lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <593f51b1-8c51-1994-623d-f5a591891d8a@c-s.fr>
Date:   Thu, 16 May 2019 15:32:38 +0200
From:   Christophe Leroy <christophe.leroy@....fr>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     Horia Geanta <horia.geanta@....com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>
Subject: Re: [PATCH] crypto: talitos - fix skcipher failure due to wrong
 output IV



Le 16/05/2019 à 04:30, Eric Biggers a écrit :
> On Wed, May 15, 2019 at 08:49:48PM +0200, Christophe Leroy wrote:
>>
>>
>> Le 15/05/2019 à 16:05, Horia Geanta a écrit :
>>> On 5/15/2019 3:29 PM, Christophe Leroy wrote:
>>>> Selftests report the following:
>>>>
>>>> [    2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
>>>> [    2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
>>>> [    3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
>>>> [    3.043185] 00000000: fe dc ba 98 76 54 32 10
>>>> [    3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
>>>> [    3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
>>>>
>>>> This above dumps show that the actual output IV is indeed the input IV.
>>>> This is due to the IV not being copied back into the request.
>>>>
>>>> This patch fixes that.
>>>>
>>>> Signed-off-by: Christophe Leroy <christophe.leroy@....fr>
>>> Reviewed-by: Horia Geantă <horia.geanta@....com>
>>
>> It's missing a Fixes: tag and a Cc: to stable.
>>
>> I'll resend tomorrow.
>>
>>>
>>> While here, could you please check ecb mode (which by definition does not have
>>> an IV) is behaving correctly?
>>> Looking in driver_algs[] list of crypto algorithms supported by talitos,
>>> ecb(aes,des,3des) are declared with ivsize != 0.
>>
>> According to /proc/crypto, test are passed for ecb.
>>
> 
> Did you try enabling CONFIG_CRYPTO_MANAGER_EXTRA_TESTS?  There is now a check
> that the driver's ivsize matches the generic implementation's:
> 
>          if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
>                  pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
>                         driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
>                  err = -EINVAL;
>                  goto out;
>          }
> 
> For ECB that means the ivsize must be 0.
> 
> AFAICS the talitos driver even accesses the IV for ECB, which is wrong; and the
> only reason this isn't crashing the self-tests already is that they are confused
> by the declared ivsize being nonzero so they don't pass NULL as they should.
> 

Ok, thanks. I'll try and run EXTRA TESTS as soon as I get the current 
test all fixed.

For the time being, I'm having a problem that I'm a bit lost with:

AEAD decryption fails at the moment for out-of-line tests, and the 
reason is that the ICV (used to do the SW compare with the expected one) 
is generated after the decrypted data.
It works perfectly when src == dst, because the src has space for it, 
but when the dst is different, the dst length is smaller so the ICV is 
generated outside the sg list, and the comparison fails because the 
comparison is done with the last bytes of the last segment of dst sg 
list (which corresponds to the end of decrypted data in that case).

What I'm having hard time with it that it seems that when the sg list 
has several elements, it uses an out of line area for generating the ICV 
but not when the sg list has only one element. I'm really wondering why.

Thanks
Christophe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