* [PATCH v6 0/2] generic: test HCTR2 filename encryption
@ 2022-08-09 18:40 Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 1/2] fscrypt-crypt-util: add HCTR2 implementation Nathan Huckleberry
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Nathan Huckleberry @ 2022-08-09 18:40 UTC (permalink / raw)
To: fstests, linux-fscrypt; +Cc: Eric Biggers, Sami Tolvanen, Nathan Huckleberry
HCTR2 is a new wide-block encryption mode that can used for filename encryption
in fscrypt. This patchset adds a reference implementation of HCTR2 to the
fscrypt testing utility and adds tests for filename encryption with HCTR2.
More information on HCTR2 can be found here: "Length-preserving encryption with
HCTR2": https://ia.cr/2021/1441
The patchset introducing HCTR2 to the kernel can be found here:
https://lore.kernel.org/linux-crypto/20220520181501.2159644-1-nhuck@google.com/
Changes in v6:
* Remove unused variable
* Rework cover letter
Changes in v5:
* Added links to relevant references for POLYVAL and HCTR2
* Removed POLYVAL partial block handling
* Referenced HCTR2 commit in test
Changes in v4:
* Add helper functions for HCTR2 hashing
* Fix accumulator alignment bug
* Small style fixes
Changes in v3:
* Consolidate tests into one file
Changes in v2:
* Use POLYVAL multiplication directly instead of using GHASH trick
* Split reference implementation and tests into two patches
* Remove v1 policy tests
* Various small style fixes
Nathan Huckleberry (2):
fscrypt-crypt-util: add HCTR2 implementation
generic: add tests for fscrypt policies with HCTR2
common/encrypt | 2 +
src/fscrypt-crypt-util.c | 357 ++++++++++++++++++++++++++++++++-------
tests/generic/900 | 31 ++++
tests/generic/900.out | 16 ++
4 files changed, 349 insertions(+), 57 deletions(-)
create mode 100755 tests/generic/900
create mode 100644 tests/generic/900.out
--
2.37.1.559.g78731f0fdb-goog
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v6 1/2] fscrypt-crypt-util: add HCTR2 implementation
2022-08-09 18:40 [PATCH v6 0/2] generic: test HCTR2 filename encryption Nathan Huckleberry
@ 2022-08-09 18:40 ` Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 2/2] generic: add tests for fscrypt policies with HCTR2 Nathan Huckleberry
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Nathan Huckleberry @ 2022-08-09 18:40 UTC (permalink / raw)
To: fstests, linux-fscrypt
Cc: Eric Biggers, Sami Tolvanen, Nathan Huckleberry, Eric Biggers
This patch adds an implementation of HCTR2 to the fscrypt testing
utility.
More information on HCTR2 can be found here: "Length-preserving
encryption with HCTR2": https://ia.cr/2021/1441
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Tested-by: Eric Biggers <ebiggers@google.com>
---
common/encrypt | 2 +
src/fscrypt-crypt-util.c | 357 ++++++++++++++++++++++++++++++++-------
2 files changed, 302 insertions(+), 57 deletions(-)
diff --git a/common/encrypt b/common/encrypt
index f90c4ef0..937bb914 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -767,6 +767,7 @@ FSCRYPT_MODE_AES_256_CTS=4
FSCRYPT_MODE_AES_128_CBC=5
FSCRYPT_MODE_AES_128_CTS=6
FSCRYPT_MODE_ADIANTUM=9
+FSCRYPT_MODE_AES_256_HCTR2=10
FSCRYPT_POLICY_FLAG_DIRECT_KEY=0x04
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64=0x08
@@ -785,6 +786,7 @@ _fscrypt_mode_name_to_num()
AES-128-CBC-ESSIV) echo $FSCRYPT_MODE_AES_128_CBC ;;
AES-128-CTS-CBC) echo $FSCRYPT_MODE_AES_128_CTS ;;
Adiantum) echo $FSCRYPT_MODE_ADIANTUM ;;
+ AES-256-HCTR2) echo $FSCRYPT_MODE_AES_256_HCTR2 ;;
*) _fail "Unknown fscrypt mode: $name" ;;
esac
}
diff --git a/src/fscrypt-crypt-util.c b/src/fscrypt-crypt-util.c
index 03cc3c4a..aa75a4d6 100644
--- a/src/fscrypt-crypt-util.c
+++ b/src/fscrypt-crypt-util.c
@@ -37,7 +37,8 @@
/*
* Define to enable the tests of the crypto code in this file. If enabled, you
* must link this program with OpenSSL (-lcrypto) v1.1.0 or later, and your
- * kernel needs CONFIG_CRYPTO_USER_API_SKCIPHER=y and CONFIG_CRYPTO_ADIANTUM=y.
