RE: [PATCH] crypto: testmgr - Improve randomization of params for AEAD fuzz testing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> > You're the expert, but shouldn't there be some priority to the checks
> > being performed? To me, it seems reasonable to do things like length
> > checks prior to even *starting* decryption and authentication.
> > Therefore, it makes more sense to get -EINVAL than -EBADMSG in this
> > case. IMHO you should only get -EBADMSG if the message was properly
> > formatted, but the tags eventually mismatched. From a security point
> > of view it can be very important to have a very clear distinction
> > between those 2 cases.
> >
> 
> Oh, I see.  Currently the fuzz tests assume that if encryption fails with an
> error (such as EINVAL), then decryption fails with that same error.
> 
Ah ok, oops. It should really log the error that was returned by the
generic decryption instead. Which should just be a matter of annotating
it back to vec.crypt_error?

> Regardless of what we think the correct decryption error is, running the
> decryption test at all in this case is sort of broken, since the ciphertext
> buffer was never initialized.
>
You could consider it broken or just some convenient way of getting
vectors that don't authenticate without needing to spend any effort ...

> So for now we probably should just sidestep this
> issue by skipping the decryption test if encryption failed, like this:
> 
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index 96e5923889b9c1..0413bdad9f6974 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -2330,10 +2330,12 @@ static int test_aead_vs_generic_impl(const char *driver,
>  					req, tsgls);
>  		if (err)
>  			goto out;
> -		err = test_aead_vec_cfg(driver, DECRYPT, &vec, vec_name, cfg,
> -					req, tsgls);
> -		if (err)
> -			goto out;
> +		if (vec.crypt_error != 0) {
> +			err = test_aead_vec_cfg(driver, DECRYPT, &vec, vec_name,
> +						cfg, req, tsgls);
> +			if (err)
> +				goto out;
> +		}
>  		cond_resched();
>  	}
>  	err = 0;
> 
> I'm planning to (at some point) update the AEAD tests to intentionally generate
> some inauthentic inputs, but that will take some more work.
> 
> - Eric
>
I believe that's a rather essential part of verifying AEAD decryption(!)


Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux