Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp247525ybm;
        Thu, 28 May 2020 01:34:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxkvQnFzuGof/dUuPC6IrwdQqLLr8401a75p4AZp/3D5PQSBT1piqnyf1KGz+p/1F0KzXhQ
X-Received: by 2002:a17:906:57c5:: with SMTP id u5mr1875027ejr.419.1590654851402;
        Thu, 28 May 2020 01:34:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1590654851; cv=none;
        d=google.com; s=arc-20160816;
        b=SjB/JawhWU7WRAFsXHWDKIlRIItMEf2Yg5i3NWwOehoZ6LvTt14bFlwGS6vm4Ru6fg
         qO6Jru+p1Xlnu5cZqmgGukemwqWpTFHO+zHDTn0x+Yx/lJ6Zz00vuIPzJVYgxR+Avjf1
         CaR5+Zdi4Yr9ZysoA+uJytDPPCEI01tH0NKZJBKt8xy1CFS5eqZHY/G7mdKMP/XMGXrl
         z9XjxLnr31IiA93oChp22RTcuMXWND/qo1ygF9jh7HcXEgFEJvcFpdAYqXLSsi3okVm3
         8VJt/vYeqfUqCURiGQaz1WcHiX3dKAtuMcKDDWqrC0JAo/1RhY0OY9vLaiWBCKFtmg2B
         iS0A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=kfYuwUyHeal/s8QbVDAHG+gD9PsHuYgROwOrEM0xuZY=;
        b=tv30bOJn13uoar3p0UP+GjSjEJx3NcKFQFykFdrw9KROzpyNTfGt+v9fUymZ+ck2pa
         lwQ/31MQHjrnApJJVfEvr4Z4aQR1lgiFx/21Wtrov5C3IjlEL/HvrWyi8D3NOd/oxy43
         KEIYv5wGA/750/OIYFG+aG+5wrcErD61q3z6sDL9+iUQd9nQbVmc1bpLszbv0i9++BRk
         YqMAROWsaKZrTCtA8YLUl5ggrCEVbdZYIl12aH3UfmHvaVTeV09NAVcJEkWTU9/C27OO
         6pQKvu4PVhp8WczhDMOrFHRzidwh3wXyaq3ZN19pxXuFDHt4IIU4zEaRcY71lXXm8J3Y
         WKKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ooTtB7P0;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e18si3367650eja.513.2020.05.28.01.33.41;
        Thu, 28 May 2020 01:34:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ooTtB7P0;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726085AbgE1Idj (ORCPT <rfc822;bhat.jayalakshmi@gmail.com>
        + 99 others); Thu, 28 May 2020 04:33:39 -0400
Received: from mail.kernel.org ([198.145.29.99]:44066 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726939AbgE1Idi (ORCPT <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 28 May 2020 04:33:38 -0400
Received: from mail-il1-f179.google.com (mail-il1-f179.google.com [209.85.166.179])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 28283214D8
        for <linux-crypto@vger.kernel.org>; Thu, 28 May 2020 08:33:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1590654818;
        bh=b+hkukDcY3wWk9NH35StsAnbduxjzZHjk4n+pej6zbw=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=ooTtB7P0P8pvXKcchknaERtrB/rOTvzL+V3/9OiT64bwj+j6gv3LIwiq4JOvQbirh
         pimVtgY7fSc1uF/FFb0Z73Zr/oBmvlaFgquHMy22BP1YUTXmzBuSglFcddntvgWUwG
         aQWG1Whi+k9Lzn9hO+6sjKldmhBNPhrq4w68R7bk=
Received: by mail-il1-f179.google.com with SMTP id a14so26796246ilk.2
        for <linux-crypto@vger.kernel.org>; Thu, 28 May 2020 01:33:37 -0700 (PDT)
X-Gm-Message-State: AOAM530aNOrTRpYNcB7Pa1kYCtr/NtmPLJr/p5ILeO83LYAJCVs9ozTv
        hvUSGQqfyvhLef395evVyoYwa/nd3XUYft0vI3o=
X-Received: by 2002:a92:bb55:: with SMTP id w82mr1838867ili.211.1590654816584;
 Thu, 28 May 2020 01:33:36 -0700 (PDT)
MIME-Version: 1.0
References: <20200519190211.76855-1-ardb@kernel.org> <20200528073349.GA32566@gondor.apana.org.au>
In-Reply-To: <20200528073349.GA32566@gondor.apana.org.au>
From:   Ard Biesheuvel <ardb@kernel.org>
Date:   Thu, 28 May 2020 10:33:25 +0200
X-Gmail-Original-Message-ID: <CAMj1kXGkvLP1YnDimdLOM6xMXSQKXPKCEBGRCGBRsWKAQR5Stg@mail.gmail.com>
Message-ID: <CAMj1kXGkvLP1YnDimdLOM6xMXSQKXPKCEBGRCGBRsWKAQR5Stg@mail.gmail.com>
Subject: Re: [RFC/RFT PATCH 0/2] crypto: add CTS output IVs for arm64 and testmgr
To:     Herbert Xu <herbert@gondor.apana.org.au>
Cc:     Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        Eric Biggers <ebiggers@kernel.org>,
        Stephan Mueller <smueller@chronox.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, 28 May 2020 at 09:33, Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> Ard Biesheuvel <ardb@kernel.org> wrote:
> > Stephan reports that the arm64 implementation of cts(cbc(aes)) deviates
> > from the generic implementation in what it returns as the output IV. So
> > fix this, and add some test vectors to catch other non-compliant
> > implementations.
> >
> > Stephan, could you provide a reference for the NIST validation tool and
> > how it flags this behaviour as non-compliant? Thanks.
>
> I think our CTS and XTS are both broken with respect to af_alg.
>
> The reason we use output IVs in general is to support chaining
> which is required by algif_skcipher to break up large requests
> into smaller ones.
>
> For CTS and XTS that simply doesn't work.  So we should fix this
> by changing algif_skcipher to not do chaining (and hence drop
> support for large requests like algif_aead) for algorithms like
> CTS/XTS.
>

The reason we return output IVs for CBC is because our generic
implementation of CTS can wrap any CBC implementation, and relies on
this output IV rather than grabbing it from the ciphertext directly
(which may be tricky and is best left up to the CBC code)

For CTS itself, as well as XTS, returning an output IV is meaningless,
given that
a) the implementations rely on the skcipher_walk infrastructure to
present all input except the last bit in chunks that are a multiple of
the block size,
b) neither specification defines how chaining of inputs should work,
regardless of whether the preceding input was a multiple of the block
size or not.

The CS3 mode that we implement for CTS swaps the final two blocks
unconditionally. So even if the input is a whole multiple of the block
size, the preceding ciphertext will turn out differently if any output
happens to follow.

For XTS, the IV is encrypted before processing the first block, so
even if you do return an output IV, the subsequent invocations of the
skcipher need to omit the encryption, which we don't implement
currently.

So if you are saying that we should never split up algif_skcipher
requests into multiple calls into the underlying skcipher, then I
agree with you. Even if the generic CTS seems to work more or less as
expected by, e.g., the NIST validation tool, this is unspecified
behavior, and definitely broken in various other places.