From: Stephan Mueller <smueller@chronox.de>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers@google.com>,
Alexander Potapenko <glider@google.com>,
linux-crypto@vger.kernel.org, Kostya Serebryany <kcc@google.com>,
keyrings@vger.kernel.org,
Andrey Konovalov <andreyknvl@google.com>
Subject: Re: x509 parsing bug + fuzzing crypto in the userspace
Date: Fri, 24 Nov 2017 16:03:15 +0100 [thread overview]
Message-ID: <2926823.qMJ9kpMUtP@tauon.chronox.de> (raw)
In-Reply-To: <CACT4Y+Zp39AMymVXB8ZdGA1VRYwRVsouuEXdhY3nmP5oawcfEQ@mail.gmail.com>
Am Freitag, 24. November 2017, 14:49:49 CET schrieb Dmitry Vyukov:
Hi Dmitry,
> I've cooked syzkaller change that teaches it to generate more
> algorithm names. Probably not idea, but much better than was before:
> https://github.com/google/syzkaller/blob/ddf7b3e0655cf6dfeacfe509e477c1486d2
> cc7db/sys/linux/alg.go
I am not as fluent in GO, so I may miss a point here:
{"authencesn", []int{ALG_HASH, ALG_BLKCIPHER}},
{"authenc", []int{ALG_HASH, ALG_BLKCIPHER}},
These both are templates to form an AEAD cipher. They allow you to specify the
block cipher and the hash type.
{"rfc7539esp", []int{ALG_BLKCIPHER, ALG_HASH}},
{"rfc7539", []int{ALG_BLKCIPHER, ALG_HASH}},
{"rfc4543", []int{ALG_AEAD}},
{"rfc4106", []int{ALG_AEAD}},
These are no ciphers per se, but simply formatting mechanisms. For example, to
make use of rfc4106, you must split the IV: the first four bytes need to be
appended to the key and the trailing 8 bytes are used as the IV. Any other
formatting should cause an error. Besides, these implementations should only
work with some AEAD ciphers like GCM.
{"pcrypt", []int{ALG_AEAD}},
{"rfc4309", []int{ALG_AEAD}},
{"gcm", []int{ALG_CIPHER}},
{"gcm_base", []int{ALG_BLKCIPHER, ALG_HASH}},
{"ccm", []int{ALG_CIPHER}},
{"ccm_base", []int{ALG_BLKCIPHER, ALG_HASH}},
{"echainiv", []int{ALG_AEAD}},
{"seqiv", []int{ALG_AEAD}},
These are IV generators and should be used with an AEAD cipher to internally
generate IVs. Note, the use of IV generators have changed with 4.2 (see my
script I sent you as part of this thread).
{"gcm(aes)", nil},
gcm() is also a template that can consume any block cipher, including aes-
generic, serpent, ...
{"gcm_base(ctr(aes-aesni),ghash-generic)", nil},
Again, ctr() is a template that can consume other block ciphers.
{"generic-gcm-aesni", nil},
Does this exist?
{"rfc4106(gcm(aes))", nil},
rfc... is a template that can consume AEAD ciphers.
{"rfc4106-gcm-aesni", nil},
{"__gcm-aes-aesni", nil},
{"__driver-gcm-aes-aesni", nil},
Please specifically test that __driver_... names should NEVER be allocatable
from user space.
// algorithms:
{"cbc(aes)", nil},
cbc() is a template
{"cbc(aes-aesni)", nil},
{"chacha20", nil},
{"chacha20-simd", nil},
{"pcbc(aes)", nil},
{"pcbc-aes-aesni", nil},
{"fpu(pcbc(__aes))", nil},
{"fpu(pcbc(__aes-aesni))", nil},
{"pcbc(__aes)", nil},
{"pcbc(__aes-aesni)", nil},
They are all templates.
{"xts(aes)", nil},
xts() is a template.
Note, starting with 4.9, you must use xts(ecb(aes)).
{"xts-aes-aesni", nil},
{"ctr(aes)", nil},
ctr() is a template
In general, I would rather suggest:
1. identify all templates and mark them what they can consume (other
templates, AEAD, skcipher, hash, ...)
2. identify all ciphers (aes, aes-generic, aes-aesni, ...) and identify their
types (skcipher, hash)
3. mix-n-match templates with the ciphers according to what templates can
consume
Start another test where you arbitrarily mix-n-match templates and ciphers or
even bogus names, NULL, etc.
One word of warning: some cipher names may look like templates, but they are
not: gcm(aes) in arch/x86/crypto/ is a complete cipher and not consisting of
templates. Thus, I would always use the driver names (gcm-aes-aesni for the
given example) to ensure you test exactly the cipher you had in mind.
