIP: fortify_panic+0xe/0x19
> kernel: Code: b6 00 00 00 00 8b 45 e4 83 c4 10 5b 5e 29 f8 5f 5d c3 0f b6 c2 0f b6 f3 29 f0
> eb ce 55 89 e5 50 68 70 03 8d c1 e8 cc 27 a6 ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 89 e5
> 57 56 53 89 d3 83 ec 04
> kernel: EAX: 00000022 EBX: f1418dc8 ECX: f40ab784 EDX: 00000001
> kernel: ESI: f317a318 EDI: 00000020 EBP: f0c2bdf4 ESP: f0c2bdec
> kernel: DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286
> kernel: CR0: 80050033 CR2: b7f543a0 CR3: 30e2a000 CR4: 00140690
> kernel: Call Trace:
> kernel: encrypt_finish_cts.cold+0xa/0xa
> kernel: encrypt+0xe7/0x100
> kernel: crypto_skcipher_encrypt+0xe/0x20
> kernel: skcipher_recvmsg+0x2f5/0x390 [algif_skcipher]
> kernel: sock_read_iter+0x86/0xd0
> kernel: __vfs_read+0x140/0x1f0
> kernel: vfs_read+0x8b/0x150
> kernel: ksys_read+0x5c/0xd0
> kernel: sys_read+0x11/0x20
> kernel: do_int80_syscall_32+0x4b/0x1a0
> kernel: entry_INT80_32+0xfb/0xfb
> kernel: EIP: 0xb7f64092
> kernel: Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3
> 2c 00 00 00 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00
> 8b 1c 24 c3 8d b4 26 00
> kernel: EAX: ffffffda EBX: 00000004 ECX: bfde1d3c EDX: 00000025
> kernel: ESI: b7f57000 EDI: 00000000 EBP: bfde1cb8 ESP: bfde1bcc
> kernel: DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000282
> kernel: Modules linked in: nhpoly1305 chacha_generic adiantum poly1305_generic
> serpent_sse2_i586 serpent_generic glue_helper algif_skcipher rmd160 wp512 sha512_generic
> sha1_generic algif_hash af_alg loop dm_mod pktcdvd crc32_pclmul crc32c_intel aesni_intel
> aes_i586 crypto_simd cryptd ata_piix
> kernel: ---[ end trace 29d18b04feffc139 ]---
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com
next prev parent reply other threads:[~2019-08-06 19:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-06 6:55 [PATCH] crypto: xts - Add support for Cipher Text Stealing Pascal van Leeuwen
2019-08-06 18:34 ` Milan Broz
2019-08-06 19:36 ` Pascal Van Leeuwen [this message]
2019-08-07 8:15 ` Pascal Van Leeuwen
2019-08-07 11:19 ` Milan Broz
2019-08-07 11:27 ` Pascal Van Leeuwen
2019-08-07 11:41 ` Milan Broz
2019-08-07 15:13 ` Pascal Van Leeuwen
2019-08-07 17:24 ` Milan Broz
2019-08-07 20:26 ` Pascal Van Leeuwen
2019-08-07 20:32 ` Ondrej Mosnáček
2019-08-07 21:13 ` Pascal Van Leeuwen
2019-08-08 4:35 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR20MB29734CFE2795639436C3CC91CAD50@MN2PR20MB2973.namprd20.prod.outlook.com \
--to=pvanleeuwen@verimatrix.com \
--cc=davem@davemloft.net \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=pascalvanl@gmail.com \
--cc=rsnel@cube.dyndns.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).