Hi,
With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
Below are several failures, extracted from different runs:
[ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
[ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
[ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
It looks like the problem is not in CAAM driver.
More exactly, fuzz testing is generating random test vectors and running
them through both SW generic (crypto/xts.c) and CAAM implementation:
-SW generic implementation of xts(aes) does not support ciphertext stealing
and throws -EINVAL when input is not a multiple of AES block size (16B)
-caam has support for ciphertext stealing, and allows for any input size
which results in "unexpectedly succeeded" error messages.
Any suggestion how this should be fixed?
Thanks,
Horia
Hi Horia,
On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> Hi,
>
> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
>
> Below are several failures, extracted from different runs:
>
> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
>
> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
>
> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
>
> It looks like the problem is not in CAAM driver.
> More exactly, fuzz testing is generating random test vectors and running
> them through both SW generic (crypto/xts.c) and CAAM implementation:
> -SW generic implementation of xts(aes) does not support ciphertext stealing
> and throws -EINVAL when input is not a multiple of AES block size (16B)
> -caam has support for ciphertext stealing, and allows for any input size
> which results in "unexpectedly succeeded" error messages.
>
> Any suggestion how this should be fixed?
>
> Thanks,
> Horia
I don't think drivers should allow inputs the generic implementation doesn't,
since those inputs aren't tested by the crypto self-tests (so how do you know
it's even correct?), and people could accidentally rely on the driver-specific
behavior and then be unable to migrate to another platform or implementation.
So for now I recommend just updating the caam driver to return -EINVAL on XTS
inputs not evenly divisible by the block size.
Of course, if there are actual use cases for XTS with ciphertext stealing in the
kernel, we could add it to all the other implementations too. But I'm not aware
of any currently. Don't all XTS users in the kernel pass whole blocks?
- Eric
On 7/17/2019 1:16 AM, Eric Biggers wrote:
> Hi Horia,
>
> On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
>> Hi,
>>
>> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
>>
>> Below are several failures, extracted from different runs:
>>
>> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
>>
>> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
>>
>> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
>>
>> It looks like the problem is not in CAAM driver.
>> More exactly, fuzz testing is generating random test vectors and running
>> them through both SW generic (crypto/xts.c) and CAAM implementation:
>> -SW generic implementation of xts(aes) does not support ciphertext stealing
>> and throws -EINVAL when input is not a multiple of AES block size (16B)
>> -caam has support for ciphertext stealing, and allows for any input size
>> which results in "unexpectedly succeeded" error messages.
>>
>> Any suggestion how this should be fixed?
>>
>> Thanks,
>> Horia
>
> I don't think drivers should allow inputs the generic implementation doesn't,
> since those inputs aren't tested by the crypto self-tests (so how do you know
How about implementation adding static test vectors and using them to validate
the standard feature set that's not supported by the generic implementation?
> it's even correct?), and people could accidentally rely on the driver-specific
> behavior and then be unable to migrate to another platform or implementation.
>
People could also *intentionally* rely on a driver offering an implementation
that is closer to the spec / standard.
> So for now I recommend just updating the caam driver to return -EINVAL on XTS
> inputs not evenly divisible by the block size.
>
I was hoping for something more constructive...
> Of course, if there are actual use cases for XTS with ciphertext stealing in the
> kernel, we could add it to all the other implementations too. But I'm not aware
> of any currently. Don't all XTS users in the kernel pass whole blocks?
>
That's my guess too.
What about user space relying on offloading and xts working
according to the spec?
Thanks,
Horia
On Wed, Jul 17, 2019 at 05:09:31PM +0000, Horia Geanta wrote:
> On 7/17/2019 1:16 AM, Eric Biggers wrote:
> > Hi Horia,
> >
> > On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> >> Hi,
> >>
> >> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
> >>
> >> Below are several failures, extracted from different runs:
> >>
> >> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
> >>
> >> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
> >>
> >> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
> >>
> >> It looks like the problem is not in CAAM driver.
> >> More exactly, fuzz testing is generating random test vectors and running
> >> them through both SW generic (crypto/xts.c) and CAAM implementation:
> >> -SW generic implementation of xts(aes) does not support ciphertext stealing
> >> and throws -EINVAL when input is not a multiple of AES block size (16B)
> >> -caam has support for ciphertext stealing, and allows for any input size
> >> which results in "unexpectedly succeeded" error messages.
> >>
> >> Any suggestion how this should be fixed?
> >>
> >> Thanks,
> >> Horia
> >
> > I don't think drivers should allow inputs the generic implementation doesn't,
> > since those inputs aren't tested by the crypto self-tests (so how do you know
> How about implementation adding static test vectors and using them to validate
> the standard feature set that's not supported by the generic implementation?
>
> > it's even correct?), and people could accidentally rely on the driver-specific
> > behavior and then be unable to migrate to another platform or implementation.
> >
> People could also *intentionally* rely on a driver offering an implementation
> that is closer to the spec / standard.
>
> > So for now I recommend just updating the caam driver to return -EINVAL on XTS
> > inputs not evenly divisible by the block size.
> >
> I was hoping for something more constructive...
>
> > Of course, if there are actual use cases for XTS with ciphertext stealing in the
> > kernel, we could add it to all the other implementations too. But I'm not aware
> > of any currently. Don't all XTS users in the kernel pass whole blocks?
> >
> That's my guess too.
>
> What about user space relying on offloading and xts working
> according to the spec?
>
Sure, AF_ALG users could expect ciphertext stealing to work. I don't know of
any actual examples of people saying they want it, but it's possible.
My point is simply that we add this, we need to find a way to support it in all
implementations. It's not helpful to add it to only one specific driver, as
then it's inconsistent and is untestable with the common tests.
- Eric
On Wed, 17 Jul 2019 at 19:28, Eric Biggers <[email protected]> wrote:
>
> On Wed, Jul 17, 2019 at 05:09:31PM +0000, Horia Geanta wrote:
> > On 7/17/2019 1:16 AM, Eric Biggers wrote:
> > > Hi Horia,
> > >
> > > On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> > >> Hi,
> > >>
> > >> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
> > >>
> > >> Below are several failures, extracted from different runs:
> > >>
> > >> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, <reimport>0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
> > >>
> > >> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
> > >>
> > >> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
> > >>
> > >> It looks like the problem is not in CAAM driver.
> > >> More exactly, fuzz testing is generating random test vectors and running
> > >> them through both SW generic (crypto/xts.c) and CAAM implementation:
> > >> -SW generic implementation of xts(aes) does not support ciphertext stealing
> > >> and throws -EINVAL when input is not a multiple of AES block size (16B)
> > >> -caam has support for ciphertext stealing, and allows for any input size
> > >> which results in "unexpectedly succeeded" error messages.
> > >>
> > >> Any suggestion how this should be fixed?
> > >>
> > >> Thanks,
> > >> Horia
> > >
> > > I don't think drivers should allow inputs the generic implementation doesn't,
> > > since those inputs aren't tested by the crypto self-tests (so how do you know
> > How about implementation adding static test vectors and using them to validate
> > the standard feature set that's not supported by the generic implementation?
> >
> > > it's even correct?), and people could accidentally rely on the driver-specific
> > > behavior and then be unable to migrate to another platform or implementation.
> > >
> > People could also *intentionally* rely on a driver offering an implementation
> > that is closer to the spec / standard.
> >
> > > So for now I recommend just updating the caam driver to return -EINVAL on XTS
> > > inputs not evenly divisible by the block size.
> > >
> > I was hoping for something more constructive...
> >
> > > Of course, if there are actual use cases for XTS with ciphertext stealing in the
> > > kernel, we could add it to all the other implementations too. But I'm not aware
> > > of any currently. Don't all XTS users in the kernel pass whole blocks?
> > >
> > That's my guess too.
> >
> > What about user space relying on offloading and xts working
> > according to the spec?
> >
>
> Sure, AF_ALG users could expect ciphertext stealing to work. I don't know of
> any actual examples of people saying they want it, but it's possible.
>
> My point is simply that we add this, we need to find a way to support it in all
> implementations. It's not helpful to add it to only one specific driver, as
> then it's inconsistent and is untestable with the common tests.
>
IIRC there are different ways to implement CTS, and the cts template
we have in the kernel (which is used for CBC in some cases) implements
the flavor where the last two blocks are reordered if the input size
is an exact multiple of the block size. If your CTS implementation
does not implement this reordering (which seems to be the case since
it is compatible with plain XTS), it implements CTS in an incompatible
way.
Since the kernel does not support CTS for XTS any way, and since no
AF_ALG users can portably rely on this, I agree with Eric that the
only sensible way to address this is to disable this functionality in
the driver.
On Wed, Jul 17, 2019 at 08:08:27PM +0200, Ard Biesheuvel wrote:
>
> Since the kernel does not support CTS for XTS any way, and since no
> AF_ALG users can portably rely on this, I agree with Eric that the
> only sensible way to address this is to disable this functionality in
> the driver.
But the whole point of XTS is that it supports sizes that are
not multiples of the block size. So implementing it without
supporting ciphertext stealing is just wrong.
So let's fix the generic implementation rather than breaking
the caam driver.
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, 18 Jul 2019 at 08:52, Herbert Xu <[email protected]> wrote:
>
> On Wed, Jul 17, 2019 at 08:08:27PM +0200, Ard Biesheuvel wrote:
> >
> > Since the kernel does not support CTS for XTS any way, and since no
> > AF_ALG users can portably rely on this, I agree with Eric that the
> > only sensible way to address this is to disable this functionality in
> > the driver.
>
> But the whole point of XTS is that it supports sizes that are
> not multiples of the block size. So implementing it without
> supporting ciphertext stealing is just wrong.
>
> So let's fix the generic implementation rather than breaking
> the caam driver.
>
Not just the generic implementation: there are numerous synchronous
and asynchronous implementations of xts(aes) in the kernel that would
have to be fixed, while there are no in-kernel users that actually
rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
another template, i.e., cts(cbc(aes)).
So retroactively redefining what xts(...) means seems like a bad idea
to me. If we want to support XTS ciphertext stealing for the benefit
of userland, let's do so via the existing cts template, and add
support for wrapping XTS to it.
On Thu, Jul 18, 2019 at 09:15:39AM +0200, Ard Biesheuvel wrote:
>
> Not just the generic implementation: there are numerous synchronous
> and asynchronous implementations of xts(aes) in the kernel that would
> have to be fixed, while there are no in-kernel users that actually
> rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
> another template, i.e., cts(cbc(aes)).
>
> So retroactively redefining what xts(...) means seems like a bad idea
> to me. If we want to support XTS ciphertext stealing for the benefit
> of userland, let's do so via the existing cts template, and add
> support for wrapping XTS to it.
XTS without stealing should be renamed as XEX. Sure you can then
wrap it inside cts to form xts but the end result needs to be called
xts.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, 18 Jul 2019 at 09:22, Herbert Xu <[email protected]> wrote:
>
> On Thu, Jul 18, 2019 at 09:15:39AM +0200, Ard Biesheuvel wrote:
> >
> > Not just the generic implementation: there are numerous synchronous
> > and asynchronous implementations of xts(aes) in the kernel that would
> > have to be fixed, while there are no in-kernel users that actually
> > rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
> > another template, i.e., cts(cbc(aes)).
> >
> > So retroactively redefining what xts(...) means seems like a bad idea
> > to me. If we want to support XTS ciphertext stealing for the benefit
> > of userland, let's do so via the existing cts template, and add
> > support for wrapping XTS to it.
>
> XTS without stealing should be renamed as XEX. Sure you can then
> wrap it inside cts to form xts but the end result needs to be called
> xts.
>
If we were adding XTS to the kernel today, then I would agree with
you. But xts() has an established meaning now, and I don't think it
makes sense to update all implementations for a theoretical use case,
given that no portable userland code can rely on the correct semantics
today, since CAAM is the only one that implements them correctly.
In any case, I won't have time to fix the ARM or arm64 implementations
(or review the changes if someone else steps up) until the end of
September.
On 18/07/2019 09:21, Herbert Xu wrote:
> On Thu, Jul 18, 2019 at 09:15:39AM +0200, Ard Biesheuvel wrote:
>>
>> Not just the generic implementation: there are numerous synchronous
>> and asynchronous implementations of xts(aes) in the kernel that would
>> have to be fixed, while there are no in-kernel users that actually
>> rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
>> another template, i.e., cts(cbc(aes)).
>>
>> So retroactively redefining what xts(...) means seems like a bad idea
>> to me. If we want to support XTS ciphertext stealing for the benefit
>> of userland, let's do so via the existing cts template, and add
>> support for wrapping XTS to it.
>
> XTS without stealing should be renamed as XEX. Sure you can then
> wrap it inside cts to form xts but the end result needs to be called
> xts.
While I fully agree here from the technical point of view,
academically XEX, XEX* is a different mode.
