Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp1162471ybi; Wed, 17 Jul 2019 10:29:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqwnHob850cFtHdfqYYQW8Hpr3dJ3zEScaByk8wY32K0Mr1Qx9CdmVn0IBu2xg0tudwRFY9R X-Received: by 2002:a17:90a:c70c:: with SMTP id o12mr19252040pjt.62.1563384558327; Wed, 17 Jul 2019 10:29:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563384558; cv=none; d=google.com; s=arc-20160816; b=z714gqcweJX6FShaEsnZM1CryVNGHJkz3Lxrno1FV6yuAeOyXJECCnmK5bI1C7m5OS 2gxyFD03LSxV3OPxqbHwOy/BoGZS6h5k5k6ht3eBiUh8LUYyIy22pQAr6xKi2Q4beQkY NFBDD8Kgj8yutiMSziQOGiFNzbEuqKyurn0X8wQkLfjfCNVOh2AN2nWbq6XJ3jlEgcw9 JO2mxpMC9kW5V8nHTRjorULSwocaGFJ2wb3mh2NnOSfji/ZjUPwinwC2UAm3xR6ygNLN 5No2NUzqFdcCol8JAC0OHi+NbtDyhKdpEN5JxsagIzJM/Vz7gFq97jrkdPLBZWbdc5gz iv3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=QH7fpsoQZuBsx41egF5Cw+nA0AkcE9rgYLhMvHbhsFw=; b=iQs++0ycay1YcdHe8OYCV+zHbP/vkFluHezQL8bbVOwOCnb53cdTAPbI+ED+Fc4b+r XaDol82RjhQgoxc0tKjWvhkYcX/wvJt3Ga84FQlpfUtsPxYN80PlkvKhBD9qOkzF7tk+ kS7HCYj/1iJOmIQvGPf8cSVANsckOZQQbZCFFX4YEU34aNOwRxVxFi3YflHmq7PcQUkc BZu2iDgIzX/4SGetvDjiQoFPcOJnOmGJxDhPi+rXM3VZQV+YEONBnqiOgw4enLvW+mcA 7Qj4fsLZI0GeObHONt04VFe97WIgMYTxLbXqUdhAXM0EeqsjLO+xon6GvJigCDPfBX2t eOXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="YE2wx4/J"; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v14si24292862pgl.386.2019.07.17.10.28.58; Wed, 17 Jul 2019 10:29:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="YE2wx4/J"; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388105AbfGQR21 (ORCPT + 99 others); Wed, 17 Jul 2019 13:28:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:47082 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726917AbfGQR21 (ORCPT ); Wed, 17 Jul 2019 13:28:27 -0400 Received: from gmail.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0DBBF21743; Wed, 17 Jul 2019 17:28:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1563384506; bh=N+UJ7GLw1U0qClVIF6cFvFlLcWkWCzd2SdKdwTn5VpA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=YE2wx4/JYyxfTYWWnmlWVt958TMYn6Zd2YSukcN8+ozrb3s30q6/tjIRem5IxCBFz 16VDbFDJWCXDGSqRqcwWIGSd7GyixZQb4Ow1a7rTmi7v1g4INAHoAq2mGopZuIrOG3 8Lv/qfkEpQfpvfDp+raa/I0/QqQ/wsFMMFuKNpRU= Date: Wed, 17 Jul 2019 10:28:24 -0700 From: Eric Biggers To: Horia Geanta Cc: Herbert Xu , "linux-crypto@vger.kernel.org" , "dm-devel@redhat.com" Subject: Re: xts fuzz testing and lack of ciphertext stealing support Message-ID: <20190717172823.GA205944@gmail.com> Mail-Followup-To: Horia Geanta , Herbert Xu , "linux-crypto@vger.kernel.org" , "dm-devel@redhat.com" References: <20190716221639.GA44406@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Jul 17, 2019 at 05:09:31PM +0000, Horia Geanta wrote: > On 7/17/2019 1:16 AM, Eric Biggers wrote: > > Hi Horia, > > > > On Tue, Jul 16, 2019 at 05:46:29PM +0000, Horia Geanta wrote: > >> Hi, > >> > >> With fuzz testing enabled, I am seeing xts(aes) failures on caam drivers. > >> > >> Below are several failures, extracted from different runs: > >> > >> [ 3.921654] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=40 klen=64"; expected_error=-22, cfg="random: inplace use_finup nosimd src_divs=[57.93%@+11, 37.18%@+164, 0.68%@+4, 0.50%@+305, 3.71%@alignmask+3975]" > >> > >> [ 3.726698] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=369 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@alignmask+584]" > >> > >> [ 3.741082] alg: skcipher: xts-aes-caam encryption unexpectedly succeeded on test vector "random: len=2801 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+6] iv_offset=18" > >> > >> It looks like the problem is not in CAAM driver. > >> More exactly, fuzz testing is generating random test vectors and running > >> them through both SW generic (crypto/xts.c) and CAAM implementation: > >> -SW generic implementation of xts(aes) does not support ciphertext stealing > >> and throws -EINVAL when input is not a multiple of AES block size (16B) > >> -caam has support for ciphertext stealing, and allows for any input size > >> which results in "unexpectedly succeeded" error messages. > >> > >> Any suggestion how this should be fixed? > >> > >> Thanks, > >> Horia > > > > I don't think drivers should allow inputs the generic implementation doesn't, > > since those inputs aren't tested by the crypto self-tests (so how do you know > How about implementation adding static test vectors and using them to validate > the standard feature set that's not supported by the generic implementation? > > > it's even correct?), and people could accidentally rely on the driver-specific > > behavior and then be unable to migrate to another platform or implementation. > > > People could also *intentionally* rely on a driver offering an implementation > that is closer to the spec / standard. > > > So for now I recommend just updating the caam driver to return -EINVAL on XTS > > inputs not evenly divisible by the block size. > > > I was hoping for something more constructive... > > > Of course, if there are actual use cases for XTS with ciphertext stealing in the > > kernel, we could add it to all the other implementations too. But I'm not aware > > of any currently. Don't all XTS users in the kernel pass whole blocks? > > > That's my guess too. > > What about user space relying on offloading and xts working > according to the spec? > Sure, AF_ALG users could expect ciphertext stealing to work. I don't know of any actual examples of people saying they want it, but it's possible. My point is simply that we add this, we need to find a way to support it in all implementations. It's not helpful to add it to only one specific driver, as then it's inconsistent and is untestable with the common tests. - Eric