From: "Van Leeuwen, Pascal" <pvanleeuwen@rambus.com>
To: Gilad Ben-Yossef <gilad@benyossef.com>,
Stephan Mueller <smueller@chronox.de>
Cc: Eric Biggers <ebiggers@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
David Miller <davem@davemloft.net>,
Ofir Drang <Ofir.Drang@arm.com>
Subject: RE: Possible issue with new inauthentic AEAD in extended crypto tests
Date: Mon, 10 Feb 2020 08:03:40 +0000 [thread overview]
Message-ID: <CY4PR0401MB3652A1930E7D1CFC921C700FC3190@CY4PR0401MB3652.namprd04.prod.outlook.com> (raw)
In-Reply-To: <7f68982502574b03931e7caad965e76f@MN2PR20MB2973.namprd20.prod.outlook.com>
> -----Original Message-----
> From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf Of Gilad Ben-Yossef
> Sent: Sunday, February 9, 2020 9:05 AM
> To: Stephan Mueller <smueller@chronox.de>
> Cc: Eric Biggers <ebiggers@kernel.org>; Herbert Xu <herbert@gondor.apana.org.au>; Linux Crypto Mailing List <linux-
> crypto@vger.kernel.org>; Geert Uytterhoeven <geert@linux-m68k.org>; David Miller <davem@davemloft.net>; Ofir Drang
> <Ofir.Drang@arm.com>
> Subject: Re: Possible issue with new inauthentic AEAD in extended crypto tests
>
> <<< External Email >>>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the
> sender/sender address and know the content is safe.
>
>
> On Fri, Feb 7, 2020 at 2:30 PM Stephan Mueller <smueller@chronox.de> wrote:
> >
> > Am Freitag, 7. Februar 2020, 12:50:51 CET schrieb Gilad Ben-Yossef:
> >
> > Hi Gilad,
> >
> > >
> > > It is correct, but is it smart?
> > >
> > > Either we require the same IV to be passed twice as we do today, in which
> > > case passing different IV should fail in a predictable manner OR we should
> > > define the operation is taking two IV like structures - one as the IV and
> > > one as bytes in the associated data and have the IPsec code use it in a
> > > specific way of happen to pass the same IV in both places.
> > >
> > > I don't care either way - but right now the tests basically relies on
> > > undefined behaviour
> > > which is always a bad thing, I think.
> >
> > I am not sure about the motivation of this discussion: we have exactly one
> > user of the RFC4106 implementation: IPSec. Providing the IV/AAD is efficient
> > as the rfc4106 template intents to require the data in a format that requires
> > minimal processing on the IPSec side to bring it in the right format.
> >
>
> The motivation for this discussion is that our current test suite for
> RFC4106 generates test messages where req->iv is different than the
> copy in the associated data.
>
Interesting ... this must be a recent change then, because that's not what
I remember and it's also not in the current 5.6-rc1 tree from Linus.
So what would you expect then? That it takes the IV from req->iv and
totally ignores the AAD data part? That would be the only behavor making
sense for rfc4106 specifically. Leaves the question why you would allow
the application to supply totally random data to the ciphersuite.
But then what about rfc4543 where you have the same API (presumably
rfc4106 was aligned with that?) but you MUST have req->iv matching that
AAD data otherwise you're not compliant with that RFC. (regardless of
whether that 'might be useful' - the name would be wrong then)
> This is not per my interpretation of RFC 4106, this is not the API as
> is described in the header files and finally it is not per the use
> case of the single user of RFC 4106 in the kernel and right now these
> tests
> causes the ccree driver to fail these tests.
>
Agree
> Again, I am *not* suggesting or discussing changing the API.
>
The API just needs some clarification in this area. It makes sense to
_require_ req->iv and the IV part at the end of the AAD buffer to be
_identical_ such that the driver can _assume_ this to be the case.
Considering these ciphersuites are really specific to IPsec ESP.
> I am asking the very practical question if it makes sense to me to
> delve into understanding why this use case is failing versus fixing
> the test suite to test what we actually use.
>
> Gilad
>
> --
> Gilad Ben-Yossef
> Chief Coffee Drinker
>
> values of β will give rise to dom!
Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953
Note: The Inside Secure/Verimatrix Silicon IP team was recently acquired by Rambus.
Please be so kind to update your e-mail address book with my new e-mail address.
** This message and any attachments are for the sole use of the intended recipient(s). It may contain information that is confidential and privileged. If you are not the intended recipient of this message, you are prohibited from printing, copying, forwarding or saving it. Please delete the message and attachments and notify the sender immediately. **
Rambus Inc.<http://www.rambus.com>
next prev parent reply other threads:[~2020-02-10 8:03 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-27 8:04 Possible issue with new inauthentic AEAD in extended crypto tests Gilad Ben-Yossef
2020-01-28 2:34 ` Eric Biggers
2020-01-28 3:15 ` Stephan Mueller
2020-01-28 3:38 ` Herbert Xu
2020-01-28 7:24 ` Gilad Ben-Yossef
2020-01-28 21:12 ` Eric Biggers
2020-01-29 11:28 ` Gilad Ben-Yossef
[not found] ` <2f3e874fae2242d99f4e4095ae42eb75@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-01-29 13:28 ` Van Leeuwen, Pascal
2020-02-05 14:48 ` Gilad Ben-Yossef
2020-02-07 7:27 ` Eric Biggers
2020-02-07 7:56 ` Stephan Mueller
2020-02-07 11:50 ` Gilad Ben-Yossef
2020-02-07 12:29 ` Stephan Mueller
2020-02-09 8:04 ` Gilad Ben-Yossef
[not found] ` <7f68982502574b03931e7caad965e76f@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-02-10 8:03 ` Van Leeuwen, Pascal [this message]
[not found] ` <3b65754206a049e596efeb76619eef5c@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-02-07 14:30 ` Van Leeuwen, Pascal
[not found] ` <70156395ce424f41949feb13fd9f978b@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-02-07 14:07 ` Van Leeuwen, Pascal
2020-02-07 14:29 ` Stephan Mueller
2020-02-07 15:36 ` Van Leeuwen, Pascal
[not found] ` <0795c353d60547539d23cd6db805f579@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-02-07 15:50 ` Van Leeuwen, Pascal
2020-02-09 8:09 ` Gilad Ben-Yossef
2020-02-10 8:05 ` Van Leeuwen, Pascal
2020-02-10 11:04 ` Herbert Xu
[not found] ` <b5a529fd1abd46ea881b18c387fcd4dc@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-01-29 0:18 ` Van Leeuwen, Pascal
2020-01-29 1:26 ` Stephan Mueller
[not found] ` <11489dad16d64075939db69181b5ecbb@MN2PR20MB2973.namprd20.prod.outlook.com>
2020-01-29 8:40 ` Van Leeuwen, Pascal
2020-01-29 12:54 ` Stephan Mueller
2020-01-29 13:42 ` Van Leeuwen, Pascal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR0401MB3652A1930E7D1CFC921C700FC3190@CY4PR0401MB3652.namprd04.prod.outlook.com \
--to=pvanleeuwen@rambus.com \
--cc=Ofir.Drang@arm.com \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=geert@linux-m68k.org \
--cc=gilad@benyossef.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).