It would create even more confusion.
Couldn't resist, but this is a nice example of what happens when academic,
standardization, and reality meets in one place :)
XTS is already implemented in gcrypt and OpenSSL.
IMO all the implementation should be exactly the same.
I agree with Herbert that the proper way is to implement ciphertext stealing.
Otherwise, it is just incomplete implementation, not a redefining XTS mode!
See the reference in generic code - the 3rd line - link to the IEEE standard.
We do not implement it properly - for more than 12 years!
Reality check - nobody in block layer needs ciphertext stealing, we are always
aligned to block. AF_ALG is a different story, though.
Milan
On Thu, Jul 18, 2019 at 09:28:03AM +0200, Ard Biesheuvel wrote:
>
> If we were adding XTS to the kernel today, then I would agree with
> you. But xts() has an established meaning now, and I don't think it
> makes sense to update all implementations for a theoretical use case,
> given that no portable userland code can rely on the correct semantics
> today, since CAAM is the only one that implements them correctly.
>
> In any case, I won't have time to fix the ARM or arm64 implementations
> (or review the changes if someone else steps up) until the end of
> September.
I'm not asking you or anyone to fix this right away. I'm just
saying that this is the direction we should be moving in.
After all, there is no immediate crisis as all that is broken
today is a fuzz test.
It should be possible to do this without causing performance
regressions for ARM. We could rename the existing xts to a
new name (xek perhaps) and add xts into the cts template as
a wrapper around xek.
That way you don't have to touch the ARM code at all and it
should just work.
PS should we mark xek or whatever it's called as internal so
it isn't visible to user-space?
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Milan Broz
> Sent: Thursday, July 18, 2019 9:40 AM
> To: Herbert Xu <[email protected]>; Ard Biesheuvel <[email protected]>
> Cc: Horia Geanta <[email protected]>; [email protected]; [email protected]
> Subject: Re: xts fuzz testing and lack of ciphertext stealing support
>
> On 18/07/2019 09:21, Herbert Xu wrote:
> > On Thu, Jul 18, 2019 at 09:15:39AM +0200, Ard Biesheuvel wrote:
> >>
> >> Not just the generic implementation: there are numerous synchronous
> >> and asynchronous implementations of xts(aes) in the kernel that would
> >> have to be fixed, while there are no in-kernel users that actually
> >> rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
> >> another template, i.e., cts(cbc(aes)).
> >>
> >> So retroactively redefining what xts(...) means seems like a bad idea
> >> to me. If we want to support XTS ciphertext stealing for the benefit
> >> of userland, let's do so via the existing cts template, and add
> >> support for wrapping XTS to it.
> >
> > XTS without stealing should be renamed as XEX. Sure you can then
> > wrap it inside cts to form xts but the end result needs to be called
> > xts.
>
> While I fully agree here from the technical point of view,
> academically XEX, XEX* is a different mode.
> It would create even more confusion.
>
> Couldn't resist, but this is a nice example of what happens when academic,
> standardization, and reality meets in one place :)
>
> XTS is already implemented in gcrypt and OpenSSL.
> IMO all the implementation should be exactly the same.
>
> I agree with Herbert that the proper way is to implement ciphertext stealing.
> Otherwise, it is just incomplete implementation, not a redefining XTS mode!
>
> See the reference in generic code - the 3rd line - link to the IEEE standard.
> We do not implement it properly - for more than 12 years!
>
Full XTS is XEX-TCB-CTS so the proper terminology for "XTS without CTS" would be XEX-TCB.
But the problem there is that TCB and CTS are generic terms that do not imply a specific
implementation for generating the tweak -or- performing the ciphertext stealing.
Only the *full* XTS operation is standardized (as IEEE Std P1619).
In fact, using the current cts template around the current xts template actually does NOT
implement standards compliant XTS at all, as the CTS *implementation* for XTS is
different from the one for CBC as implemented by the current CTS template.
The actual implementation of the ciphertext stealing has (or may have) a security impact,
so the *combined* operation must be cryptanalyzed and adding some random CTS scheme
to some random block cipher mode would be a case of "roll your own crypto" (i.e. bad).
From that perspective - to prevent people from doing cryptographically stupid things -
IMHO it would be better to just pull the CTS into the XTS implementation i.e. make
xts natively support blocks that are not a multiple of (but >=) the cipher blocksize ...
> Reality check - nobody in block layer needs ciphertext stealing, we are always
> aligned to block. AF_ALG is a different story, though.
So you don't support odd sector sizes like 520 , 528, 4112, 4160 or 4224 bytes?
>
> Milan
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On 18/07/2019 12:40, Pascal Van Leeuwen wrote:
...
>> See the reference in generic code - the 3rd line - link to the IEEE standard.
>> We do not implement it properly - for more than 12 years!
>>
>
> Full XTS is XEX-TCB-CTS so the proper terminology for "XTS without CTS" would be XEX-TCB.
> But the problem there is that TCB and CTS are generic terms that do not imply a specific
> implementation for generating the tweak -or- performing the ciphertext stealing.
> Only the *full* XTS operation is standardized (as IEEE Std P1619).
Yes. Also XTS is allowed in FIPS now. Because the current code cannot submit
anything else than aligned blocks, we are ok.
(I hope. Speaking for disk encryption, dm-crypt, only).
> In fact, using the current cts template around the current xts template actually does NOT
> implement standards compliant XTS at all, as the CTS *implementation* for XTS is
> different from the one for CBC as implemented by the current CTS template.
> The actual implementation of the ciphertext stealing has (or may have) a security impact,
> so the *combined* operation must be cryptanalyzed and adding some random CTS scheme
> to some random block cipher mode would be a case of "roll your own crypto" (i.e. bad).
> From that perspective - to prevent people from doing cryptographically stupid things -
> IMHO it would be better to just pull the CTS into the XTS implementation i.e. make
> xts natively support blocks that are not a multiple of (but >=) the cipher blocksize ...
I would definitely prefer adding CTS directly to XTS (as it is in gcrypt or OpenSSL now)
instead of some new compositions.
Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
(That said, I will try to find some volunteer to help with CTS in XTS implementation, if needed.)
>> Reality check - nobody in block layer needs ciphertext stealing, we are always
>> aligned to block. AF_ALG is a different story, though.
>
> So you don't support odd sector sizes like 520 , 528, 4112, 4160 or 4224 bytes?
No. Dm-crypt supports only power of two blocks, up to 4k (IOW: 512, 1024, 2048, 4096 bytes).
(Not more, because of compatible page size - this could be fixed in future though.)
The 520 hw sector is usually 512 + 8 bytes for DIF (data integrity field).
We can emulate something similar with dm-integrity, but the data section (input to encryption)
must be always as specified above (rest is in integrity bio section).
Milan
On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
>
> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
>
> (That said, I will try to find some volunteer to help with CTS in XTS implementation, if needed.)
Well the main advantage of doing it on top of the existing xts is
that you can retain the existing ARM implementations without any
changes. This would also apply to any existing xts drivers that
also don't implement CTS (I'm not aware of the status on these so
someone will need to check them one by one).
But if you were going to volunteer to change them all in one swoop
then it wouldn't matter.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, Jul 18, 2019 at 10:40:54AM +0000, Pascal Van Leeuwen wrote:
>
> In fact, using the current cts template around the current xts template actually does NOT
> implement standards compliant XTS at all, as the CTS *implementation* for XTS is
> different from the one for CBC as implemented by the current CTS template.
The template is just a name. The implementation can do whatever it
wants for each instance. So obviously we would employ a different
implementation for xts compared to cbc.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> > In fact, using the current cts template around the current xts template actually does NOT
> > implement standards compliant XTS at all, as the CTS *implementation* for XTS is
> > different from the one for CBC as implemented by the current CTS template.
>
> The template is just a name. The implementation can do whatever it
> wants for each instance. So obviously we would employ a different
> implementation for xts compared to cbc.
>
Hmmm ... so the generic CTS template would have to figure out whether it is wrapped
around ECB, CBC, XTS or whatever and then adjust to that?
For ECB and CBC I suppose that's techically possible. But then what do I get when I
try to wrap CTS around some block cipher mode it doesn't recognise? Tricky ...
For XTS, you have this additional curve ball being thrown in called the "tweak".
For encryption, the underlying "xts" would need to be able to chain the tweak,
from what I've seen of the source the implementation cannot do that.
For decryption, you actually first need to decrypt the last block with the last
tweak before you can decrypt the 2nd last block with the 2nd last tweak.
Not sure how you intend to handle that with some generic wrapper around "xts".
>
> Cheers,
> --
> Email: Herbert Xu <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Thu, Jul 18, 2019 at 03:43:28PM +0000, Pascal Van Leeuwen wrote:
>
> Hmmm ... so the generic CTS template would have to figure out whether it is wrapped
> around ECB, CBC, XTS or whatever and then adjust to that?
That's not hard to do. Right now cts only supports cbc. IOW
if you pass it anything else it will refuse to instantiate.
> For XTS, you have this additional curve ball being thrown in called the "tweak".
> For encryption, the underlying "xts" would need to be able to chain the tweak,
> from what I've seen of the source the implementation cannot do that.
You simply use the underlying xts for the first n - 2 blocks and
do the last two by hand.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, 18 Jul 2019 at 17:51, Herbert Xu <[email protected]> wrote:
>
> On Thu, Jul 18, 2019 at 03:43:28PM +0000, Pascal Van Leeuwen wrote:
> >
> > Hmmm ... so the generic CTS template would have to figure out whether it is wrapped
> > around ECB, CBC, XTS or whatever and then adjust to that?
>
> That's not hard to do. Right now cts only supports cbc. IOW
> if you pass it anything else it will refuse to instantiate.
>
> > For XTS, you have this additional curve ball being thrown in called the "tweak".
> > For encryption, the underlying "xts" would need to be able to chain the tweak,
> > from what I've seen of the source the implementation cannot do that.
>
> You simply use the underlying xts for the first n - 2 blocks and
> do the last two by hand.
>
OK, so it appears the XTS ciphertext stealing algorithm does not
include the peculiar reordering of the 2 final blocks, which means
that the kernel's implementation of XTS already conforms to the spec
for inputs that are a multiple of the block size.
The reason I am not a fan of making any changes here is that there are
no in-kernel users that require ciphertext stealing for XTS, nor is
anyone aware of any reason why we should be adding it to the userland
interface. So we are basically adding dead code so that we are
theoretically compliant in a way that we will never exercise in
practice.
Note that for software algorithms such as the bit sliced NEON
implementation of AES, which can only operate on 8 AES blocks at a
time, doing the final 2 blocks sequentially is going to seriously
impact performance. This means whatever wrapper we invent around xex()
(or whatever we call it) should go out of its way to ensure that the
common, non-CTS case does not regress in performance, and the special
handling is only invoked when necessary (which will be never).
On Thu, Jul 18, 2019 at 06:19:24PM +0200, Ard Biesheuvel wrote:
>
> Note that for software algorithms such as the bit sliced NEON
> implementation of AES, which can only operate on 8 AES blocks at a
> time, doing the final 2 blocks sequentially is going to seriously
> impact performance. This means whatever wrapper we invent around xex()
> (or whatever we call it) should go out of its way to ensure that the
> common, non-CTS case does not regress in performance, and the special
> handling is only invoked when necessary (which will be never).
Agreed.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> >
> > Hmmm ... so the generic CTS template would have to figure out whether it is wrapped
> > around ECB, CBC, XTS or whatever and then adjust to that?
>
> That's not hard to do. Right now cts only supports cbc. IOW
> if you pass it anything else it will refuse to instantiate.
>
Ah, I see it now:
if (strncmp(alg->base.cra_name, "cbc(", 4))
goto err_drop_spawn;
So you cannot even do cts(xts) at the moment.
> > For XTS, you have this additional curve ball being thrown in called the "tweak".
> > For encryption, the underlying "xts" would need to be able to chain the tweak,
> > from what I've seen of the source the implementation cannot do that.
>
> You simply use the underlying xts for the first n - 2 blocks and
> do the last two by hand.
>
Possible, but then you're basically pulling a generic XTS implementation into cts.c,
since XTS is nothing more than the repeated application of just that.
Same thing would apply to any other mode you eventually need cts for.
But I suppose it would save you the trouble of having to add cts to all individual
optimized software implementations of xts-which-is-not-really-xts, so I can see
WHY you would want to do it that way ...
Tthen there's still the issue of advancing that last tweak. From what I've seen,
the xts implementation does not output the last tweak so you would have to
recompute it locally in cts.c as block_cipher_enc(iv) * alpha^j. Which is wasteful.
Of course this could be solved by redefining xts to output the last tweak
like CBC/CTR output their last IV ... Which would probably give us HW guys
trouble again because our HW cannot do *that* ... (While the HW very likely
*does* implement the cipher text stealing properly, just to be able to boast
about IEEE P1619 compliance ...)