+ * kernel needs CONFIG_CRYPTO_USER_API_SKCIPHER=y, CONFIG_CRYPTO_ADIANTUM=y, and
+ * CONFIG_CRYPTO_HCTR2=y.
*/
#undef ENABLE_ALG_TESTS
@@ -54,7 +55,8 @@ static void usage(FILE *fp)
"resulting ciphertext (or plaintext) to stdout.\n"
"\n"
"CIPHER can be AES-256-XTS, AES-256-CTS-CBC, AES-128-CBC-ESSIV, AES-128-CTS-CBC,\n"
-"or Adiantum. MASTER_KEY must be a hex string long enough for the cipher.\n"
+"Adiantum, or AES-256-HCTR2. MASTER_KEY must be a hex string long enough for\n"
+"the cipher.\n"
"\n"
"WARNING: this program is only meant for testing, not for \"real\" use!\n"
"\n"
@@ -268,7 +270,59 @@ static void rand_bytes(u8 *buf, size_t count)
while (count--)
*buf++ = rand();
}
-#endif
+
+#include <linux/if_alg.h>
+#include <sys/socket.h>
+#define SOL_ALG 279
+static void af_alg_crypt(int algfd, int op, const u8 *key, size_t keylen,
+ const u8 *iv, size_t ivlen,
+ const u8 *src, u8 *dst, size_t datalen)
+{
+ size_t controllen = CMSG_SPACE(sizeof(int)) +
+ CMSG_SPACE(sizeof(struct af_alg_iv) + ivlen);
+ u8 *control = xmalloc(controllen);
+ struct iovec iov = { .iov_base = (u8 *)src, .iov_len = datalen };
+ struct msghdr msg = {
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ .msg_control = control,
+ .msg_controllen = controllen,
+ };
+ struct cmsghdr *cmsg;
+ struct af_alg_iv *algiv;
+ int reqfd;
+
+ memset(control, 0, controllen);
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_OP;
+ *(int *)CMSG_DATA(cmsg) = op;
+
+ cmsg = CMSG_NXTHDR(&msg, cmsg);
+ cmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + ivlen);
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_IV;
+ algiv = (struct af_alg_iv *)CMSG_DATA(cmsg);
+ algiv->ivlen = ivlen;
+ memcpy(algiv->iv, iv, ivlen);
+
+ if (setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, keylen) != 0)
+ die_errno("can't set key on AF_ALG socket");
+
+ reqfd = accept(algfd, NULL, NULL);
+ if (reqfd < 0)
+ die_errno("can't accept() AF_ALG socket");
+ if (sendmsg(reqfd, &msg, 0) != datalen)
+ die_errno("can't sendmsg() AF_ALG request socket");
+ if (xread(reqfd, dst, datalen) != datalen)
+ die("short read from AF_ALG request socket");
+ close(reqfd);
+
+ free(control);
+}
+#endif /* ENABLE_ALG_TESTS */
/*----------------------------------------------------------------------------*
* Finite field arithmetic *
@@ -293,7 +347,7 @@ typedef struct {
} ble128;
/* Multiply a GF(2^128) element by the polynomial 'x' */
-static inline void gf2_128_mul_x(ble128 *t)
+static inline void gf2_128_mul_x_xts(ble128 *t)
{
u64 lo = le64_to_cpu(t->lo);
u64 hi = le64_to_cpu(t->hi);
@@ -302,6 +356,38 @@ static inline void gf2_128_mul_x(ble128 *t)
