Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp4977490ybf; Wed, 4 Mar 2020 14:45:01 -0800 (PST) X-Google-Smtp-Source: ADFU+vuNsINj9i2uQO6dcB2ZwWMt8DYH3cPVtNNH+ZZmC0VmjiCBPQDL41qJS/nVKkKMSNNvzbNN X-Received: by 2002:a9d:638a:: with SMTP id w10mr4262884otk.103.1583361901740; Wed, 04 Mar 2020 14:45:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583361901; cv=none; d=google.com; s=arc-20160816; b=cgv3/ePk5DnZowbkmKvJybGuEkABkvgietYey8WSmmL/SWPzp11uXX3639ko6h0QBX eWbWy9Kpfc03n5AzqPXt3yk0d1viHo3LicdCsmnlDjvjSideiHxNIGPACucg/78q6PU1 hqmzrQcsiaamkzCJlCUh4MELxiFOYNZBQ44gCeflpqzoQpiNlkzawCc31ctaSholXMCE K7nK+dHjV8CrgDg1gkWjF7Zx06Pzl+Fh2O4aas8GSvWh0BOksdUjOT/EJn9TgzREawY3 nKzdzuh+jVeL5YtcX99LuL1JPDXzRLoRm98A3QY8diTsoSC3ai7xzFxaQ90H6KbU1yRc bZfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=0QuRJpTLR/uono13SvCiVMIFDbGAvdvIQt8p9Tah9gM=; b=C7prf+SjRl9wL3dlOaGkVrM4nepAqjqcS9YoZyK+jq2bbEN1WClNNpY4p5b/2Sd+RB IY+rVfdg1r4ejMNZffP7lbEwSzhoco0+KNdo29f5xJqW0r8FbcCku9ocfd7VP1wjpy5J oXGX1UslOtrfNqViqB0ClmtyRxLg1vjFHsW0R9JXghl6KbREvTbBtw6zaFdUetJ8ruxf xxFcxUo/tvBTu/U2QqPYF3pLBBGgSCRRE9ZJ/fqUJvXAql52fLDBQ4XLcD+plFm4Zplh P8PVr29tx/E0HGvZMNk2Yk/8POLALedNg9SxEF2+gu/Q6HEFT99tIk91YXDhvCGUX4VH fCWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=c96qHRVD; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m16si2075236otf.74.2020.03.04.14.44.40; Wed, 04 Mar 2020 14:45:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=c96qHRVD; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388407AbgCDWoi (ORCPT + 99 others); Wed, 4 Mar 2020 17:44:38 -0500 Received: from mail.kernel.org ([198.145.29.99]:49310 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388351AbgCDWoi (ORCPT ); Wed, 4 Mar 2020 17:44:38 -0500 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3BD2C2084E; Wed, 4 Mar 2020 22:44:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1583361877; bh=7kagA36q7o6JUgkNkpStFltXSlxiCI9+NLGIEaE2l8s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c96qHRVD09hFs+ygWqgS62l2Gn4YLMFoOVnnUW0WhB6WJwnMltmTROThk2ZhoLrjO fpi3oZisPg6yUhF7BXhTYdsnCpsktF8dcTsD8snvb2NStHf8HnOjF2MrtakaBnkG+8 DA7Hd7ZFvsz9cxa5/Txcjwy+MazmKjme5sBijBlo= From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: Gilad Ben-Yossef , Geert Uytterhoeven , Stephan Mueller Subject: [PATCH 1/3] crypto: testmgr - use consistent IV copies for AEADs that need it Date: Wed, 4 Mar 2020 14:44:03 -0800 Message-Id: <20200304224405.152829-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200304224405.152829-1-ebiggers@kernel.org> References: <20200304224405.152829-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers rfc4543 was missing from the list of algorithms that may treat the end of the AAD buffer specially. Also, with rfc4106, rfc4309, rfc4543, and rfc7539esp, the end of the AAD buffer is actually supposed to contain a second copy of the IV, and we've concluded that if the IV copies don't match the behavior is implementation-defined. So, the fuzz tests can't easily test that case. So, make the fuzz tests only use inputs where the two IV copies match. Reported-by: Geert Uytterhoeven Fixes: 40153b10d91c ("crypto: testmgr - fuzz AEADs against their generic implementation") Cc: Stephan Mueller Originally-from: Gilad Ben-Yossef Signed-off-by: Eric Biggers --- crypto/testmgr.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 88f33c0efb23..0a10dbde27ef 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -91,10 +91,11 @@ struct aead_test_suite { unsigned int einval_allowed : 1; /* - * Set if the algorithm intentionally ignores the last 8 bytes of the - * AAD buffer during decryption. + * Set if this algorithm requires that the IV be located at the end of + * the AAD buffer, in addition to being given in the normal way. The + * behavior when the two IV copies differ is implementation-defined. */ - unsigned int esp_aad : 1; + unsigned int aad_iv : 1; }; struct cipher_test_suite { @@ -2167,9 +2168,10 @@ struct aead_extra_tests_ctx { * here means the full ciphertext including the authentication tag. The * authentication tag (and hence also the ciphertext) is assumed to be nonempty. */ -static void mutate_aead_message(struct aead_testvec *vec, bool esp_aad) +static void mutate_aead_message(struct aead_testvec *vec, bool aad_iv, + unsigned int ivsize) { - const unsigned int aad_tail_size = esp_aad ? 8 : 0; + const unsigned int aad_tail_size = aad_iv ? ivsize : 0; const unsigned int authsize = vec->clen - vec->plen; if (prandom_u32() % 2 == 0 && vec->alen > aad_tail_size) { @@ -2207,6 +2209,9 @@ static void generate_aead_message(struct aead_request *req, /* Generate the AAD. */ generate_random_bytes((u8 *)vec->assoc, vec->alen); + if (suite->aad_iv && vec->alen >= ivsize) + /* Avoid implementation-defined behavior. */ + memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize); if (inauthentic && prandom_u32() % 2 == 0) { /* Generate a random ciphertext. */ @@ -2242,7 +2247,7 @@ static void generate_aead_message(struct aead_request *req, * Mutate the authentic (ciphertext, AAD) pair to get an * inauthentic one. */ - mutate_aead_message(vec, suite->esp_aad); + mutate_aead_message(vec, suite->aad_iv, ivsize); } vec->novrfy = 1; if (suite->einval_allowed) @@ -5202,7 +5207,7 @@ static const struct alg_test_desc alg_test_descs[] = { .aead = { ____VECS(aes_gcm_rfc4106_tv_template), .einval_allowed = 1, - .esp_aad = 1, + .aad_iv = 1, } } }, { @@ -5214,7 +5219,7 @@ static const struct alg_test_desc alg_test_descs[] = { .aead = { ____VECS(aes_ccm_rfc4309_tv_template), .einval_allowed = 1, - .esp_aad = 1, + .aad_iv = 1, } } }, { @@ -5225,6 +5230,7 @@ static const struct alg_test_desc alg_test_descs[] = { .aead = { ____VECS(aes_gcm_rfc4543_tv_template), .einval_allowed = 1, + .aad_iv = 1, } } }, { @@ -5240,7 +5246,7 @@ static const struct alg_test_desc alg_test_descs[] = { .aead = { ____VECS(rfc7539esp_tv_template), .einval_allowed = 1, - .esp_aad = 1, + .aad_iv = 1, } } }, { -- 2.25.1