Re: [PATCH] crypto: aesni - disable "by8" AVX CTR optimization

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Yonan <james@openvpn.net>
To: Mathias Krause <minipli@googlemail.com>,
	Chandramouli Narayanan <mouli@linux.intel.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Romain Francoise <romain@orebokech.com>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Subject: Re: [PATCH] crypto: aesni - disable "by8" AVX CTR optimization
Date: Tue, 16 Dec 2014 14:49:51 -0700	[thread overview]
Message-ID: <5490A8FF.2040906@openvpn.net> (raw)
In-Reply-To: <548F35D0.1020503@openvpn.net>

On 15/12/2014 12:26, James Yonan wrote:
> Mathias,
>
>>> I'm seeing some anomalous results with the "by8" AVX CTR optimization in
>>> 3.18.
>>
>> the patch you're replying to actually *disabled* the "by8" variant for
>> v3.17 as it had another bug related to wrong counter handling in GCM.
>> The fix for that particular issue only made it to v3.18, so the code
>> got re-enabled only for v3.18. But it looks like that there's yet
>> another bug :/
>
> Right, I should have clarified that I initially suspected the "by8"
> variant was to blame because your patch that disables it resolves the
> discrepancy.
>
>>> In particular, crypto_aead_encrypt appears to produce different
>>> ciphertext
>>> from the same plaintext depending on whether or not the optimization is
>>> enabled.
>>>
>>> See the attached patch to tcrypt that demonstrates the discrepancy.
>>
>> I can reproduce your observations, so I can confirm the difference,
>> when using the "by8" variant compared to other AES implementations.
>> When applying this very patch (commit 7da4b29d496b ("crypto: aesni -
>> disable "by8" AVX CTR optimization")) -- the patch that disables the
>> "by8" variant -- on top of v3.18 the discrepancies are gone. So the
>> behavior is bound to the "by8" optimization, only.
>
> Right -- this is exactly what I'm seeing as well.
>
>> As it was Chandramouli, who contributed the code, maybe he has a clue
>> what's wrong here. Chandramouli?
>
> A few more observations:
>
> * Encryption produces bad ciphertext only when the size of plaintext
> exceeds a certain threshold.  In test_aead_encrypt_consistency in the
> tcrypt patch, I found that data_size must be >= 128 to produce bad
> ciphertext.
>
> * Encrypting then decrypting data always gets back to the original
> plaintext, no matter what the size.
>
> * The bad ciphertext from encryption is only evident when the same
> encrypt operation is performed on a different AES implementation and the
> ciphertexts are compared.
>
> * When the encrypt operation produces bad ciphertext, the generated auth
> tag is actually correct, so another AES implementation that decrypts the
> ciphertext will end up with corrupted plaintext that succeeds
> authentication.

Another interesting observation:

* bug only occurs when key size is 128 bits, not 192 or 256.

James

next prev parent reply	other threads:[~2014-12-16 21:49 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-09-15  8:36 v3.17-rc5: alg: skcipher: Test 4 failed on encryption for ctr-aes-aesni Romain Francoise
2014-09-16 20:01 ` Romain Francoise
2014-09-17 11:29   ` Herbert Xu
2014-09-21 22:28     ` Mathias Krause
2014-09-24 22:23       ` chandramouli narayanan
2014-09-25  6:27         ` Mathias Krause
2014-09-23 20:31     ` [PATCH] crypto: aesni - disable "by8" AVX CTR optimization Mathias Krause
2014-12-11  8:52       ` James Yonan
2014-12-14 17:41         ` Mathias Krause
2014-12-15 19:26           ` James Yonan
2014-12-16 21:49             ` James Yonan [this message]
2014-12-30 21:29               ` Mathias Krause
2014-09-17 20:10   ` v3.17-rc5: alg: skcipher: Test 4 failed on encryption for ctr-aes-aesni Mathias Krause
2014-09-17 20:17     ` Mathias Krause

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5490A8FF.2040906@openvpn.net \
    --to=james@openvpn.net \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=minipli@googlemail.com \
    --cc=mouli@linux.intel.com \
    --cc=romain@orebokech.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.