Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp443739ybl; Wed, 29 Jan 2020 03:28:43 -0800 (PST) X-Google-Smtp-Source: APXvYqzgzJV2yvRqEiRQR7+be1Rf1Iw4EfT7TZkdOXEJQmaraYmSVfKHIjSnmToVwb6wHMheaAKB X-Received: by 2002:a05:6830:1e5c:: with SMTP id e28mr11595916otj.163.1580297323446; Wed, 29 Jan 2020 03:28:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580297323; cv=none; d=google.com; s=arc-20160816; b=k7qCSoEFhtOL4hZvB0m8uKVdgw/XxrVznVr8lBjoNsAKid4RAJIjHL+FdscH2gDkSv 96yS6MozFeCKQqEIFoNdqWlbqLfoeQQPO9hWpuDoIxmzyLNn4/QfU/JACf4q0jARI1QP xhc7XaRXezQA3wQBleA+iZk1WF7+j8w43Yn0O9hkLhchOLGVGDoLl0f0TeSe0sC5oUFD lzQEcnjpCQj6JOtXuEL/Zdj/DXfPSHbMa1pOVvABzEqmSGeSWFVYBMl/7NUe8GbMG2Tk 6B2ToJeEdV22ZBrlkitNJlfxePPUvC9jPbGyKQQoiVnNJPmJTT3AqX2JqcU/dcLWV3iS 5fJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=KAVxi2jUpaSOMH9MjkyK4jIEapVEWsyDIKYn69cYqhQ=; b=EfIBA8wFvs6+CZ5bojB90cX84o/BGqHQbYOQWkEajUCt0+iSjDpWECsasJmXQvWzM1 xf+o/i0U9B3HDpq2QwzyUSikchMKTsEmstToPK7kQl3sLKTr/NkkIib9b/vw41oUiHYc 5/2pRT/kT/4BQgxkbCH8knI6lWXdT8uiMpFol4Q+ztrq7ITTHur38bq0L30Jyp42T0kk jTSVMs/YbnIpY74UGOZQwJpGTRz6VWOOeWqErgPhTNct5rf2behlv/XzBBfXueA2PqSf cAhiRH2igoqJYyOCJo9/WUuKPmVV0hU+6rfw4ycL7SX10Y1LwXjlYIJBLrmwB38fPiHX 903w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@benyossef-com.20150623.gappssmtp.com header.s=20150623 header.b=oPp1U9L5; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y23si923980oti.65.2020.01.29.03.28.25; Wed, 29 Jan 2020 03:28:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@benyossef-com.20150623.gappssmtp.com header.s=20150623 header.b=oPp1U9L5; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726068AbgA2L2Z (ORCPT + 99 others); Wed, 29 Jan 2020 06:28:25 -0500 Received: from mail-vk1-f193.google.com ([209.85.221.193]:33500 "EHLO mail-vk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726067AbgA2L2Z (ORCPT ); Wed, 29 Jan 2020 06:28:25 -0500 Received: by mail-vk1-f193.google.com with SMTP id i78so4672145vke.0 for ; Wed, 29 Jan 2020 03:28:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=benyossef-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KAVxi2jUpaSOMH9MjkyK4jIEapVEWsyDIKYn69cYqhQ=; b=oPp1U9L59tbKdM2PNq6+grDDTFTKQW5KUdHMnIy3AgG+UgkLFp8sGR5t9qtzVw+j6b qYoErT/VbYQLAcfN3skVI/T1CpHFZH78YCy+1SBqdxrHnYjU2wsvtVrbiO0G4We4IEWe jBxY46H3KS+nUCfToHcqEswgRLg5vRe8H1KMFfvOy1j7jEx+sEUqa4wa7/gkOmQdltX3 s+FbdN/X4VCuYsHtEty9Q5LmR7PwIc/gRESWtuB5+pqPESH7TbT1X4HVxM6mbSFuWL9r 1viIjV+9kjyoZGBy1p7JJ+08ngO03Q/QVZmOn9fQRPHgabcjnhbm8McXIrJrcAwh49Vm bYgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KAVxi2jUpaSOMH9MjkyK4jIEapVEWsyDIKYn69cYqhQ=; b=KJJCCsfnmXXWHF9JqzQR0hINO7LnJG1SLrREVM+P6yO9z8Y/gXa+1Wg03V+IHoiBU0 MKAVJkk6j6CCAcqd1bYnOryRHtb3ENUAVzso1RcYYuugrc9TMmrTU/+30phnTzzpeMh1 +Geuidm8J0XPOs45ihTl/fZ/mxbaELNUnCh6mz6/a32ETj6+iGt3hLLHMD3a2Ca0eH5k FIVBlJvTHvRXyzqQ8pWAjKoAyEm3MI9jXWsW4eMz6m7yohX8yikAEPohD5gdWeEcbn7J 5bGL2tV3HKsGUnu98vwofLGP9iUYuiqkcoylXRfIlQhQUFSQ5Udj70oim65aZvs3gUvw +ZEw== X-Gm-Message-State: APjAAAUvKGqoJE9LEanuCUBafaScG9rEaRS0lOCILhN3gHiyWq3VKoHS peoCyJu4nKa53Nf7j7TM4haqV7kdr/GecVVLNL9oWw== X-Received: by 2002:a1f:7cc2:: with SMTP id x185mr15939952vkc.1.1580297303740; Wed, 29 Jan 2020 03:28:23 -0800 (PST) MIME-Version: 1.0 References: <20200128023455.GC960@sol.localdomain> <20200128033824.p3z3jhc7mp7wlikp@gondor.apana.org.au> <20200128211229.GA224488@gmail.com> In-Reply-To: <20200128211229.GA224488@gmail.com> From: Gilad Ben-Yossef Date: Wed, 29 Jan 2020 13:28:12 +0200 Message-ID: Subject: Re: Possible issue with new inauthentic AEAD in extended crypto tests To: Eric Biggers Cc: