2022-07-04 10:45:45

by Ignat Korchagin

Subject: [PATCH v2] crypto: testmgr - populate RSA CRT parameters in RSA test vectors

Changes from v1:
* replace some accidental spaces with tabs

In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem
for faster private key operations") we have started to use the additional
primes and coefficients for RSA private key operations. However, these
additional parameters are not present (defined as 0 integers) in the RSA
test vectors.

Some of the keys were borrowed from OpenSSL, so their CRT parameters could be taken from the original source. For one vector no public source could be found, so its parameters had to be recovered by implementing Appendix C of [1].

[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf

Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations")
Reported-by: Tasmiya Nalatwad <[email protected]>
Signed-off-by: Ignat Korchagin <[email protected]>
---
crypto/testmgr.h | 121 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 100 insertions(+), 21 deletions(-)

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 8e2dce86dd48..f1dffdace219 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -185,7 +185,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
{
#ifndef CONFIG_CRYPTO_FIPS
.key =
- "\x30\x81\x9A" /* sequence of 154 bytes */
+ "\x30\x82\x01\x38" /* sequence of 312 bytes */
"\x02\x01\x00" /* version - integer of 1 byte */
"\x02\x41" /* modulus - integer of 65 bytes */
"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
@@ -199,23 +199,36 @@ static const struct akcipher_testvec rsa_tv_template[] = {
"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"
- "\x02\x01\x00" /* prime1 - integer of 1 byte */
- "\x02\x01\x00" /* prime2 - integer of 1 byte */
- "\x02\x01\x00" /* exponent1 - integer of 1 byte */
- "\x02\x01\x00" /* exponent2 - integer of 1 byte */
- "\x02\x01\x00", /* coefficient - integer of 1 byte */
+ "\x02\x21" /* prime1 - integer of 33 bytes */
+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
+ "\x0D"
+ "\x02\x21" /* prime2 - integer of 33 bytes */
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+ "\x89"
+ "\x02\x20" /* exponent1 - integer of 32 bytes */
+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"
+ "\x02\x21" /* exponent2 - integer of 33 bytes */
+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
+ "\x51"
+ "\x02\x20" /* coefficient - integer of 32 bytes */
+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26",
.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
.c =
"\x63\x1c\xcd\x7b\xe1\x7e\xe4\xde\xc9\xa8\x89\xa1\x74\xcb\x3c\x63"
"\x7d\x24\xec\x83\xc3\x15\xe4\x7f\x73\x05\x34\xd1\xec\x22\xbb\x8a"
"\x5e\x32\x39\x6d\xc1\x1d\x7d\x50\x3b\x9f\x7a\xad\xf0\x2e\x25\x53"
"\x9f\x6e\xbd\x4c\x55\x84\x0c\x9b\xcf\x1a\x4b\x51\x1e\x9e\x0c\x06",
- .key_len = 157,
+ .key_len = 316,
.m_size = 8,
.c_size = 64,
}, {
.key =
- "\x30\x82\x01\x1D" /* sequence of 285 bytes */
+ "\x30\x82\x02\x5B" /* sequence of 603 bytes */
"\x02\x01\x00" /* version - integer of 1 byte */
"\x02\x81\x81" /* modulus - integer of 129 bytes */
"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
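Review bot: Nothing in this vector records where the new prime1/prime2/exponent1/exponent2/coefficient bytes came from, even though the commit message says one vector's CRT parameters were not copied from a published source but recomputed via SP 800-56Br1 Appendix C, and a reader cannot re-derive them by eye. A one-line provenance comment above `"\x02\x21" /* prime1 - integer of 33 bytes */` would help whoever next has to touch these, e.g. `/* CRT parameters recovered per NIST SP 800-56Br1 Appendix C */` if this is the recovered vector, or the name of the OpenSSL source otherwise. The self-test presumably still checks them indirectly, since a wrong CRT parameter would make the private operation on `.c` disagree with `.m`, but the comment is what tells a maintainer which value to trust when it does not.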
@@ -238,12 +251,35 @@ static const struct akcipher_testvec rsa_tv_template[] = {
"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
"\xC1"
- "\x02\x01\x00" /* prime1 - integer of 1 byte */
- "\x02\x01\x00" /* prime2 - integer of 1 byte */
- "\x02\x01\x00" /* exponent1 - integer of 1 byte */
- "\x02\x01\x00" /* exponent2 - integer of 1 byte */
- "\x02\x01\x00", /* coefficient - integer of 1 byte */
- .key_len = 289,
+ "\x02\x41" /* prime1 - integer of 65 bytes */
+ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+ "\x99"
+ "\x02\x41" /* prime2 - integer of 65 bytes */
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+ "\x03"
+ "\x02\x40" /* exponent1 - integer of 64 bytes */
+ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"
+ "\x02\x40" /* exponent2 - integer of 64 bytes */
+ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"
+ "\x02\x41", /* coefficient - integer of 65 bytes */
+ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+ "\xF7",
+ .key_len = 607,
.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
.c =
"\x74\x1b\x55\xac\x47\xb5\x08\x0a\x6e\x2b\x2d\xf7\x94\xb8\x8a\x95"
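Review bot: The `,` after `"\x02\x41"` on the coefficient line terminates the `.key` string literal there, so the six `"\x00\xB0…\xF7"` lines that follow are no longer part of the key; after a designated initializer a bare string becomes a positional initializer for the member that follows `key` in `struct akcipher_testvec` (evidently a pointer, since this compiles without a diagnostic). `.key_len = 607` still counts the full 603-byte SEQUENCE plus its 4-byte header, so `test_akcipher_one()` copies 607 bytes out of a literal that is now far shorter — the "Read of size 607" in the KASAN report later in this thread. Without KASAN the over-read lands in whatever the linker placed next in .rodata, which may well be the detached remainder of this very literal and would explain why the self-test passed in the author's runs. The fix is to drop the comma, `"\x02\x41" /* coefficient - integer of 65 bytes */`, keeping the one after the final `"\xF7"` line. This vector's initializer continues outside the hunk (`.c` and its closing brace).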
@@ -259,7 +295,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
}, {
#endif
.key =
- "\x30\x82\x02\x20" /* sequence of 544 bytes */
+ "\x30\x82\x04\xA3" /* sequence of 1187 bytes */
"\x02\x01\x00" /* version - integer of 1 byte */
"\x02\x82\x01\x01\x00" /* modulus - integer of 256 bytes */
"\xDB\x10\x1A\xC2\xA3\xF1\xDC\xFF\x13\x6B\xED\x44\xDF\xF0\x02\x6D"
@@ -296,12 +332,55 @@ static const struct akcipher_testvec rsa_tv_template[] = {
"\x62\xFF\xE9\x46\xB8\xD8\x44\xDB\xA5\xCC\x31\x54\x34\xCE\x3E\x82"
"\xD6\xBF\x7A\x0B\x64\x21\x6D\x88\x7E\x5B\x45\x12\x1E\x63\x8D\x49"
"\xA7\x1D\xD9\x1E\x06\xCD\xE8\xBA\x2C\x8C\x69\x32\xEA\xBE\x60\x71"
- "\x02\x01\x00" /* prime1 - integer of 1 byte */
- "\x02\x01\x00" /* prime2 - integer of 1 byte */
- "\x02\x01\x00" /* exponent1 - integer of 1 byte */
- "\x02\x01\x00" /* exponent2 - integer of 1 byte */
- "\x02\x01\x00", /* coefficient - integer of 1 byte */
- .key_len = 548,
+ "\x02\x81\x81" /* prime1 - integer of 129 bytes */
+ "\x00\xFA\xAC\xE1\x37\x5E\x32\x11\x34\xC6\x72\x58\x2D\x91\x06\x3E"
+ "\x77\xE7\x11\x21\xCD\x4A\xF8\xA4\x3F\x0F\xEF\x31\xE3\xF3\x55\xA0"
+ "\xB9\xAC\xB6\xCB\xBB\x41\xD0\x32\x81\x9A\x8F\x7A\x99\x30\x77\x6C"
+ "\x68\x27\xE2\x96\xB5\x72\xC9\xC3\xD4\x42\xAA\xAA\xCA\x95\x8F\xFF"
+ "\xC9\x9B\x52\x34\x30\x1D\xCF\xFE\xCF\x3C\x56\x68\x6E\xEF\xE7\x6C"
+ "\xD7\xFB\x99\xF5\x4A\xA5\x21\x1F\x2B\xEA\x93\xE8\x98\x26\xC4\x6E"
+ "\x42\x21\x5E\xA0\xA1\x2A\x58\x35\xBB\x10\xE7\xBA\x27\x0A\x3B\xB3"
+ "\xAF\xE2\x75\x36\x04\xAC\x56\xA0\xAB\x52\xDE\xCE\xDD\x2C\x28\x77"
+ "\x03"
+ "\x02\x81\x81" /* prime2 - integer of 129 bytes */
+ "\x00\xDF\xB7\x52\xB6\xD7\xC0\xE2\x96\xE7\xC9\xFE\x5D\x71\x5A\xC4"
+ "\x40\x96\x2F\xE5\x87\xEA\xF3\xA5\x77\x11\x67\x3C\x8D\x56\x08\xA7"
+ "\xB5\x67\xFA\x37\xA8\xB8\xCF\x61\xE8\x63\xD8\x38\x06\x21\x2B\x92"
+ "\x09\xA6\x39\x3A\xEA\xA8\xB4\x45\x4B\x36\x10\x4C\xE4\x00\x66\x71"
+ "\x65\xF8\x0B\x94\x59\x4F\x8C\xFD\xD5\x34\xA2\xE7\x62\x84\x0A\xA7"
+ "\xBB\xDB\xD9\x8A\xCD\x05\xE1\xCC\x57\x7B\xF1\xF1\x1F\x11\x9D\xBA"
+ "\x3E\x45\x18\x99\x1B\x41\x64\x43\xEE\x97\x5D\x77\x13\x5B\x74\x69"
+ "\x73\x87\x95\x05\x07\xBE\x45\x07\x17\x7E\x4A\x69\x22\xF3\xDB\x05"
+ "\x39"
+ "\x02\x81\x80" /* exponent1 - integer of 128 bytes */
+ "\x5E\xD8\xDC\xDA\x53\x44\xC4\x67\xE0\x92\x51\x34\xE4\x83\xA5\x4D"
+ "\x3E\xDB\xA7\x9B\x82\xBB\x73\x81\xFC\xE8\x77\x4B\x15\xBE\x17\x73"
+ "\x49\x9B\x5C\x98\xBC\xBD\x26\xEF\x0C\xE9\x2E\xED\x19\x7E\x86\x41"
+ "\x1E\x9E\x48\x81\xDD\x2D\xE4\x6F\xC2\xCD\xCA\x93\x9E\x65\x7E\xD5"
+ "\xEC\x73\xFD\x15\x1B\xA2\xA0\x7A\x0F\x0D\x6E\xB4\x53\x07\x90\x92"
+ "\x64\x3B\x8B\xA9\x33\xB3\xC5\x94\x9B\x4C\x5D\x9C\x7C\x46\xA4\xA5"
+ "\x56\xF4\xF3\xF8\x27\x0A\x7B\x42\x0D\x92\x70\x47\xE7\x42\x51\xA9"
+ "\xC2\x18\xB1\x58\xB1\x50\x91\xB8\x61\x41\xB6\xA9\xCE\xD4\x7C\xBB"
+ "\x02\x81\x80" /* exponent2 - integer of 128 bytes */
+ "\x54\x09\x1F\x0F\x03\xD8\xB6\xC5\x0C\xE8\xB9\x9E\x0C\x38\x96\x43"
+ "\xD4\xA6\xC5\x47\xDB\x20\x0E\xE5\xBD\x29\xD4\x7B\x1A\xF8\x41\x57"
+ "\x49\x69\x9A\x82\xCC\x79\x4A\x43\xEB\x4D\x8B\x2D\xF2\x43\xD5\xA5"
+ "\xBE\x44\xFD\x36\xAC\x8C\x9B\x02\xF7\x9A\x03\xE8\x19\xA6\x61\xAE"
+ "\x76\x10\x93\x77\x41\x04\xAB\x4C\xED\x6A\xCC\x14\x1B\x99\x8D\x0C"
+ "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7"
+ "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29"
+ "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31"
+ "\x02\x81\x81", /* coefficient - integer of 129 bytes */
+ "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78"
+ "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70"
+ "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77"
+ "\x5E\x0B\x4E\x5E\x03\x31\x30\xDF\xD6\xAE\x85\xD0\x81\xBB\x61\xC7"
+ "\xB1\x04\x5A\xC4\x6D\x56\x1C\xD9\x64\xE7\x85\x7F\x88\x91\xC9\x60"
+ "\x28\x05\xE2\xC6\x24\x8F\xDD\x61\x64\xD8\x09\xDE\x7E\xD3\x4A\x61"
+ "\x1A\xD3\x73\x58\x4B\xD8\xA0\x54\x25\x48\x83\x6F\x82\x6C\xAF\x36"
+ "\x51\x2A\x5D\x14\x2F\x41\x25\x00\xDD\xF8\xF3\x95\xFE\x31\x25\x50"
+ "\x12",
+ .key_len = 1191,
.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
.c =
"\xb2\x97\x76\xb4\xae\x3e\x38\x3c\x7e\x64\x1f\xcc\xa2\x7f\xf6\xbe"
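Review bot: The same stray comma appears after `"\x02\x81\x81"` on the coefficient line: the `.key` literal stops there, the nine `"\x00\x8D…\x12"` lines fall through to the next member of the initializer, and `.key_len = 1191` still counts them, so the test copies 1191 bytes from a literal that is roughly a third of that size. Unlike the two vectors above, this one follows the `#endif` of `#ifndef CONFIG_CRYPTO_FIPS`, so the over-read and the unparseable key hit FIPS builds as well; the KASAN report in this thread stops at test 2, and this vector would presumably fail the same way once that one is fixed. Drop the comma: `"\x02\x81\x81" /* coefficient - integer of 129 bytes */`. The vector's `.c` and closing brace continue outside the hunk.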
--
2.36.1


2022-07-08 08:06:00

by Herbert Xu

Subject: Re: [PATCH v2] crypto: testmgr - populate RSA CRT parameters in RSA test vectors

On Mon, Jul 04, 2022 at 11:38:40AM +0100, Ignat Korchagin wrote:
> Changes from v1:
> * replace some accidental spaces with tabs
>
> In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem
> for faster private key operations") we have started to use the additional
> primes and coefficients for RSA private key operations. However, these
> additional parameters are not present (defined as 0 integers) in the RSA
> test vectors.
>
> Some parameters were borrowed from OpenSSL, so I was able to find the
> source. I could not find the public source for 1 vector though, so had to
> recover the parameters by implementing Appendix C from [1].
>
> [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf
>
> Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations")
> Reported-by: Tasmiya Nalatwad <[email protected]>
> Signed-off-by: Ignat Korchagin <[email protected]>
> ---
> crypto/testmgr.h | 121 +++++++++++++++++++++++++++++++++++++++--------
> 1 file changed, 100 insertions(+), 21 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2022-07-16 06:24:59

by Eric Biggers

Subject: Re: [PATCH v2] crypto: testmgr - populate RSA CRT parameters in RSA test vectors

Hi Ignat,

On Mon, Jul 04, 2022 at 11:38:40AM +0100, Ignat Korchagin wrote:
> Changes from v1:
> * replace some accidental spaces with tabs
>
> In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem
> for faster private key operations") we have started to use the additional
> primes and coefficients for RSA private key operations. However, these
> additional parameters are not present (defined as 0 integers) in the RSA
> test vectors.
>
> Some parameters were borrowed from OpenSSL, so I was able to find the
> source. I could not find the public source for 1 vector though, so had to
> recover the parameters by implementing Appendix C from [1].
>
> [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf
>
> Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations")
> Reported-by: Tasmiya Nalatwad <[email protected]>
> Signed-off-by: Ignat Korchagin <[email protected]>

The rsa-generic self-tests are still failing even after this commit.
Additionally, there is now a KASAN out-of-bounds warning:

[ 3.199954] ==================================================================
[ 3.199961] BUG: KASAN: global-out-of-bounds in test_akcipher_one (crypto/testmgr.c:3996)
[ 3.199972] Read of size 607 at addr ffffffff82fae860 by task cryptomgr_test/352
[ 3.199977]
[ 3.199985] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
[ 3.199989] Call Trace:
[ 3.199990] <TASK>
[ 3.199993] show_stack (arch/x86/kernel/dumpstack.c:313)
[ 3.199999] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
[ 3.200004] print_address_description.constprop.0 (mm/kasan/report.c:314)
[ 3.200010] print_report.cold (mm/kasan/report.c:430)
[ 3.200015] ? test_akcipher_one (crypto/testmgr.c:3996)
[ 3.200019] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 3.200022] ? test_akcipher_one (crypto/testmgr.c:3996)
[ 3.200026] kasan_check_range (mm/kasan/generic.c:190)
[ 3.200030] memcpy (mm/kasan/shadow.c:65)
[ 3.200033] test_akcipher_one (crypto/testmgr.c:3996)
[ 3.200038] ? test_shash_vec_cfg (crypto/testmgr.c:3968)
[ 3.200043] ? crypto_create_tfm_node (crypto/api.c:501)
[ 3.200049] ? crypto_alloc_tfm_node (crypto/api.c:589)
[ 3.200053] alg_test_akcipher (crypto/testmgr.c:4158 crypto/testmgr.c:4181)
[ 3.200057] alg_test (crypto/testmgr.c:5790)
[ 3.200061] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5341)
[ 3.200067] ? alg_test_crc32c (crypto/testmgr.c:5745)
[ 3.200071] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5709)
[ 3.200075] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 3.200080] ? __kthread_parkme (./include/linux/instrumented.h:71 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:134 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
[ 3.200084] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
[ 3.200089] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
[ 3.200093] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 3.200097] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:51 (discriminator 22))
[ 3.200102] ? __kasan_check_read (mm/kasan/shadow.c:32)
[ 3.200106] ? __kthread_parkme (./arch/x86/include/asm/bitops.h:207 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
[ 3.200109] ? crypto_unregister_scomps (crypto/algboss.c:177)
[ 3.200113] cryptomgr_test (crypto/algboss.c:187)
[ 3.200117] kthread (kernel/kthread.c:376)
[ 3.200120] ? kthread_exit (kernel/kthread.c:335)
[ 3.200123] ret_from_fork (arch/x86/entry/entry_64.S:308)
[ 3.200128] </TASK>
[ 3.200130]
[ 3.200131] The buggy address belongs to the variable:
[ 3.200132] ecdsa_nist_p192_tv_template+0x360/0x1a20
[ 3.200137]
[ 3.200138] Memory state around the buggy address:
[ 3.200140] ffffffff82fae900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.200143] ffffffff82fae980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.200146] >ffffffff82faea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
[ 3.200147] ^
[ 3.200150] ffffffff82faea80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 02 f9 f9 f9
[ 3.200152] ffffffff82faeb00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.200154] ==================================================================
[ 3.200155] Disabling lock debugging due to kernel taint
[ 3.200190] alg: akcipher: test 2 failed for rsa-generic, err=-74
[ 3.200194] ------------[ cut here ]------------
[ 3.200196] alg: self-tests for rsa-generic (rsa) failed (rc=-74)
[ 3.200220] WARNING: CPU: 2 PID: 352 at crypto/testmgr.c:5804 alg_test (crypto/testmgr.c:5804 (discriminator 1))
[ 3.246192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
[ 3.247679] RIP: 0010:alg_test (crypto/testmgr.c:5804 (discriminator 1))
[ 3.248367] Code: 0f 85 e7 f8 d0 00 48 8b 95 c8 fe ff ff 44 89 c1 48 c7 c7 a0 a8 f4 82 44 89 85 c4 fe ff ff 48 8b b5 d0 fe ff ff e8 f

Code starting with the faulting instruction
===========================================
0: 0f 85 e7 f8 d0 00 jne 0xd0f8ed
6: 48 8b 95 c8 fe ff ff mov -0x138(%rbp),%rdx
d: 44 89 c1 mov %r8d,%ecx
10: 48 c7 c7 a0 a8 f4 82 mov $0xffffffff82f4a8a0,%rdi
17: 44 89 85 c4 fe ff ff mov %r8d,-0x13c(%rbp)
1e: 48 8b b5 d0 fe ff ff mov -0x130(%rbp),%rsi
25: e8 .byte 0xe8
26: 0f .byte 0xf
[ 3.251371] RSP: 0018:ffffc900023afd90 EFLAGS: 00010286
[ 3.252226] RAX: 0000000000000000 RBX: 1ffff92000475fb9 RCX: 0000000000000000
[ 3.253380] RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffff52000475fa2
[ 3.254552] RBP: ffffc900023afef0 R08: 0000000000000001 R09: ffff88806d5275cb
[ 3.255718] R10: ffffed100daa4eb9 R11: 000000000000000a R12: 00000000000000b8
[ 3.256871] R13: 00000000000000b9 R14: 00000000000000b8 R15: 00000000000000b9
[ 3.258042] FS: 0000000000000000(0000) GS:ffff88806d500000(0000) knlGS:0000000000000000
[ 3.259350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.260272] CR2: 0000000000000000 CR3: 0000000003415000 CR4: 00000000003506e0
[ 3.261448] Call Trace:
[ 3.261869] <TASK>
[ 3.262220] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5341)
[ 3.262966] ? alg_test_crc32c (crypto/testmgr.c:5745)
[ 3.263628] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5709)
[ 3.264340] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 3.265151] ? __kthread_parkme (./include/linux/instrumented.h:71 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:134 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
[ 3.265823] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
[ 3.266578] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
[ 3.267301] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 3.268103] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:51 (discriminator 22))
[ 3.268782] ? __kasan_check_read (mm/kasan/shadow.c:32)
[ 3.269468] ? __kthread_parkme (./arch/x86/include/asm/bitops.h:207 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
[ 3.270142] ? crypto_unregister_scomps (crypto/algboss.c:177)
[ 3.270954] cryptomgr_test (crypto/algboss.c:187)
[ 3.270961] kthread (kernel/kthread.c:376)
[ 3.270967] ? kthread_exit (kernel/kthread.c:335)
[ 3.270971] ret_from_fork (arch/x86/entry/entry_64.S:308)
[ 3.270976] </TASK>
[ 3.270978] irq event stamp: 265
[ 3.270980] hardirqs last enabled at (265): _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 3.270987] hardirqs last disabled at (264): _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:108 kernel/locking/spinlock.c:162)
[ 3.270992] softirqs last enabled at (0): copy_process (kernel/fork.c:2186)
[ 3.270999] softirqs last disabled at (0): 0x0
[ 3.271002] ---[ end trace 0000000000000000 ]---

2022-07-16 23:11:54

by Ignat Korchagin

Subject: Re: [PATCH v2] crypto: testmgr - populate RSA CRT parameters in RSA test vectors

Hi Eric,

On Sat, Jul 16, 2022 at 7:16 AM Eric Biggers <[email protected]> wrote:
>
> Hi Ignat,
>
> On Mon, Jul 04, 2022 at 11:38:40AM +0100, Ignat Korchagin wrote:
> > Changes from v1:
> > * replace some accidental spaces with tabs
> >
> > In commit f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem
> > for faster private key operations") we have started to use the additional
> > primes and coefficients for RSA private key operations. However, these
> > additional parameters are not present (defined as 0 integers) in the RSA
> > test vectors.
> >
> > Some parameters were borrowed from OpenSSL, so I was able to find the
> > source. I could not find the public source for 1 vector though, so had to
> > recover the parameters by implementing Appendix C from [1].
> >
> > [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf
> >
> > Fixes: f145d411a67e ("crypto: rsa - implement Chinese Remainder Theorem for faster private key operations")
> > Reported-by: Tasmiya Nalatwad <[email protected]>
> > Signed-off-by: Ignat Korchagin <[email protected]>
>
> The rsa-generic self-tests are still failing even after this commit.
> Additionally, there is now a KASAN out-of-bounds warning:

I can see that the test vector has an extra comma in the middle (my
typo). Not sure why it didn't affect my testing or the testing of the
other folks who reported the original error. Will send a fix.

Ignat

> [ 3.199954] ==================================================================
> [ 3.199961] BUG: KASAN: global-out-of-bounds in test_akcipher_one (crypto/testmgr.c:3996)
> [ 3.199972] Read of size 607 at addr ffffffff82fae860 by task cryptomgr_test/352
> [ 3.199977]
> [ 3.199985] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
> [ 3.199989] Call Trace:
> [ 3.199990] <TASK>
> [ 3.199993] show_stack (arch/x86/kernel/dumpstack.c:313)
> [ 3.199999] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
> [ 3.200004] print_address_description.constprop.0 (mm/kasan/report.c:314)
> [ 3.200010] print_report.cold (mm/kasan/report.c:430)
> [ 3.200015] ? test_akcipher_one (crypto/testmgr.c:3996)
> [ 3.200019] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
> [ 3.200022] ? test_akcipher_one (crypto/testmgr.c:3996)
> [ 3.200026] kasan_check_range (mm/kasan/generic.c:190)
> [ 3.200030] memcpy (mm/kasan/shadow.c:65)
> [ 3.200033] test_akcipher_one (crypto/testmgr.c:3996)
> [ 3.200038] ? test_shash_vec_cfg (crypto/testmgr.c:3968)
> [ 3.200043] ? crypto_create_tfm_node (crypto/api.c:501)
> [ 3.200049] ? crypto_alloc_tfm_node (crypto/api.c:589)
> [ 3.200053] alg_test_akcipher (crypto/testmgr.c:4158 crypto/testmgr.c:4181)
> [ 3.200057] alg_test (crypto/testmgr.c:5790)
> [ 3.200061] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5341)
> [ 3.200067] ? alg_test_crc32c (crypto/testmgr.c:5745)
> [ 3.200071] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5709)
> [ 3.200075] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> [ 3.200080] ? __kthread_parkme (./include/linux/instrumented.h:71 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:134 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
> [ 3.200084] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
> [ 3.200089] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
> [ 3.200093] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> [ 3.200097] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:51 (discriminator 22))
> [ 3.200102] ? __kasan_check_read (mm/kasan/shadow.c:32)
> [ 3.200106] ? __kthread_parkme (./arch/x86/include/asm/bitops.h:207 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
> [ 3.200109] ? crypto_unregister_scomps (crypto/algboss.c:177)
> [ 3.200113] cryptomgr_test (crypto/algboss.c:187)
> [ 3.200117] kthread (kernel/kthread.c:376)
> [ 3.200120] ? kthread_exit (kernel/kthread.c:335)
> [ 3.200123] ret_from_fork (arch/x86/entry/entry_64.S:308)
> [ 3.200128] </TASK>
> [ 3.200130]
> [ 3.200131] The buggy address belongs to the variable:
> [ 3.200132] ecdsa_nist_p192_tv_template+0x360/0x1a20
> [ 3.200137]
> [ 3.200138] Memory state around the buggy address:
> [ 3.200140] ffffffff82fae900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 3.200143] ffffffff82fae980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 3.200146] >ffffffff82faea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
> [ 3.200147] ^
> [ 3.200150] ffffffff82faea80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 02 f9 f9 f9
> [ 3.200152] ffffffff82faeb00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
> [ 3.200154] ==================================================================
> [ 3.200155] Disabling lock debugging due to kernel taint
> [ 3.200190] alg: akcipher: test 2 failed for rsa-generic, err=-74
> [ 3.200194] ------------[ cut here ]------------
> [ 3.200196] alg: self-tests for rsa-generic (rsa) failed (rc=-74)
> [ 3.200220] WARNING: CPU: 2 PID: 352 at crypto/testmgr.c:5804 alg_test (crypto/testmgr.c:5804 (discriminator 1))
> [ 3.246192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
> [ 3.247679] RIP: 0010:alg_test (crypto/testmgr.c:5804 (discriminator 1))
> [ 3.248367] Code: 0f 85 e7 f8 d0 00 48 8b 95 c8 fe ff ff 44 89 c1 48 c7 c7 a0 a8 f4 82 44 89 85 c4 fe ff ff 48 8b b5 d0 fe ff ff e8 f
>
> Code starting with the faulting instruction
> ===========================================
> 0: 0f 85 e7 f8 d0 00 jne 0xd0f8ed
> 6: 48 8b 95 c8 fe ff ff mov -0x138(%rbp),%rdx
> d: 44 89 c1 mov %r8d,%ecx
> 10: 48 c7 c7 a0 a8 f4 82 mov $0xffffffff82f4a8a0,%rdi
> 17: 44 89 85 c4 fe ff ff mov %r8d,-0x13c(%rbp)
> 1e: 48 8b b5 d0 fe ff ff mov -0x130(%rbp),%rsi
> 25: e8 .byte 0xe8
> 26: 0f .byte 0xf
> [ 3.251371] RSP: 0018:ffffc900023afd90 EFLAGS: 00010286
> [ 3.252226] RAX: 0000000000000000 RBX: 1ffff92000475fb9 RCX: 0000000000000000
> [ 3.253380] RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffff52000475fa2
> [ 3.254552] RBP: ffffc900023afef0 R08: 0000000000000001 R09: ffff88806d5275cb
> [ 3.255718] R10: ffffed100daa4eb9 R11: 000000000000000a R12: 00000000000000b8
> [ 3.256871] R13: 00000000000000b9 R14: 00000000000000b8 R15: 00000000000000b9
> [ 3.258042] FS: 0000000000000000(0000) GS:ffff88806d500000(0000) knlGS:0000000000000000
> [ 3.259350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 3.260272] CR2: 0000000000000000 CR3: 0000000003415000 CR4: 00000000003506e0
> [ 3.261448] Call Trace:
> [ 3.261869] <TASK>
> [ 3.262220] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5341)
> [ 3.262966] ? alg_test_crc32c (crypto/testmgr.c:5745)
> [ 3.263628] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5709)
> [ 3.264340] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> [ 3.265151] ? __kthread_parkme (./include/linux/instrumented.h:71 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:134 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
> [ 3.265823] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
> [ 3.266578] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
> [ 3.267301] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> [ 3.268103] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:51 (discriminator 22))
> [ 3.268782] ? __kasan_check_read (mm/kasan/shadow.c:32)
> [ 3.269468] ? __kthread_parkme (./arch/x86/include/asm/bitops.h:207 (discriminator 4) ./include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 4) kernel/kthread.c:270 (discriminator 4))
> [ 3.270142] ? crypto_unregister_scomps (crypto/algboss.c:177)
> [ 3.270954] cryptomgr_test (crypto/algboss.c:187)
> [ 3.270961] kthread (kernel/kthread.c:376)
> [ 3.270967] ? kthread_exit (kernel/kthread.c:335)
> [ 3.270971] ret_from_fork (arch/x86/entry/entry_64.S:308)
> [ 3.270976] </TASK>
> [ 3.270978] irq event stamp: 265
> [ 3.270980] hardirqs last enabled at (265): _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:45 ./arch/x86/include/asm/irqflags.h:80 ./arch/x86/include/asm/irqflags.h:138 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> [ 3.270987] hardirqs last disabled at (264): _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:108 kernel/locking/spinlock.c:162)
> [ 3.270992] softirqs last enabled at (0): copy_process (kernel/fork.c:2186)
> [ 3.270999] softirqs last disabled at (0): 0x0
> [ 3.271002] ---[ end trace 0000000000000000 ]---