> Cheers,
> --
> Email: Herbert Xu <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
> > > For XTS, you have this additional curve ball being thrown in called the "tweak".
> > > For encryption, the underlying "xts" would need to be able to chain the tweak,
> > > from what I've seen of the source the implementation cannot do that.
> >
> > You simply use the underlying xts for the first n - 2 blocks and
> > do the last two by hand.
> >
>
> OK, so it appears the XTS ciphertext stealing algorithm does not
> include the peculiar reordering of the 2 final blocks, which means
> that the kernel's implementation of XTS already conforms to the spec
> for inputs that are a multiple of the block size.
>
Yes, for XTS you effectively don't do CTS if it's a 16 byte multiple ...
> The reason I am not a fan of making any changes here is that there are
> no in-kernel users that require ciphertext stealing for XTS, nor is
> anyone aware of any reason why we should be adding it to the userland
> interface. So we are basically adding dead code so that we are
> theoretically compliant in a way that we will never exercise in
> practice.
>
You know, having worked on all kinds of workarounds for silly irrelevant
(IMHO) corner cases in the inside-secure hardware driver over the past
months just to keep testmgr happy, this is kind of ironic ...
Cipher text stealing happens to be a *major* part of the XTS specification
(it's not actually XTS without the CTS part!), yet you are suggesting not
to implement it because *you* don't have or know a use case for it.
That seems like a pretty bad argument to me. It's not some minor corner
case that's not supported.The implementation is just *incomplete*
without it.
> Note that for software algorithms such as the bit sliced NEON
> implementation of AES, which can only operate on 8 AES blocks at a
> time, doing the final 2 blocks sequentially is going to seriously
> impact performance. This means whatever wrapper we invent around xex()
> (or whatever we call it) should go out of its way to ensure that the
> common, non-CTS case does not regress in performance, and the special
> handling is only invoked when necessary (which will be never).
>
I pretty much made the same argument about all these driver workarounds
slowing down my driver fast path but that was considered a non-issue.
In this particular case, it should not need to be more than:
if (unlikely(size & 15)) {
xts_with_partial_last_block();
} else {
xts_with_only_full_blocks();
}
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Thu, Jul 18, 2019 at 04:35:26PM +0000, Pascal Van Leeuwen wrote:
>
> Tthen there's still the issue of advancing that last tweak. From what I've seen,
> the xts implementation does not output the last tweak so you would have to
> recompute it locally in cts.c as block_cipher_enc(iv) * alpha^j. Which is wasteful.
> Of course this could be solved by redefining xts to output the last tweak
> like CBC/CTR output their last IV ... Which would probably give us HW guys
> trouble again because our HW cannot do *that* ... (While the HW very likely
> *does* implement the cipher text stealing properly, just to be able to boast
> about IEEE P1619 compliance ...)
If your hardware supports XTS properly then you wouldn't even need
to use this new template. You would directly export the xts
interface.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, 18 Jul 2019 at 19:03, Pascal Van Leeuwen
<[email protected]> wrote:
>
> > > > For XTS, you have this additional curve ball being thrown in called the "tweak".
> > > > For encryption, the underlying "xts" would need to be able to chain the tweak,
> > > > from what I've seen of the source the implementation cannot do that.
> > >
> > > You simply use the underlying xts for the first n - 2 blocks and
> > > do the last two by hand.
> > >
> >
> > OK, so it appears the XTS ciphertext stealing algorithm does not
> > include the peculiar reordering of the 2 final blocks, which means
> > that the kernel's implementation of XTS already conforms to the spec
> > for inputs that are a multiple of the block size.
> >
> Yes, for XTS you effectively don't do CTS if it's a 16 byte multiple ...
>
> > The reason I am not a fan of making any changes here is that there are
> > no in-kernel users that require ciphertext stealing for XTS, nor is
> > anyone aware of any reason why we should be adding it to the userland
> > interface. So we are basically adding dead code so that we are
> > theoretically compliant in a way that we will never exercise in
> > practice.
> >
> You know, having worked on all kinds of workarounds for silly irrelevant
> (IMHO) corner cases in the inside-secure hardware driver over the past
> months just to keep testmgr happy, this is kind of ironic ...
>
> Cipher text stealing happens to be a *major* part of the XTS specification
> (it's not actually XTS without the CTS part!), yet you are suggesting not
> to implement it because *you* don't have or know a use case for it.
> That seems like a pretty bad argument to me. It's not some minor corner
> case that's not supported.The implementation is just *incomplete*
> without it.
>
I would argue that these cases are diametrically opposite: you
proposed to remove support for zero length input vectors from the
entire crypto API to prevent your driver from having to deal with
inputs that the hardware cannot handle.
I am proposing not to add support for cases that we have no need for.
XTS without CTS is indistinguishable from XTS with CTS if the inputs
are always a multiple of the block size, and in 12 years, nobody has
ever raised the issue that our support is limited to that. So what
problem are we fixing by changing this? dm-crypt does not care,
fscrypt does not care, userland does not care (given that it does not
work today and we are only finding out now due to some fuzz test
failing on CAAM)
> > Note that for software algorithms such as the bit sliced NEON
> > implementation of AES, which can only operate on 8 AES blocks at a
> > time, doing the final 2 blocks sequentially is going to seriously
> > impact performance. This means whatever wrapper we invent around xex()
> > (or whatever we call it) should go out of its way to ensure that the
> > common, non-CTS case does not regress in performance, and the special
> > handling is only invoked when necessary (which will be never).
> >
> I pretty much made the same argument about all these driver workarounds
> slowing down my driver fast path but that was considered a non-issue.
>
> In this particular case, it should not need to be more than:
>
> if (unlikely(size & 15)) {
> xts_with_partial_last_block();
> } else {
> xts_with_only_full_blocks();
> }
>
Of course. But why add this at all if it is known to be dead code?
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Friday, July 19, 2019 7:35 AM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Herbert Xu <[email protected]>; Milan Broz <[email protected]>; Horia Geanta <[email protected]>; linux-
> [email protected]; [email protected]
> Subject: Re: xts fuzz testing and lack of ciphertext stealing support
>
> I would argue that these cases are diametrically opposite: you
> proposed to remove support for zero length input vectors from the
> entire crypto API to prevent your driver from having to deal with
> inputs that the hardware cannot handle.
>
I did not propose any such thing - I just proposed to make zero length hash support *optional*
(i.e. don't fail and disable the driver on it) as it's totally irrelevant for 99.99999% of use cases.
(including *all* use cases I consider relevant for HW acceleration)
> I am proposing not to add support for cases that we have no need for.
>
While you are proposing to stick with an implementation that can only deal with 6.25% (1/16th) of
*legal* input data for XTS and fails on the remaining 93.75%. That's hardly a corner case anymore.
> XTS without CTS is indistinguishable from XTS with CTS if the inputs
> are always a multiple of the block size, and in 12 years, nobody has
> ever raised the issue that our support is limited to that. So what
> problem are we fixing by changing this? dm-crypt does not care,
> fscrypt does not care, userland does not care (given that it does not
> work today and we are only finding out now due to some fuzz test
> failing on CAAM)
>
If it's not supported, then it cannot be used. Most people would not start complaining about that,
they would just roll their own locally or they'd give up and/or use something else.
So the fact that it's currently not being used does not mean a whole lot. Also, it does not mean
that there will not be a relevant use case tomorrow. (and I can assure you there *are* definitely
real-life use cases, so I have to assume these are currently handled outside of the base kernel)
In any case, if you try to use XTS you would *expect* it to work for any input >= 16 bytes as that's
how the algorithm is *specified*. Without the CTS part it's simply not XTS.
> > I pretty much made the same argument about all these driver workarounds
> > slowing down my driver fast path but that was considered a non-issue.
> >
> > In this particular case, it should not need to be more than:
> >
> > if (unlikely(size & 15)) {
> > xts_with_partial_last_block();
> > } else {
> > xts_with_only_full_blocks();
> > }
> >
>
> Of course. But why add this at all if it is known to be dead code?
>
But that's just an assumption and assumptions are the root of all evil ;-)
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Fri, 19 Jul 2019 at 09:29, Pascal Van Leeuwen
<[email protected]> wrote:
>
> > -----Original Message-----
> > From: Ard Biesheuvel <[email protected]>
> > Sent: Friday, July 19, 2019 7:35 AM
> > To: Pascal Van Leeuwen <[email protected]>
> > Cc: Herbert Xu <[email protected]>; Milan Broz <[email protected]>; Horia Geanta <[email protected]>; linux-
> > [email protected]; [email protected]
> > Subject: Re: xts fuzz testing and lack of ciphertext stealing support
> >
> > I would argue that these cases are diametrically opposite: you
> > proposed to remove support for zero length input vectors from the
> > entire crypto API to prevent your driver from having to deal with
> > inputs that the hardware cannot handle.
> >
> I did not propose any such thing - I just proposed to make zero length hash support *optional*
> (i.e. don't fail and disable the driver on it) as it's totally irrelevant for 99.99999% of use cases.
> (including *all* use cases I consider relevant for HW acceleration)
>
Fair enough. But it did involve making modifications to the generic
layer, since there are known users of the AF_ALG interface that may
pass zero length inputs (e.g., sha1sum).
> > I am proposing not to add support for cases that we have no need for.
> >
> While you are proposing to stick with an implementation that can only deal with 6.25% (1/16th) of
> *legal* input data for XTS and fails on the remaining 93.75%. That's hardly a corner case anymore.
>
I never said it was a corner case, nor does it make a lot of sense to
reason about fractional compliance, given that 100% of the inputs we
ever encounter are covered by your 6.25% of legal input data.
What i did say was that the moving parts we will add to the code will
never be put into motion, while they do increase the validation space,
and so the value of the contribution will be negative.
Perhaps I should emphasize that my concern is mainly about in-kernel
usage of the sync software ciphers, since they typically have no use
for userland, given that they can simply issue the same instructions
directly. For AF_ALG, I agree that exposing a non-compliant XTS
implementation is a bad idea.
> > XTS without CTS is indistinguishable from XTS with CTS if the inputs
> > are always a multiple of the block size, and in 12 years, nobody has
> > ever raised the issue that our support is limited to that. So what
> > problem are we fixing by changing this? dm-crypt does not care,
> > fscrypt does not care, userland does not care (given that it does not
> > work today and we are only finding out now due to some fuzz test
> > failing on CAAM)
> >
> If it's not supported, then it cannot be used. Most people would not start complaining about that,
> they would just roll their own locally or they'd give up and/or use something else.
> So the fact that it's currently not being used does not mean a whole lot. Also, it does not mean
> that there will not be a relevant use case tomorrow. (and I can assure you there *are* definitely
> real-life use cases, so I have to assume these are currently handled outside of the base kernel)
>
> In any case, if you try to use XTS you would *expect* it to work for any input >= 16 bytes as that's
> how the algorithm is *specified*. Without the CTS part it's simply not XTS.
>
I really don't care what we call it. My point is that we don't need
functionality that we will not use, regardless of how it is called.
> > > I pretty much made the same argument about all these driver workarounds
> > > slowing down my driver fast path but that was considered a non-issue.
> > >
> > > In this particular case, it should not need to be more than:
> > >
> > > if (unlikely(size & 15)) {
> > > xts_with_partial_last_block();
> > > } else {
> > > xts_with_only_full_blocks();
> > > }
> > >
> >
> > Of course. But why add this at all if it is known to be dead code?
> >
> But that's just an assumption and assumptions are the root of all evil ;-)
>
I think it was premature optimization that is the root of all evil, no?
Hi Ard,
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Friday, July 19, 2019 7:15 PM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Herbert Xu <[email protected]>; Milan Broz <[email protected]>; Horia Geanta <[email protected]>; linux-
> [email protected]; [email protected]
> Subject: Re: xts fuzz testing and lack of ciphertext stealing support
>
> On Fri, 19 Jul 2019 at 09:29, Pascal Van Leeuwen
> <[email protected]> wrote:
> >
> > > -----Original Message-----
> > > From: Ard Biesheuvel <[email protected]>
> > > Sent: Friday, July 19, 2019 7:35 AM
> > > To: Pascal Van Leeuwen <[email protected]>
> > > Cc: Herbert Xu <[email protected]>; Milan Broz <[email protected]>; Horia Geanta <[email protected]>; linux-
> > > [email protected]; [email protected]
> > > Subject: Re: xts fuzz testing and lack of ciphertext stealing support
> > >
> > > I would argue that these cases are diametrically opposite: you
> > > proposed to remove support for zero length input vectors from the
> > > entire crypto API to prevent your driver from having to deal with
> > > inputs that the hardware cannot handle.
> > >
> > I did not propose any such thing - I just proposed to make zero length hash support *optional*
> > (i.e. don't fail and disable the driver on it) as it's totally irrelevant for 99.99999% of use cases.