t->lo = cpu_to_le64((lo << 1) ^ ((hi & (1ULL << 63)) ? 0x87 : 0));
}
+static inline void gf2_128_mul_x_polyval(ble128 *t)
+{
+ u64 lo = le64_to_cpu(t->lo);
+ u64 hi = le64_to_cpu(t->hi);
+ u64 lo_reducer = (hi & (1ULL << 63)) ? 1 : 0;
+ u64 hi_reducer = (hi & (1ULL << 63)) ? 0xc2ULL << 56 : 0;
+
+ t->hi = cpu_to_le64(((hi << 1) | (lo >> 63)) ^ hi_reducer);
+ t->lo = cpu_to_le64((lo << 1) ^ lo_reducer);
+}
+
+static void gf2_128_mul_polyval(ble128 *r, const ble128 *b)
+{
+ int i;
+ ble128 p;
+ u64 lo = le64_to_cpu(b->lo);
+ u64 hi = le64_to_cpu(b->hi);
+
+ memset(&p, 0, sizeof(p));
+ for (i = 0; i < 64; i++) {
+ if (lo & (1ULL << i))
+ xor((u8 *)&p, (u8 *)&p, (u8 *)r, sizeof(p));
+ gf2_128_mul_x_polyval(r);
+ }
+ for (i = 0; i < 64; i++) {
+ if (hi & (1ULL << i))
+ xor((u8 *)&p, (u8 *)&p, (u8 *)r, sizeof(p));
+ gf2_128_mul_x_polyval(r);
+ }
+ *r = p;
+}
+
/*----------------------------------------------------------------------------*
* Group arithmetic *
*----------------------------------------------------------------------------*/
@@ -901,6 +987,47 @@ static void test_hkdf_sha512(void)
}
#endif /* ENABLE_ALG_TESTS */
+/*----------------------------------------------------------------------------*
+ * POLYVAL *
+ *----------------------------------------------------------------------------*/
+
+/*
+ * Reference: "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption"
+ * https://datatracker.ietf.org/doc/html/rfc8452
+ */
+
+#define POLYVAL_KEY_SIZE 16
+#define POLYVAL_BLOCK_SIZE 16
+
+static void polyval_update(const u8 key[POLYVAL_KEY_SIZE],
+ const u8 *msg, size_t msglen,
+ u8 accumulator[POLYVAL_BLOCK_SIZE])
+{
+ ble128 h;
+ ble128 aligned_accumulator;
+ // x^{-128} = x^127 + x^124 + x^121 + x^114 + 1
+ static const ble128 inv128 = {
+ cpu_to_le64(1),
+ cpu_to_le64(0x9204ULL << 48)
+ };
+
+ /* Partial block support is not necessary for HCTR2 */
+ ASSERT(msglen % POLYVAL_BLOCK_SIZE == 0);
+
+ memcpy(&h, key, POLYVAL_BLOCK_SIZE);
+ memcpy(&aligned_accumulator, accumulator, POLYVAL_BLOCK_SIZE);
+ gf2_128_mul_polyval(&h, &inv128);
+
+ while (msglen > 0) {
+ xor((u8 *)&aligned_accumulator, (u8 *)&aligned_accumulator, msg,
+ POLYVAL_BLOCK_SIZE);
+ gf2_128_mul_polyval(&aligned_accumulator, &h);
+ msg += POLYVAL_BLOCK_SIZE;
+ msglen -= POLYVAL_BLOCK_SIZE;
+ }
+ memcpy(accumulator, &aligned_accumulator, POLYVAL_BLOCK_SIZE);
+}
+
/*----------------------------------------------------------------------------*
* AES encryption modes *
*----------------------------------------------------------------------------*/
@@ -924,7 +1051,7 @@ static void aes_256_xts_crypt(const u8 key[2 * AES_256_KEY_SIZE],
else
aes_encrypt(&cipher_key, &dst[i], &dst[i]);