Word of warning II: There is a bug in the kernel crypto API: if you allocate a
cipher using the driver name that was not registered before, this cipher will
never be available using its "name". /proc/crypto shows you the reason: the
"name" is then identical to the driver name.
Ciao
Stephan
WARNING: multiple messages have this Message-ID (diff)
From: Stephan Mueller <smueller@chronox.de>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers@google.com>,
Alexander Potapenko <glider@google.com>,
linux-crypto@vger.kernel.org, Kostya Serebryany <kcc@google.com>,
keyrings@vger.kernel.org,
Andrey Konovalov <andreyknvl@google.com>
Subject: Re: x509 parsing bug + fuzzing crypto in the userspace
Date: Fri, 24 Nov 2017 15:03:15 +0000 [thread overview]
Message-ID: <2926823.qMJ9kpMUtP@tauon.chronox.de> (raw)
In-Reply-To: <CACT4Y+Zp39AMymVXB8ZdGA1VRYwRVsouuEXdhY3nmP5oawcfEQ@mail.gmail.com>
Am Freitag, 24. November 2017, 14:49:49 CET schrieb Dmitry Vyukov:
Hi Dmitry,
> I've cooked syzkaller change that teaches it to generate more
> algorithm names. Probably not idea, but much better than was before:
> https://github.com/google/syzkaller/blob/ddf7b3e0655cf6dfeacfe509e477c1486d2
> cc7db/sys/linux/alg.go
I am not as fluent in GO, so I may miss a point here:
{"authencesn", []int{ALG_HASH, ALG_BLKCIPHER}},
{"authenc", []int{ALG_HASH, ALG_BLKCIPHER}},
These both are templates to form an AEAD cipher. They allow you to specify the
block cipher and the hash type.
{"rfc7539esp", []int{ALG_BLKCIPHER, ALG_HASH}},
{"rfc7539", []int{ALG_BLKCIPHER, ALG_HASH}},
{"rfc4543", []int{ALG_AEAD}},
{"rfc4106", []int{ALG_AEAD}},
These are no ciphers per se, but simply formatting mechanisms. For example, to
make use of rfc4106, you must split the IV: the first four bytes need to be
appended to the key and the trailing 8 bytes are used as the IV. Any other
formatting should cause an error. Besides, these implementations should only
work with some AEAD ciphers like GCM.
{"pcrypt", []int{ALG_AEAD}},
{"rfc4309", []int{ALG_AEAD}},
{"gcm", []int{ALG_CIPHER}},
{"gcm_base", []int{ALG_BLKCIPHER, ALG_HASH}},
{"ccm", []int{ALG_CIPHER}},
{"ccm_base", []int{ALG_BLKCIPHER, ALG_HASH}},
{"echainiv", []int{ALG_AEAD}},
{"seqiv", []int{ALG_AEAD}},
These are IV generators and should be used with an AEAD cipher to internally
generate IVs. Note, the use of IV generators have changed with 4.2 (see my
script I sent you as part of this thread).
{"gcm(aes)", nil},
gcm() is also a template that can consume any block cipher, including aes-
generic, serpent, ...
{"gcm_base(ctr(aes-aesni),ghash-generic)", nil},
Again, ctr() is a template that can consume other block ciphers.
{"generic-gcm-aesni", nil},
Does this exist?
{"rfc4106(gcm(aes))", nil},
rfc... is a template that can consume AEAD ciphers.
{"rfc4106-gcm-aesni", nil},
{"__gcm-aes-aesni", nil},
{"__driver-gcm-aes-aesni", nil},
Please specifically test that __driver_... names should NEVER be allocatable
from user space.
// algorithms:
{"cbc(aes)", nil},
cbc() is a template
{"cbc(aes-aesni)", nil},
{"chacha20", nil},
{"chacha20-simd", nil},
{"pcbc(aes)", nil},
{"pcbc-aes-aesni", nil},
{"fpu(pcbc(__aes))", nil},
{"fpu(pcbc(__aes-aesni))", nil},
{"pcbc(__aes)", nil},
{"pcbc(__aes-aesni)", nil},
They are all templates.
{"xts(aes)", nil},
xts() is a template.
Note, starting with 4.9, you must use xts(ecb(aes)).
{"xts-aes-aesni", nil},
{"ctr(aes)", nil},
ctr() is a template
In general, I would rather suggest:
1. identify all templates and mark them what they can consume (other
templates, AEAD, skcipher, hash, ...)