> > (including *all* use cases I consider relevant for HW acceleration)
> >
>
> Fair enough. But it did involve making modifications to the generic
> layer, since there are known users of the AF_ALG interface that may
> pass zero length inputs (e.g., sha1sum).
>
Which is why I gave up and grudgingly implemented those workarounds ;-)
But they complicate the driver by orders of a magnitude and for that the
same validation argument you give below applies: there's now a lot more
- and worse: a lot more complicated! - code to validate in this driver.
While I seriously question the value of that contribution as well: I don't
expect this driver to ever be used for these corner cases, as you would
simply never *select* it for the applications that might hit them (or, if
you try it an run into trouble, just select another implementation). So
its really just there to keep testmgr happy and nothing else (IMHO).
Also: hardware may have a lot more "problematic" limitations that are not
currently hit by testmgr. The limitations that are hit are kind of arbitrary.
(and I'm not going to shoot myself in the foot by going into detail there ;-)
> > > I am proposing not to add support for cases that we have no need for.
> > >
> > While you are proposing to stick with an implementation that can only deal with 6.25% (1/16th) of
> > *legal* input data for XTS and fails on the remaining 93.75%. That's hardly a corner case anymore.
> >
>
> I never said it was a corner case, nor does it make a lot of sense to
> reason about fractional compliance, given that 100% of the inputs we
> ever encounter are covered by your 6.25% of legal input data.
>
> What i did say was that the moving parts we will add to the code will
> never be put into motion, while they do increase the validation space,
> and so the value of the contribution will be negative.
>
How can you be so sure that it will never be used?
> Perhaps I should emphasize that my concern is mainly about in-kernel
> usage of the sync software ciphers, since they typically have no use
> for userland, given that they can simply issue the same instructions
> directly. For AF_ALG, I agree that exposing a non-compliant XTS
> implementation is a bad idea.
>
And my concern is that I want to accelerate xts but I will now have to
cripple my driver to return -EINVAL on non-multiple-of-16 inputs while
my hardware can actually handle that just fine, just because the actual
"reference" implementation is not compliant. And if I don't match its
(incorrect!) behavior *I* will be the one being failed by testmgr.
Which seems rather unfair :-(
Note that I'm not just interested in providing support to existing
implementations, I may want to support additional features to provide
to my customers that they can use from their own drivers/applications
they build on top of it (which do not exist yet at this moment)
> > > XTS without CTS is indistinguishable from XTS with CTS if the inputs
> > > are always a multiple of the block size, and in 12 years, nobody has
> > > ever raised the issue that our support is limited to that. So what
> > > problem are we fixing by changing this? dm-crypt does not care,
> > > fscrypt does not care, userland does not care (given that it does not
> > > work today and we are only finding out now due to some fuzz test
> > > failing on CAAM)
> > >
> > If it's not supported, then it cannot be used. Most people would not start complaining about that,
> > they would just roll their own locally or they'd give up and/or use something else.
> > So the fact that it's currently not being used does not mean a whole lot. Also, it does not mean
> > that there will not be a relevant use case tomorrow. (and I can assure you there *are* definitely
> > real-life use cases, so I have to assume these are currently handled outside of the base kernel)
> >
> > In any case, if you try to use XTS you would *expect* it to work for any input >= 16 bytes as that's
> > how the algorithm is *specified*. Without the CTS part it's simply not XTS.
> >
>
> I really don't care what we call it. My point is that we don't need
> functionality that we will not use, regardless of how it is called.
>
If you make an implementation that is considered (e.g. by testmgr for fuzz testing)
to be the golden reference, then it'd better be fully compliant with the relevant
specification(s). I guess that's the real point I'm trying to make.
Now a fully compliant implementation would get penalized for being fully compliant.
> > > > I pretty much made the same argument about all these driver workarounds
> > > > slowing down my driver fast path but that was considered a non-issue.
> > > >
> > > > In this particular case, it should not need to be more than:
> > > >
> > > > if (unlikely(size & 15)) {
> > > > xts_with_partial_last_block();
> > > > } else {
> > > > xts_with_only_full_blocks();
> > > > }
> > > >
> > >
> > > Of course. But why add this at all if it is known to be dead code?
> > >
> > But that's just an assumption and assumptions are the root of all evil ;-)
> >
>
> I think it was premature optimization that is the root of all evil, no?
You are talking to a guy who used to prefer to use hand-optimized assembly
for *everything* :-D There's no such thing as time wasted on optimization!
(if it wasn't useful, at least it was fun to do! :-P)
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
>
> > From that perspective - to prevent people from doing cryptographically stupid things -
> > IMHO it would be better to just pull the CTS into the XTS implementation i.e. make
> > xts natively support blocks that are not a multiple of (but >=) the cipher blocksize ...
>
> I would definitely prefer adding CTS directly to XTS (as it is in gcrypt or OpenSSL now)
> instead of some new compositions.
>
> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
>
Can't the "missing modules in initramfs" issue be solved by using a
MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
(There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
but that was simply a bug, which was fixed.)
Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
this a non-issue.
Anyway, I agree that the partial block support, if added, should just be made
available under the name "xts", as people would expect. It doesn't need a new
name.
- Eric
On 20/07/2019 08:58, Eric Biggers wrote:
> On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
>> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
>> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
>> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
>> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
>>
>
> Can't the "missing modules in initramfs" issue be solved by using a
> MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
>
> (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> but that was simply a bug, which was fixed.)
Sure, and it is solved now. (Some systems with a hardcoded list of modules
have to be manually updated etc., but that is just bad design).
It can be done properly from the beginning.
I just want to say that that switching to XEX looks like wasting time to me
for no additional benefit.
Fully implementing XTS does make much more sense for me, even though it is long-term
the effort and the only user, for now, would be testmgr.
So, there are no users because it does not work. It makes no sense
to implement it, because there are no users... (sorry, sounds like catch 22 :)
(Maybe someone can use it for keyslot encryption for keys not aligned to
block size, dunno. Actually, some filesystem encryption could have use for it.)
> Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> this a non-issue.
If it is not available for users, I really see no reason to introduce XEX when
it is just XTS with full blocks.
If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
people are already confused enough that 256bit key in AES-XTS means AES-128...
So the examples, hints, man pages need to be updated, at least.
Milan
On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
>
> On 20/07/2019 08:58, Eric Biggers wrote:
> > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> >>
> >
> > Can't the "missing modules in initramfs" issue be solved by using a
> > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> >
> > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > but that was simply a bug, which was fixed.)
>
> Sure, and it is solved now. (Some systems with a hardcoded list of modules
> have to be manually updated etc., but that is just bad design).
> It can be done properly from the beginning.
>
> I just want to say that that switching to XEX looks like wasting time to me
> for no additional benefit.
>
> Fully implementing XTS does make much more sense for me, even though it is long-term
> the effort and the only user, for now, would be testmgr.
>
> So, there are no users because it does not work. It makes no sense
> to implement it, because there are no users... (sorry, sounds like catch 22 :)
>
> (Maybe someone can use it for keyslot encryption for keys not aligned to
> block size, dunno. Actually, some filesystem encryption could have use for it.)
>
> > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > this a non-issue.
>
> If it is not available for users, I really see no reason to introduce XEX when
> it is just XTS with full blocks.
>
> If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> people are already confused enough that 256bit key in AES-XTS means AES-128...
> So the examples, hints, man pages need to be updated, at least.
>
OK, consider me persuaded. We are already exposing xts(...) to
userland, and since we already implement a proper subset of true XTS,
it will be simply a matter of making sure that the existing XTS
implementations don't regress in performance on the non-CTS code
paths.
It would be useful, though, to have some generic helper functions,
e.g., like the one we have for CBC, or the one I recently proposed for
CTS, so that existing implementations (such as the bit sliced AES) can
easily be augmented with a CTS code path (but performance may not be
optimal in those cases). For the ARM implementations based on AES
instructions, it should be reasonably straight forward to implement it
close to optimally by reusing some of the code I added for CBC-CTS
(but I won't get around to doing that for a while). If there are any
volunteers for looking into the generic or x86/AES-NI implementations,
please come forward :-) Also, if any of the publications that were
quoted in this thread have suitable test vectors, that would be good
to know.
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Sunday, July 21, 2019 11:50 AM
> To: Milan Broz <[email protected]>
> Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> >
> > On 20/07/2019 08:58, Eric Biggers wrote:
> > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > >>
> > >
> > > Can't the "missing modules in initramfs" issue be solved by using a
> > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > >
> > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > but that was simply a bug, which was fixed.)
> >
> > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > have to be manually updated etc., but that is just bad design).
> > It can be done properly from the beginning.
> >
> > I just want to say that that switching to XEX looks like wasting time to me
> > for no additional benefit.
> >
> > Fully implementing XTS does make much more sense for me, even though it is long-term
> > the effort and the only user, for now, would be testmgr.
> >
> > So, there are no users because it does not work. It makes no sense
> > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> >
> > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > block size, dunno. Actually, some filesystem encryption could have use for it.)
> >
> > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > this a non-issue.
> >
> > If it is not available for users, I really see no reason to introduce XEX when
> > it is just XTS with full blocks.
> >
> > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > So the examples, hints, man pages need to be updated, at least.
> >
>
> OK, consider me persuaded. We are already exposing xts(...) to
> userland, and since we already implement a proper subset of true XTS,
> it will be simply a matter of making sure that the existing XTS
> implementations don't regress in performance on the non-CTS code
> paths.
>
> It would be useful, though, to have some generic helper functions,
> e.g., like the one we have for CBC, or the one I recently proposed for
> CTS, so that existing implementations (such as the bit sliced AES) can
> easily be augmented with a CTS code path (but performance may not be
> optimal in those cases). For the ARM implementations based on AES
> instructions, it should be reasonably straight forward to implement it
> close to optimally by reusing some of the code I added for CBC-CTS
> (but I won't get around to doing that for a while). If there are any
> volunteers for looking into the generic or x86/AES-NI implementations,
> please come forward :-) Also, if any of the publications that were
> quoted in this thread have suitable test vectors, that would be good
> to know.
Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
comes to providing test vectors, barely scratching the surface of any corner cases, but
at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
that is not a multiple of 16 bytes")
Besides that, I'd be happy to generate some testvectors from our defacto-standard
implementation ;-)
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
<[email protected]> wrote:
>
> > -----Original Message-----
> > From: Ard Biesheuvel <[email protected]>
> > Sent: Sunday, July 21, 2019 11:50 AM
> > To: Milan Broz <[email protected]>
> > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > [email protected]; Horia Geanta <[email protected]>
> > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> >
> > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > >
> > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > >>
> > > >
> > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > >
> > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > but that was simply a bug, which was fixed.)
> > >
> > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > have to be manually updated etc., but that is just bad design).
> > > It can be done properly from the beginning.
> > >
> > > I just want to say that that switching to XEX looks like wasting time to me
> > > for no additional benefit.
> > >
> > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > the effort and the only user, for now, would be testmgr.
> > >
> > > So, there are no users because it does not work. It makes no sense
> > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > >
> > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > >
> > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > this a non-issue.
> > >
> > > If it is not available for users, I really see no reason to introduce XEX when
> > > it is just XTS with full blocks.
> > >
> > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > So the examples, hints, man pages need to be updated, at least.
> > >
> >
> > OK, consider me persuaded. We are already exposing xts(...) to
> > userland, and since we already implement a proper subset of true XTS,
> > it will be simply a matter of making sure that the existing XTS
> > implementations don't regress in performance on the non-CTS code
> > paths.
> >
> > It would be useful, though, to have some generic helper functions,
> > e.g., like the one we have for CBC, or the one I recently proposed for
> > CTS, so that existing implementations (such as the bit sliced AES) can
> > easily be augmented with a CTS code path (but performance may not be
> > optimal in those cases). For the ARM implementations based on AES
> > instructions, it should be reasonably straight forward to implement it
> > close to optimally by reusing some of the code I added for CBC-CTS
> > (but I won't get around to doing that for a while). If there are any
> > volunteers for looking into the generic or x86/AES-NI implementations,
> > please come forward :-) Also, if any of the publications that were
> > quoted in this thread have suitable test vectors, that would be good
> > to know.
>
> Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> comes to providing test vectors, barely scratching the surface of any corner cases, but
> at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> that is not a multiple of 16 bytes")
>
Actually, that spec has a couple of test vectors. Unfortunately, they
are all rather short (except the last one in the 'no multiple of 16
bytes' paragraph, but unfortunately, that one is in fact a multiple of
16 bytes)
I added them here [0] along with an arm64 implementation for the AES
instruction based driver. Could you please double check that these
work against your driver? That would establish a ground truth against
which we can implement the generic version as well.
[0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> Besides that, I'd be happy to generate some testvectors from our defacto-standard
> implementation ;-)
>
One or two larger ones would be useful, yes.
