From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Horia Geanta <horia.geanta@nxp.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"dm-devel@redhat.com" <dm-devel@redhat.com>
Subject: Re: xts fuzz testing and lack of ciphertext stealing support
Date: Wed, 17 Jul 2019 20:08:27 +0200 [thread overview]
Message-ID: <CAKv+Gu__offPaWvyURJr8v56ig58q-Deo16QhP26EJ32uf5m3w@mail.gmail.com> (raw)
In-Reply-To: <20190717172823.GA205944@gmail.com>
On Wed, 17 Jul 2019 at 19:28, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Wed, Jul 17, 2019 at 05:09:31PM +0000, Horia Geanta wrote:
> > On 7/17/2019 1:16 AM, Eric Biggers wrote:
> > > Hi Horia,
> > >
> > > On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> > >> Hi,
> > >>
> > >> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
> > >>
> > >> Below are several failures, extracted from different runs:
> > >>
> > >> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
> > >>
> > >> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
> > >>
> > >> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
> > >>
> > >> It looks like the problem is not in CAAM driver.
> > >> More exactly, fuzz testing is generating random test vectors and running
> > >> them through both SW generic (crypto/xts.c) and CAAM implementation:
> > >> -SW generic implementation of xts(aes) does not support ciphertext stealing
> > >> and throws -EINVAL when input is not a multiple of AES block size (16B)
> > >> -caam has support for ciphertext stealing, and allows for any input size
> > >> which results in "unexpectedly succeeded" error messages.
> > >>
> > >> Any suggestion how this should be fixed?
> > >>
> > >> Thanks,
> > >> Horia
> > >
> > > I don't think drivers should allow inputs the generic implementation doesn't,
> > > since those inputs aren't tested by the crypto self-tests (so how do you know
> > How about implementation adding static test vectors and using them to validate
> > the standard feature set that's not supported by the generic implementation?
> >
> > > it's even correct?), and people could accidentally rely on the driver-specific
> > > behavior and then be unable to migrate to another platform or implementation.
> > >
> > People could also *intentionally* rely on a driver offering an implementation
> > that is closer to the spec / standard.
> >
> > > So for now I recommend just updating the caam driver to return -EINVAL on XTS
> > > inputs not evenly divisible by the block size.
> > >
> > I was hoping for something more constructive...
> >
> > > Of course, if there are actual use cases for XTS with ciphertext stealing in the
> > > kernel, we could add it to all the other implementations too. But I'm not aware
> > > of any currently. Don't all XTS users in the kernel pass whole blocks?
> > >
> > That's my guess too.
> >
> > What about user space relying on offloading and xts working
> > according to the spec?
> >
>
> Sure, AF_ALG users could expect ciphertext stealing to work. I don't know of
> any actual examples of people saying they want it, but it's possible.
>
> My point is simply that we add this, we need to find a way to support it in all
> implementations. It's not helpful to add it to only one specific driver, as
> then it's inconsistent and is untestable with the common tests.
>
IIRC there are different ways to implement CTS, and the cts template
we have in the kernel (which is used for CBC in some cases) implements
the flavor where the last two blocks are reordered if the input size
is an exact multiple of the block size. If your CTS implementation
does not implement this reordering (which seems to be the case since
it is compatible with plain XTS), it implements CTS in an incompatible
way.
Since the kernel does not support CTS for XTS any way, and since no
AF_ALG users can portably rely on this, I agree with Eric that the
only sensible way to address this is to disable this functionality in
the driver.
next prev parent reply other threads:[~2019-07-17 18:08 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 17:46 xts fuzz testing and lack of ciphertext stealing support Horia Geanta
2019-07-16 22:16 ` Eric Biggers
2019-07-17 17:09 ` Horia Geanta
2019-07-17 17:28 ` Eric Biggers
2019-07-17 18:08 ` Ard Biesheuvel [this message]
2019-07-18 6:52 ` Herbert Xu
2019-07-18 7:15 ` Ard Biesheuvel
2019-07-18 7:21 ` Herbert Xu
2019-07-18 7:28 ` Ard Biesheuvel
2019-07-18 7:50 ` Herbert Xu
2019-07-18 7:40 ` Milan Broz
2019-07-18 10:40 ` Pascal Van Leeuwen
2019-07-18 11:19 ` Milan Broz
2019-07-18 15:27 ` Herbert Xu
2019-07-20 6:58 ` [dm-devel] " Eric Biggers
2019-07-20 7:35 ` Milan Broz
2019-07-21 9:50 ` Ard Biesheuvel
2019-07-22 9:44 ` Pascal Van Leeuwen
2019-07-22 16:43 ` Ard Biesheuvel
2019-07-22 22:46 ` Pascal Van Leeuwen
2019-07-24 12:23 ` Pascal Van Leeuwen
2019-07-24 12:50 ` Pascal Van Leeuwen
2019-07-24 16:10 ` Pascal Van Leeuwen
2019-07-25 6:22 ` Ard Biesheuvel
2019-07-25 7:49 ` Pascal Van Leeuwen
2019-07-25 8:01 ` Ard Biesheuvel
2019-07-26 10:31 ` Pascal Van Leeuwen
2019-07-26 19:59 ` Horia Geanta
2019-07-26 21:43 ` Pascal Van Leeuwen
2019-07-27 5:39 ` Ard Biesheuvel
2019-07-27 12:56 ` Pascal Van Leeuwen
2019-07-27 16:04 ` Milan Broz
2019-08-04 8:36 ` Ard Biesheuvel
[not found] ` <20f4832e-e3af-e3c2-d946-13bf8c367a60@nxp.com>
2019-08-07 15:51 ` Horia Geanta
2019-08-07 20:57 ` Pascal Van Leeuwen
2019-08-08 14:50 ` Horia Geanta
2019-08-09 8:35 ` Pascal Van Leeuwen
2019-08-08 13:43 ` Pascal Van Leeuwen
2019-08-08 18:01 ` Horia Geanta
2019-08-09 2:48 ` Herbert Xu
2019-08-09 6:45 ` Ard Biesheuvel
2019-08-09 7:44 ` Horia Geanta
2019-08-09 17:49 ` Ard Biesheuvel
2019-08-09 20:57 ` Pascal Van Leeuwen
2019-08-10 4:39 ` Ard Biesheuvel
2019-08-11 11:12 ` Milan Broz
2019-08-11 20:34 ` Eric Biggers
2019-08-11 21:39 ` Pascal Van Leeuwen
2019-08-11 21:29 ` Pascal Van Leeuwen
2019-08-12 4:51 ` Herbert Xu
2019-08-11 21:15 ` Pascal Van Leeuwen
2019-08-11 22:24 ` Ard Biesheuvel
2019-08-12 1:04 ` Pascal Van Leeuwen
2019-07-18 15:29 ` Herbert Xu
2019-07-18 15:43 ` Pascal Van Leeuwen
2019-07-18 15:51 ` Herbert Xu
2019-07-18 16:19 ` Ard Biesheuvel
2019-07-18 16:22 ` Herbert Xu
2019-07-18 17:03 ` Pascal Van Leeuwen
2019-07-19 5:34 ` Ard Biesheuvel
2019-07-19 7:29 ` Pascal Van Leeuwen
2019-07-19 17:14 ` Ard Biesheuvel
2019-07-19 20:07 ` Pascal Van Leeuwen
2019-07-18 16:35 ` Pascal Van Leeuwen
2019-07-19 1:47 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu__offPaWvyURJr8v56ig58q-Deo16QhP26EJ32uf5m3w@mail.gmail.com \
--to=ard.biesheuvel@linaro.org \
--cc=dm-devel@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).