From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Subject: [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation
Date: Sun, 31 Mar 2019 13:04:10 -0700 [thread overview]
Message-ID: <20190331200428.26597-1-ebiggers@kernel.org> (raw)
Hello,
In the crypto API, all implementations of each algorithm are supposed to
produce the same results. However, testing of this is currently limited
to the list of test vectors hardcoded for each algorithm. Although
after recent improvements the self-tests do much more with each test
vector, hardcoded test vectors can never cover all cases.
This series improves the situation by making the self-tests
automatically generate random test vectors using the corresponding
generic implementation, then run them against the algorithm under test.
This detects bugs where the implementations don't match.
These new fuzz tests are behind CONFIG_CRYPTO_MANAGER_EXTRA_TESTS.
As usual, the series begins with fixes for the bugs found, roughly in
order of decreasing importance. Please consider sending the Poly1305
fix to Linus soon.
Patches 12-17 make the testmgr improvements.
Patch 18 makes all templates and generic implementations be registered
earlier so that they're available when optimized implementations are
being tested, when both are built-in. Note that even after this, for
many algorithms it's still possible to make the generic implementation
unset or modular. Thus a missing generic implementation just causes the
comparison tests to be skipped with a warning; they aren't failed.
Also as usual, I've only tested all generic, x86, arm, and arm64
software algorithms. I encourage people to run the tests on drivers and
other architectures, as they will find more bugs.
This series can also be found in git at:
URL: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
Branch: cryptofuzz-vs-generic
Eric Biggers (18):
crypto: x86/poly1305 - fix overflow during partial reduction
crypto: crct10dif-generic - fix use via crypto_shash_digest()
crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
crypto: skcipher - restore default skcipher_walk::iv on error
crypto: skcipher - don't WARN on unprocessed data after slow walk step
crypto: chacha20poly1305 - set cra_name correctly
crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
crypto: streebog - fix unaligned memory accesses
crypto: cts - don't support empty messages
crypto: arm64/cbcmac - handle empty messages in same way as template
crypto: testmgr - expand ability to test for errors
crypto: testmgr - identify test vectors by name rather than number
crypto: testmgr - add helpers for fuzzing against generic
implementation
crypto: testmgr - fuzz hashes against their generic implementation
crypto: testmgr - fuzz skciphers against their generic implementation
crypto: testmgr - fuzz AEADs against their generic implementation
crypto: run initcalls for generic implementations earlier
arch/arm64/crypto/aes-glue.c | 2 +-
arch/x86/crypto/crct10dif-pclmul_glue.c | 13 +-
arch/x86/crypto/poly1305-avx2-x86_64.S | 14 +-
arch/x86/crypto/poly1305-sse2-x86_64.S | 22 +-
crypto/842.c | 2 +-
crypto/Makefile | 7 +-
crypto/adiantum.c | 2 +-
crypto/aegis128.c | 2 +-
crypto/aegis128l.c | 2 +-
crypto/aegis256.c | 2 +-
crypto/aes_generic.c | 2 +-
crypto/ansi_cprng.c | 2 +-
crypto/anubis.c | 2 +-
crypto/arc4.c | 2 +-
crypto/authenc.c | 2 +-
crypto/authencesn.c | 2 +-
crypto/blowfish_generic.c | 2 +-
crypto/camellia_generic.c | 2 +-
crypto/cast5_generic.c | 2 +-
crypto/cast6_generic.c | 2 +-
crypto/cbc.c | 2 +-
crypto/ccm.c | 40 +-
crypto/cfb.c | 2 +-
crypto/chacha20poly1305.c | 6 +-
crypto/chacha_generic.c | 2 +-
crypto/cmac.c | 2 +-
crypto/crc32_generic.c | 2 +-
crypto/crc32c_generic.c | 2 +-
crypto/crct10dif_generic.c | 13 +-
crypto/crypto_null.c | 2 +-
crypto/ctr.c | 2 +-
crypto/cts.c | 20 +-
crypto/deflate.c | 2 +-
crypto/des_generic.c | 2 +-
crypto/dh.c | 2 +-
crypto/drbg.c | 2 +-
crypto/ecb.c | 2 +-
crypto/ecdh.c | 2 +-
crypto/echainiv.c | 2 +-
crypto/fcrypt.c | 2 +-
crypto/fips.c | 2 +-
crypto/gcm.c | 32 +-
crypto/ghash-generic.c | 2 +-
