Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3358457yba;
        Sat, 18 May 2019 15:29:24 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyGOsyuqy0nkMdtVobl79JxC1n66k55Zyl4TZfK9bSoozETFYpgpMLohnwG9fIaUAZelT0J
X-Received: by 2002:a17:902:683:: with SMTP id 3mr23712830plh.209.1558218564787;
        Sat, 18 May 2019 15:29:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558218564; cv=none;
        d=google.com; s=arc-20160816;
        b=uhEPc2otzGVmEO1JhmYurLmDZ2Go5e25FycifsahZZuXpmGA+mF28k2Ma2gSlWLjzz
         DEdl0XrFnNt6lbGd6yS8pGGegpw/moJ6sWowihOLEhf8J+xpY6+shnLArxvay8CTZOSs
         FMV0Uq5TayZrn1hrKoR8MPpZ9ssEf1XhJY76bZj7wL5j/QByRaMAEpZSU10T1hGtmkMK
         AENLNBvZTTsxJmg9R3yi1dzDlREa2imHxRf6SEOg2E3y6QjNSuw8O/w5EZt4Jly6/lIH
         jVjpxD1zMKI4ge4Xelyf0rJJnRw1V3M+Cbn1AYow2X+Ho9FSM1dLKKPXXwF872t688xh
         k5tg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=sNp6b5dpW/u2WCf13x4ZaXrCaOGrpOeb4TFEC/fkDD8=;
        b=hZpRxsQskX5nl412NQCrUOYMU2uG690I/RULHuFRcrofePX9M167qRolpAJJrRtt5Z
         yWIbKp9ObG5Z3HJXNU0/i/JdD0uzvpCh8p3jZJhXTcezwgYfbaFXhtufgIscG+c5IZgi
         ZksMDB4OrtPHW9MoFT+5YFIn+O2+VjrGrugPESUBDONJUlc7klqCp1KzR466NzcNHn/y
         lE68DIBS3o160iJHs0UMHNwJ3wCZLX0A0+t3OFa/+of883sKkXUqWrzoPcXEeTAamUU/
         eS3hh+mw25kmK7rfAuUwNDckc3UaJFCImXh9Zt0vBnsTplGgud5COmuyQJ2lS3Ery0HN
         1PeA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=BzsYIlJl;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t1si13377540pgh.406.2019.05.18.15.28.56;
        Sat, 18 May 2019 15:29:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=BzsYIlJl;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727008AbfERWUt (ORCPT <rfc822;nullstelllensatz@gmail.com>
        + 99 others); Sat, 18 May 2019 18:20:49 -0400
Received: from mail.kernel.org ([198.145.29.99]:41786 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726777AbfERWUs (ORCPT <rfc822;linux-crypto@vger.kernel.org>);
        Sat, 18 May 2019 18:20:48 -0400
Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id E4FC120848;
        Sat, 18 May 2019 22:20:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1558218048;
        bh=FWB8o9hJXRs9/f3k+SAZiT620GgvbBJxzutwvrug9lA=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=BzsYIlJll0Drj/jsErYq00QuhkHcL93qP4q7thB0YHMm4JVARe7FGRxgiKr3EB0lN
         yOR4WfAt+Lzmj5QZ4yUr9m5R5SWzVvgXfV14Um+jUmbnMCJK2e08thpKAVte2k+myj
         +jwcw636lpOOAnQV/SInS5FksSC9mXdMdFz38OlM=
Date:   Sat, 18 May 2019 15:20:46 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Christian Lamparter <chunkeey@gmail.com>
Cc:     linux-crypto@vger.kernel.org,
        Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [RFC PATCH] crypto: skcipher - perform len fits into blocksize
 check at the top
Message-ID: <20190518222045.GA3119@sol.localdomain>
References: <20190518213035.21699-1-chunkeey@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190518213035.21699-1-chunkeey@gmail.com>
User-Agent: Mutt/1.11.4 (2019-03-13)
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Christian,

On Sat, May 18, 2019 at 11:30:35PM +0200, Christian Lamparter wrote:
> This patch adds early check to test the given data length
> is aligned with the supported ciphers blocksize, or abort
> with -EINVAL in case the supplied chunk size does not fit
> without padding into the blocksize for block ciphers.
> 
> Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
> 
> ---
> 
> This will also work instead of the
> "crypto: crypto4xx - blockciphers should only accept complete blocks"
> It will fix all potential driver issues in other drivers as well as
> break the drivers that don't have the correct blocksize set. it will
> also make the extra checks scattered around in the drivers make
> redundand as well as the extra tests that do send incomplete blocks
> to the hardware drivers.
> ---
>  include/crypto/skcipher.h | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
> index e555294ed77f..971294602a41 100644
> --- a/include/crypto/skcipher.h
> +++ b/include/crypto/skcipher.h
> @@ -494,6 +494,8 @@ static inline int crypto_skcipher_encrypt(struct skcipher_request *req)
>  	crypto_stats_get(alg);
>  	if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
>  		ret = -ENOKEY;
> +	else if (!IS_ALIGNED(cryptlen, crypto_skcipher_blocksize(tfm)))
> +		ret = -EINVAL;
>  	else
>  		ret = tfm->encrypt(req);
>  	crypto_stats_skcipher_encrypt(cryptlen, ret, alg);
> @@ -521,6 +523,8 @@ static inline int crypto_skcipher_decrypt(struct skcipher_request *req)
>  	crypto_stats_get(alg);
>  	if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
>  		ret = -ENOKEY;
> +	else if (!IS_ALIGNED(cryptlen, crypto_skcipher_blocksize(tfm)))
> +		ret = -EINVAL;
>  	else
>  		ret = tfm->decrypt(req);
>  	crypto_stats_skcipher_decrypt(cryptlen, ret, alg);
> -- 

Unfortunately this doesn't work because there are some skcipher algorithms
("cts" and "adiantum") that set cra_blocksize to their minimum message length
(16) rather than their length alignment requirement (1).  I.e., these algorithms
support all messages with length >= 16 bytes.

So before we can add this check, we need to get this straightened out.

I actually don't think "block size" should be a property of all crypto
algorithms at all, e.g. for skciphers we should instead have "min_msgsize" and
"msgsize_alignment".  The notion of "block size" is not meaningful for
length-preserving encryption algorithms in general, let alone all crypto
algorithms.  But unfortunately "block size" is pretty deeply embedded into the
crypto API, so it doesn't look easy to fix this...  Maybe for skciphers we could
get away with it always meaning the msgsize_alignment, though.

- Eric