Eric Biggers <ebiggers@xxxxxxxxxx> writes: > Hi Daniel, > > On Fri, Mar 15, 2019 at 03:24:35PM +1100, Daniel Axtens wrote: >> Hi Eric, >> >> >> The original assembly imported from OpenSSL has two copy-paste >> >> errors in handling CTR mode. When dealing with a 2 or 3 block tail, >> >> the code branches to the CBC decryption exit path, rather than to >> >> the CTR exit path. >> > >> > So does this need to be fixed in OpenSSL too? >> >> Yes, I'm getting in touch with some people internally (at IBM) about >> doing that. >> >> >> This leads to corruption of the IV, which leads to subsequent blocks >> >> being corrupted. >> >> >> >> This can be detected with libkcapi test suite, which is available at >> >> https://github.com/smuellerDD/libkcapi >> >> >> > >> > Is this also detected by the kernel's crypto self-tests, and if not why not? >> > What about with the new option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y? >> >> It seems the self-tests do not catch it. To catch it, there has to be a >> test where the blkcipher_walk creates a walk.nbytes such that >> [(the number of AES blocks) mod 8] is either 2 or 3. This happens with >> AF_ALG pretty frequently, but when I booted with self-tests it only hit >> 1, 4, 5, 6 and 7 - it missed 0, 2 and 3. >> >> I don't have the EXTRA_TESTS option - I'm testing with 5.0-rc6. Is it in >> -next? >> >> Regards, >> Daniel > > The improvements I recently made to the self-tests are intended to catch exactly > this sort of bug. They were just merged for v5.1, so try the latest mainline. > This almost certainly would be caught by EXTRA_TESTS (and if not I'd want to > know), but it may be caught by the regular self-tests now too. Well, even the patched code fails with the new self-tests, so clearly they're catching something! I'll investigate in more detail next week. Regards, Daniel > > - Eric
