From: Eric Biggers <ebiggers@kernel.org>
To: Horia Geanta <horia.geanta@nxp.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"dm-devel@redhat.com" <dm-devel@redhat.com>
Subject: Re: xts fuzz testing and lack of ciphertext stealing support
Date: Wed, 17 Jul 2019 10:28:24 -0700 [thread overview]
Message-ID: <20190717172823.GA205944@gmail.com> (raw)
In-Reply-To: <VI1PR0402MB34857BBB18C2BB8CBA2DEC7198C90@VI1PR0402MB3485.eurprd04.prod.outlook.com>
On Wed, Jul 17, 2019 at 05:09:31PM +0000, Horia Geanta wrote:
> On 7/17/2019 1:16 AM, Eric Biggers wrote:
> > Hi Horia,
> >
> > On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> >> Hi,
> >>
> >> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
> >>
> >> Below are several failures, extracted from different runs:
> >>
> >> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
> >>
> >> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
> >>
> >> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
> >>
> >> It looks like the problem is not in CAAM driver.
> >> More exactly, fuzz testing is generating random test vectors and running
> >> them through both SW generic (crypto/xts.c) and CAAM implementation:
> >> -SW generic implementation of xts(aes) does not support ciphertext stealing
> >> and throws -EINVAL when input is not a multiple of AES block size (16B)
> >> -caam has support for ciphertext stealing, and allows for any input size
> >> which results in "unexpectedly succeeded" error messages.
> >>
> >> Any suggestion how this should be fixed?
> >>
> >> Thanks,
> >> Horia
> >
> > I don't think drivers should allow inputs the generic implementation doesn't,
> > since those inputs aren't tested by the crypto self-tests (so how do you know
> How about implementation adding static test vectors and using them to validate
> the standard feature set that's not supported by the generic implementation?
>
> > it's even correct?), and people could accidentally rely on the driver-specific
> > behavior and then be unable to migrate to another platform or implementation.
> >
> People could also *intentionally* rely on a driver offering an implementation
> that is closer to the spec / standard.
>
> > So for now I recommend just updating the caam driver to return -EINVAL on XTS
> > inputs not evenly divisible by the block size.
> >
> I was hoping for something more constructive...
>
> > Of course, if there are actual use cases for XTS with ciphertext stealing in the
> > kernel, we could add it to all the other implementations too. But I'm not aware
> > of any currently. Don't all XTS users in the kernel pass whole blocks?
> >
> That's my guess too.
>
> What about user space relying on offloading and xts working
> according to the spec?
>
Sure, AF_ALG users could expect ciphertext stealing to work. I don't know of
any actual examples of people saying they want it, but it's possible.
My point is simply that we add this, we need to find a way to support it in all
implementations. It's not helpful to add it to only one specific driver, as
then it's inconsistent and is untestable with the common tests.
- Eric
next prev parent reply other threads:[~2019-07-17 17:28 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 17:46 xts fuzz testing and lack of ciphertext stealing support Horia Geanta
2019-07-16 22:16 ` Eric Biggers
2019-07-17 17:09 ` Horia Geanta
2019-07-17 17:28 ` Eric Biggers [this message]
2019-07-17 18:08 ` Ard Biesheuvel
2019-07-18 6:52 ` Herbert Xu
2019-07-18 7:15 ` Ard Biesheuvel
2019-07-18 7:21 ` Herbert Xu
2019-07-18 7:28 ` Ard Biesheuvel
2019-07-18 7:50 ` Herbert Xu
2019-07-18 7:40 ` Milan Broz
2019-07-18 10:40 ` Pascal Van Leeuwen
2019-07-18 11:19 ` Milan Broz
2019-07-18 15:27 ` Herbert Xu
2019-07-20 6:58 ` [dm-devel] " Eric Biggers
2019-07-20 7:35 ` Milan Broz
2019-07-21 9:50 ` Ard Biesheuvel
2019-07-22 9:44 ` Pascal Van Leeuwen
2019-07-22 16:43 ` Ard Biesheuvel
2019-07-22 22:46 ` Pascal Van Leeuwen
2019-07-24 12:23 ` Pascal Van Leeuwen
2019-07-24 12:50 ` Pascal Van Leeuwen
2019-07-24 16:10 ` Pascal Van Leeuwen
2019-07-25 6:22 ` Ard Biesheuvel
2019-07-25 7:49 ` Pascal Van Leeuwen
2019-07-25 8:01 ` Ard Biesheuvel
2019-07-26 10:31 ` Pascal Van Leeuwen
2019-07-26 19:59 ` Horia Geanta
2019-07-26 21:43 ` Pascal Van Leeuwen
2019-07-27 5:39 ` Ard Biesheuvel
2019-07-27 12:56 ` Pascal Van Leeuwen
2019-07-27 16:04 ` Milan Broz
2019-08-04 8:36 ` Ard Biesheuvel
[not found] ` <20f4832e-e3af-e3c2-d946-13bf8c367a60@nxp.com>
2019-08-07 15:51 ` Horia Geanta
2019-08-07 20:57 ` Pascal Van Leeuwen
2019-08-08 14:50 ` Horia Geanta
2019-08-09 8:35 ` Pascal Van Leeuwen
2019-08-08 13:43 ` Pascal Van Leeuwen
2019-08-08 18:01 ` Horia Geanta
2019-08-09 2:48 ` Herbert Xu
2019-08-09 6:45 ` Ard Biesheuvel
2019-08-09 7:44 ` Horia Geanta
2019-08-09 17:49 ` Ard Biesheuvel
2019-08-09 20:57 ` Pascal Van Leeuwen
2019-08-10 4:39 ` Ard Biesheuvel
2019-08-11 11:12 ` Milan Broz
2019-08-11 20:34 ` Eric Biggers
2019-08-11 21:39 ` Pascal Van Leeuwen
2019-08-11 21:29 ` Pascal Van Leeuwen
2019-08-12 4:51 ` Herbert Xu
2019-08-11 21:15 ` Pascal Van Leeuwen
2019-08-11 22:24 ` Ard Biesheuvel
2019-08-12 1:04 ` Pascal Van Leeuwen
2019-07-18 15:29 ` Herbert Xu
2019-07-18 15:43 ` Pascal Van Leeuwen
2019-07-18 15:51 ` Herbert Xu
2019-07-18 16:19 ` Ard Biesheuvel
2019-07-18 16:22 ` Herbert Xu
2019-07-18 17:03 ` Pascal Van Leeuwen
2019-07-19 5:34 ` Ard Biesheuvel
2019-07-19 7:29 ` Pascal Van Leeuwen
2019-07-19 17:14 ` Ard Biesheuvel
2019-07-19 20:07 ` Pascal Van Leeuwen
2019-07-18 16:35 ` Pascal Van Leeuwen
2019-07-19 1:47 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190717172823.GA205944@gmail.com \
--to=ebiggers@kernel.org \
--cc=dm-devel@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).