Re: x509 parsing bug + fuzzing crypto in the userspace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 21, 2017 at 9:46 PM, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> On Tue, Nov 21, 2017 at 09:00:26AM +0100, Dmitry Vyukov wrote:
>> >
>> > Note that separate from asymmetric_keys (which you can think of as being
>> > in-between the keyrings subsystem and the crypto subsystem) there is also the
>> > userspace interface to cryptographic algorithms, AF_ALG.  It might be possible
>> > to port a lot of the crypto API to userspace, but it would require a lot of work
>> > to stub things out.  Maybe a simpler improvement would be to teach syzkaller to
>> > more thoroughly test AF_ALG.  For example it could be made aware of algorithm
>> > templates so that it could try combining them in unusual ways.  (Example:
>> > https://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2 was a NULL pointer
>> > dereference bug that occurred if you asked to use the algorithm "mcryptd(md5)",
>> > i.e. the mcryptd template wrapping md5.)  Also,
>> > CONFIG_CRYPTO_MANAGER_DISABLE_TESTS should be unset, so that the crypto
>> > self-tests are enabled.
>>
>>
>> Can you please outline all uncovered by the current syzkaller
>> descriptions parts? We should add least TODO's for them. Or maybe we
>> could just resolve them right away.
>>
>
> Just focusing on the algorithm names, the syzkaller descriptions currently use a
> fixed set of algorithm names:
>
>         salg_name = "cmac(aes)", "ecb(aes)", "cbc(aes)", "hmac(sha1)", [...]
>
> But algorithm names are not just fixed strings; you can create "new" algorithms
> by composing templates.  For example "cmac(aes)" indicates the "cmac" template
> instantiated using "aes" as the underlying block cipher.  But it could also be
> "cmac(des)", "cmac(blowfish)", etc.  Templates can even take multiple arguments,
> e.g. "gcm_base(ctr(aes),ghash)".
>
> So ideally the descriptions would contain the list of all templates which might
> be available in addition to all "primitive" algorithm names, then express that
> an algorithm name has a syntax like:
>
>         alg_name -> primitive_alg_name | template_name(alg_name[,alg_name]*)
>
> To get the list of all "primitive" algorithm names which might be available you
> can run:
>
>         git grep -E '\.cra_(driver_)?name' | grep -o '".*"' | sort | uniq
>
> It's a long list, though it doesn't distinguish between the different types of
> algorithm (hash, symmetric cipher, AEAD, etc.), and not all are actually
> accessible through AF_ALG.  Note that it still includes names with parentheses
> because a module may directly implement an algorithm like "xts(aes)", which then
> may be used instead of the template version.
>
> And to get the list of templates which might be available you can run:
>
>         git grep -A5 'struct crypto_template.*{' | grep '\.name' | grep -o '".*"' | sort
>
> (There is probably more to improve for AF_ALG besides the algorithm names; this
> is just what I happened to notice for now.)


Thanks! I think we can incorporate this into syzkaller.

One question: what's the relation between alg names and type ("aead",
"hash", "rng", "skcipher")? I remember I already looked at it before
and could not figure it out. Are all algorithms and templates
partitioned between types? Or they are orthogonal?



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux