[PATCH] crypto: vmx - fix copy-paste error in CTR mode
Eric Biggers
ebiggers at kernel.org
Fri Mar 15 15:34:34 AEDT 2019
Hi Daniel,
On Fri, Mar 15, 2019 at 03:24:35PM +1100, Daniel Axtens wrote:
> Hi Eric,
>
> >> The original assembly imported from OpenSSL has two copy-paste
> >> errors in handling CTR mode. When dealing with a 2 or 3 block tail,
> >> the code branches to the CBC decryption exit path, rather than to
> >> the CTR exit path.
> >
> > So does this need to be fixed in OpenSSL too?
>
> Yes, I'm getting in touch with some people internally (at IBM) about
> doing that.
>
> >> This leads to corruption of the IV, which leads to subsequent blocks
> >> being corrupted.
> >>
> >> This can be detected with libkcapi test suite, which is available at
> >> https://github.com/smuellerDD/libkcapi
> >>
> >
> > Is this also detected by the kernel's crypto self-tests, and if not why not?
> > What about with the new option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y?
>
> It seems the self-tests do not catch it. To catch it, there has to be a
> test where the blkcipher_walk creates a walk.nbytes such that
> [(the number of AES blocks) mod 8] is either 2 or 3. This happens with
> AF_ALG pretty frequently, but when I booted with self-tests it only hit
> 1, 4, 5, 6 and 7 - it missed 0, 2 and 3.
>
> I don't have the EXTRA_TESTS option - I'm testing with 5.0-rc6. Is it in
> -next?
>
> Regards,
> Daniel
The improvements I recently made to the self-tests are intended to catch exactly
this sort of bug. They were just merged for v5.1, so try the latest mainline.
This almost certainly would be caught by EXTRA_TESTS (and if not I'd want to
know), but it may be caught by the regular self-tests now too.
- Eric
More information about the Linuxppc-dev
mailing list