xor(&dst[i], &dst[i], (const u8 *)&t, AES_BLOCK_SIZE);
- gf2_128_mul_x(&t);
+ gf2_128_mul_x_xts(&t);
}
}
@@ -1173,6 +1300,167 @@ static void aes_128_cts_cbc_decrypt(const u8 key[AES_128_KEY_SIZE],
aes_cts_cbc_decrypt(key, AES_128_KEY_SIZE, iv, src, dst, nbytes);
}
+/*
+ * Reference: "Length-preserving encryption with HCTR2"
+ * https://ia.cr/2021/1441
+ */
+
+static void aes_256_xctr_crypt(const u8 key[AES_256_KEY_SIZE],
+ const u8 iv[AES_BLOCK_SIZE], const u8 *src,
+ u8 *dst, size_t nbytes)
+{
+ struct aes_key k;
+ union {
+ u8 bytes[AES_BLOCK_SIZE];
+ __le64 ctr;
+ } blk;
+ size_t i;
+
+ aes_setkey(&k, key, AES_256_KEY_SIZE);
+
+ for (i = 0; i < nbytes; i += AES_BLOCK_SIZE) {
+ memcpy(blk.bytes, iv, AES_BLOCK_SIZE);
+ blk.ctr ^= cpu_to_le64((i / AES_BLOCK_SIZE) + 1);
+ aes_encrypt(&k, blk.bytes, blk.bytes);
+ xor(&dst[i], blk.bytes, &src[i], MIN(AES_BLOCK_SIZE, nbytes - i));
+ }
+}
+
+/*
+ * Reference: "Length-preserving encryption with HCTR2"
+ * https://ia.cr/2021/1441
+ */
+
+#define HCTR2_IV_SIZE 32
+static void hctr2_hash_iv(const u8 hbar[POLYVAL_KEY_SIZE],
+ const u8 iv[HCTR2_IV_SIZE], size_t msglen,
+ u8 digest[POLYVAL_BLOCK_SIZE])
+{
+ le128 tweaklen_blk = {
+ .lo = cpu_to_le64(HCTR2_IV_SIZE * 8 * 2 + 2 +
+ (msglen % AES_BLOCK_SIZE != 0))
+ };
+
+ memset(digest, 0, POLYVAL_BLOCK_SIZE);
+ polyval_update(hbar, (u8 *)&tweaklen_blk, POLYVAL_BLOCK_SIZE, digest);
+ polyval_update(hbar, iv, HCTR2_IV_SIZE, digest);
+}
+
+static void hctr2_hash_message(const u8 hbar[POLYVAL_KEY_SIZE],
+ const u8 *msg, size_t msglen,
+ u8 digest[POLYVAL_BLOCK_SIZE])
+{
+ size_t remainder = msglen % AES_BLOCK_SIZE;
+ u8 padded_block[POLYVAL_BLOCK_SIZE] = {0};
+
+ polyval_update(hbar, msg, msglen - remainder, digest);
+ if (remainder) {
+ memcpy(padded_block, &msg[msglen - remainder], remainder);
+ padded_block[remainder] = 1;
+ polyval_update(hbar, padded_block, POLYVAL_BLOCK_SIZE, digest);
+ }
+}
+
+static void aes_256_hctr2_crypt(const u8 key[AES_256_KEY_SIZE],
+ const u8 iv[HCTR2_IV_SIZE], const u8 *src,
+ u8 *dst, size_t nbytes, bool decrypting)
+{
+ struct aes_key k;
+ u8 hbar[AES_BLOCK_SIZE] = {0};
+ u8 L[AES_BLOCK_SIZE] = {1};
+ size_t bulk_bytes = nbytes - AES_BLOCK_SIZE;
+ u8 digest[POLYVAL_BLOCK_SIZE];
+ const u8 *M = src;
+ const u8 *N = src + AES_BLOCK_SIZE;
+ u8 MM[AES_BLOCK_SIZE];
+ u8 UU[AES_BLOCK_SIZE];
+ u8 S[AES_BLOCK_SIZE];
+ u8 *U = dst;
+ u8 *V = dst + AES_BLOCK_SIZE;
+
+ ASSERT(nbytes >= AES_BLOCK_SIZE);
+ aes_setkey(&k, key, AES_256_KEY_SIZE);
+
+ aes_encrypt(&k, hbar, hbar);
+ aes_encrypt(&k, L, L);
+
+ hctr2_hash_iv(hbar, iv, bulk_bytes, digest);
+ hctr2_hash_message(hbar, N, bulk_bytes, digest);
+
