Received: by 2002:a17:90a:2044:0:0:0:0 with SMTP id n62csp528597pjc; Mon, 20 May 2019 11:17:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqysLRnYv8275DeRswj9e+L5lwr5I+bHJmNjWuawyhBnmeVho1zaFk6HnXY+gsjA39fnZ6ok X-Received: by 2002:a17:902:4623:: with SMTP id o32mr57682845pld.276.1558376276038; Mon, 20 May 2019 11:17:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558376276; cv=none; d=google.com; s=arc-20160816; b=LlnigklnQSivyJp9e4tt417SnBQrt5D9LFI0VXV6iqOUpuvPtTiL31+Ui3KfJJhrkP F0SAbskwAeyXC82YpbvHWJxxh9Gp9SwfIE4XQly9Xpve4AgIHEBmD/L3EERblgUHqYNA IWBZvPr5SCCVcedkBd1ceODoaBEvkaqqC2HzESlYSJzVmXo9KoP9Q8PB/lJi97hPnryO P4BwGlkt8Dw3+aiQA7U1zXkZws2rbuMop5RtG1hS91KW+BXIC4jG3QjaYxc5zcShfPPc icWmseK82xTD+eYv/TaNVgaGIrKRJkBRLPYueMDh7bUrIY0h/sM7gy0rA2N4G3+Tda47 K70g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=5AW7KFoRnzfMFp4JA904nHKcv1lA0cf9QFmoapyzveI=; b=YPoHBCCkOaXlkh+iwSliWqyr+6Sl16x6tlxebUALKXTV49IJKwJva9qiTeCNBo7oRm UK5uzZdkBzwz5NVWoMzb0yAkL7cnEkaCZmAJF1kkVwdlZU4RX9s8fqsdaLbvA5xiGW0x jBULAIGbB7TGOrsgiMOoFeWZekHnhb0NLU6VQJX2fBJ4HtGHZKEXYwXiEyuX8capEM1T cE6Ayx11/AQW4CQhYC1uoZbZbNziMPgRTb0PWzEVP6F8bkH6TaJPOPOlFZ5OhVZDmacQ Jt0DwF5YA6HBKP0fYbxwJSEr1Ng4JYMp+ga2yiMsUwRyQ5JQ+/vTbt83f/g2cqp92Vld m+dg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=I0kYMPWM; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si20797907pfa.240.2019.05.20.11.17.40; Mon, 20 May 2019 11:17:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=I0kYMPWM; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392628AbfETQjM (ORCPT + 99 others); Mon, 20 May 2019 12:39:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:48064 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392622AbfETQjL (ORCPT ); Mon, 20 May 2019 12:39:11 -0400 Received: from gmail.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6F230214DA; Mon, 20 May 2019 16:39:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558370350; bh=ISo06FCJrG9k2nLXbAzv522hQDENE46NAA1tXip5Ako=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=I0kYMPWMpCmIFiFdE9bDFcr62ej78ewiWNnyHJT5Gm3GZEvbU+6w19XfssuSMsewm QfPxL21SH//mf2pBpU6UgGtqE+W3P9hWs+I83pSwIYO5dD4+NTuhgTVXmEfB6yvR78 FSkBHcBwvd9IMlkfd2Xvd2GpWXadm+SMCYeMdy/w= Date: Mon, 20 May 2019 09:39:08 -0700 From: Eric Biggers To: Daniel Axtens Cc: mpe@ellerman.id.au, linux-crypto@vger.kernel.org, Herbert Xu , marcelo.cerri@canonical.com, Stephan Mueller , leo.barbosa@canonical.com, linuxppc-dev@lists.ozlabs.org, nayna@linux.ibm.com, pfsmorigo@gmail.com, leitao@debian.org, gcwilson@linux.ibm.com, omosnacek@gmail.com Subject: Re: [PATCH] crypto: vmx - CTR: always increment IV as quadword Message-ID: <20190520163907.GA119750@gmail.com> References: <20190515102450.30557-1-dja@axtens.net> <87r28tzy1i.fsf@dja-thinkpad.axtens.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87r28tzy1i.fsf@dja-thinkpad.axtens.net> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, May 20, 2019 at 11:59:05AM +1000, Daniel Axtens wrote: > Daniel Axtens writes: > > > The kernel self-tests picked up an issue with CTR mode: > > alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep" > > > > Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so > > after 3 increments it should wrap around to 0. > > > > In the aesp8-ppc code from OpenSSL, there are two paths that > > increment IVs: the bulk (8 at a time) path, and the individual > > path which is used when there are fewer than 8 AES blocks to > > process. > > > > In the bulk path, the IV is incremented with vadduqm: "Vector > > Add Unsigned Quadword Modulo", which does 128-bit addition. > > > > In the individual path, however, the IV is incremented with > > vadduwm: "Vector Add Unsigned Word Modulo", which instead > > does 4 32-bit additions. Thus the IV would instead become > > FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result. > > > > Use vadduqm. > > > > This was probably a typo originally, what with q and w being > > adjacent. It is a pretty narrow edge case: I am really > > impressed by the quality of the kernel self-tests! > > > > Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM") > > Cc: stable@vger.kernel.org > > Signed-off-by: Daniel Axtens > > > > --- > > > > I'll pass this along internally to get it into OpenSSL as well. > > I passed this along to OpenSSL and got pretty comprehensively schooled: > https://github.com/openssl/openssl/pull/8942 > > It seems we tweak the openssl code to use a 128-bit counter, whereas > the original code was in fact designed for a 32-bit counter. We must > have changed the vaddu instruction in the bulk path but not in the > individual path, as they're both vadduwm (4x32-bit) upstream. > > I think this change is still correct with regards to the kernel, > but I guess it's probably something where I should have done a more > thorough read of the documentation before diving in to the code, and > perhaps we should note it in the code somewhere too. Ah well. > > Regards, > Daniel > Ah, I didn't realize there are multiple conventions for CTR. Yes, all CTR implementations in the kernel follow the 128-bit convention, and evidently the test vectors test for that. Apparently the VMX OpenSSL code got incompletely changed from the 32-bit convention by this commit, so that's what you're fixing: commit 1d4aa0b4c1816e8ca92a6aadb0d8f6b43c56c0d0 Author: Leonidas Da Silva Barbosa Date: Fri Aug 14 10:12:22 2015 -0300 crypto: vmx - Fixing AES-CTR counter bug AES-CTR is using a counter 8bytes-8bytes what miss match with kernel specs. In the previous code a vadduwm was done to increment counter. Replacing this for a vadduqm now considering both cases counter 8-8 bytes and full 16bytes. A comment in the code would indeed be helpful. Note that the kernel doesn't currently need a 32-bit CTR implementation for GCM like OpenSSL does, because the kernel currently only supports 12-byte IVs with GCM. So the low 32 bits of the counter start at 1 and don't overflow, regardless of whether the counter is incremented mod 2^32 or mod 2^128. - Eric