From: Stephan Mueller <smueller@chronox.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Rafael Aquini <aquini@redhat.com>,
aris@redhat.com, Fengguang Wu <fengguang.wu@intel.com>,
Jet Chen <jet.chen@intel.com>, Su Tao <tao.su@intel.com>,
Yuanhan Liu <yuanhan.liu@intel.com>, LKP <lkp@01.org>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] DRBG: fix memory corruption for AES192
Date: Fri, 04 Jul 2014 05:32:56 +0200 [thread overview]
Message-ID: <5597906.Ka0eDGbAv1@myon.chronox.de> (raw)
In-Reply-To: <20140704030810.GA22255@gondor.apana.org.au>
Am Freitag, 4. Juli 2014, 11:08:10 schrieb Herbert Xu:
Hi Herbert,
> On Tue, Jul 01, 2014 at 05:08:48PM +0200, Stephan Mueller wrote:
> > For the CTR DRBG, the drbg_state->scratchpad temp buffer (i.e. the
> > memory location immediately before the drbg_state->tfm variable
> > is the buffer that the BCC function operates on. BCC operates
> > blockwise. Making the temp buffer drbg_statelen(drbg) in size is
> > sufficient when the DRBG state length is a multiple of the block
> > size. For AES192 this is not the case and the length for temp is
> > insufficient (yes, that also means for such ciphers, the final
> > output of all BCC rounds are truncated before used to update the
> > state of the DRBG!!).
> >
> > The patch enlarges the temp buffer from drbg_statelen to
> > drbg_statelen + drbg_blocklen to have sufficient space.
> >
> > Reported-by: Fengguang Wu <fengguang.wu@intel.com>
> > Signed-off-by: Stephan Mueller <smueller@chronox.de>
>
> I have applied just this patch out of your series. You patches
> depend on the previous four patches which I have not yet applied
> since there are still outstanding issues with two of them.
Thank you.
The raised issues are for patches [1] and [2].
The issue around [1] is whether there is Kconfig solution for the problem of
selecting at least one or more than one configure option from a set of
options. This should avoid having a module init function with returns an
error. The selection of DRBG cores shall allow the user to compile the DRBG to
suit his needs and reduce the footprint of the DRBG. Since at least one DRBG
core must be selected as otherwise the DRBG is meaningless. Unfortunately I
have not found a solution with Kconfig and all given suggestions also did not
lead to a solution. So, if anybody has a suggestion on how to solve the issue,
I will try it out.
Regarding [2], the issue is that ARRAY_SIZE returns different variable types
on different platforms (e.g. unsigned long on x86_64 vs unsigned int on i386).
Thus I have to use a type cast. This issue may be fixed by forcing a
particular type to ARRAY_SIZE. Such change, however, may have quite some
ripple effects throughout the kernel. Therefore, IMHO such a patch should not
be made in the realm of the DRBG patchset and the type cast should be allowed.
[1] https://lkml.org/lkml/2014/6/28/489
[2] https://lkml.org/lkml/2014/6/28/492
--
Ciao
Stephan
WARNING: multiple messages have this Message-ID (diff)
From: Stephan Mueller <smueller@chronox.de>
To: lkp@lists.01.org
Subject: Re: [PATCH 3/4] DRBG: fix memory corruption for AES192
Date: Fri, 04 Jul 2014 05:32:56 +0200 [thread overview]
Message-ID: <5597906.Ka0eDGbAv1@myon.chronox.de> (raw)
In-Reply-To: <20140704030810.GA22255@gondor.apana.org.au>
[-- Attachment #1: Type: text/plain, Size: 2462 bytes --]
Am Freitag, 4. Juli 2014, 11:08:10 schrieb Herbert Xu:
Hi Herbert,
> On Tue, Jul 01, 2014 at 05:08:48PM +0200, Stephan Mueller wrote:
> > For the CTR DRBG, the drbg_state->scratchpad temp buffer (i.e. the
> > memory location immediately before the drbg_state->tfm variable
> > is the buffer that the BCC function operates on. BCC operates
> > blockwise. Making the temp buffer drbg_statelen(drbg) in size is
> > sufficient when the DRBG state length is a multiple of the block
> > size. For AES192 this is not the case and the length for temp is
> > insufficient (yes, that also means for such ciphers, the final
> > output of all BCC rounds are truncated before used to update the
> > state of the DRBG!!).