+ xor(MM, M, digest, AES_BLOCK_SIZE);
+
+ if (decrypting)
+ aes_decrypt(&k, MM, UU);
+ else
+ aes_encrypt(&k, MM, UU);
+
+ xor(S, MM, UU, AES_BLOCK_SIZE);
+ xor(S, L, S, AES_BLOCK_SIZE);
+
+ aes_256_xctr_crypt(key, S, N, V, bulk_bytes);
+
+ hctr2_hash_iv(hbar, iv, bulk_bytes, digest);
+ hctr2_hash_message(hbar, V, bulk_bytes, digest);
+
+ xor(U, UU, digest, AES_BLOCK_SIZE);
+}
+
+static void aes_256_hctr2_encrypt(const u8 key[AES_256_KEY_SIZE],
+ const u8 iv[HCTR2_IV_SIZE], const u8 *src,
+ u8 *dst, size_t nbytes)
+{
+ aes_256_hctr2_crypt(key, iv, src, dst, nbytes, false);
+}
+
+static void aes_256_hctr2_decrypt(const u8 key[AES_256_KEY_SIZE],
+ const u8 iv[HCTR2_IV_SIZE], const u8 *src,
+ u8 *dst, size_t nbytes)
+{
+ aes_256_hctr2_crypt(key, iv, src, dst, nbytes, true);
+}
+
+#ifdef ENABLE_ALG_TESTS
+#include <linux/if_alg.h>
+#include <sys/socket.h>
+static void test_aes_256_hctr2(void)
+{
+ int algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ struct sockaddr_alg addr = {
+ .salg_type = "skcipher",
+ .salg_name = "hctr2(aes)",
+ };
+ unsigned long num_tests = NUM_ALG_TEST_ITERATIONS;
+
+ if (algfd < 0)
+ die_errno("can't create AF_ALG socket");
+ if (bind(algfd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+ die_errno("can't bind AF_ALG socket to HCTR2 algorithm");
+
+ while (num_tests--) {
+ u8 key[AES_256_KEY_SIZE];
+ u8 iv[HCTR2_IV_SIZE];
+ u8 ptext[4096];
+ u8 ctext[sizeof(ptext)];
+ u8 ref_ctext[sizeof(ptext)];
+ u8 decrypted[sizeof(ptext)];
+ const size_t datalen = 16 + (rand() % (sizeof(ptext) - 15));
+
+ rand_bytes(key, sizeof(key));
+ rand_bytes(iv, sizeof(iv));
+ rand_bytes(ptext, datalen);
+
+ aes_256_hctr2_encrypt(key, iv, ptext, ctext, datalen);
+ af_alg_crypt(algfd, ALG_OP_ENCRYPT, key, sizeof(key),
+ iv, sizeof(iv), ptext, ref_ctext, datalen);
+ ASSERT(memcmp(ctext, ref_ctext, datalen) == 0);
+
+ aes_256_hctr2_decrypt(key, iv, ctext, decrypted, datalen);
+ ASSERT(memcmp(ptext, decrypted, datalen) == 0);
+ }
+ close(algfd);
+}
+#endif /* ENABLE_ALG_TESTS */
+
/*----------------------------------------------------------------------------*
* XChaCha12 stream cipher *
*----------------------------------------------------------------------------*/
@@ -1500,58 +1788,6 @@ static void adiantum_decrypt(const u8 key[ADIANTUM_KEY_SIZE],
}
#ifdef ENABLE_ALG_TESTS
-#include <linux/if_alg.h>
-#include <sys/socket.h>
-#define SOL_ALG 279
-static void af_alg_crypt(int algfd, int op, const u8 *key, size_t keylen,
- const u8 *iv, size_t ivlen,
- const u8 *src, u8 *dst, size_t datalen)
-{
- size_t controllen = CMSG_SPACE(sizeof(int)) +
- CMSG_SPACE(sizeof(struct af_alg_iv) + ivlen);
- u8 *control = xmalloc(controllen);
