From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH] crypto: ensure XTS is only used with ciphers with 16 byte blocks
Date: Fri, 26 Aug 2016 08:47:46 -0400 [thread overview]
Message-ID: <1472215666-13263-1-git-send-email-berrange@redhat.com> (raw)
The XTS cipher mode needs to be used with a cipher which has
a block size of 16 bytes. If a mis-matching block size is used,
the code will either corrupt memory beyond the IV array, or
not fully encrypt/decrypt the IV.
This fixes a memory curruption crash when attempting to use
cast5-128 with xts, since the former has an 8 byte block size.
A test case is added to ensure the cipher creation fails with
such an invalid combination.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/cipher-gcrypt.c | 6 ++++++
crypto/cipher-nettle.c | 12 +++++++-----
tests/test-crypto-cipher.c | 44 ++++++++++++++++++++++++++++++++++++--------
3 files changed, 49 insertions(+), 13 deletions(-)
diff --git a/crypto/cipher-gcrypt.c b/crypto/cipher-gcrypt.c
index ede2f70..3652aa1 100644
--- a/crypto/cipher-gcrypt.c
+++ b/crypto/cipher-gcrypt.c
@@ -192,6 +192,12 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
}
if (cipher->mode == QCRYPTO_CIPHER_MODE_XTS) {
+ if (ctx->blocksize != XTS_BLOCK_SIZE) {
+ error_setg(errp,
+ "Cipher block size %zu must equal XTS block size %d",
+ ctx->blocksize, XTS_BLOCK_SIZE);
+ goto error;
+ }
ctx->iv = g_new0(uint8_t, ctx->blocksize);
}
diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c
index 70909fb..0267da5 100644
--- a/crypto/cipher-nettle.c
+++ b/crypto/cipher-nettle.c
@@ -361,6 +361,13 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
goto error;
}
+ if (mode == QCRYPTO_CIPHER_MODE_XTS &&
+ ctx->blocksize != XTS_BLOCK_SIZE) {
+ error_setg(errp, "Cipher block size %zu must equal XTS block size %d",
+ ctx->blocksize, XTS_BLOCK_SIZE);
+ goto error;
+ }
+
ctx->iv = g_new0(uint8_t, ctx->blocksize);
cipher->opaque = ctx;
@@ -456,11 +463,6 @@ int qcrypto_cipher_decrypt(QCryptoCipher *cipher,
break;
case QCRYPTO_CIPHER_MODE_XTS:
- if (ctx->blocksize != XTS_BLOCK_SIZE) {
- error_setg(errp, "Block size must be %d not %zu",
- XTS_BLOCK_SIZE, ctx->blocksize);
- return -1;
- }
xts_decrypt(ctx->ctx, ctx->ctx_tweak,
ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
ctx->iv, len, out, in);
diff --git a/tests/test-crypto-cipher.c b/tests/test-crypto-cipher.c
index 1b5130d..51e9700 100644
--- a/tests/test-crypto-cipher.c
+++ b/tests/test-crypto-cipher.c
@@ -370,6 +370,17 @@ static QCryptoCipherTestData test_data[] = {
"eb4a427d1923ce3ff262735779a418f2"
"0a282df920147beabe421ee5319d0568",
},
+ {
+ /* Bad config - cast5-128 has 8 byte block size
+ * which is incompatible with XTS
+ */
+ .path = "/crypto/cipher/cast5-xts-128",
+ .alg = QCRYPTO_CIPHER_ALG_CAST5_128,
+ .mode = QCRYPTO_CIPHER_MODE_XTS,
+ .key =
+ "27182818284590452353602874713526"
+ "31415926535897932384626433832795",
+ }
};
@@ -432,15 +443,23 @@ static void test_cipher(const void *opaque)
const QCryptoCipherTestData *data = opaque;
QCryptoCipher *cipher;
- uint8_t *key, *iv, *ciphertext, *plaintext, *outtext;
- size_t nkey, niv, nciphertext, nplaintext;
- char *outtexthex;
+ uint8_t *key, *iv = NULL, *ciphertext = NULL,
+ *plaintext = NULL, *outtext = NULL;
+ size_t nkey, niv = 0, nciphertext = 0, nplaintext = 0;
+ char *outtexthex = NULL;
size_t ivsize, keysize, blocksize;
+ Error *err = NULL;
nkey = unhex_string(data->key, &key);
- niv = unhex_string(data->iv, &iv);
- nciphertext = unhex_string(data->ciphertext, &ciphertext);
- nplaintext = unhex_string(data->plaintext, &plaintext);
+ if (data->iv) {
+ niv = unhex_string(data->iv, &iv);
+ }
+ if (data->ciphertext) {
+ nciphertext = unhex_string(data->ciphertext, &ciphertext);
+ }
+ if (data->plaintext) {
+ nplaintext = unhex_string(data->plaintext, &plaintext);
+ }
g_assert(nciphertext == nplaintext);
@@ -449,8 +468,16 @@ static void test_cipher(const void *opaque)
cipher = qcrypto_cipher_new(
data->alg, data->mode,
key, nkey,
- &error_abort);
- g_assert(cipher != NULL);
+ &err);
+ if (data->plaintext) {
+ g_assert(err == NULL);
+ g_assert(cipher != NULL);
+ } else {
+ g_assert(err != NULL);
+ error_free(err);
+ g_assert(cipher == NULL);
+ goto cleanup;
+ }
keysize = qcrypto_cipher_get_key_len(data->alg);
blocksize = qcrypto_cipher_get_block_len(data->alg);
@@ -498,6 +525,7 @@ static void test_cipher(const void *opaque)
g_assert_cmpstr(outtexthex, ==, data->plaintext);
+ cleanup:
g_free(outtext);
g_free(outtexthex);
g_free(key);
--
2.7.4
next reply other threads:[~2016-08-26 13:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 12:47 Daniel P. Berrange [this message]
2016-08-26 18:21 ` [Qemu-devel] [PATCH] crypto: ensure XTS is only used with ciphers with 16 byte blocks Eric Blake
2016-08-26 18:27 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1472215666-13263-1-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).