2013-03-08 16:38:47

by Chaoxing Lin

[permalink] [raw]
Subject: potential bug in GMAC implementation. not work in ESN mode

I was testing ipsec with GMAC and found that the rfc4543 GMAC implementation in kernel software crypto work in "esp=aes256gmac-noesn!" mode.
It does not work in in "esp=aes256gmac-esn!" mode. The tunnel was established but no data traffic is possible.

Looking at source code, I found this piece of code is suspicious.
Line 1146~1147 tries to put req->assoc to assoc[1]. But I think this way only works when req->assoc has only one segment. In ESN mode, req->assoc contains 3 segments (SPI, SN-hi, SN-low). Line 1146~1147 will only attach SPI segment(with total length) in assoc.

Please let me know whether I understand it right.
Thanks,

Chaoxing


Source from kernel 3.8.2
path: root/crypto/gcm.c

1136: /* construct the aad */
1137: dstp = sg_page(dst);
vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;

sg_init_table(payload, 2);
sg_set_buf(payload, req->iv, 8);
scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);

sg_init_table(assoc, 2);
1146: sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
1147: req->assoc->offset);
scatterwalk_crypto_chain(assoc, payload, 0, 2);

aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags, req->base.complete,
req->base.data);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
1154: aead_request_set_assoc(subreq, assoc, assoclen);


2013-03-14 19:57:57

by Chaoxing Lin

[permalink] [raw]
Subject: RE: potential bug in GMAC implementation. not work in ESN mode

Ping.... Is there anyone looking at this potential bug??


-----Original Message-----
From: Chaoxing Lin
Sent: Friday, March 08, 2013 11:38 AM
To: '[email protected]'
Subject: potential bug in GMAC implementation. not work in ESN mode

I was testing ipsec with GMAC and found that the rfc4543 GMAC implementation in kernel software crypto work in "esp=aes256gmac-noesn!" mode.
It does not work in in "esp=aes256gmac-esn!" mode. The tunnel was established but no data traffic is possible.

Looking at source code, I found this piece of code is suspicious.
Line 1146~1147 tries to put req->assoc to assoc[1]. But I think this way only works when req->assoc has only one segment. In ESN mode, req->assoc contains 3 segments (SPI, SN-hi, SN-low). Line 1146~1147 will only attach SPI segment(with total length) in assoc.

Please let me know whether I understand it right.
Thanks,

Chaoxing


Source from kernel 3.8.2
path: root/crypto/gcm.c

1136: /* construct the aad */
1137: dstp = sg_page(dst);
vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;

sg_init_table(payload, 2);
sg_set_buf(payload, req->iv, 8);
scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);

sg_init_table(assoc, 2);
1146: sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
1147: req->assoc->offset);
scatterwalk_crypto_chain(assoc, payload, 0, 2);

aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags, req->base.complete,
req->base.data);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
1154: aead_request_set_assoc(subreq, assoc, assoclen);

2013-03-25 16:13:01

by Chaoxing Lin

[permalink] [raw]
Subject: RE: potential bug in GMAC implementation. not work in ESN mode

2nd ping....

Nobody is maintaining crypto/gcm.c?



-----Original Message-----
From: Chaoxing Lin
Sent: Friday, March 08, 2013 11:38 AM
To: '[email protected]'
Subject: potential bug in GMAC implementation. not work in ESN mode

I was testing ipsec with GMAC and found that the rfc4543 GMAC implementation in kernel software crypto work in "esp=aes256gmac-noesn!" mode.
It does not work in in "esp=aes256gmac-esn!" mode. The tunnel was established but no data traffic is possible.

Looking at source code, I found this piece of code is suspicious.
Line 1146~1147 tries to put req->assoc to assoc[1]. But I think this way only works when req->assoc has only one segment. In ESN mode, req->assoc contains 3 segments (SPI, SN-hi, SN-low). Line 1146~1147 will only attach SPI segment(with total length) in assoc.