- struct iovec iov = { .iov_base = (u8 *)src, .iov_len = datalen };
- struct msghdr msg = {
- .msg_iov = &iov,
- .msg_iovlen = 1,
- .msg_control = control,
- .msg_controllen = controllen,
- };
- struct cmsghdr *cmsg;
- struct af_alg_iv *algiv;
- int reqfd;
-
- memset(control, 0, controllen);
-
- cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_len = CMSG_LEN(sizeof(int));
- cmsg->cmsg_level = SOL_ALG;
- cmsg->cmsg_type = ALG_SET_OP;
- *(int *)CMSG_DATA(cmsg) = op;
-
- cmsg = CMSG_NXTHDR(&msg, cmsg);
- cmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + ivlen);
- cmsg->cmsg_level = SOL_ALG;
- cmsg->cmsg_type = ALG_SET_IV;
- algiv = (struct af_alg_iv *)CMSG_DATA(cmsg);
- algiv->ivlen = ivlen;
- memcpy(algiv->iv, iv, ivlen);
-
- if (setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, keylen) != 0)
- die_errno("can't set key on AF_ALG socket");
-
- reqfd = accept(algfd, NULL, NULL);
- if (reqfd < 0)
- die_errno("can't accept() AF_ALG socket");
- if (sendmsg(reqfd, &msg, 0) != datalen)
- die_errno("can't sendmsg() AF_ALG request socket");
- if (xread(reqfd, dst, datalen) != datalen)
- die("short read from AF_ALG request socket");
- close(reqfd);
-
- free(control);
-}
-
static void test_adiantum(void)
{
int algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
@@ -1675,6 +1911,12 @@ static const struct fscrypt_cipher {
.decrypt = aes_128_cts_cbc_decrypt,
.keysize = AES_128_KEY_SIZE,
.min_input_size = AES_BLOCK_SIZE,
+ }, {
+ .name = "AES-256-HCTR2",
+ .encrypt = aes_256_hctr2_encrypt,
+ .decrypt = aes_256_hctr2_decrypt,
+ .keysize = AES_256_KEY_SIZE,
+ .min_input_size = AES_BLOCK_SIZE,
}, {
.name = "Adiantum",
.encrypt = adiantum_encrypt,
@@ -1980,6 +2222,7 @@ int main(int argc, char *argv[])
test_aes_256_xts();
test_aes_256_cts_cbc();
test_adiantum();
+ test_aes_256_hctr2();
#endif
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
--
2.37.1.559.g78731f0fdb-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v6 2/2] generic: add tests for fscrypt policies with HCTR2
2022-08-09 18:40 [PATCH v6 0/2] generic: test HCTR2 filename encryption Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 1/2] fscrypt-crypt-util: add HCTR2 implementation Nathan Huckleberry
@ 2022-08-09 18:40 ` Nathan Huckleberry
2022-08-09 18:48 ` [PATCH v6 0/2] generic: test HCTR2 filename encryption Eric Biggers
2022-08-11 16:23 ` Zorro Lang
3 siblings, 0 replies; 5+ messages in thread
From: Nathan Huckleberry @ 2022-08-09 18:40 UTC (permalink / raw)
To: fstests, linux-fscrypt
Cc: Eric Biggers, Sami Tolvanen, Nathan Huckleberry, Eric Biggers
This patch adds fscrypt policy tests for filename encryption using
HCTR2.
