RE: [PATCH] crypto: testmgr - Improve randomization of params for AEAD fuzz testing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Herbert,

> -----Original Message-----
> From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, July 30, 2019 12:31 AM
> To: Pascal Van Leeuwen <pvanleeuwen@xxxxxxxxxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>; Pascal van Leeuwen <pascalvanl@xxxxxxxxx>; linux-
> crypto@xxxxxxxxxxxxxxx; davem@xxxxxxxxxxxxx
> Subject: Re: [PATCH] crypto: testmgr - Improve randomization of params for AEAD fuzz testing
> 
> On Mon, Jul 29, 2019 at 10:16:48PM +0000, Pascal Van Leeuwen wrote:
> >
> > > EINVAL is for invalid lengths while EBADMSG is for inauthentic inputs.
> > > Inauthentic test vectors aren't yet automatically generated (even after this
> > > patch), so I don't think EBADMSG should be seen here.  Are you sure there isn't
> > > a bug in your patch that's causing this?
> > >
> > As far as I understand it, the output of the encryption is fed back in to
> > decrypt. However, if the encryption didn't work due to blocksize mismatch,
> > there would not be any valid encrypted and authenticated data written out.
> > So, if the (generic) driver checks that for decryption, it would result in
> > -EINVAL. If it wouldn't check that, it would try to decrypt and authentica
> > te the data, which would almost certainly result in a tag mismatch and
> > thus an -EBADMSG error being reported.
> >
> > So actually, the witnessed issue can be perfectly explained from a missing
> > block size check in aesni.
> 
> The same input can indeed fail for multiple reasons.  I think in
> such cases it is unreasonable to expect all implementations to
> return the same error value.
> 
Hmmm ... first off, testmgr expects error codes to match exactly. So if
you're saying that's not always the case, it would need to be changed.
(but then, what difference would still be acceptable?)
But so far it seems to have worked pretty well, except for this now.

You're the expert, but shouldn't there be some priority to the checks
being performed? To me, it seems reasonable to do things like length
checks prior to even *starting* decryption and authentication.
Therefore, it makes more sense to get -EINVAL than -EBADMSG in this 
case. IMHO you should only get -EBADMSG if the message was properly
formatted, but the tags eventually mismatched. From a security point
of view it can be very important to have a very clear distinction
between those 2 cases.

> Cheers,
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux