From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: Pascal Van Leeuwen
Subject: [PATCH 3/7] crypto: testmgr - don't try to decrypt uninitialized buffers
Date: Sun, 1 Dec 2019 13:53:26 -0800
Message-Id: <20191201215330.171990-4-ebiggers@kernel.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191201215330.171990-1-ebiggers@kernel.org>
References: <20191201215330.171990-1-ebiggers@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-crypto@vger.kernel.org

From: Eric Biggers

Currently if the comparison fuzz tests encounter an encryption error
when generating an skcipher or AEAD test vector, they will still test
the decryption side (passing it the uninitialized ciphertext buffer)
and expect it to fail with the same error.

This is sort of broken because it's not well-defined usage of the API
to pass an uninitialized buffer, and furthermore in the AEAD case it's
acceptable for the decryption error to be EBADMSG (meaning "inauthentic
input") even if the encryption error was something else like EINVAL.

Fix this for skcipher by explicitly initializing the ciphertext buffer
on error, and for AEAD by skipping the decryption test on error.

Reported-by: Pascal Van Leeuwen
Fixes: d435e10e67be ("crypto: testmgr - fuzz skciphers against their generic implementation")
Fixes: 40153b10d91c ("crypto: testmgr - fuzz AEADs against their generic implementation")
Signed-off-by: Eric Biggers
---
 crypto/testmgr.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 85d720a57bb0..a8940415512f 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -2102,6 +2102,7 @@ static void generate_random_aead_testvec(struct aead_request *req, * If the key or authentication tag size couldn't be set, no need to * continue to encrypt. */ + vec->crypt_error = 0; if (vec->setkey_error || vec->setauthsize_error) goto done; 
@@ -2245,10 +2246,12 @@ static int test_aead_vs_generic_impl(const char *driver, req, tsgls); if (err) goto out; - err = test_aead_vec_cfg(driver, DECRYPT, &vec, vec_name, cfg, - req, tsgls); - if (err) - goto out; + if (vec.crypt_error == 0) { + err = test_aead_vec_cfg(driver, DECRYPT, &vec, vec_name, + cfg, req, tsgls); + if (err) + goto out; + } cond_resched(); } err = 0; @@ -2678,6 +2681,15 @@ static void generate_random_cipher_testvec(struct skcipher_request *req, skcipher_request_set_callback(req, 0, crypto_req_done, &wait); skcipher_request_set_crypt(req, &src, &dst, vec->len, iv); vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); + if (vec->crypt_error != 0) { + /* + * The only acceptable error here is for an invalid length, so + * skcipher decryption should fail with the same error too. + * We'll test for this. But to keep the API usage well-defined, + * explicitly initialize the ciphertext buffer too. + */ + memset((u8 *)vec->ctext, 0, vec->len); + } done: snprintf(name, max_namelen, "\"random: len=%u klen=%u\"", vec->len, vec->klen); -- 2.24.0
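Review bot: in generate_random_aead_testvec(), the new `vec->crypt_error = 0;` sits before the `goto done` taken on setkey_error or setauthsize_error, so on that path crypt_error is 0 and the caller's new `if (vec.crypt_error == 0)` check in test_aead_vs_generic_impl() still runs the DECRYPT test even though no ciphertext was generated. If that is intended because the decryption test stops at the expected setkey or setauthsize error before it reads the ciphertext, a one-line comment next to the assignment saying so would help; otherwise the caller should also skip decryption when either of those errors is set.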
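Review bot: in test_aead_vs_generic_impl(), the `if (vec.crypt_error == 0)` guard around the DECRYPT call carries no comment, while the skcipher hunk explains its error handling in the code itself. Suggest a short comment above the guard stating that decryption is skipped after an encryption error because no ciphertext was produced and the decryption error may legitimately differ (EBADMSG, per the commit message), so a later reader does not restore the unconditional call.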
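Review bot: in generate_random_cipher_testvec(), the new comment says the only acceptable encryption error is an invalid length, but the `if (vec->crypt_error != 0)` branch accepts any nonzero error and nothing in the hunk checks which error it was. Either check the error value there or reword the comment so it does not promise more than the code enforces. The `(u8 *)` cast on vec->ctext in the memset also deserves a word in the comment if it is there to drop a qualifier.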