More information on HCTR2 can be found here: "Length-preserving
encryption with HCTR2" https://ia.cr/2021/1441
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Tested-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/900 | 31 +++++++++++++++++++++++++++++++
tests/generic/900.out | 16 ++++++++++++++++
2 files changed, 47 insertions(+)
create mode 100755 tests/generic/900
create mode 100644 tests/generic/900.out
diff --git a/tests/generic/900 b/tests/generic/900
new file mode 100755
index 00000000..1ff7c512
--- /dev/null
+++ b/tests/generic/900
@@ -0,0 +1,31 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2022 Google LLC
+#
+# FS QA Test No. generic/900
+#
+# Verify ciphertext for v2 encryption policies that use AES-256-XTS to encrypt
+# file contents and AES-256-HCTR2 to encrypt file names.
+#
+# HCTR2 was introduced in kernel commit 6b2a51ff03bf ("fscrypt: Add HCTR2
+# support for filename encryption")
+#
+. ./common/preamble
+_begin_fstest auto quick encrypt
+
+# Import common functions.
+. ./common/filter
+. ./common/encrypt
+
+# real QA test starts here
+_supported_fs generic
+
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-HCTR2 v2
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-HCTR2 \
+ v2 iv_ino_lblk_32
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-HCTR2 \
+ v2 iv_ino_lblk_64
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/900.out b/tests/generic/900.out
new file mode 100644
index 00000000..a87c80b3
--- /dev/null
+++ b/tests/generic/900.out
@@ -0,0 +1,16 @@
+QA output created by 900
+
+Verifying ciphertext with parameters:
+ contents_encryption_mode: AES-256-XTS
+ filenames_encryption_mode: AES-256-HCTR2
+ options: v2
+
+Verifying ciphertext with parameters:
+ contents_encryption_mode: AES-256-XTS
+ filenames_encryption_mode: AES-256-HCTR2
+ options: v2 iv_ino_lblk_32
+
+Verifying ciphertext with parameters:
+ contents_encryption_mode: AES-256-XTS
+ filenames_encryption_mode: AES-256-HCTR2
+ options: v2 iv_ino_lblk_64
--
2.37.1.559.g78731f0fdb-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v6 0/2] generic: test HCTR2 filename encryption
2022-08-09 18:40 [PATCH v6 0/2] generic: test HCTR2 filename encryption Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 1/2] fscrypt-crypt-util: add HCTR2 implementation Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 2/2] generic: add tests for fscrypt policies with HCTR2 Nathan Huckleberry
@ 2022-08-09 18:48 ` Eric Biggers
2022-08-11 16:23 ` Zorro Lang
3 siblings, 0 replies; 5+ messages in thread
From: Eric Biggers @ 2022-08-09 18:48 UTC (permalink / raw)
To: Nathan Huckleberry; +Cc: fstests, linux-fscrypt, Sami Tolvanen
On Tue, Aug 09, 2022 at 11:40:35AM -0700, Nathan Huckleberry wrote:
> HCTR2 is a new wide-block encryption mode that can used for filename encryption
> in fscrypt. This patchset adds a reference implementation of HCTR2 to the
> fscrypt testing utility and adds tests for filename encryption with HCTR2.