crypto/hmac.c | 2 +-
crypto/jitterentropy-kcapi.c | 2 +-
crypto/keywrap.c | 2 +-
crypto/khazad.c | 2 +-
crypto/lrw.c | 2 +-
crypto/lz4.c | 2 +-
crypto/lz4hc.c | 2 +-
crypto/lzo-rle.c | 2 +-
crypto/lzo.c | 2 +-
crypto/md4.c | 2 +-
crypto/md5.c | 2 +-
crypto/michael_mic.c | 2 +-
crypto/morus1280.c | 2 +-
crypto/morus640.c | 2 +-
crypto/nhpoly1305.c | 2 +-
crypto/ofb.c | 2 +-
crypto/pcbc.c | 2 +-
crypto/poly1305_generic.c | 2 +-
crypto/rmd128.c | 2 +-
crypto/rmd160.c | 2 +-
crypto/rmd256.c | 2 +-
crypto/rmd320.c | 2 +-
crypto/rsa.c | 2 +-
crypto/salsa20_generic.c | 2 +-
crypto/seed.c | 2 +-
crypto/seqiv.c | 2 +-
crypto/serpent_generic.c | 2 +-
crypto/sha1_generic.c | 2 +-
crypto/sha256_generic.c | 2 +-
crypto/sha3_generic.c | 2 +-
crypto/sha512_generic.c | 2 +-
crypto/skcipher.c | 21 +-
crypto/sm3_generic.c | 2 +-
crypto/sm4_generic.c | 2 +-
crypto/streebog_generic.c | 27 +-
crypto/tcrypt.c | 2 +-
crypto/tea.c | 2 +-
crypto/testmgr.c | 978 +++++++++++++++++++++---
crypto/testmgr.h | 66 +-
crypto/tgr192.c | 2 +-
crypto/twofish_generic.c | 2 +-
crypto/vmac.c | 2 +-
crypto/wp512.c | 2 +-
crypto/xcbc.c | 2 +-
crypto/xts.c | 2 +-
crypto/zstd.c | 2 +-
include/crypto/streebog.h | 5 +-
90 files changed, 1115 insertions(+), 301 deletions(-)
--
2.21.0
next reply other threads:[~2019-03-31 20:05 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-31 20:04 Eric Biggers [this message]
2019-03-31 20:04 ` [RFC/RFT PATCH 01/18] crypto: x86/poly1305 - fix overflow during partial reduction Eric Biggers
2019-04-01 7:52 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 02/18] crypto: crct10dif-generic - fix use via crypto_shash_digest() Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 03/18] crypto: x86/crct10dif-pcl " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 04/18] crypto: skcipher - restore default skcipher_walk::iv on error Eric Biggers
2019-04-08 6:23 ` Herbert Xu
2019-04-08 17:27 ` Eric Biggers
2019-04-09 6:37 ` Herbert Xu
2019-03-31 20:04 ` [RFC/RFT PATCH 05/18] crypto: skcipher - don't WARN on unprocessed data after slow walk step Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 06/18] crypto: chacha20poly1305 - set cra_name correctly Eric Biggers
2019-04-01 7:57 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 07/18] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Eric Biggers
2019-04-01 15:56 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 08/18] crypto: ccm - fix incompatibility between "ccm" and "ccm_base" Eric Biggers
2019-04-02 15:48 ` Sasha Levin
2019-03-31 20:04 ` [RFC/RFT PATCH 09/18] crypto: streebog - fix unaligned memory accesses Eric Biggers
2019-03-31 21:47 ` Vitaly Chikunov
2019-04-02 16:15 ` Vitaly Chikunov
2019-04-02 16:57 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 10/18] crypto: cts - don't support empty messages Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 11/18] crypto: arm64/cbcmac - handle empty messages in same way as template Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 12/18] crypto: testmgr - expand ability to test for errors Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 13/18] crypto: testmgr - identify test vectors by name rather than number Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 14/18] crypto: testmgr - add helpers for fuzzing against generic implementation Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 15/18] crypto: testmgr - fuzz hashes against their " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 16/18] crypto: testmgr - fuzz skciphers " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 17/18] crypto: testmgr - fuzz AEADs " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 18/18] crypto: run initcalls for generic implementations earlier Eric Biggers
2019-04-08 5:53 ` Herbert Xu
2019-04-08 17:44 ` Eric Biggers
2019-04-09 6:24 ` Herbert Xu
2019-04-09 18:16 ` Eric Biggers
2019-04-11 6:26 ` Herbert Xu
2019-04-08 6:44 ` [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190331200428.26597-1-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).