Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp2815959rwr; Fri, 28 Apr 2023 17:00:38 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5u2OTrM/+E4NgvZYu0zkqDd90ABX0/EtG3RBVmcpC39cKKld8iLhemzj14NKAM9Kcn3Na6 X-Received: by 2002:a05:6a21:78b:b0:f5:83f:9b88 with SMTP id mg11-20020a056a21078b00b000f5083f9b88mr7538037pzb.9.1682726438028; Fri, 28 Apr 2023 17:00:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682726438; cv=none; d=google.com; s=arc-20160816; b=n5Fu8u8yYtKogWWxJ+inx2+9jguNw/ShrfSmLQ+bPeLYu2zxHgf0hxz8L0OWIySSPl Yo5TLZJF9FHgEsbaJgvEsYXw6nv1ySfyAc4d1mvdAahVY12hMDOCOiglyDq5mNIm3wHt SvTUyCU5MhhNCe5W1ktLVOk3hKLt92ao+dcsaSaFsuRG9emcEb5j1esXOZ46epeB+kOh eW7rKbhNisrcQMzIUY16+he88aTtpV8XxXBLIkteztTNIOMzbPIvHVGD578lcccKqJks N93BwddZCqdyFHdHXBxB1XEIZWd8BN6IW/8bbsItIlJzwOXbbvN+icNXvCyQoS5dt/6A kW7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=BisDslZfUJLYvV1GxCtU3+gjqm6XxDi+QftwUeeJ9Rw=; b=JLKqGDzRFs09S0EhQICEX4z7nRwPVfEFHGk4Jd/j1rNTheu9QxffKglz7sJTrU0YAx WFP++6CfCMNhtkz4m46Ny5mSIJU8DACrUeXxOWFHVQ3+tB8srcQC5DOBD6RsBS3bULDq JFU2FpYm7NJjq+81I5z82uhOyre9LFZXqkLZvJ+3in3orFrBv4bdh2NfSkpkn/mMiYQ1 tkjP5LWTfhEiH+aJgAxcLMfr9IO2ytISMPAIvfRNE+BlZTmJzI4dXnBGq9cU/ueBO+eE P3DCKuRRgaKp5Ss3CTy0br1BYKeOVgAeV0IX14a9l9F7X4DFu/hfxXOvqRKQf/gG7zak fR7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VIqITLiE; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e10-20020a63690a000000b00524ea64ba6esi17746666pgc.530.2023.04.28.17.00.15; Fri, 28 Apr 2023 17:00:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VIqITLiE; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347041AbjD1XsI (ORCPT + 99 others); Fri, 28 Apr 2023 19:48:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40388 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347055AbjD1XsC (ORCPT ); Fri, 28 Apr 2023 19:48:02 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C83914C04; Fri, 28 Apr 2023 16:47:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D8FE2631AD; Fri, 28 Apr 2023 23:46:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1286AC433D2; Fri, 28 Apr 2023 23:46:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1682725601; bh=kfZZr6KMfoLR9GKJOF8IGsGbILU6f3g0vJrOdB364gE=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=VIqITLiE5JfV5HMm7a4hnTYSC9E5B9WRpkDFjAtDHgZ9LHeTPCDExX+/RBtIpqLhD ytd7NxeGOhbzxK9O3J9nX9nzNS5hPULLNvFdruPZGAAwJh6ioyyS2lN2Y+RAHbmNl1 yKiuq+FB4UNad21ZQGq8MCl3Zxd+ls06+ICgcEulFXPk3uPUDjaP9AfU3tS1tiS2Ok kPS8xiZmenpR3VlrG1cHHr+F4wj3uTph0YjIWWLnj1lQ77mTk8dG02nxPQqwCF6HCR Dn+FuRJqAWZC0xgap+G3KFH5cQQrA+00Hbo5I13WzrEEXn4hjI3SilJCqMYryWzQmp 1Q9xXIwdYRyVg== Date: Fri, 28 Apr 2023 16:46:39 -0700 From: Eric Biggers To: Ard Biesheuvel Cc: Chuck Lever III , David Howells , Herbert Xu , Scott Mayhew , "linux-crypto@vger.kernel.org" , Linux NFS Mailing List Subject: Re: RPCSEC GSS krb5 KUnit test fails on arm64 with h/w accelerated ciphers enabled Message-ID: <20230428234639.GD3150@sol.localdomain> References: <870429E7-8202-405B-96F7-46A11B41EF05@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, Apr 28, 2023 at 05:48:30PM +0100, Ard Biesheuvel wrote: > On Fri, 28 Apr 2023 at 17:18, Chuck Lever III wrote: > > > > > > > > > On Apr 28, 2023, at 12:09 PM, Ard Biesheuvel wrote: > > > > > > On Fri, 28 Apr 2023 at 13:59, Chuck Lever III wrote: > > >> > > >> > > >> > > >>> On Apr 28, 2023, at 5:57 AM, Ard Biesheuvel wrote: > > >>> > > >>> On Fri, 28 Apr 2023 at 10:44, Herbert Xu wrote: > > >>>> > > >>>> Scott Mayhew wrote: > > >>>>> > > >>>>> diff --git a/arch/arm64/crypto/aes-modes.S b/arch/arm64/crypto/aes-modes.S > > >>>>> index 0e834a2c062c..477605fad76b 100644 > > >>>>> --- a/arch/arm64/crypto/aes-modes.S > > >>>>> +++ b/arch/arm64/crypto/aes-modes.S > > >>>>> @@ -268,6 +268,7 @@ AES_FUNC_START(aes_cbc_cts_encrypt) > > >>>>> add