>
> More information on HCTR2 can be found here: "Length-preserving encryption with
> HCTR2": https://ia.cr/2021/1441
>
> The patchset introducing HCTR2 to the kernel can be found here:
> https://lore.kernel.org/linux-crypto/20220520181501.2159644-1-nhuck@google.com/
Thanks Huck. Zorro already applied v5 to the for-next branch, with the
chunk_size variable removed (which is the only code you changed in v6), and with
generic/900 renamed to its final name of generic/693. See
https://lore.kernel.org/fstests/20220807155112.E0989C433D6@smtp.kernel.org/T/#u
So I think everything is good to go already.
- Eric
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v6 0/2] generic: test HCTR2 filename encryption
2022-08-09 18:40 [PATCH v6 0/2] generic: test HCTR2 filename encryption Nathan Huckleberry
` (2 preceding siblings ...)
2022-08-09 18:48 ` [PATCH v6 0/2] generic: test HCTR2 filename encryption Eric Biggers
@ 2022-08-11 16:23 ` Zorro Lang
3 siblings, 0 replies; 5+ messages in thread
From: Zorro Lang @ 2022-08-11 16:23 UTC (permalink / raw)
To: Nathan Huckleberry; +Cc: fstests, linux-fscrypt
On Tue, Aug 09, 2022 at 11:40:35AM -0700, Nathan Huckleberry wrote:
> HCTR2 is a new wide-block encryption mode that can used for filename encryption
> in fscrypt. This patchset adds a reference implementation of HCTR2 to the
> fscrypt testing utility and adds tests for filename encryption with HCTR2.
>
> More information on HCTR2 can be found here: "Length-preserving encryption with
> HCTR2": https://ia.cr/2021/1441
>
> The patchset introducing HCTR2 to the kernel can be found here:
> https://lore.kernel.org/linux-crypto/20220520181501.2159644-1-nhuck@google.com/
>
> Changes in v6:
> * Remove unused variable
> * Rework cover letter
I've merged your v5 patchset. So feel free to send bug fix patches if you
found more issues.
Thanks,
Zorro
>
> Changes in v5:
> * Added links to relevant references for POLYVAL and HCTR2
> * Removed POLYVAL partial block handling
> * Referenced HCTR2 commit in test
>
> Changes in v4:
> * Add helper functions for HCTR2 hashing
> * Fix accumulator alignment bug
> * Small style fixes
>
> Changes in v3:
> * Consolidate tests into one file
>
> Changes in v2:
> * Use POLYVAL multiplication directly instead of using GHASH trick
> * Split reference implementation and tests into two patches
> * Remove v1 policy tests
> * Various small style fixes
>
> Nathan Huckleberry (2):
> fscrypt-crypt-util: add HCTR2 implementation
> generic: add tests for fscrypt policies with HCTR2
>
> common/encrypt | 2 +
> src/fscrypt-crypt-util.c | 357 ++++++++++++++++++++++++++++++++-------
> tests/generic/900 | 31 ++++
> tests/generic/900.out | 16 ++
> 4 files changed, 349 insertions(+), 57 deletions(-)
> create mode 100755 tests/generic/900
> create mode 100644 tests/generic/900.out
>
> --
> 2.37.1.559.g78731f0fdb-goog
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-08-11 16:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-09 18:40 [PATCH v6 0/2] generic: test HCTR2 filename encryption Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 1/2] fscrypt-crypt-util: add HCTR2 implementation Nathan Huckleberry
2022-08-09 18:40 ` [PATCH v6 2/2] generic: add tests for fscrypt policies with HCTR2 Nathan Huckleberry
2022-08-09 18:48 ` [PATCH v6 0/2] generic: test HCTR2 filename encryption Eric Biggers
2022-08-11 16:23 ` Zorro Lang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.