2. identify all ciphers (aes, aes-generic, aes-aesni, ...) and identify their
types (skcipher, hash)
3. mix-n-match templates with the ciphers according to what templates can
consume
Start another test where you arbitrarily mix-n-match templates and ciphers or
even bogus names, NULL, etc.
One word of warning: some cipher names may look like templates, but they are
not: gcm(aes) in arch/x86/crypto/ is a complete cipher and not consisting of
templates. Thus, I would always use the driver names (gcm-aes-aesni for the
given example) to ensure you test exactly the cipher you had in mind.
Word of warning II: There is a bug in the kernel crypto API: if you allocate a
cipher using the driver name that was not registered before, this cipher will
never be available using its "name". /proc/crypto shows you the reason: the
"name" is then identical to the driver name.
Ciao
Stephan
next prev parent reply other threads:[~2017-11-24 15:03 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-20 14:10 x509 parsing bug + fuzzing crypto in the userspace Alexander Potapenko
2017-11-20 21:42 ` Eric Biggers
2017-11-20 21:42 ` Eric Biggers
2017-11-21 8:00 ` Dmitry Vyukov
2017-11-21 8:00 ` Dmitry Vyukov
2017-11-21 20:46 ` Eric Biggers
2017-11-21 20:46 ` Eric Biggers
2017-11-22 10:44 ` Dmitry Vyukov
2017-11-22 10:44 ` Dmitry Vyukov
2017-11-22 17:08 ` Stephan Mueller
2017-11-22 17:08 ` Stephan Mueller
2017-11-23 9:32 ` Dmitry Vyukov
2017-11-23 9:32 ` Dmitry Vyukov
2017-11-23 9:35 ` Dmitry Vyukov
2017-11-23 9:35 ` Dmitry Vyukov
2017-11-23 9:37 ` Dmitry Vyukov
2017-11-23 9:37 ` Dmitry Vyukov
2017-11-23 11:10 ` Stephan Mueller
2017-11-23 11:10 ` Stephan Mueller
2017-11-23 11:27 ` Dmitry Vyukov
2017-11-23 11:27 ` Dmitry Vyukov
2017-11-23 11:34 ` Dmitry Vyukov
2017-11-23 11:34 ` Dmitry Vyukov
2017-11-23 12:35 ` Stephan Mueller
2017-11-23 12:35 ` Stephan Mueller
2017-11-24 13:49 ` Dmitry Vyukov
2017-11-24 13:49 ` Dmitry Vyukov
2017-11-24 14:36 ` Stephan Mueller
2017-11-24 14:36 ` Stephan Mueller
2017-11-24 14:55 ` Dmitry Vyukov
2017-11-24 14:55 ` Dmitry Vyukov
2017-11-24 15:13 ` Stephan Mueller
2017-11-24 15:13 ` Stephan Mueller
2017-11-24 15:53 ` Dmitry Vyukov
2017-11-24 15:53 ` Dmitry Vyukov
2017-11-24 16:07 ` Stephan Mueller
2017-11-24 16:07 ` Stephan Mueller
2017-11-24 15:03 ` Stephan Mueller [this message]
2017-11-24 15:03 ` Stephan Mueller
2017-11-24 16:10 ` Dmitry Vyukov
2017-11-24 16:10 ` Dmitry Vyukov
2017-11-24 16:19 ` Stephan Mueller
2017-11-24 16:19 ` Stephan Mueller
2017-11-24 16:25 ` Dmitry Vyukov
2017-11-24 16:25 ` Dmitry Vyukov
2017-11-24 16:31 ` Stephan Mueller
2017-11-24 16:31 ` Stephan Mueller
2017-11-28 9:59 ` Dmitry Vyukov
2017-11-28 9:59 ` Dmitry Vyukov
2017-11-24 16:18 ` Dmitry Vyukov
2017-11-24 16:18 ` Dmitry Vyukov
2017-11-24 16:23 ` Stephan Mueller
2017-11-24 16:23 ` Stephan Mueller
2017-11-23 12:32 ` Stephan Mueller
2017-11-23 12:32 ` Stephan Mueller
2017-11-22 16:54 ` Stephan Mueller
2017-11-22 16:54 ` Stephan Mueller
2017-11-22 17:03 ` Dmitry Vyukov
2017-11-22 17:03 ` Dmitry Vyukov
2017-11-22 17:15 ` Stephan Mueller
2017-11-22 17:15 ` Stephan Mueller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2926823.qMJ9kpMUtP@tauon.chronox.de \
--to=smueller@chronox.de \
--cc=andreyknvl@google.com \
--cc=dvyukov@google.com \
--cc=ebiggers@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.