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Monday, July 22, 2019 6:43 PM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
> <[email protected]> wrote:
> >
> > > -----Original Message-----
> > > From: Ard Biesheuvel <[email protected]>
> > > Sent: Sunday, July 21, 2019 11:50 AM
> > > To: Milan Broz <[email protected]>
> > > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected];
> linux-
> > > [email protected]; Horia Geanta <[email protected]>
> > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> > >
> > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > > >
> > > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > > >>
> > > > >
> > > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > > >
> > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > > but that was simply a bug, which was fixed.)
> > > >
> > > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > > have to be manually updated etc., but that is just bad design).
> > > > It can be done properly from the beginning.
> > > >
> > > > I just want to say that that switching to XEX looks like wasting time to me
> > > > for no additional benefit.
> > > >
> > > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > > the effort and the only user, for now, would be testmgr.
> > > >
> > > > So, there are no users because it does not work. It makes no sense
> > > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > > >
> > > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > > >
> > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > > this a non-issue.
> > > >
> > > > If it is not available for users, I really see no reason to introduce XEX when
> > > > it is just XTS with full blocks.
> > > >
> > > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > > So the examples, hints, man pages need to be updated, at least.
> > > >
> > >
> > > OK, consider me persuaded. We are already exposing xts(...) to
> > > userland, and since we already implement a proper subset of true XTS,
> > > it will be simply a matter of making sure that the existing XTS
> > > implementations don't regress in performance on the non-CTS code
> > > paths.
> > >
> > > It would be useful, though, to have some generic helper functions,
> > > e.g., like the one we have for CBC, or the one I recently proposed for
> > > CTS, so that existing implementations (such as the bit sliced AES) can
> > > easily be augmented with a CTS code path (but performance may not be
> > > optimal in those cases). For the ARM implementations based on AES
> > > instructions, it should be reasonably straight forward to implement it
> > > close to optimally by reusing some of the code I added for CBC-CTS
> > > (but I won't get around to doing that for a while). If there are any
> > > volunteers for looking into the generic or x86/AES-NI implementations,
> > > please come forward :-) Also, if any of the publications that were
> > > quoted in this thread have suitable test vectors, that would be good
> > > to know.
> >
> > Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> > comes to providing test vectors, barely scratching the surface of any corner cases, but
> > at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> > that is not a multiple of 16 bytes")
> >
>
> Actually, that spec has a couple of test vectors. Unfortunately, they
> are all rather short (except the last one in the 'no multiple of 16
> bytes' paragraph, but unfortunately, that one is in fact a multiple of
> 16 bytes)
>
Yes, as usual it's very limited and does not cover all the interesting cases.
It's still better than nothing, though.
The fact that the last one actually *is* a multiple of 16 is quite hilarious, I
had not spotted that myself yet ...
> I added them here [0] along with an arm64 implementation for the AES
> instruction based driver. Could you please double check that these
> work against your driver? That would establish a ground truth against
> which we can implement the generic version as well.
>
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
>
I'd be happy to do that except that adding XTS support to the driver is still
on my todo list. I was actually waiting for some of my earlier patches to be
acked as the situation is becoming rather unmanageable for me ...
But I suppose I can give it a shot anyway - adding XTS should be relatively
simple compare to, say, adding AES-GCM. But I'm sure I'll somehow regret
saying that.
> > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > implementation ;-)
> >
>
> One or two larger ones would be useful, yes.
>
It was more or less a joke as how would you know them to be correct?
(not that I don't trust my hardware, of course ...)
If it's just for playing around, I can provide some larger vectors, no problem.
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
Ard,
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Monday, July 22, 2019 6:43 PM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
> <[email protected]> wrote:
> >
> > > -----Original Message-----
> > > From: Ard Biesheuvel <[email protected]>
> > > Sent: Sunday, July 21, 2019 11:50 AM
> > > To: Milan Broz <[email protected]>
> > > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > > [email protected]; Horia Geanta <[email protected]>
> > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> > >
> > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > > >
> > > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > > >>
> > > > >
> > > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > > >
> > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > > but that was simply a bug, which was fixed.)
> > > >
> > > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > > have to be manually updated etc., but that is just bad design).
> > > > It can be done properly from the beginning.
> > > >
> > > > I just want to say that that switching to XEX looks like wasting time to me
> > > > for no additional benefit.
> > > >
> > > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > > the effort and the only user, for now, would be testmgr.
> > > >
> > > > So, there are no users because it does not work. It makes no sense
> > > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > > >
> > > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > > >
> > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > > this a non-issue.
> > > >
> > > > If it is not available for users, I really see no reason to introduce XEX when
> > > > it is just XTS with full blocks.
> > > >
> > > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > > So the examples, hints, man pages need to be updated, at least.
> > > >
> > >
> > > OK, consider me persuaded. We are already exposing xts(...) to
> > > userland, and since we already implement a proper subset of true XTS,
> > > it will be simply a matter of making sure that the existing XTS
> > > implementations don't regress in performance on the non-CTS code
> > > paths.
> > >
> > > It would be useful, though, to have some generic helper functions,
> > > e.g., like the one we have for CBC, or the one I recently proposed for
> > > CTS, so that existing implementations (such as the bit sliced AES) can
> > > easily be augmented with a CTS code path (but performance may not be
> > > optimal in those cases). For the ARM implementations based on AES
> > > instructions, it should be reasonably straight forward to implement it
> > > close to optimally by reusing some of the code I added for CBC-CTS
> > > (but I won't get around to doing that for a while). If there are any
> > > volunteers for looking into the generic or x86/AES-NI implementations,
> > > please come forward :-) Also, if any of the publications that were
> > > quoted in this thread have suitable test vectors, that would be good
> > > to know.
> >
> > Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> > comes to providing test vectors, barely scratching the surface of any corner cases, but
> > at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> > that is not a multiple of 16 bytes")
> >
>
> Actually, that spec has a couple of test vectors. Unfortunately, they
> are all rather short (except the last one in the 'no multiple of 16
> bytes' paragraph, but unfortunately, that one is in fact a multiple of
> 16 bytes)
>
> I added them here [0] along with an arm64 implementation for the AES
> instruction based driver. Could you please double check that these
> work against your driver? That would establish a ground truth against
> which we can implement the generic version as well.
>
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
>
I'm working on my XTS implementation now and I noticed something funny with the test
vectors. The new CTS ones you added here, I can perfectly trace back to the IEEE spec,
they match byte-for-byte.
However, the ones that already existed puzzle me. The input data matches vectors from
the IEEE spec, however the expected output cipher text does NOT ????
Case in point, the very first vector, which has a key of all zeroes, a sector number (IV)
or all zeroes and an all zeroes plaintext of 32 bytes, which matches the 1st spec vector:
testmgr.h expects:
"\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
"\x30\x74\xe4\x44\x52\x77\x97\x43"
"\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
"\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0"
But the specification expects:
917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
Which also happens to be what our hardware does ...
Did you notice the same thing with your implementation? Am I missing something??
> > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > implementation ;-)
> >
>
> One or two larger ones would be useful, yes.
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
Ah, ugh, my bad. Ignore my previous mail below. Turns out the tf_xts_tv_template I was looking
at is for xts(twofish) not xts(aes) ... which was not immediately obvious from the name, for me.
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Pascal Van Leeuwen
> Sent: Wednesday, July 24, 2019 2:23 PM
> To: Ard Biesheuvel <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: RE: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> Ard,
>
> > -----Original Message-----
> > From: Ard Biesheuvel <[email protected]>
> > Sent: Monday, July 22, 2019 6:43 PM
> > To: Pascal Van Leeuwen <[email protected]>
> > Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > [email protected]; Horia Geanta <[email protected]>
> > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> >
> > On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
> > <[email protected]> wrote:
> > >
> > > > -----Original Message-----
> > > > From: Ard Biesheuvel <[email protected]>
> > > > Sent: Sunday, July 21, 2019 11:50 AM
> > > > To: Milan Broz <[email protected]>
> > > > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected];
> linux-
> > > > [email protected]; Horia Geanta <[email protected]>
> > > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> > > >
> > > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > > > >
> > > > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > > > >>
> > > > > >
> > > > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > > > >
> > > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > > > but that was simply a bug, which was fixed.)
> > > > >
> > > > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > > > have to be manually updated etc., but that is just bad design).
> > > > > It can be done properly from the beginning.
> > > > >
> > > > > I just want to say that that switching to XEX looks like wasting time to me
> > > > > for no additional benefit.
> > > > >
> > > > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > > > the effort and the only user, for now, would be testmgr.
> > > > >
> > > > > So, there are no users because it does not work. It makes no sense
> > > > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > > > >
> > > > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > > > >
> > > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > > > this a non-issue.
> > > > >
> > > > > If it is not available for users, I really see no reason to introduce XEX when
> > > > > it is just XTS with full blocks.
> > > > >
> > > > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > > > So the examples, hints, man pages need to be updated, at least.
> > > > >
> > > >
> > > > OK, consider me persuaded. We are already exposing xts(...) to
> > > > userland, and since we already implement a proper subset of true XTS,
> > > > it will be simply a matter of making sure that the existing XTS
> > > > implementations don't regress in performance on the non-CTS code
> > > > paths.
> > > >
> > > > It would be useful, though, to have some generic helper functions,
> > > > e.g., like the one we have for CBC, or the one I recently proposed for
> > > > CTS, so that existing implementations (such as the bit sliced AES) can
> > > > easily be augmented with a CTS code path (but performance may not be
> > > > optimal in those cases). For the ARM implementations based on AES
> > > > instructions, it should be reasonably straight forward to implement it
> > > > close to optimally by reusing some of the code I added for CBC-CTS
> > > > (but I won't get around to doing that for a while). If there are any
> > > > volunteers for looking into the generic or x86/AES-NI implementations,
> > > > please come forward :-) Also, if any of the publications that were
> > > > quoted in this thread have suitable test vectors, that would be good
> > > > to know.
> > >
> > > Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> > > comes to providing test vectors, barely scratching the surface of any corner cases, but
> > > at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> > > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> > > that is not a multiple of 16 bytes")
> > >
> >
> > Actually, that spec has a couple of test vectors. Unfortunately, they
> > are all rather short (except the last one in the 'no multiple of 16
> > bytes' paragraph, but unfortunately, that one is in fact a multiple of
> > 16 bytes)
> >
> > I added them here [0] along with an arm64 implementation for the AES
> > instruction based driver. Could you please double check that these
> > work against your driver? That would establish a ground truth against
> > which we can implement the generic version as well.
> >
> > [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> >
> I'm working on my XTS implementation now and I noticed something funny with the test
> vectors. The new CTS ones you added here, I can perfectly trace back to the IEEE spec,
> they match byte-for-byte.
>
> However, the ones that already existed puzzle me. The input data matches vectors from
> the IEEE spec, however the expected output cipher text does NOT ????
>
> Case in point, the very first vector, which has a key of all zeroes, a sector number (IV)
> or all zeroes and an all zeroes plaintext of 32 bytes, which matches the 1st spec vector:
> testmgr.h expects:
> "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
> "\x30\x74\xe4\x44\x52\x77\x97\x43"
> "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
> "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0"
>
> But the specification expects:
> 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
>
> Which also happens to be what our hardware does ...
>
> Did you notice the same thing with your implementation? Am I missing something??
>
> > > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > > implementation ;-)
> > >
> >
> > One or two larger ones would be useful, yes.
>
> Regards,
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
> http://www.insidesecure.com
>
>
Ard,
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Monday, July 22, 2019 6:43 PM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
> <[email protected]> wrote:
> >
> > > -----Original Message-----
> > > From: Ard Biesheuvel <[email protected]>
> > > Sent: Sunday, July 21, 2019 11:50 AM
> > > To: Milan Broz <[email protected]>
> > > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > > [email protected]; Horia Geanta <[email protected]>
> > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> > >
> > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > > >
> > > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > > >>
> > > > >
> > > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > > >
> > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > > but that was simply a bug, which was fixed.)
> > > >
> > > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > > have to be manually updated etc., but that is just bad design).
> > > > It can be done properly from the beginning.
> > > >
> > > > I just want to say that that switching to XEX looks like wasting time to me
> > > > for no additional benefit.
> > > >
> > > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > > the effort and the only user, for now, would be testmgr.
> > > >
> > > > So, there are no users because it does not work. It makes no sense
> > > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > > >
> > > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > > >
> > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > > this a non-issue.
> > > >
> > > > If it is not available for users, I really see no reason to introduce XEX when
> > > > it is just XTS with full blocks.
> > > >
> > > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > > So the examples, hints, man pages need to be updated, at least.
> > > >
> > >
> > > OK, consider me persuaded. We are already exposing xts(...) to
> > > userland, and since we already implement a proper subset of true XTS,
> > > it will be simply a matter of making sure that the existing XTS
> > > implementations don't regress in performance on the non-CTS code
> > > paths.