Herbert Xu , Stephan Mueller , Linux Crypto Mailing List , Geert Uytterhoeven , David Miller , Ofir Drang Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Jan 28, 2020 at 11:12 PM Eric Biggers wrote: > > On Tue, Jan 28, 2020 at 09:24:25AM +0200, Gilad Ben-Yossef wrote: > > - The source is presumed to have enough room for both the associated > > data and the plaintext. > > - Unless it's in-place encryption, in which case, you also presume to > > have room for the authentication tag > > The authentication tag is part of the ciphertext, not the plaintext. So = the > rule is just that the ciphertext buffer needs to have room for it, not th= e > plaintext. > > Of course, when doing in-place encryption/decryption, the two buffers are= the > same, so both will have room for it, even though the tag is only meaningf= ul on > the ciphertext side. That's just the logical consequence of "in-place". Yes, of course. I understand the purpose all of this serves. > > > - The only way to tell if this is in-place encryption or not is to > > compare the pointers to the source and destination - there is no flag. > > Requiring users to remember to provide a flag to indicate in-place > encryption/decryption, in addition to passing the same scatterlist, would= make > the API more complex. > Asking the user to provide the flag is throwing the problem at the user - so indeed, not a good idea. But that still doesn't mean we need to have "rea->src =3D=3D req->dst" in every driver. We can have the API framework do this. > > - You can count on the scattergather list not having a first NULL > > buffer, *unless* the plaintext and associated data length are both > > zero AND it's not in place encryption. > > - You can count on not getting NULL as a scatterlist point, *unless* > > the plaintext and associated data length are both zero AND it's not in > > place encryption. (I'm actually unsure of this one?) > > If we consider that the input is not just a scatterlist, but rather a > scatterlist and a length, then these observations are really just "you ca= n > access the first byte, unless the length is 0" -- which is sort of obviou= s. And Yes, if it is indeed a scatterlist and length. In fact it isn't - it's a scatterlist and four different lengths: plaintext, associated data, IV and auth tag. Some of them are used in various scenarios and some aren't. Which is exactly my point. > requiring a dereferencable pointer for length =3D 0 is generally consider= ed to be > bad API design; see the memcpy() fiasco > (https://www.imperialviolet.org/2016/06/26/nonnull.html). Yes, that's not a good option - but neither is having a comment that can be read to imply that the API requires it if it doesn't :-) Thinking about it, I'm wondering if having something like this will save boilerplate code in many drivers: static inline bool crypto_aead_inplace(struct aead_request req) { return (req->src =3D=3D req->dst); } unsigned int crypto_aead_sg_len(struct aead_request req, bool enc, bool src= , int authsize, bool need_iv) { struct crypto_aead *tfm =3D crypto_aead_reqtfm(req); unsigned int len =3D req->assoclen + req->cryptlen; if (need_iv) len +=3D crypto_aead_ivsize(tfm); if (src && !enc) || (!src && enc) || crypto_aead_inplace(req)) len +=3D authsize; return len; } It would be better even if we can put the authsize and need_iv into the tfv at registration time and not have to pass them as parameters at all. Anyways, thanks for entertaining my ramblings... :-) Thanks, Gilad --=20 Gilad Ben-Yossef Chief Coffee Drinker values of =CE=B2 will give rise to dom!