Intel GCM: __driver-gcm-aes-aesni setkey missing

Intel GCM: __driver-gcm-aes-aesni setkey missing

[Stephan Mueller]

Hi Gabriele, Adrian, Tadeusz, Aidan,

during testing of my algif_aead patch with the different GCM implementations I 
am able to trigger a kernel crash from user space using __driver-gcm-aes-
aesni.

As I hope that algif_aead is going to be included, unprivileged userspace 
would then reliably crash the kernel -- with the current kernel code, 
userspace has no interface to trigger the issue.

Looking into the kernel code I think I see where the issue is. The crash 
happens when setkey is invoked. The kernel crypto API defines setkey as the 
following:

static inline int crypto_aead_setkey(struct crypto_aead *tfm, const u8 *key,
                                     unsigned int keylen)
{
        struct aead_tfm *crt = crypto_aead_crt(tfm);

        return crt->setkey(crt->base, key, keylen);
}

This means that the kernel crypto API expects that ciphers always implement a 
setkey callback.

However, __driver-gcm-aes-aesni does not implement a setkey:

                .aead = {
                        .encrypt        = __driver_rfc4106_encrypt,
                        .decrypt        = __driver_rfc4106_decrypt,
                },

As I am not sure what the purpose of __driver-gcm-aes-aesni is (only a backend 
for RFC4106 GCM or a regular cipher), I did not yet create a patch. IMHO there 
are two solutions:

- either create a valid setkey callback so that a key is set

- or create a noop setkey that returns -EOPNOTSUPP which effectively disables 
that cipher for regular consumption.

Note, if it is only a backend for the RFC4106 implementation, may I ask why 
__driver-gcm-aes-aesni is implemented as a separate cipher that is registered 
with the kernel crypto API?

-- 
Ciao
Stephan

Re: Intel GCM: __driver-gcm-aes-aesni setkey missing

[Tadeusz Struk]

Hi Stephan,
On 01/17/2015 10:23 AM, Stephan Mueller wrote:
> during testing of my algif_aead patch with the different GCM implementations I 
> am able to trigger a kernel crash from user space using __driver-gcm-aes-
> aesni.
> 
> As I hope that algif_aead is going to be included, unprivileged userspace 
> would then reliably crash the kernel -- with the current kernel code, 
> userspace has no interface to trigger the issue.

Yes, that's a problem.

> 
> As I am not sure what the purpose of __driver-gcm-aes-aesni is (only a backend 
> for RFC4106 GCM or a regular cipher), I did not yet create a patch. IMHO there 
> are two solutions:
> 
> - either create a valid setkey callback so that a key is set
> 
> - or create a noop setkey that returns -EOPNOTSUPP which effectively disables 
> that cipher for regular consumption.

__driver-gcm-aes-aesni is only a helper for rfc4106-gcm-aesni and it
never supposed to be used on it's own. I think implementing a setkey
function that only returns an error would be a good solution for this.
Another question is what if someone will ignore the error or skip the
setsockopt(ALG_SET_KEY) altogether and still call the sendmsg() and
read() to trigger encrypt()?

> Note, if it is only a backend for the RFC4106 implementation, may I ask why 
> __driver-gcm-aes-aesni is implemented as a separate cipher that is registered 
> with the kernel crypto API?

This is because we need to have one instance of the helper tfm with its
context per each of the rfc4106-gcm-aesni tfm instance and that was one
convenient way to do this.

Tadeusz

Re: Intel GCM: __driver-gcm-aes-aesni setkey missing

[Stephan Mueller]

Am Samstag, 17. Januar 2015, 17:37:06 schrieb Tadeusz Struk:

Hi Tadeusz,

> Hi Stephan,
> 
> On 01/17/2015 10:23 AM, Stephan Mueller wrote:
> > during testing of my algif_aead patch with the different GCM
> > implementations I am able to trigger a kernel crash from user space using
> > __driver-gcm-aes- aesni.
> > 
> > As I hope that algif_aead is going to be included, unprivileged userspace
> > would then reliably crash the kernel -- with the current kernel code,
> > userspace has no interface to trigger the issue.
> 
> Yes, that's a problem.
> 
> > As I am not sure what the purpose of __driver-gcm-aes-aesni is (only a
> > backend for RFC4106 GCM or a regular cipher), I did not yet create a
> > patch. IMHO there are two solutions:
> > 
> > - either create a valid setkey callback so that a key is set
> > 
> > - or create a noop setkey that returns -EOPNOTSUPP which effectively
> > disables that cipher for regular consumption.
> 
> __driver-gcm-aes-aesni is only a helper for rfc4106-gcm-aesni and it
> never supposed to be used on it's own. I think implementing a setkey
> function that only returns an error would be a good solution for this.

Ok, I will send a patch shortly.

> Another question is what if someone will ignore the error or skip the
> setsockopt(ALG_SET_KEY) altogether and still call the sendmsg() and
> read() to trigger encrypt()?

Using my libkcapi [1] test bench, I disabled key and IV submission for 
symmetric ciphers (tested cbc(aes) which invokes your AESNI code path on my 
box -- and gcm(aes) and ccm(aes) which again both use the AESNI core and the C 
implementation of GCM and CCM).

All tests with missing keys and IVs:

- showed a successful encryption / decryption with the CBC mode

- returned the error code of either ENOKEY or EINVAL for GCM / CCM 
encryption/decryption

There is no crash/BUG/WARN observed.

> 
> > Note, if it is only a backend for the RFC4106 implementation, may I ask
> > why
> > __driver-gcm-aes-aesni is implemented as a separate cipher that is
> > registered with the kernel crypto API?
> 
> This is because we need to have one instance of the helper tfm with its
> context per each of the rfc4106-gcm-aesni tfm instance and that was one
> convenient way to do this.

Then I concur with you that having a setkey function returning an error is the 
right way.
> 
> Tadeusz
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/


-- 
Ciao
Stephan