> > >
> > > It would be useful, though, to have some generic helper functions,
> > > e.g., like the one we have for CBC, or the one I recently proposed for
> > > CTS, so that existing implementations (such as the bit sliced AES) can
> > > easily be augmented with a CTS code path (but performance may not be
> > > optimal in those cases). For the ARM implementations based on AES
> > > instructions, it should be reasonably straight forward to implement it
> > > close to optimally by reusing some of the code I added for CBC-CTS
> > > (but I won't get around to doing that for a while). If there are any
> > > volunteers for looking into the generic or x86/AES-NI implementations,
> > > please come forward :-) Also, if any of the publications that were
> > > quoted in this thread have suitable test vectors, that would be good
> > > to know.
> >
> > Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> > comes to providing test vectors, barely scratching the surface of any corner cases, but
> > at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> > that is not a multiple of 16 bytes")
> >
>
> Actually, that spec has a couple of test vectors. Unfortunately, they
> are all rather short (except the last one in the 'no multiple of 16
> bytes' paragraph, but unfortunately, that one is in fact a multiple of
> 16 bytes)
>
> I added them here [0] along with an arm64 implementation for the AES
> instruction based driver. Could you please double check that these
> work against your driver?
>
I got XTS working with the inside-secure driver and these (and all other) vectors pass :-)
> That would establish a ground truth against
> which we can implement the generic version as well.
>
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
>
> > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > implementation ;-)
> >
>
> One or two larger ones would be useful, yes.
>
I'll see if I can extract some suitable vectors from our verification suite ...
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Wed, 24 Jul 2019 at 19:10, Pascal Van Leeuwen
<[email protected]> wrote:
>
> Ard,
>
> > -----Original Message-----
> > From: Ard Biesheuvel <[email protected]>
> > Sent: Monday, July 22, 2019 6:43 PM
> > To: Pascal Van Leeuwen <[email protected]>
> > Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > [email protected]; Horia Geanta <[email protected]>
> > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> >
> > On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen
> > <[email protected]> wrote:
> > >
> > > > -----Original Message-----
> > > > From: Ard Biesheuvel <[email protected]>
> > > > Sent: Sunday, July 21, 2019 11:50 AM
> > > > To: Milan Broz <[email protected]>
> > > > Cc: Pascal Van Leeuwen <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > > > [email protected]; Horia Geanta <[email protected]>
> > > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> > > >
> > > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <[email protected]> wrote:
> > > > >
> > > > > On 20/07/2019 08:58, Eric Biggers wrote:
> > > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > > > > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > > > > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > > > > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > > > > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > > > > >>
> > > > > >
> > > > > > Can't the "missing modules in initramfs" issue be solved by using a
> > > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > > > > >
> > > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > > > > but that was simply a bug, which was fixed.)
> > > > >
> > > > > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > > > > have to be manually updated etc., but that is just bad design).
> > > > > It can be done properly from the beginning.
> > > > >
> > > > > I just want to say that that switching to XEX looks like wasting time to me
> > > > > for no additional benefit.
> > > > >
> > > > > Fully implementing XTS does make much more sense for me, even though it is long-term
> > > > > the effort and the only user, for now, would be testmgr.
> > > > >
> > > > > So, there are no users because it does not work. It makes no sense
> > > > > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> > > > >
> > > > > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > > > > block size, dunno. Actually, some filesystem encryption could have use for it.)
> > > > >
> > > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > > > > this a non-issue.
> > > > >
> > > > > If it is not available for users, I really see no reason to introduce XEX when
> > > > > it is just XTS with full blocks.
> > > > >
> > > > > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > > > > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > > > > So the examples, hints, man pages need to be updated, at least.
> > > > >
> > > >
> > > > OK, consider me persuaded. We are already exposing xts(...) to
> > > > userland, and since we already implement a proper subset of true XTS,
> > > > it will be simply a matter of making sure that the existing XTS
> > > > implementations don't regress in performance on the non-CTS code
> > > > paths.
> > > >
> > > > It would be useful, though, to have some generic helper functions,
> > > > e.g., like the one we have for CBC, or the one I recently proposed for
> > > > CTS, so that existing implementations (such as the bit sliced AES) can
> > > > easily be augmented with a CTS code path (but performance may not be
> > > > optimal in those cases). For the ARM implementations based on AES
> > > > instructions, it should be reasonably straight forward to implement it
> > > > close to optimally by reusing some of the code I added for CBC-CTS
> > > > (but I won't get around to doing that for a while). If there are any
> > > > volunteers for looking into the generic or x86/AES-NI implementations,
> > > > please come forward :-) Also, if any of the publications that were
> > > > quoted in this thread have suitable test vectors, that would be good
> > > > to know.
> > >
> > > Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
> > > comes to providing test vectors, barely scratching the surface of any corner cases, but
> > > at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
> > > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
> > > that is not a multiple of 16 bytes")
> > >
> >
> > Actually, that spec has a couple of test vectors. Unfortunately, they
> > are all rather short (except the last one in the 'no multiple of 16
> > bytes' paragraph, but unfortunately, that one is in fact a multiple of
> > 16 bytes)
> >
> > I added them here [0] along with an arm64 implementation for the AES
> > instruction based driver. Could you please double check that these
> > work against your driver?
> >
> I got XTS working with the inside-secure driver and these (and all other) vectors pass :-)
>
Excellent, thanks for the report. May I add your Tested-by when I post
the patch? (just the one that adds the test vectors)
> > That would establish a ground truth against
> > which we can implement the generic version as well.
> >
> > [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> >
> > > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > > implementation ;-)
> > >
> >
> > One or two larger ones would be useful, yes.
> >
> I'll see if I can extract some suitable vectors from our verification suite ...
>
Great. Once available, I'll run them against my implementations and report back.
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Thursday, July 25, 2019 8:22 AM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> > >
> > > Actually, that spec has a couple of test vectors. Unfortunately, they
> > > are all rather short (except the last one in the 'no multiple of 16
> > > bytes' paragraph, but unfortunately, that one is in fact a multiple of
> > > 16 bytes)
> > >
> > > I added them here [0] along with an arm64 implementation for the AES
> > > instruction based driver. Could you please double check that these
> > > work against your driver?
> > >
> > I got XTS working with the inside-secure driver and these (and all other) vectors pass :-)
> >
>
> Excellent, thanks for the report. May I add your Tested-by when I post
> the patch? (just the one that adds the test vectors)
>
Sure, feel free
> > > That would establish a ground truth against
> > > which we can implement the generic version as well.
> > >
> > > [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> > >
> > > > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > > > implementation ;-)
> > > >
> > >
> > > One or two larger ones would be useful, yes.
> > >
> > I'll see if I can extract some suitable vectors from our verification suite ...
> >
>
> Great. Once available, I'll run them against my implementations and report back.
>
Just wondering ... do you have any particular requirements on the sizes?
From my implementation's perspective, it doesn't make a whole lot of sense to test vectors
of more than 3 times the cipher block size, but then I realized that you probably need
larger vectors due to the loop unrolling you do for the vector implementations?
You also don't want them to be too big as they take up space in the kernel image ...
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com
On Thu, 25 Jul 2019 at 10:49, Pascal Van Leeuwen
<[email protected]> wrote:
>
>
> > -----Original Message-----
> > From: Ard Biesheuvel <[email protected]>
> > Sent: Thursday, July 25, 2019 8:22 AM
> > To: Pascal Van Leeuwen <[email protected]>
> > Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> > [email protected]; Horia Geanta <[email protected]>
> > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> >
> > > >
> > > > Actually, that spec has a couple of test vectors. Unfortunately, they
> > > > are all rather short (except the last one in the 'no multiple of 16
> > > > bytes' paragraph, but unfortunately, that one is in fact a multiple of
> > > > 16 bytes)
> > > >
> > > > I added them here [0] along with an arm64 implementation for the AES
> > > > instruction based driver. Could you please double check that these
> > > > work against your driver?
> > > >
> > > I got XTS working with the inside-secure driver and these (and all other) vectors pass :-)
> > >
> >
> > Excellent, thanks for the report. May I add your Tested-by when I post
> > the patch? (just the one that adds the test vectors)
> >
> Sure, feel free
>
Thanks
> > > > That would establish a ground truth against
> > > > which we can implement the generic version as well.
> > > >
> > > > [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> > > >
> > > > > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > > > > implementation ;-)
> > > > >
> > > >
> > > > One or two larger ones would be useful, yes.
> > > >
> > > I'll see if I can extract some suitable vectors from our verification suite ...
> > >
> >
> > Great. Once available, I'll run them against my implementations and report back.
> >
> Just wondering ... do you have any particular requirements on the sizes?
> From my implementation's perspective, it doesn't make a whole lot of sense to test vectors
> of more than 3 times the cipher block size, but then I realized that you probably need
> larger vectors due to the loop unrolling you do for the vector implementations?
> You also don't want them to be too big as they take up space in the kernel image ...
>
We have code that operates on 1 block, 3 blocks (ARM), 4-5 blocks
(arm64) or 8 blocks (ARM,arm64) at a time. However, the most important
thing is to test the handover between the block based loop and the
epilogue that operates on the final 17-31 bytes when ciphertext
stealing is being done.
So ideally, we'd have 1 full block + 1 full/1 partial, 3 full blocks +
1 full/1 partial, and so on for 4, 5 and 8 blocks, to cover all the
code flows, but since the unrolled routines all support arbitrary
block counts (and so the handover between the multiblock and the
single block handling is already covered), just having the first two
would be sufficient IMO.
Ard,
> -----Original Message-----
> From: Ard Biesheuvel <[email protected]>
> Sent: Thursday, July 25, 2019 10:02 AM
> To: Pascal Van Leeuwen <[email protected]>
> Cc: Milan Broz <[email protected]>; Herbert Xu <[email protected]>; [email protected]; linux-
> [email protected]; Horia Geanta <[email protected]>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> > > > > One or two larger ones would be useful, yes.
> > > > >
> > > > I'll see if I can extract some suitable vectors from our verification suite ...
> > > >
> > >
> > > Great. Once available, I'll run them against my implementations and report back.
> > >
> > Just wondering ... do you have any particular requirements on the sizes?
> > From my implementation's perspective, it doesn't make a whole lot of sense to test vectors
> > of more than 3 times the cipher block size, but then I realized that you probably need
> > larger vectors due to the loop unrolling you do for the vector implementations?
> > You also don't want them to be too big as they take up space in the kernel image ...
> >
>
> We have code that operates on 1 block, 3 blocks (ARM), 4-5 blocks
> (arm64) or 8 blocks (ARM,arm64) at a time. However, the most important
> thing is to test the handover between the block based loop and the
> epilogue that operates on the final 17-31 bytes when ciphertext
> stealing is being done.
>
> So ideally, we'd have 1 full block + 1 full/1 partial, 3 full blocks +
> 1 full/1 partial, and so on for 4, 5 and 8 blocks, to cover all the
> code flows, but since the unrolled routines all support arbitrary
> block counts (and so the handover between the multiblock and the
> single block handling is already covered), just having the first two
> would be sufficient IMO.
>
Ok, find below a patch file that adds your vectors from the specification
plus my set of additional vectors covering all CTS alignments combined
with the block sizes you desired. Please note though that these vectors
are from our in-house home-grown model so no warranties.
They do run fine on the inside-secure driver + HW though, and I hereby
donate them to the public domain i.e. feel free to use them as you see fit.
(in case Outlook 365 messed up the patch below, it's also available from
my public Git: https://github.com/pvanleeuwen/linux-cryptodev.git,
branch is_driver_patch2)
--
This patch adds testvectors for AES-XTS that cover data inputs that are
not a multiple of 16 bytes and therefore require cipher text stealing
(CTS) to be applied. Vectors were added to cover all possible alignments
combined with various interesting (i.e. for vector implementations working
on 3,4,5 or 8 AES blocks in parallel) lengths.
