* A question about modifying the buffer under authenticated encryption
@ 2024-02-06 21:46 Mikulas Patocka
  2024-02-07  0:47 ` Eric Biggers
  0 siblings, 1 reply; 6+ messages in thread
From: Mikulas Patocka @ 2024-02-06 21:46 UTC (permalink / raw)
  To: Herbert Xu, David S. Miller; +Cc: linux-crypto, dm-devel

Hi

I'm trying to fix some problems in dm-crypt that it may report 
authentication failures when the user reads data with O_DIRECT and 
modifies the read buffer while it is being read.

I'd like to ask you:

1. If the authenticated encryption encrypts a message, reading from 
   buffer1 and writing to buffer2 - and buffer1 changes while reading from 
   it - is it possible that it generates invalid authentication tag?

2. If the authenticated encryption decrypts a message, reading from 
   buffer1 and writing to buffer2 - and buffer2 changes while writing to 
   it - is it possible that it reports authentication tag mismatch?

Mikulas



* Re: A question about modifying the buffer under authenticated encryption
  2024-02-06 21:46 A question about modifying the buffer under authenticated encryption Mikulas Patocka
@ 2024-02-07  0:47 ` Eric Biggers
  2024-02-07 12:51   ` Mikulas Patocka
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-02-07  0:47 UTC (permalink / raw)
  To: Mikulas Patocka; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel

On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> Hi
> 
> I'm trying to fix some problems in dm-crypt that it may report 
> authentication failures when the user reads data with O_DIRECT and 
> modifies the read buffer while it is being read.
> 
> I'd like to ask you:
> 
> 1. If the authenticated encryption encrypts a message, reading from 
>    buffer1 and writing to buffer2 - and buffer1 changes while reading from 
>    it - is it possible that it generates invalid authentication tag?
> 
> 2. If the authenticated encryption decrypts a message, reading from 
>    buffer1 and writing to buffer2 - and buffer2 changes while writing to 
>    it - is it possible that it reports authentication tag mismatch?
> 

Yes, both scenarios are possible.  But it depends on the AEAD algorithm and how
it happens to be implemented, and on whether the data overlaps or not.

This is very much a "don't do that" sort of thing.

- Eric


* Re: A question about modifying the buffer under authenticated encryption
  2024-02-07  0:47 ` Eric Biggers
@ 2024-02-07 12:51   ` Mikulas Patocka
  2024-02-08  3:42     ` Herbert Xu
  2024-02-08  4:36     ` Eric Biggers
  0 siblings, 2 replies; 6+ messages in thread
From: Mikulas Patocka @ 2024-02-07 12:51 UTC (permalink / raw)
  To: Eric Biggers; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel



On Tue, 6 Feb 2024, Eric Biggers wrote:

> On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> > Hi
> > 
> > I'm trying to fix some problems in dm-crypt that it may report 
> > authentication failures when the user reads data with O_DIRECT and 
> > modifies the read buffer while it is being read.
> > 
> > I'd like to ask you:
> > 
> > 1. If the authenticated encryption encrypts a message, reading from 
> >    buffer1 and writing to buffer2 - and buffer1 changes while reading from 
> >    it - is it possible that it generates invalid authentication tag?
> > 
> > 2. If the authenticated encryption decrypts a message, reading from 
> >    buffer1 and writing to buffer2 - and buffer2 changes while writing to 
> >    it - is it possible that it reports authentication tag mismatch?
> > 
> 
> Yes, both scenarios are possible.  But it depends on the AEAD algorithm and how
> it happens to be implemented, and on whether the data overlaps or not.
> 
> This is very much a "don't do that" sort of thing.
> 
> - Eric

I see. So I will copy the data to a kernel buffer before encryption or 
decryption.

I assume that authenticated encryption or decryption using the same buffer 
as a source and as a destination should be ok. Right?

Mikulas
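
Added illustration, not part of the thread and not kernel code: a toy two-pass "AEAD" showing how scenario 2 produces a tag mismatch on valid ciphertext when the destination is written between the decrypt pass and the verify pass, and why decrypting into a private bounce buffer avoids it. The names `toy_tag`, `toy_open`, `race_fn` and `demo` are hypothetical, the XOR keystream and FNV-style checksum are not secure, and the race is modelled deterministically by a callback.

```c
#include <stdint.h>
#include <string.h>

#define LEN 32

/* Toy primitives (assumption: NOT secure, they only model a two-pass AEAD). */
static uint8_t ks(uint8_t key, size_t i) { return (uint8_t)(key * 31u + i * 7u + 1u); }

static uint32_t toy_tag(uint8_t key, const uint8_t *p, size_t n)
{
	uint32_t t = 0x811c9dc5u ^ key;
	for (size_t i = 0; i < n; i++)
		t = (t ^ p[i]) * 16777619u;
	return t;
}

/* Hypothetical hook: stands in for another thread writing to dst mid-operation. */
typedef void (*race_fn)(uint8_t *dst, size_t n);
static void flip_byte(uint8_t *dst, size_t n) { dst[n / 2] ^= 0xff; }

/* Pass 1 writes plaintext to dst; pass 2 re-reads dst to check the tag.
 * Returns 0 on success, -1 on tag mismatch. */
static int toy_open(uint8_t key, const uint8_t *ct, uint8_t *dst, size_t n,
		    uint32_t tag, race_fn race)
{
	for (size_t i = 0; i < n; i++)
		dst[i] = ct[i] ^ ks(key, i);
	if (race)
		race(dst, n);	/* concurrent write lands between the two passes */
	return toy_tag(key, dst, n) == tag ? 0 : -1;
}

/* Constructed sample: seal 32 bytes, then read them back.
 * bounced == 0: decrypt straight into the caller-writable buffer.
 * bounced == 1: decrypt into a private buffer, copy out after verification. */
int demo(int bounced)
{
	uint8_t pt[LEN], ct[LEN], user[LEN], bounce[LEN];
	const uint8_t key = 0x5a;
	for (size_t i = 0; i < LEN; i++) {
		pt[i] = (uint8_t)i;
		ct[i] = pt[i] ^ ks(key, i);
	}
	uint32_t tag = toy_tag(key, pt, LEN);
	if (!bounced)
		return toy_open(key, ct, user, LEN, tag, flip_byte);
	int ret = toy_open(key, ct, bounce, LEN, tag, NULL); /* nobody else sees bounce */
	if (ret == 0)
		memcpy(user, bounce, LEN);
	return ret;
}

int main(void) { return (demo(0) == -1 && demo(1) == 0) ? 0 : 1; }
```
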



* Re: A question about modifying the buffer under authenticated encryption
  2024-02-07 12:51   ` Mikulas Patocka
@ 2024-02-08  3:42     ` Herbert Xu
  2024-02-08  4:36     ` Eric Biggers
  1 sibling, 0 replies; 6+ messages in thread
From: Herbert Xu @ 2024-02-08  3:42 UTC (permalink / raw)
  To: Mikulas Patocka; +Cc: Eric Biggers, David S. Miller, linux-crypto, dm-devel

On Wed, Feb 07, 2024 at 01:51:51PM +0100, Mikulas Patocka wrote:
>
> I assume that authenticated encryption or decryption using the same buffer 
> as a source and as a destination should be ok. Right?

Yes, in-place encryption and decryption is OK.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: A question about modifying the buffer under authenticated encryption
  2024-02-07 12:51   ` Mikulas Patocka
  2024-02-08  3:42     ` Herbert Xu
@ 2024-02-08  4:36     ` Eric Biggers
  2024-02-08  4:40       ` Herbert Xu
  1 sibling, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-02-08  4:36 UTC (permalink / raw)
  To: Mikulas Patocka; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel

On Wed, Feb 07, 2024 at 01:51:51PM +0100, Mikulas Patocka wrote:
> 
> 
> On Tue, 6 Feb 2024, Eric Biggers wrote:
> 
> > On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> > > Hi
> > > 
> > > I'm trying to fix some problems in dm-crypt that it may report 
> > > authentication failures when the user reads data with O_DIRECT and 
> > > modifies the read buffer while it is being read.
> > > 
> > > I'd like to ask you:
> > > 
> > > 1. If the authenticated encryption encrypts a message, reading from 
> > >    buffer1 and writing to buffer2 - and buffer1 changes while reading from 
> > >    it - is it possible that it generates invalid authentication tag?
> > > 
> > > 2. If the authenticated encryption decrypts a message, reading from 
> > >    buffer1 and writing to buffer2 - and buffer2 changes while writing to 
> > >    it - is it possible that it reports authentication tag mismatch?
> > > 
> > 
> > Yes, both scenarios are possible.  But it depends on the AEAD algorithm and how
> > it happens to be implemented, and on whether the data overlaps or not.
> > 
> > This is very much a "don't do that" sort of thing.
> > 
> > - Eric
> 
> I see. So I will copy the data to a kernel buffer before encryption or 
> decryption.
> 
> I assume that authenticated encryption or decryption using the same buffer 
> as a source and as a destination should be ok. Right?
> 

The crypto_aead API allows the source and destination to overlap, yes.

- Eric


* Re: A question about modifying the buffer under authenticated encryption
  2024-02-08  4:36     ` Eric Biggers
@ 2024-02-08  4:40       ` Herbert Xu
  0 siblings, 0 replies; 6+ messages in thread
From: Herbert Xu @ 2024-02-08  4:40 UTC (permalink / raw)
  To: Eric Biggers; +Cc: Mikulas Patocka, David S. Miller, linux-crypto, dm-devel

On Wed, Feb 07, 2024 at 08:36:10PM -0800, Eric Biggers wrote:
>
> The crypto_aead API allows the source and destination to overlap, yes.

I would prefer to call it in-place rather than overlapping, because
the following is certainly not supported:

	encrypt(src: A, dst: A + 16, len: 160)

Just in case someone gets any funny ideas about the API :)

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
