Hi Daniel, On Fri, Mar 15, 2019 at 03:24:35PM +1100, Daniel Axtens wrote: > Hi Eric, > > >> The original assembly imported from OpenSSL has two copy-paste > >> errors in handling CTR mode. When dealing with a 2 or 3 block tail, > >> the code branches to the CBC decryption exit path, rather than to > >> the CTR exit path. > > > > So does this need to be fixed in OpenSSL too? > > Yes, I'm getting in touch with some people internally (at IBM) about > doing that. > > >> This leads to corruption of the IV, which leads to subsequent blocks > >> being corrupted. > >> > >> This can be detected with libkcapi test suite, which is available at > >> https://github.com/smuellerDD/libkcapi > >> > > > > Is this also detected by the kernel's crypto self-tests, and if not why not? > > What about with the new option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y? > > It seems the self-tests do not catch it. To catch it, there has to be a > test where the blkcipher_walk creates a walk.nbytes such that > [(the number of AES blocks) mod 8] is either 2 or 3. This happens with > AF_ALG pretty frequently, but when I booted with self-tests it only hit > 1, 4, 5, 6 and 7 - it missed 0, 2 and 3. > > I don't have the EXTRA_TESTS option - I'm testing with 5.0-rc6. Is it in > -next? > > Regards, > Daniel The improvements I recently made to the self-tests are intended to catch exactly this sort of bug. They were just merged for v5.1, so try the latest mainline. This almost certainly would be caught by EXTRA_TESTS (and if not I'd want to know), but it may be caught by the regular self-tests now too. - Eric