Signed-off-by: Pascal van Leeuwen <[email protected]>
---
crypto/testmgr.h | 368 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 368 insertions(+)
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 105f2ce..1046e47 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -15594,6 +15594,374 @@ struct len_range_sel {
"\xc4\xf3\x6f\xfd\xa9\xfc\xea\x70"
"\xb9\xc6\xe6\x93\xe1\x48\xc1\x51",
.len = 512,
+ }, { /* XTS-AES 15 */
+ .key = "\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8"
+ "\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0"
+ "\xbf\xbe\xbd\xbc\xbb\xba\xb9\xb8"
+ "\xb7\xb6\xb5\xb4\xb3\xb2\xb1\xb0",
+ .klen = 32,
+ .iv = "\x9a\x78\x56\x34\x12\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .ptext = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10",
+ .ctext = "\x6c\x16\x25\xdb\x46\x71\x52\x2d"
+ "\x3d\x75\x99\x60\x1d\xe7\xca\x09"
+ "\xed",
+ .len = 17,
+ }, { /* XTS-AES 16 */
+ .key = "\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8"
+ "\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0"
+ "\xbf\xbe\xbd\xbc\xbb\xba\xb9\xb8"
+ "\xb7\xb6\xb5\xb4\xb3\xb2\xb1\xb0",
+ .klen = 32,
+ .iv = "\x9a\x78\x56\x34\x12\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .ptext = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10\x11",
+ .ctext = "\xd0\x69\x44\x4b\x7a\x7e\x0c\xab"
+ "\x09\xe2\x44\x47\xd2\x4d\xeb\x1f"
+ "\xed\xbf",
+ .len = 18,
+ }, { /* XTS-AES 17 */
+ .key = "\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8"
+ "\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0"
+ "\xbf\xbe\xbd\xbc\xbb\xba\xb9\xb8"
+ "\xb7\xb6\xb5\xb4\xb3\xb2\xb1\xb0",
+ .klen = 32,
+ .iv = "\x9a\x78\x56\x34\x12\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .ptext = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10\x11\x12",
+ .ctext = "\xe5\xdf\x13\x51\xc0\x54\x4b\xa1"
+ "\x35\x0b\x33\x63\xcd\x8e\xf4\xbe"
+ "\xed\xbf\x9d",
+ .len = 19,
+ }, { /* XTS-AES 18 */
+ .key = "\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8"
+ "\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0"
+ "\xbf\xbe\xbd\xbc\xbb\xba\xb9\xb8"
+ "\xb7\xb6\xb5\xb4\xb3\xb2\xb1\xb0",
+ .klen = 32,
+ .iv = "\x9a\x78\x56\x34\x12\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .ptext = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10\x11\x12\x13",
+ .ctext = "\x9d\x84\xc8\x13\xf7\x19\xaa\x2c"
+ "\x7b\xe3\xf6\x61\x71\xc7\xc5\xc2"
+ "\xed\xbf\x9d\xac",
+ .len = 20,
+ /* Additional vectors to increase CTS coverage */
+ }, { /* 1 block + 21 bytes */
+ .key = "\xa1\x34\x0e\x49\x38\xfd\x8b\xf6"
+ "\x45\x60\x67\x07\x0f\x50\xa8\x2b"
+ "\xa8\xf1\xfe\x7e\xf4\xf0\x47\xcd"
+ "\xfd\x91\x78\xf9\x14\x8b\x7d\x27"
+ "\x0e\xdc\xca\xe6\xf4\xfc\xd7\x4f"
+ "\x19\x8c\xd0\xe6\x9e\x2f\xf8\x75"
+ "\xb5\xe2\x48\x00\x4f\x07\xd9\xa1"
+ "\x42\xbc\x9d\xfc\x17\x98\x00\x48",
+ .klen = 64,
+ .iv = "\xcb\x35\x47\x5a\x7a\x06\x28\xb9"
+ "\x80\xf5\xa7\xe6\x8a\x23\x42\xf8",
+ .ptext = "\x04\x52\xc8\x7f\xb0\x5a\x12\xc5"
+ "\x96\x47\x6b\xf4\xbc\x2e\xdb\x74"
+ "\xd2\x20\x24\x32\xe5\x84\xb6\x25"
+ "\x4c\x2f\x96\xc7\x55\x9c\x90\x6f"
+ "\x0e\x96\x94\x68\xf4",
+ .ctext = "\x6a\x2d\x57\xb8\x72\x49\x10\x6b"
+ "\x5b\x5a\xc9\x92\xab\x59\x79\x36"
+ "\x7a\x01\x95\xf7\xdd\xcb\x3f\xbf"
+ "\xb2\xe3\x7e\x35\xe3\x11\x04\x68"
+ "\x28\xc3\x70\x6a\xe1",
+ .len = 37,
+ }, { /* 3 blocks + 22 bytes */
+ .key = "\xf7\x87\x75\xdf\x36\x20\xe7\xcb"
+ "\x20\x5d\x49\x96\x81\x3d\x1d\x80"
+ "\xc7\x18\x7e\xbf\x2a\x0f\x79\xba"
+ "\x06\xb5\x4b\x63\x03\xfb\xb8\x49"
+ "\x93\x2d\x85\x5b\x95\x1f\x78\xea"
+ "\x7c\x1e\xf5\x5d\x02\xc6\xec\xb0"
+ "\xf0\xaa\x3d\x0a\x04\xe1\x67\x80"
+ "\x2a\xbe\x4e\x73\xc9\x11\xcc\x6c",
+ .klen = 64,
+ .iv = "\xeb\xba\x55\x24\xfc\x8f\x25\x7c"
+ "\x66\xf9\x04\x03\xcc\xb1\xf4\x84",
+ .ptext = "\x40\x75\x1b\x72\x2a\xc8\xbf\xef"
+ "\x0c\x92\x3e\x19\xc5\x09\x07\x38"
+ "\x4d\x87\x5c\xb8\xd6\x4f\x1a\x39"
+ "\x8c\xee\xa5\x22\x41\x12\xe1\x22"
+ "\xb5\x4b\xd7\xeb\x02\xfa\xaa\xf8"
+ "\x94\x47\x04\x5d\x8a\xb5\x40\x12"
+ "\x04\x62\x3d\xe4\x19\x8a\xeb\xb3"
+ "\xf9\xa3\x7d\xb6\xeb\x57\xf9\xb8"
+ "\x7f\xa8\xfa\x2d\x75\x2d",
+ .ctext = "\x46\x6d\xe5\x35\x5d\x22\x42\x33"
+ "\xf7\xb8\xfb\xc0\xcb\x18\xad\xa4"
+ "\x75\x6c\xc6\x38\xbb\xd4\xa1\x32"
+ "\x00\x05\x06\xd9\xc9\x17\xd9\x4f"
+ "\x1a\xf6\x24\x64\x27\x8a\x4a\xad"
+ "\x88\xa0\x86\xb7\xf9\x33\xaf\xa8"
+ "\x0e\x83\xd8\x0e\x88\xa2\x81\x79"
+ "\x65\x2e\x3e\x84\xaf\xa1\x46\x7d"
+ "\xa9\x91\xf8\x17\x82\x8d",
+ .len = 70,
+ }, { /* 4 blocks + 23 bytes */
+ .key = "\x48\x09\xab\x48\xd6\xca\x7d\xb1"
+ "\x90\xa0\x00\xd8\x33\x8a\x20\x79"
+ "\x7c\xbc\x0c\x0c\x5f\x41\xbc\xbc"
+ "\x82\xaf\x41\x81\x23\x93\xcb\xc7"
+ "\x61\x7b\x83\x13\x16\xb1\x3e\x7c"
+ "\xcc\xae\xda\xca\x78\xc7\xab\x18"
+ "\x69\xb6\x58\x3e\x5c\x19\x5f\xed"
+ "\x7b\xcf\x70\xb9\x76\x00\xd8\xc9",
+ .klen = 64,
+ .iv = "\x2e\x20\x36\xf4\xa3\x22\x5d\xd8"
+ "\x38\x49\x82\xbf\x6c\x56\xd9\x3b",
+ .ptext = "\x79\x3c\x73\x99\x65\x21\xe1\xb9"
+ "\xa0\xfd\x22\xb2\x57\xc0\x7f\xf4"
+ "\x7f\x97\x36\xaf\xf8\x8d\x73\xe1"
+ "\x0d\x85\xe9\xd5\x3d\x82\xb3\x49"
+ "\x89\x25\x30\x1f\x0d\xca\x5c\x95"
+ "\x64\x31\x02\x17\x11\x08\x8f\x32"
+ "\xbc\x37\x23\x4f\x03\x98\x91\x4a"
+ "\x50\xe2\x58\xa8\x9b\x64\x09\xe0"
+ "\xce\x99\xc9\xb0\xa8\x21\x73\xb7"
+ "\x2d\x4b\x19\xba\x81\x83\x99\xce"
+ "\xa0\x7a\xd0\x9f\x27\xf6\x8a",
+ .ctext = "\xf9\x12\x76\x21\x06\x1e\xe4\x4b"
+ "\xf9\x94\x38\x29\x0f\xee\xcb\x13"
+ "\xa3\xc3\x50\xe3\xc6\x29\x9d\xcf"
+ "\x6f\x6a\x0a\x25\xab\x44\xf6\xe4"
+ "\x71\x29\x75\x3b\x07\x1c\xfc\x1a"
+ "\x75\xd4\x84\x58\x7f\xc4\xf3\xf7"
+ "\x8f\x7c\x7a\xdc\xa2\xa3\x95\x38"
+ "\x15\xdf\x3b\x9c\xdd\x24\xb4\x0b"
+ "\xa8\x97\xfa\x5f\xee\x58\x00\x0d"
+ "\x23\xc9\x8d\xee\xc2\x3f\x27\xd8"
+ "\xd4\x43\xa5\xf8\x25\x71\x3f",
+ .len = 87,
+ }, { /* 5 blocks + 24 bytes */
+ .key = "\x8c\xf4\x4c\xe5\x91\x8f\x72\xe9"
+ "\x2f\xf8\xc0\x3c\x87\x76\x16\xa4"
+ "\x20\xab\x66\x39\x34\x10\xd6\x91"
+ "\xf1\x99\x2c\xf1\xd6\xc3\xda\x38"
+ "\xed\x2a\x4c\x80\xf4\xa5\x56\x28"
+ "\x1a\x1c\x79\x72\x6c\x93\x08\x86"
+ "\x8f\x8a\xaa\xcd\xf1\x8c\xca\xe7"
+ "\x0a\xe8\xee\x0c\x1c\xc2\xa8\xea",
+ .klen = 64,
+ .iv = "\x9a\x9e\xbc\xe4\xc9\xf3\xef\x9f"
+ "\xff\x82\x0e\x22\x8f\x80\x42\x76",
+ .ptext = "\xc1\xde\x66\x1a\x7e\x60\xd3\x3b"
+ "\x66\xd6\x29\x86\x99\xc6\xd7\xc8"
+ "\x29\xbf\x00\x57\xab\x21\x06\x24"
+ "\xd0\x92\xef\xe6\xb5\x1e\x20\xb9"
+ "\xb7\x7b\xd7\x18\x88\xf8\xd7\xe3"
+ "\x90\x61\xcd\x73\x2b\xa1\xb5\xc7"
+ "\x33\xef\xb5\xf2\x45\xf6\x92\x53"
+ "\x91\x98\xf8\x5a\x20\x75\x4c\xa8"
+ "\xf1\xf6\x01\x26\xbc\xba\x4c\xac"
+ "\xcb\xc2\x6d\xb6\x2c\x3c\x38\x61"
+ "\xe3\x98\x7f\x3e\x98\xbd\xec\xce"
+ "\xc0\xb5\x74\x23\x43\x24\x7b\x7e"
+ "\x3f\xed\xcb\xda\x88\x67\x6f\x9a",
+ .ctext = "\xeb\xdc\x6a\xb7\xd9\x5f\xa7\xfc"
+ "\x48\x75\x10\xef\xca\x65\xdc\x88"
+ "\xd0\x23\xde\x17\x5f\x3b\x61\xa2"
+ "\x15\x13\x81\x81\xf8\x57\x8b\x2a"
