Date: Mon, 13 Jul 2015 15:36:48 -0700
From: John-Mark Gurney
To: George Neville-Neil
Cc: "Matthew D. Fuller", src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r285336 - in head/sys: netipsec opencrypto
Message-ID: <20150713223647.GO8523@funkthat.com>
References: <201507091816.t69IGawf097288@repo.freebsd.org> <20150711044843.GG96394@over-yonder.net> <20150711075705.GC8523@funkthat.com> <815B402A-A14F-40F7-91CA-899C7A9597B3@freebsd.org>
In-Reply-To: <815B402A-A14F-40F7-91CA-899C7A9597B3@freebsd.org>
User-Agent: Mutt/1.5.21 (2010-09-15)

George V. Neville-Neil wrote this message on Mon, Jul 13, 2015 at 11:25 -0400:
> On 11 Jul 2015, at 3:57, John-Mark Gurney wrote:
>
> > Matthew D. Fuller wrote this message on Fri, Jul 10, 2015 at 23:48 -0500:
> >> On Thu, Jul 09, 2015 at 06:16:36PM +0000 I heard the voice of
> >> George V. Neville-Neil, and lo! it spake thus:
> >>> New Revision: 285336
> >>> URL: https://svnweb.freebsd.org/changeset/base/285336
> >>>
> >>> Log:
> >>> Add support for AES modes to IPSec.
> >>> These modes work both in software only mode and with hardware
> >>> support on systems that have AESNI instructions.
> >>
> >> With (apparently) this change, I can trigger a panic at will by running
> >>
> >> % geli onetime -e AES-XTS -d /dev/ada0s1
> >>
> >> My best guess is that it comes from
> >>
> >>> -#define RIJNDAEL128_BLOCK_LEN 16
> >>> +#define AES_MIN_BLOCK_LEN 1
> >>
> >>> - RIJNDAEL128_BLOCK_LEN, 8, 32, 64,
> >>> + AES_MIN_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY,
> >>> AES_XTS_MAX_KEY,
> >>
> >> changing that first arg from 16 to 1. It seems to be avoided with the
> >> following patch:
> >>
> >> ------8<--------
> >>
> >> Index: sys/opencrypto/xform.c
> >> ===================================================================
> >> --- sys/opencrypto/xform.c (revision 285365)
> >> +++ sys/opencrypto/xform.c (working copy)
> >> @@ -257,7 +257,7 @@
> >>
> >> struct enc_xform enc_xform_aes_xts = {
> >> CRYPTO_AES_XTS, "AES-XTS",
> >> - AES_MIN_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY,
> >> AES_XTS_MAX_KEY,
> >> + AES_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY,
> >> aes_xts_encrypt,
> >> aes_xts_decrypt,
> >> aes_xts_setkey,
> >>
> >> ------8<--------
> >>
> >> at least in a little testing here. If that's the actual fix, some of
> >> the other MIN_BLOCK_LEN changes in GCM and GMAC are probably suspect
> >> too.
> >>
> >>
> >> (I also wonder why AES-ICM is still using the RIJNDAEL128 #defines;
> >> shouldn't it be using the AES's too? But that's cosmetic...)
> >
> > Our XTS though should be a block size of 1, doesn't implement
> > cipher text stealing, so still must be 16... I assumed that the values
> > of all the defines did not change... That is clearly not the case...
> >
> > gnn, can you please make sure that the tables in xform.c match before
> > your change? If you think there needs to be a value changed, please
> > run it by me..
> >
>
> Correct, I changed it from the RIJNDAEL value to the "correct" minimum value
> of 1. I can do a followup commit to bump it back to 16 if that's what you think
> it ought to be.

The function swcr_encdec requires that the blocksize (of their xform entry) be the cipher block size and nothing else... If it is anything else, then the results will be incorrect, and likely buffer overflows and other bad things may happen...

Please ensure that ALL constants of the xform tables match exactly what they were before... If there are any deviations that you believe are required, let me review them to make sure they won't break anything...

The name AES_MIN_BLOCK_LEN is bad and needs to be removed... There is only one AES block size and that is 16... It cannot be longer or shorter... Any shorter or longer block size is an additional construction on top of AES and that would need to be added to the name...
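Review bot: the hunk restores AES_BLOCK_LEN only in the enc_xform_aes_xts entry, but the surrounding discussion says swcr_encdec treats this field as the cipher block size (anything else gives wrong output and possible buffer overruns) and Fuller notes that the other MIN_BLOCK_LEN changes in the GCM and GMAC entries are suspect too, so those entries need the same comparison against their pre-r285336 values before this is committed as the fix. It would also be better to drop the remaining uses of AES_MIN_BLOCK_LEN (defined as 1) rather than leave the macro in place, since a block length of 1 has no meaning for AES and that value alone was enough to reproduce the geli panic quoted above.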
--
John-Mark Gurney				Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."