Date: Tue, 16 Jul 2019 15:16:41 -0700
From: Eric Biggers
To: Horia Geanta
Cc: Herbert Xu, "linux-crypto@vger.kernel.org"
Subject: Re: xts fuzz testing and lack of ciphertext stealing support
Message-ID: <20190716221639.GA44406@gmail.com>

Hi Horia,

On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote:
> Hi,
>
> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers.
>
> Below are several failures, extracted from different runs:
>
> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, 0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]"
>
> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]"
>
> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18"
>
> It looks like the problem is not in CAAM driver.
> More exactly, fuzz testing is generating random test vectors and running
> them through both SW generic (crypto/xts.c) and CAAM implementation:
> -SW generic implementation of xts(aes) does not support ciphertext stealing
> and throws -EINVAL when input is not a multiple of AES block size (16B)
> -caam has support for ciphertext stealing, and allows for any input size
> which results in "unexpectedly succeeded" error messages.
>
> Any suggestion how this should be fixed?
>
> Thanks,
> Horia

I don't think drivers should allow inputs the generic implementation doesn't,
since those inputs aren't tested by the crypto self-tests (so how do you know
it's even correct?), and people could accidentally rely on the driver-specific
behavior and then be unable to migrate to another platform or implementation.

So for now I recommend just updating the caam driver to return -EINVAL on XTS
inputs not evenly divisible by the block size.

Of course, if there are actual use cases for XTS with ciphertext stealing in the
kernel, we could add it to all the other implementations too. But I'm not aware
of any currently. Don't all XTS users in the kernel pass whole blocks?

- Eric
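
A triage of the failure lines quoted in the thread above, as an added example that is not part of the original message or of the kernel's self-test code: it parses each "unexpectedly succeeded" line and checks whether the input length is a non-multiple of the 16-byte AES block, the case the generic xts implementation rejects with -EINVAL. The function name `triage` is hypothetical, and the log strings are abridged copies of the quoted lines (the `cfg=` part is dropped).

```python
import errno
import re

AES_BLOCK_SIZE = 16  # xts(aes) without ciphertext stealing needs whole blocks

# Abridged copies of the three dmesg lines quoted in the thread (cfg=... dropped).
SAMPLE_LOG = [
    '[ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded '
    'on test vector "random: len=40 klen=64"; expected_error=-22',
    '[ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded '
    'on test vector "random: len=369 klen=64"; expected_error=-22',
    '[ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded '
    'on test vector "random: len=2801 klen=64"; expected_error=-22',
]

FAIL_RE = re.compile(
    r'alg: skcipher: (?P<driver>\S+) (?P<op>encryption|decryption) '
    r'unexpectedly succeeded on test vector "random: len=(?P<len>\d+) '
    r'klen=(?P<klen>\d+)"; expected_error=(?P<err>-?\d+)'
)


def triage(lines):
    """Return one finding per 'unexpectedly succeeded' line.

    cts_only is True when the reference implementation expected -EINVAL and
    the length has a partial final block, i.e. the driver accepted an input
    that only works with ciphertext stealing.
    """
    findings = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m is None:
            continue  # not a fuzz-comparison mismatch of this kind
        length = int(m["len"])
        tail = length % AES_BLOCK_SIZE
        findings.append({
            "driver": m["driver"],
            "op": m["op"],
            "len": length,
            "tail_bytes": tail,
            "cts_only": int(m["err"]) == -errno.EINVAL and tail != 0,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```
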