+ "\xe2\xc8\x49\xd1\xba\xed\xd6\xcb"
+ "\xed\x6f\x26\x69\x9b\xd2\xd2\x91"
+ "\x4e\xd7\x81\x20\x66\x38\x0c\x62"
+ "\x60\xcd\x01\x36\x97\x22\xf0\x5c"
+ "\xcf\x53\xc6\x58\xf5\x8b\x48\x0c"
+ "\xa5\x50\xc2\x73\xf9\x70\x60\x09"
+ "\x22\x69\xf3\x71\x74\x5d\xc9\xa0"
+ "\x9c\x79\xf9\xc4\x87\xac\xd7\x4b"
+ "\xac\x3c\xc6\xda\x81\x7a\xdd\x14",
+ .len = 104,
+ }, { /* 8 blocks + 25 bytes */
+ .key = "\x70\x18\x09\x93\x10\x3a\x0c\xa9"
+ "\x02\x0b\x11\x10\xae\x34\x98\xdb"
+ "\x10\xb5\xee\x8c\x49\xbc\x52\x8e"
+ "\x4b\xf7\x0a\x36\x16\x8a\xf7\x06"
+ "\xb5\x94\x52\x54\xb9\xc1\x4d\x20"
+ "\xa2\xf0\x6e\x19\x7f\x67\x1e\xaa"
+ "\x94\x6c\xee\x54\x19\xfc\x96\x95"
+ "\x04\x85\x00\x53\x7c\x39\x5f\xeb",
+ .klen = 64,
+ .iv = "\x36\x87\x8f\x9d\x74\xe9\x52\xfb"
+ "\xe1\x76\x16\x99\x61\x86\xec\x8f",
+ .ptext = "\x95\x08\xee\xfe\x87\xb2\x4f\x93"
+ "\x01\xee\xf3\x77\x0d\xbb\xfb\x26"
+ "\x3e\xb3\x34\x20\xee\x51\xd6\x40"
+ "\xb1\x64\xae\xd9\xfd\x71\x8f\x93"
+ "\xa5\x85\xff\x74\xcc\xd3\xfd\x5e"
+ "\xc2\xfc\x49\xda\xa8\x3a\x94\x29"
+ "\xa2\x59\x90\x34\x26\xbb\xa0\x34"
+ "\x5d\x47\x33\xf2\xa8\x77\x90\x98"
+ "\x8d\xfd\x38\x60\x23\x1e\x50\xa1"
+ "\x67\x4d\x8d\x09\xe0\x7d\x30\xe3"
+ "\xdd\x39\x91\xd4\x70\x68\xbb\x06"
+ "\x4e\x11\xb2\x26\x0a\x85\x73\xf6"
+ "\x37\xb6\x15\xd0\x77\xee\x43\x7b"
+ "\x77\x13\xe9\xb9\x84\x2b\x34\xab"
+ "\x49\xc1\x27\x91\x2e\xa3\xca\xe5"
+ "\xa7\x79\x45\xba\x36\x97\x49\x44"
+ "\xf7\x57\x9b\xd7\xac\xb3\xfd\x6a"
+ "\x1c\xd1\xfc\x1c\xdf\x6f\x94\xac"
+ "\x95\xf4\x50\x7a\xc8\xc3\x8c\x60"
+ "\x3c",
+ .ctext = "\xb6\xc8\xf9\x5d\x35\x5a\x0a\x33"
+ "\x2b\xd3\x5a\x18\x09\x1c\x1b\x0b"
+ "\x2a\x0e\xde\xf6\x0d\x04\xa6\xb3"
+ "\xa8\xe8\x1b\x86\x29\x58\x75\x56"
+ "\xab\xab\xbf\xbe\x1f\xb4\xc4\xf3"
+ "\xde\x1a\xb0\x87\x69\xac\x5b\x0c"
+ "\x1b\xb7\xc7\x24\xa4\x47\xe7\x81"
+ "\x2c\x0a\x82\xf9\x18\x5d\xe6\x09"
+ "\xe3\x65\x36\x54\x3d\x8a\x3a\x64"
+ "\x34\xf4\x34\x7f\x26\x3c\x1e\x3b"
+ "\x5a\x13\xdf\x7f\xa8\x2d\x81\xce"
+ "\xfa\xad\xd0\xb1\xca\xfa\xc3\x55"
+ "\x94\xc8\xb8\x16\x7e\xff\x44\x88"
+ "\xb4\x47\x4b\xfe\xda\x60\x68\x2e"
+ "\xfc\x70\xb5\xe3\xf3\xe9\x46\x22"
+ "\x1d\x98\x66\x09\x0f\xed\xbb\x20"
+ "\x7b\x8c\x2a\xff\x45\x62\xde\x9b"
+ "\x20\x2e\x6c\xb4\xe4\x26\x03\x72"
+ "\x8a\xb4\x19\xc9\xb1\xcf\x9d\x86"
+ "\xa3",
+ .len = 153,
+ }, { /* 0 blocks + 26 bytes */
+ .key = "\x5a\x38\x3f\x9c\x0c\x53\x17\x6c"
+ "\x60\x72\x23\x26\xba\xfe\xa1\xb7"
+ "\x03\xa8\xfe\xa0\x7c\xff\x78\x4c"
+ "\x7d\x84\x2f\x24\x84\x77\xec\x6f"
+ "\x88\xc8\x36\xe2\xcb\x52\x3c\xb4"
+ "\x39\xac\x37\xfa\x41\x8b\xc4\x59"
+ "\x24\x03\xe1\x51\xc9\x54\x7d\xb7"
+ "\xa3\xde\x91\x44\x8d\x16\x97\x22",
+ .klen = 64,
+ .iv = "\xfb\x7f\x3d\x60\x26\x0a\x3a\x3d"
+ "\xa5\xa3\x45\xf2\x24\x67\xfa\x6e",
+ .ptext = "\xfb\x56\x97\x65\x7c\xd8\x6c\x3c"
+ "\x5d\xd3\xea\xa6\xa4\x83\xf7\x9d"
+ "\x9d\x89\x2c\x85\xb8\xd9\xd4\xf0"
+ "\x1a\xad",
+ .ctext = "\xc9\x9b\x4b\xf2\xf7\x0f\x23\xfe"
+ "\xc3\x93\x88\xa1\xb3\x88\xab\xd6"
+ "\x26\x78\x82\xa6\x6b\x0b\x76\xad"
+ "\x21\x5e",
+ .len = 26,
+ }, { /* 0 blocks + 27 bytes */
+ .key = "\xc0\xcf\x57\xa2\x3c\xa2\x4b\xf6"
+ "\x5d\x36\x7b\xd7\x1d\x16\xc3\x2f"
+ "\x50\xc6\x0a\xb2\xfd\xe8\x24\xfc"
+ "\x33\xcf\x73\xfd\xe0\xe9\xa5\xd1"
+ "\x98\xfc\xd6\x16\xdd\xfd\x6d\xab"
+ "\x44\xbc\x37\x9d\xab\x5b\x1d\xf2"
+ "\x6f\x5d\xbe\x6b\x14\x14\xc7\x74"
+ "\xbb\x91\x24\x4b\x52\xcb\x78\x31",
+ .klen = 64,
+ .iv = "\x5c\xc1\x3d\xb6\xa1\x6a\x2d\x1f"
+ "\xee\x75\x19\x4b\x04\xfa\xe1\x7e",
+ .ptext = "\x02\x95\x3a\xab\xac\x3b\xcd\xcd"
+ "\x63\xc7\x4c\x7c\xe5\x75\xee\x03"
+ "\x94\xc7\xff\xe8\xe0\xe9\x86\x2a"
+ "\xd3\xc7\xe4",
+ .ctext = "\x8e\x84\x76\x8b\xc1\x47\x55\x15"
+ "\x5e\x51\xb3\xe2\x3f\x72\x4d\x20"
+ "\x09\x3f\x4f\xb1\xce\xf4\xb0\x14"
+ "\xf6\xa7\xb3",
+ .len = 27,
+ }, { /* 0 blocks + 28 bytes */
+ .key = "\x0b\x5b\x1d\xc8\xb1\x3f\x8f\xcd"
+ "\x87\xd2\x58\x28\x36\xc6\x34\xfb"
+ "\x04\xe8\xf1\xb7\x91\x30\xda\x75"
+ "\x66\x4a\x72\x90\x09\x39\x02\x19"
+ "\x62\x2d\xe9\x24\x95\x0e\x87\x43"
+ "\x4c\xc7\x96\xe4\xc9\x31\x6a\x13"
+ "\x16\x10\xef\x34\x9b\x98\x19\xf1"
+ "\x8b\x14\x38\x3f\xf8\x75\xcc\x76",
+ .klen = 64,
+ .iv = "\x0c\x2c\x55\x2c\xda\x40\xe1\xab"
+ "\xa6\x34\x66\x7a\xa4\xa3\xda\x90",
+ .ptext = "\xbe\x84\xd3\xfe\xe6\xb4\x29\x67"
+ "\xfd\x29\x78\x41\x3d\xe9\x81\x4e"
+ "\x3c\xf9\xf4\xf5\x3f\xd8\x0e\xcd"
+ "\x63\x73\x65\xf3",
+ .ctext = "\xd0\xa0\x16\x5f\xf9\x85\xd0\x63"
+ "\x9b\x81\xa1\x15\x93\xb3\x62\x36"
+ "\xec\x93\x0e\x14\x07\xf2\xa9\x38"
+ "\x80\x33\xc0\x20",
+ .len = 28,
+ }, { /* 0 blocks + 29 bytes */
+ .key = "\xdc\x4c\xdc\x20\xb1\x34\x89\xa4"
+ "\xd0\xb6\x77\x05\xea\x0c\xcc\x68"
+ "\xb1\xd6\xf7\xfd\xa7\x0a\x5b\x81"
+ "\x2d\x4d\xa3\x65\xd0\xab\xa1\x02"
+ "\x85\x4b\x33\xea\x51\x16\x50\x12"
+ "\x3b\x25\xba\x13\xba\x7c\xbb\x3a"
+ "\xe4\xfd\xb3\x9c\x88\x8b\xb8\x30"
+ "\x7a\x97\xcf\x95\x5d\x69\x7b\x1d",
+ .klen = 64,
+ .iv = "\xe7\x69\xed\xd2\x54\x5d\x4a\x29"
+ "\xb2\xd7\x60\x90\xa0\x0b\x0d\x3a",
+ .ptext = "\x37\x22\x11\x62\xa0\x74\x92\x62"
+ "\x40\x4e\x2b\x0a\x8b\xab\xd8\x28"
+ "\x8a\xd2\xeb\xa5\x8e\xe1\x42\xc8"
+ "\x49\xef\x9a\xec\x1b",
+ .ctext = "\x7c\x66\x72\x6b\xe3\xc3\x57\x71"
+ "\x37\x13\xce\x1f\x6b\xff\x13\x87"
+ "\x65\xa7\xa1\xc5\x23\x7f\xca\x40"
+ "\x82\xbf\x2f\xc0\x2a",
+ .len = 29,
+ }, { /* 0 blocks + 30 bytes */
+ .key = "\x72\x9a\xf5\x53\x55\xdd\x0f\xef"
+ "\xfc\x75\x6f\x03\x88\xc8\xba\x88"
+ "\xb7\x65\x89\x5d\x03\x86\x21\x22"
+ "\xb8\x42\x87\xd9\xa9\x83\x9e\x9c"
+ "\xca\x28\xa1\xd2\xb6\xd0\xa6\x6c"
+ "\xf8\x57\x42\x7c\x73\xfc\x7b\x0a"
+ "\xbc\x3c\x57\x7b\x5a\x39\x61\x55"
+ "\xb7\x25\xe9\xf1\xc4\xbb\x04\x28",
+ .klen = 64,
+ .iv = "\x8a\x38\x22\xba\xea\x5e\x1d\xa4"
+ "\x31\x18\x12\x5c\x56\x0c\x12\x50",
+ .ptext = "\x06\xfd\xbb\xa9\x2e\x56\x05\x5f"
+ "\xf2\xa7\x36\x76\x26\xd3\xb3\x49"
+ "\x7c\xe2\xe3\xbe\x1f\x65\xd2\x17"
+ "\x65\xe2\xb3\x0e\xb1\x93",
+ .ctext = "\xae\x1f\x19\x7e\x3b\xb3\x65\xcb"
+ "\x14\x70\x6b\x3c\xa0\x63\x95\x94"
+ "\x56\x52\xe1\xb4\x14\xca\x21\x13"
+ "\xb5\x03\x3f\xfe\xc9\x9f",
+ .len = 30,
+ }, { /* 0 blocks + 31 bytes */
+ .key = "\xce\x06\x45\x53\x25\x81\xd2\xb2"
+ "\xdd\xc9\x57\xfe\xbb\xf6\x83\x07"
+ "\x28\xd8\x2a\xff\x53\xf8\x57\xc6"
+ "\x63\x50\xd4\x3e\x2a\x54\x37\x51"
+ "\x07\x3b\x23\x63\x3c\x31\x57\x0d"
+ "\xd3\x59\x20\xf2\xd0\x85\xac\xc5"
+ "\x3f\xa1\x74\x90\x0a\x3f\xf4\x10"
+ "\x12\xf0\x1b\x2b\xef\xcb\x86\x74",
+ .klen = 64,
+ .iv = "\x6d\x3e\x62\x94\x75\x43\x74\xea"
+ "\xed\x4a\xa6\xde\xba\x55\x83\x38",
+ .ptext = "\x6a\xe6\xa3\x66\x7e\x78\xef\x42"
+ "\x8b\x28\x08\x24\xda\xd4\xd6\x42"
+ "\x3d\xb6\x48\x7e\x51\xa6\x92\x65"
+ "\x98\x86\x26\x98\x37\x42\xa5",
+ .ctext = "\x64\xc6\xfc\x60\x21\x87\x7a\xf5"
+ "\xc3\x1d\xba\x41\x3c\x9c\x8c\xe8"
+ "\x2d\x93\xf0\x02\x95\x6d\xfe\x8d"
+ "\x68\x17\x05\x75\xc0\xd3\xa8",
+ .len = 31,
}
};
--
1.8.3.1
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
http://www.insidesecure.com