From: Eric Biggers <ebiggers@kernel.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH v2 0/7] crypto: fuzz algorithms against their generic implementation
Date: Fri, 12 Apr 2019 19:40:33 -0700 [thread overview]
Message-ID: <20190413024032.GA5859@sol.localdomain> (raw)
In-Reply-To: <CAKv+Gu_CyA1NnkMFN9zJ4kJ5ACo5FD_ZvBAqcWu07WiWD0A93g@mail.gmail.com>
On Fri, Apr 12, 2019 at 02:04:20PM -0700, Ard Biesheuvel wrote:
> On Thu, 11 Apr 2019 at 22:00, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > Hello,
> >
> > In the crypto API, all implementations of each algorithm are supposed to
> > produce the same results. However, testing of this is currently limited
> > to the list of test vectors hardcoded for each algorithm. Although
> > after recent improvements the self-tests do much more with each test
> > vector, hardcoded test vectors can never cover all cases.
> >
> > This series improves the situation by making the self-tests
> > automatically generate random test vectors using the corresponding
> > generic implementation, then run them against the algorithm under test.
> > This detects bugs where the implementations don't match.
> >
> > This has already found many bugs and inconsistencies, including an
> > integer overflow bug in the x86_64 implementation of Poly1305.
> >
> > These new fuzz tests are behind CONFIG_CRYPTO_MANAGER_EXTRA_TESTS.
> >
> > Patch 1-6 are the testmgr changes themselves. Patch 7 makes the generic
> > implementations be registered earlier so that they're available when
> > optimized implementations are being tested, when both are built-in.
> > Note that even after this, for many algorithms it's still possible to
> > make the generic implementation unset or modular. Thus a missing
> > generic implementation just causes the comparison tests to be skipped
> > with a warning; they aren't failed.
> >
> > So far I've tested all generic, x86, arm, and arm64 algorithms, plus
> > some PowerPC algorithms. I have not tested hardware drivers. I
> > encourage people to run the tests on drivers and other architectures, as
> > they will find more bugs.
> >
> > This can also be found in git at:
> >
> > URL: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
> > Branch: cryptofuzz-vs-generic
> >
> > Changed since v1:
> >
> > - Make cryptomgr use arch_initcall(), so we don't rely on the order
> > in which the object files are linked.
> >
> > - Show the expected error code when a test fails due to the wrong
> > error code being returned.
> >
> > - Generate zero-length associated data more often for AEADs
> > (about 1/4 of the time rather than about 1/256 of the time).
> >
> > - A few other minor cleanups.
> >
> > Eric Biggers (7):
> > crypto: testmgr - expand ability to test for errors
> > crypto: testmgr - identify test vectors by name rather than number
> > crypto: testmgr - add helpers for fuzzing against generic
> > implementation
> > crypto: testmgr - fuzz hashes against their generic implementation
> > crypto: testmgr - fuzz skciphers against their generic implementation
> > crypto: testmgr - fuzz AEADs against their generic implementation
> > crypto: run initcalls for generic implementations earlier
> >
>
> This looks alright to me, but I have to admit I did not look at every
> patch in great detail. I did put it through kernelci, though, and it
> built and booted fine on all systems.
>
> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
Thanks Ard. Note that the logs from the kernelci run do show new test failures
in two drivers:
alg: skcipher: ecb-aes-s5p encryption failed on test vector \"random: len=0 klen=32\"; expected_error=0, actual_error=-22, cfg=\"random: inplace use_final src_divs=[<flush>73.70%@alignmask+4049, 11.97%@+3977, <reimport,nosimd>3.65%@+4013, <reimport>10.68%@alignmask+12] iv_offset=4\"
alg: skcipher: cbc-aes-s5p encryption failed on test vector \"random: len=0 klen=32\"; expected_error=0, actual_error=-22, cfg=\"random: use_finup src_divs=[<reimport>100.0%@+22] dst_divs=[100.0%@+258]\"
alg: skcipher: blocksize for ctr-aes-s5p (16) doesn't match generic impl (1)
alg: skcipher: ecb-aes-rk encryption failed on test vector \"random: len=0 klen=32\"; expected_error=0, actual_error=-22, cfg=\"random: inplace use_digest src_divs=[100.0%@alignmask+2107] iv_offset=38\"
So, unlike the generic implementations, the s5p-sss driver doesn't allow empty
messages for AES-ECB and AES-CBC, and it sets cra_blocksize for AES-CTR to 16
bytes rather than 1. (It's supposed to be set to 1 for all stream ciphers.)
And the Rockchip crypto driver doesn't allow empty messages for AES-ECB.
None of these appear super important, but the tests seem to be working as
intended to find them, and they'll need to be fixed.
- Eric
next prev parent reply other threads:[~2019-04-13 2:40 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-12 4:57 [PATCH v2 0/7] crypto: fuzz algorithms against their generic implementation Eric Biggers
2019-04-12 4:57 ` [PATCH v2 1/7] crypto: testmgr - expand ability to test for errors Eric Biggers
2019-04-12 4:57 ` [PATCH v2 2/7] crypto: testmgr - identify test vectors by name rather than number Eric Biggers
2019-04-12 4:57 ` [PATCH v2 3/7] crypto: testmgr - add helpers for fuzzing against generic implementation Eric Biggers
2019-04-12 4:57 ` [PATCH v2 4/7] crypto: testmgr - fuzz hashes against their " Eric Biggers
2019-04-12 4:57 ` [PATCH v2 5/7] crypto: testmgr - fuzz skciphers " Eric Biggers
2019-04-12 4:57 ` [PATCH v2 6/7] crypto: testmgr - fuzz AEADs " Eric Biggers
2019-04-12 4:57 ` [PATCH v2 7/7] crypto: run initcalls for generic implementations earlier Eric Biggers
2019-04-12 21:04 ` [PATCH v2 0/7] crypto: fuzz algorithms against their generic implementation Ard Biesheuvel
2019-04-13 2:40 ` Eric Biggers [this message]
2019-04-18 14:26 ` Herbert Xu
2019-04-26 16:35 ` Horia Geanta
2019-04-26 16:54 ` Eric Biggers
2019-04-27 15:24 ` Horia Geanta
2019-04-27 17:02 ` Eric Biggers
2019-05-02 13:19 ` Horia Geanta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190413024032.GA5859@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=ard.biesheuvel@linaro.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).