> >
> > The patch enlarges the temp buffer from drbg_statelen to
> > drbg_statelen + drbg_blocklen to have sufficient space.
> >
> > Reported-by: Fengguang Wu <fengguang.wu@intel.com>
> > Signed-off-by: Stephan Mueller <smueller@chronox.de>
>
> I have applied just this patch out of your series. You patches
> depend on the previous four patches which I have not yet applied
> since there are still outstanding issues with two of them.
Thank you.
The raised issues are for patches [1] and [2].
The issue around [1] is whether there is Kconfig solution for the problem of
selecting at least one or more than one configure option from a set of
options. This should avoid having a module init function with returns an
error. The selection of DRBG cores shall allow the user to compile the DRBG to
suit his needs and reduce the footprint of the DRBG. Since at least one DRBG
core must be selected as otherwise the DRBG is meaningless. Unfortunately I
have not found a solution with Kconfig and all given suggestions also did not
lead to a solution. So, if anybody has a suggestion on how to solve the issue,
I will try it out.
Regarding [2], the issue is that ARRAY_SIZE returns different variable types
on different platforms (e.g. unsigned long on x86_64 vs unsigned int on i386).
Thus I have to use a type cast. This issue may be fixed by forcing a
particular type to ARRAY_SIZE. Such change, however, may have quite some
ripple effects throughout the kernel. Therefore, IMHO such a patch should not
be made in the realm of the DRBG patchset and the type cast should be allowed.
[1] https://lkml.org/lkml/2014/6/28/489
[2] https://lkml.org/lkml/2014/6/28/492
--
Ciao
Stephan
next prev parent reply other threads:[~2014-07-04 3:34 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-01 15:06 [PATCH 0/4] DRBG: Fixes for code review comments Stephan Mueller
2014-07-01 15:15 ` Stephan Mueller
2014-07-01 15:07 ` [PATCH 1/4] DRBG: Select correct DRBG core for stdrng Stephan Mueller
2014-07-01 15:13 ` Stephan Mueller
2014-07-01 15:07 ` [PATCH 4/4] DRBG: HMAC-SHA1 DRBG has crypto strength of 128 bits Stephan Mueller
2014-07-01 15:09 ` Stephan Mueller
2014-07-01 15:07 ` [PATCH 2/4] DRBG: Mix a time stamp into DRBG state Stephan Mueller
2014-07-01 15:11 ` Stephan Mueller
2014-07-01 15:08 ` [PATCH 3/4] DRBG: fix memory corruption for AES192 Stephan Mueller
2014-07-01 15:09 ` Stephan Mueller
2014-07-04 3:08 ` Herbert Xu
2014-07-04 3:08 ` Herbert Xu
2014-07-04 3:32 ` Stephan Mueller [this message]
2014-07-04 3:32 ` Stephan Mueller
2014-07-04 3:12 ` Herbert Xu
2014-07-04 3:12 ` Herbert Xu
2014-07-04 3:36 ` Stephan Mueller
2014-07-04 3:36 ` Stephan Mueller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5597906.Ka0eDGbAv1@myon.chronox.de \
--to=smueller@chronox.de \
--cc=aquini@redhat.com \
--cc=aris@redhat.com \
--cc=fengguang.wu@intel.com \
--cc=herbert@gondor.apana.org.au \
--cc=jet.chen@intel.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@01.org \
--cc=tao.su@intel.com \
--cc=yuanhan.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.