| Message ID | 20210706095924.764117-9-berrange@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | crypto: misc cleanup and introduce gnutls backend driver | expand |
On Tue, Jul 06, 2021 at 10:59:14AM +0100, Daniel P. Berrangé wrote: > The GNUTLS crypto provider doesn't support DES-ECB, only DES-CBC. I had to go research these terms; DES-ECB is weaker (each block encrypted on its own), DES-CBC is stronger (the encryption of later blocks depend on the earlier text). Makes sense that GNUTLS has dropped support for the weaker form. > We can use the latter to simulate the former, if we encrypt only > 1 block (8 bytes) of data at a time, using a all-zeros IV. This using an all-zeros > is a very inefficient way to use the QCryptoCipher APIs, but > since the VNC authentication challenge is only 16 bytes, this > is acceptable. No other part of QEMU should be using DES. This > test case demonstrates the equivalence of ECB and CBC for the > single-block case. Agreed - both on the inefficiency (we're throwing away all the work spent on chaining the later blocks - thankfully there is only one such block in our 16-byte challenge), and on the fact that DES should be avoided where possible (our sole use is due to VNC's less-than-stellar "security"). > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > tests/unit/test-crypto-cipher.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) Reviewed-by: Eric Blake <eblake@redhat.com>
On Thu, Jul 08, 2021 at 01:50:54PM -0500, Eric Blake wrote: > On Tue, Jul 06, 2021 at 10:59:14AM +0100, Daniel P. Berrangé wrote: > > The GNUTLS crypto provider doesn't support DES-ECB, only DES-CBC. > > I had to go research these terms; DES-ECB is weaker (each block > encrypted on its own), DES-CBC is stronger (the encryption of later > blocks depend on the earlier text). Makes sense that GNUTLS has > dropped support for the weaker form. > > > We can use the latter to simulate the former, if we encrypt only > > 1 block (8 bytes) of data at a time, using a all-zeros IV. This > > using an all-zeros > > > is a very inefficient way to use the QCryptoCipher APIs, but > > since the VNC authentication challenge is only 16 bytes, this > > is acceptable. No other part of QEMU should be using DES. This > > test case demonstrates the equivalence of ECB and CBC for the > > single-block case. > > Agreed - both on the inefficiency (we're throwing away all the work > spent on chaining the later blocks - thankfully there is only one such > block in our 16-byte challenge), and on the fact that DES should be > avoided where possible (our sole use is due to VNC's less-than-stellar > "security"). Actually there isn't any work wasted chaining blocks, because we're only writing one block of data. The inefficiency is because we have to constantly re-create the cipher context object after every 8 bytes. This massively dominates over the cipher speed. > > > > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > > --- > > tests/unit/test-crypto-cipher.c | 23 +++++++++++++++++++++++ > > 1 file changed, 23 insertions(+) > > Reviewed-by: Eric Blake <eblake@redhat.com> Regards, Daniel
diff --git a/tests/unit/test-crypto-cipher.c b/tests/unit/test-crypto-cipher.c index fd0a8de34c..7dca7b26e4 100644 --- a/tests/unit/test-crypto-cipher.c +++ b/tests/unit/test-crypto-cipher.c @@ -149,6 +149,29 @@ static QCryptoCipherTestData test_data[] = { "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b", }, + { + /* + * Testing 'password' as plaintext fits + * in single AES block, and gives identical + * ciphertext in ECB and CBC modes + */ + .path = "/crypto/cipher/des-rfb-ecb-56-one-block", + .alg = QCRYPTO_CIPHER_ALG_DES_RFB, + .mode = QCRYPTO_CIPHER_MODE_ECB, + .key = "0123456789abcdef", + .plaintext = "70617373776f7264", + .ciphertext = "73fa80b66134e403", + }, + { + /* See previous comment */ + .path = "/crypto/cipher/des-rfb-cbc-56-one-block", + .alg = QCRYPTO_CIPHER_ALG_DES_RFB, + .mode = QCRYPTO_CIPHER_MODE_CBC, + .key = "0123456789abcdef", + .iv = "0000000000000000", + .plaintext = "70617373776f7264", + .ciphertext = "73fa80b66134e403", + }, { .path = "/crypto/cipher/des-rfb-ecb-56", .alg = QCRYPTO_CIPHER_ALG_DES_RFB,
The GNUTLS crypto provider doesn't support DES-ECB, only DES-CBC. We can use the latter to simulate the former, if we encrypt only 1 block (8 bytes) of data at a time, using a all-zeros IV. This is a very inefficient way to use the QCryptoCipher APIs, but since the VNC authentication challenge is only 16 bytes, this is acceptable. No other part of QEMU should be using DES. This test case demonstrates the equivalence of ECB and CBC for the single-block case. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tests/unit/test-crypto-cipher.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)