linux-kernel.vger.kernel.org archive mirror
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v2 00/15] crypto: improved skcipher, aead, and hash tests
Date: Thu, 31 Jan 2019 23:51:35 -0800
Message-ID: <20190201075150.18644-1-ebiggers@kernel.org>

Hello,

Crypto algorithms must produce the same output for the same input
regardless of data layout, i.e. how the src and dst scatterlists are
divided into chunks and how each chunk is aligned.  Request flags such
as CRYPTO_TFM_REQ_MAY_SLEEP must not affect the result either.

However, testing of this currently has many gaps.  For example,
individual algorithms are responsible for providing their own chunked
test vectors.  But many don't bother to do this or test only one or two
cases, providing poor test coverage.  Also, other things such as buffers
spanning a page boundary, misaligned IVs, and CRYPTO_TFM_REQ_MAY_SLEEP
are never tested at all.

Test code is also duplicated between the chunked and non-chunked cases,
making it difficult to make other improvements.

To improve the situation, this patch series basically moves the chunk
descriptions into the testmgr itself so that they are shared by all
algorithms.  However, it's done in an extensible way via a new struct
'testvec_config', which describes not just the scaled chunk lengths but
also all other aspects of the crypto operation besides the data itself
such as the buffer alignments, the request flags, whether the operation
is in-place or not, the IV alignment, and for hash algorithms when to do
each update() and when to use finup() vs. final() vs. digest().

Then, this patch series makes skcipher, aead, and hash algorithms be
tested against a list of default testvec_configs, replacing the current
test code.  This improves overall test coverage, without reducing test
performance too much.  Note that the test vectors themselves are not
changed, except for removing the chunk lists.

This series also adds randomized fuzz tests, enabled by a new kconfig
option intended for developer use only, where skcipher, aead, and hash
algorithms are tested against many randomly generated testvec_configs.
This provides much more comprehensive test coverage.

I've run these improved tests on x86, arm32, and arm64 with all crypto
algorithms enabled, and they have already found many bugs.  Patches 1-7
and the patches from Ard Biesheuvel fix most of the bugs found so far.
A bug was also detected in the Rockchip crypto driver which remains to
be fixed.  Also many AEADs incorrectly change aead_request::base.tfm,
but for now I'm temporarily working around that in the tests as I plan
to fix it later after the other types of bugs are addressed.

If anyone reading this has access to systems with other architectures or
crypto drivers that may not have been tested yet, you can help by
applying these patches on your system, enabling
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS, and reporting or fixing any test
failures.

This patch series can also be found in git at
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
branch "testmgr-improvements".

Changed since v1:

- Made CONFIG_CRYPTO_MANAGER_EXTRA_TESTS depend on CONFIG_DEBUG_KERNEL.
- Improved commit description of AEGIS and MORUS fixes.
- A few very minor cleanups to the test code.

Eric Biggers (15):
  crypto: aegis - fix handling chunked inputs
  crypto: morus - fix handling chunked inputs
  crypto: x86/aegis - fix handling chunked inputs and MAY_SLEEP
  crypto: x86/morus - fix handling chunked inputs and MAY_SLEEP
  crypto: x86/aesni-gcm - fix crash on empty plaintext
  crypto: ahash - fix another early termination in hash walk
  crypto: arm64/aes-neonbs - fix returning final keystream block
  crypto: testmgr - add testvec_config struct and helper functions
  crypto: testmgr - introduce CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
  crypto: testmgr - implement random testvec_config generation
  crypto: testmgr - convert skcipher testing to use testvec_configs
  crypto: testmgr - convert aead testing to use testvec_configs
  crypto: testmgr - convert hash testing to use testvec_configs
  crypto: testmgr - check for skcipher_request corruption
  crypto: testmgr - check for aead_request corruption

 arch/arm64/crypto/aes-neonbs-core.S    |    8 +-
 arch/x86/crypto/aegis128-aesni-glue.c  |   38 +-
 arch/x86/crypto/aegis128l-aesni-glue.c |   38 +-
 arch/x86/crypto/aegis256-aesni-glue.c  |   38 +-
 arch/x86/crypto/aesni-intel_glue.c     |   13 +-
 arch/x86/crypto/morus1280_glue.c       |   40 +-
 arch/x86/crypto/morus640_glue.c        |   39 +-
 crypto/Kconfig                         |   10 +
 crypto/aegis128.c                      |   14 +-
 crypto/aegis128l.c                     |   14 +-
 crypto/aegis256.c                      |   14 +-
 crypto/ahash.c                         |   14 +-
 crypto/morus1280.c                     |   13 +-
 crypto/morus640.c                      |   13 +-
 crypto/testmgr.c                       | 2549 +++++++++++++-----------
 crypto/testmgr.h                       |  407 +---
 16 files changed, 1556 insertions(+), 1706 deletions(-)

-- 
2.20.1
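The layout-invariance property the cover letter describes, as an added example that is not part of the original message or of the kernel's testmgr: a toy block-buffered hash is driven through several chunk configurations (struct chunk_cfg is a simplified stand-in for testvec_config, with only scaled chunk lengths) and every result must equal the one-shot digest. All names and the toy hash are assumptions made here.

```c
/* Added example, not kernel code: a chunking-invariance check in the spirit of
 * testmgr's testvec_config, using a toy block-buffered hash as the algorithm. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BLK 8     /* block size the toy hash buffers up to */
#define PARTS 16  /* chunk lengths are given in sixteenths of the total length */
struct toy_hash { uint64_t state, total; uint8_t buf[BLK]; size_t buflen; };
static void toy_block(struct toy_hash *h, const uint8_t *b) {
	uint64_t w; memcpy(&w, b, BLK);
	h->state = ((h->state << 13) | (h->state >> 51)) ^ w ^ 0x9e3779b97f4a7c15ULL;
}
/* update() must give the same digest however the input is split: partial
 * blocks are carried in h->buf, exactly where chunked-input bugs tend to live. */
static void toy_update(struct toy_hash *h, const uint8_t *p, size_t n) {
	h->total += n;
	if (h->buflen) {                      /* finish a pending partial block */
		size_t take = BLK - h->buflen < n ? BLK - h->buflen : n;
		memcpy(h->buf + h->buflen, p, take);
		h->buflen += take; p += take; n -= take;
		if (h->buflen < BLK) return;
		toy_block(h, h->buf); h->buflen = 0;
	}
	for (; n >= BLK; p += BLK, n -= BLK) toy_block(h, p);
	memcpy(h->buf, p, n); h->buflen = n;  /* stash the trailing partial block */
}
static uint64_t toy_final(struct toy_hash *h) {
	memset(h->buf + h->buflen, 0, BLK - h->buflen);  /* zero-pad the last block */
	toy_block(h, h->buf); return h->state ^ h->total;
}
struct chunk_cfg { unsigned nchunks; unsigned parts[4]; };
/* chunk_cfg is a simplified stand-in for testvec_config: nchunks scaled chunk
 * lengths in PARTS; the last chunk takes the remainder so the whole input is covered. */
static uint64_t toy_hash_chunked(const uint8_t *data, size_t len, const struct chunk_cfg *cfg) {
	struct toy_hash h = { .state = 0x243f6a8885a308d3ULL }; size_t off = 0;
	for (unsigned i = 0; i < cfg->nchunks; i++) {
		size_t n = i + 1 == cfg->nchunks ? len - off : len * cfg->parts[i] / PARTS;
		toy_update(&h, data + off, n); off += n;
	}
	return toy_final(&h);
}
/* Returns 1 if every chunk config reproduces the one-shot digest, else 0. */
static int check_chunking_invariance(const uint8_t *data, size_t len) {
	static const struct chunk_cfg cfgs[] = { { 1, { PARTS } }, { 2, { 1, 15 } },
						 { 3, { 7, 1, 8 } }, { 4, { 3, 3, 3, 7 } } };
	uint64_t ref = toy_hash_chunked(data, len, &cfgs[0]);
	for (size_t i = 1; i < sizeof(cfgs) / sizeof(cfgs[0]); i++)
		if (toy_hash_chunked(data, len, &cfgs[i]) != ref) return 0;
	return 1;
}
```

A buggy update() that mishandles the carried partial block (the class of defect fixed in patches 1-4 of this series) fails check_chunking_invariance() on the very first multi-chunk config.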


Thread overview:
2019-02-01  7:51 Eric Biggers [this message]
2019-02-01  7:51 ` [PATCH v2 01/15] crypto: aegis - fix handling chunked inputs Eric Biggers
2019-02-05  9:31   ` Ondrej Mosnacek
2019-02-01  7:51 ` [PATCH v2 02/15] crypto: morus " Eric Biggers
2019-02-05  9:30   ` Ondrej Mosnacek
2019-02-01  7:51 ` [PATCH v2 03/15] crypto: x86/aegis - fix handling chunked inputs and MAY_SLEEP Eric Biggers
2019-02-05  9:31   ` Ondrej Mosnacek
2019-02-01  7:51 ` [PATCH v2 04/15] crypto: x86/morus " Eric Biggers
2019-02-05  9:32   ` Ondrej Mosnacek
2019-02-01  7:51 ` [PATCH v2 05/15] crypto: x86/aesni-gcm - fix crash on empty plaintext Eric Biggers
2019-02-01  7:51 ` [PATCH v2 06/15] crypto: ahash - fix another early termination in hash walk Eric Biggers
2019-02-01  7:51 ` [PATCH v2 07/15] crypto: arm64/aes-neonbs - fix returning final keystream block Eric Biggers
2019-02-01  7:51 ` [PATCH v2 08/15] crypto: testmgr - add testvec_config struct and helper functions Eric Biggers
2019-02-01  7:51 ` [PATCH v2 09/15] crypto: testmgr - introduce CONFIG_CRYPTO_MANAGER_EXTRA_TESTS Eric Biggers
2019-02-01  7:51 ` [PATCH v2 10/15] crypto: testmgr - implement random testvec_config generation Eric Biggers
2019-02-01  7:51 ` [PATCH v2 11/15] crypto: testmgr - convert skcipher testing to use testvec_configs Eric Biggers
2019-02-01  7:51 ` [PATCH v2 12/15] crypto: testmgr - convert aead " Eric Biggers
2019-02-01  7:51 ` [PATCH v2 13/15] crypto: testmgr - convert hash " Eric Biggers
2019-08-29 15:32   ` Christophe Leroy
2019-08-29 15:58     ` Eric Biggers
2019-02-01  7:51 ` [PATCH v2 14/15] crypto: testmgr - check for skcipher_request corruption Eric Biggers
2019-02-01  7:51 ` [PATCH v2 15/15] crypto: testmgr - check for aead_request corruption Eric Biggers
2019-02-08  7:47 ` [PATCH v2 00/15] crypto: improved skcipher, aead, and hash tests Herbert Xu