Please let me know whether I understand it right.
Thanks,

Chaoxing


Source from kernel 3.8.2
path: root/crypto/gcm.c

1136: /* construct the aad */
1137: dstp = sg_page(dst);
vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;

sg_init_table(payload, 2);
sg_set_buf(payload, req->iv, 8);
scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);

sg_init_table(assoc, 2);
1146: sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
1147: req->assoc->offset);
scatterwalk_crypto_chain(assoc, payload, 0, 2);

aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags, req->base.complete,
req->base.data);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
1154: aead_request_set_assoc(subreq, assoc, assoclen);

2013-03-26 20:16:34

by Jussi Kivilinna

[permalink] [raw]
Subject: Re: potential bug in GMAC implementation. not work in ESN mode

On 25.03.2013 18:12, Chaoxing Lin wrote:
> 2nd ping....
>
> Nobody is maintaining crypto/gcm.c?
>
>
>
> -----Original Message-----
> From: Chaoxing Lin
> Sent: Friday, March 08, 2013 11:38 AM
> To: '[email protected]'
> Subject: potential bug in GMAC implementation. not work in ESN mode
>
> I was testing ipsec with GMAC and found that the rfc4543 GMAC implementation in kernel software crypto work in "esp=aes256gmac-noesn!" mode.
> It does not work in in "esp=aes256gmac-esn!" mode. The tunnel was established but no data traffic is possible.
>
> Looking at source code, I found this piece of code is suspicious.
> Line 1146~1147 tries to put req->assoc to assoc[1]. But I think this way only works when req->assoc has only one segment. In ESN mode, req->assoc contains 3 segments (SPI, SN-hi, SN-low). Line 1146~1147 will only attach SPI segment(with total length) in assoc.
>
> Please let me know whether I understand it right.

Your analysis seems correct. Does attached the patch fix the problem? (I've only compile tested it.)

-Jussi

> Thanks,
>
> Chaoxing
>
>
> Source from kernel 3.8.2
> path: root/crypto/gcm.c
>
> 1136: /* construct the aad */
> 1137: dstp = sg_page(dst);
> vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
>
> sg_init_table(payload, 2);
> sg_set_buf(payload, req->iv, 8);
> scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
> assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);
>
> sg_init_table(assoc, 2);
> 1146: sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
> 1147: req->assoc->offset);
> scatterwalk_crypto_chain(assoc, payload, 0, 2);
>
> aead_request_set_tfm(subreq, ctx->child);
> aead_request_set_callback(subreq, req->base.flags, req->base.complete,
> req->base.data);
> aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
> 1154: aead_request_set_assoc(subreq, assoc, assoclen);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to [email protected]rg
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>


Attachments:
10-gcm-fix-assumption-that-assoc-has-one-segment.patch (1.80 kB)
signature.asc (730.00 B)
OpenPGP digital signature
Download all attachments

2013-03-27 13:43:23

by Chaoxing Lin

[permalink] [raw]
Subject: RE: potential bug in GMAC implementation. not work in ESN mode

Thanks Jussi, the patch fixes the problem.

You may commit it officially.

-----Original Message-----
From: Jussi Kivilinna [mailto:[email protected]]
Sent: Tuesday, March 26, 2013 4:16 PM
To: Chaoxing Lin
Cc: [email protected]
Subject: Re: potential bug in GMAC implementation. not work in ESN mode

On 25.03.2013 18:12, Chaoxing Lin wrote:
> 2nd ping....
>
> Nobody is maintaining crypto/gcm.c?
>
>
>
> -----Original Message-----
> From: Chaoxing Lin
> Sent: Friday, March 08, 2013 11:38 AM
> To: '[email protected]'
> Subject: potential bug in GMAC implementation. not work in ESN mode
>
> I was testing ipsec with GMAC and found that the rfc4543 GMAC implementation in kernel software crypto work in "esp=aes256gmac-noesn!" mode.
> It does not work in in "esp=aes256gmac-esn!" mode. The tunnel was established but no data traffic is possible.
>
> Looking at source code, I found this piece of code is suspicious.
> Line 1146~1147 tries to put req->assoc to assoc[1]. But I think this way only works when req->assoc has only one segment. In ESN mode, req->assoc contains 3 segments (SPI, SN-hi, SN-low). Line 1146~1147 will only attach SPI segment(with total length) in assoc.
>
> Please let me know whether I understand it right.

Your analysis seems correct. Does attached the patch fix the problem? (I've only compile tested it.)

-Jussi

> Thanks,
>
> Chaoxing
>
>
> Source from kernel 3.8.2
> path: root/crypto/gcm.c
>
> 1136: /* construct the aad */
> 1137: dstp = sg_page(dst);
> vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
>
> sg_init_table(payload, 2);
> sg_set_buf(payload, req->iv, 8);
> scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
> assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);
>
> sg_init_table(assoc, 2);
> 1146: sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
> 1147: req->assoc->offset);
> scatterwalk_crypto_chain(assoc, payload, 0, 2);
>
> aead_request_set_tfm(subreq, ctx->child);
> aead_request_set_callback(subreq, req->base.flags, req->base.complete,
> req->base.data);
> aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
> 1154: aead_request_set_assoc(subreq, assoc, assoclen);
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-crypto" in the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>