* A question about modifying the buffer under authenticated encryption
@ 2024-02-06 21:46 Mikulas Patocka
2024-02-07 0:47 ` Eric Biggers
0 siblings, 1 reply; 6+ messages in thread
From: Mikulas Patocka @ 2024-02-06 21:46 UTC (permalink / raw)
To: Herbert Xu, David S. Miller; +Cc: linux-crypto, dm-devel
Hi
I'm trying to fix some problems in dm-crypt that it may report
authentication failures when the user reads data with O_DIRECT and
modifies the read buffer while it is being read.
I'd like to ask you:
1. If the authenticated encryption encrypts a message, reading from
buffer1 and writing to buffer2 - and buffer1 changes while reading from
it - is it possible that it generates invalid authentication tag?
2. If the authenticated encryption decrypts a message, reading from
buffer1 and writing to buffer2 - and buffer2 changes while writing to
it - is is possible that it reports authentication tag mismatch?
Mikulas
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: A question about modifying the buffer under authenticated encryption
2024-02-06 21:46 A question about modifying the buffer under authenticated encryption Mikulas Patocka
@ 2024-02-07 0:47 ` Eric Biggers
2024-02-07 12:51 ` Mikulas Patocka
0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-02-07 0:47 UTC (permalink / raw)
To: Mikulas Patocka; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel
On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> Hi
>
> I'm trying to fix some problems in dm-crypt that it may report
> authentication failures when the user reads data with O_DIRECT and
> modifies the read buffer while it is being read.
>
> I'd like to ask you:
>
> 1. If the authenticated encryption encrypts a message, reading from
> buffer1 and writing to buffer2 - and buffer1 changes while reading from
> it - is it possible that it generates invalid authentication tag?
>
> 2. If the authenticated encryption decrypts a message, reading from
> buffer1 and writing to buffer2 - and buffer2 changes while writing to
> it - is is possible that it reports authentication tag mismatch?
>
Yes, both scenarios are possible. But it depends on the AEAD algorithm and how
it happens to be implemented, and on whether the data overlaps or not.
This is very much a "don't do that" sort of thing.
- Eric
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: A question about modifying the buffer under authenticated encryption
2024-02-07 0:47 ` Eric Biggers
@ 2024-02-07 12:51 ` Mikulas Patocka
2024-02-08 3:42 ` Herbert Xu
2024-02-08 4:36 ` Eric Biggers
0 siblings, 2 replies; 6+ messages in thread
From: Mikulas Patocka @ 2024-02-07 12:51 UTC (permalink / raw)
To: Eric Biggers; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel
On Tue, 6 Feb 2024, Eric Biggers wrote:
> On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> > Hi
> >
> > I'm trying to fix some problems in dm-crypt that it may report
> > authentication failures when the user reads data with O_DIRECT and
> > modifies the read buffer while it is being read.
> >
> > I'd like to ask you:
> >
> > 1. If the authenticated encryption encrypts a message, reading from
> > buffer1 and writing to buffer2 - and buffer1 changes while reading from
> > it - is it possible that it generates invalid authentication tag?
> >
> > 2. If the authenticated encryption decrypts a message, reading from
> > buffer1 and writing to buffer2 - and buffer2 changes while writing to
> > it - is is possible that it reports authentication tag mismatch?
> >
>
> Yes, both scenarios are possible. But it depends on the AEAD algorithm and how
> it happens to be implemented, and on whether the data overlaps or not.
>
> This is very much a "don't do that" sort of thing.
>
> - Eric
I see. So I will copy the data to a kernel buffer before encryption or
decryption.
I assume that authenticated encryption or decryption using the same buffer
as a source and as a destination should be ok. Right?
Mikulas
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: A question about modifying the buffer under authenticated encryption
2024-02-07 12:51 ` Mikulas Patocka
@ 2024-02-08 3:42 ` Herbert Xu
2024-02-08 4:36 ` Eric Biggers
1 sibling, 0 replies; 6+ messages in thread
From: Herbert Xu @ 2024-02-08 3:42 UTC (permalink / raw)
To: Mikulas Patocka; +Cc: Eric Biggers, David S. Miller, linux-crypto, dm-devel
On Wed, Feb 07, 2024 at 01:51:51PM +0100, Mikulas Patocka wrote:
>
> I assume that authenticated encryption or decryption using the same buffer
> as a source and as a destination should be ok. Right?
Yes, in-place encryption and decryption is OK.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: A question about modifying the buffer under authenticated encryption
2024-02-07 12:51 ` Mikulas Patocka
2024-02-08 3:42 ` Herbert Xu
@ 2024-02-08 4:36 ` Eric Biggers
2024-02-08 4:40 ` Herbert Xu
1 sibling, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-02-08 4:36 UTC (permalink / raw)
To: Mikulas Patocka; +Cc: Herbert Xu, David S. Miller, linux-crypto, dm-devel
On Wed, Feb 07, 2024 at 01:51:51PM +0100, Mikulas Patocka wrote:
>
>
> On Tue, 6 Feb 2024, Eric Biggers wrote:
>
> > On Tue, Feb 06, 2024 at 10:46:59PM +0100, Mikulas Patocka wrote:
> > > Hi
> > >
> > > I'm trying to fix some problems in dm-crypt that it may report
> > > authentication failures when the user reads data with O_DIRECT and
> > > modifies the read buffer while it is being read.
> > >
> > > I'd like to ask you:
> > >
> > > 1. If the authenticated encryption encrypts a message, reading from
> > > buffer1 and writing to buffer2 - and buffer1 changes while reading from
> > > it - is it possible that it generates invalid authentication tag?
> > >
> > > 2. If the authenticated encryption decrypts a message, reading from
> > > buffer1 and writing to buffer2 - and buffer2 changes while writing to
> > > it - is is possible that it reports authentication tag mismatch?
> > >
> >
> > Yes, both scenarios are possible. But it depends on the AEAD algorithm and how
> > it happens to be implemented, and on whether the data overlaps or not.
> >
> > This is very much a "don't do that" sort of thing.
> >
> > - Eric
>
> I see. So I will copy the data to a kernel buffer before encryption or
> decryption.
>
> I assume that authenticated encryption or decryption using the same buffer
> as a source and as a destination should be ok. Right?
>
The crypto_aead API allows the source and destination to overlap, yes.
- Eric
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: A question about modifying the buffer under authenticated encryption
2024-02-08 4:36 ` Eric Biggers
@ 2024-02-08 4:40 ` Herbert Xu
0 siblings, 0 replies; 6+ messages in thread
From: Herbert Xu @ 2024-02-08 4:40 UTC (permalink / raw)
To: Eric Biggers; +Cc: Mikulas Patocka, David S. Miller, linux-crypto, dm-devel
On Wed, Feb 07, 2024 at 08:36:10PM -0800, Eric Biggers wrote:
>
> The crypto_aead API allows the source and destination to overlap, yes.
I would prefer to call it in-place rather than overlapping, because
the following is certainly not supported:
encrypt(src: A, dst: A + 16, len: 160)
Just in case someone gets any funny ideas about the API :)
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-02-08 4:40 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 21:46 A question about modifying the buffer under authenticated encryption Mikulas Patocka
2024-02-07 0:47 ` Eric Biggers
2024-02-07 12:51 ` Mikulas Patocka
2024-02-08 3:42 ` Herbert Xu
2024-02-08 4:36 ` Eric Biggers
2024-02-08 4:40 ` Herbert Xu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.