x4, x0, x4 > > >>>>> st1 {v0.16b}, [x4] /* overlapping stores */ > > >>>>> st1 {v1.16b}, [x0] > > >>>>> + st1 {v1.16b}, [x5] > > >>>>> ret > > >>>>> AES_FUNC_END(aes_cbc_cts_encrypt) > > >>>>> > > >>>>> But I don't know if that change is at all correct! (I've never even > > >>>>> looked at arm64 asm before). If someone who's knowledgeable about this > > >>>>> code could chime in, I'd appreciate it. > > >>>> > > >>>> Ard, could you please take a look at this? > > >>>> > > >>> > > >>> The issue seems to be that the caller expects iv_out to have been > > >>> populated even when doing ciphertext stealing. > > >>> > > >>> This is meaningless, because the output IV can only be used to chain > > >>> additional encrypted data if the split is at a block boundary. The > > >>> ciphertext stealing fundamentally terminates the encryption, and > > >>> produces a block of ciphertext that is shorter than the block size, so > > >>> what the output IV should be is actually unspecified. > > >>> > > >>> IOW, test cases having plain/ciphertext vectors whose size is not a > > >>> multiple of the cipher block size should not specify an expected value > > >>> for the output IV. > > >> > > >> The test cases are extracted from RFC 3962 Appendix B. The > > >> standard clearly expects there to be a non-zero next IV for > > >> plaintext sizes that are not block-aligned. > > >> > > > > > > OK, so this is the Kerberos V specific spec on how to use AES in CBC > > > mode, which appears to describe how to chain multiple CBC encryptions > > > together. > > > > > > CBC-CTS itself does not define this: the IV is an input only, and the > > > reason we happen to return the IV is because a single CBC operation > > > may be broken up into several ones, which can only be done on block > > > boundaries. This is why CBC-CTS itself passes all its tests: a single > > > CBC-CTS encryption only performs ciphertext stealing at the very end, > > > and the next IV is never used in that case. (This is why the CTS mode > > > tests in crypto/testmgr.h don't have iv_out vectors) > > > > > > Note that RFC3962 defines that the penultimate block of CBC-CTS > > > ciphertext is used as the next IV. CBC returns the last ciphertext > > > block as the output IV. It is a happy coincidence that the generic CTS > > > template encapsulates CBC in a way where its output IV ends up in the > > > right place. > > > > > >> Also, these test cases pass on other hardware platforms. > > >> > > > > > > Fair enough. > > > > > > I am not opposed to fixing this, but given that it is the RFC3962 spec > > > that defines that the next IV is the penultimate full block of the > > > previous CBC-CTS ciphertext, we might consider doing the memcpy() in > > > the Kerberos code not in the CBC-CTS implementations. > > > > Interesting thought. I'm all about proper layering, so I think this > > is worth considering. Can you send an RFC patch? > > > > I'm not that familiar with kunit so this is just an off hand > suggestion, but I imagine something like the below would suffice > > --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c > +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c > @@ -639,6 +639,13 @@ gss_krb5_cts_crypt(struct crypto_sync_skcipher > *cipher, struct xdr_buf *buf, > > ret = write_bytes_to_xdr_buf(buf, offset, data, len); > > + /* > + * CBC-CTS does not define an output IV but RFC 3962 defines it as the > + * penultimate block of ciphertext, so copy that into the IV buffer > + * before returning. > + */ > + if (encrypt) > + memcpy(iv, data, crypto_sync_skcipher_ivsize(cipher)); The whole "update the IV" thing that the crypto API does for some algorithms is very weird and nonstandard, and most algorithms don't implement it. So I'd definitely support handling this in the caller here. - Eric