Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp1156425rwl; Wed, 12 Apr 2023 09:00:54 -0700 (PDT) X-Google-Smtp-Source: AKy350avHly18SlXO0CdtjlIKD42/604C08Z7KJc8/7MJ1zEiZJFRqaHxxXNu0lICTCGOykiNq9x X-Received: by 2002:a17:90a:7649:b0:244:a41a:f658 with SMTP id s9-20020a17090a764900b00244a41af658mr2657753pjl.4.1681315254081; Wed, 12 Apr 2023 09:00:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681315254; cv=none; d=google.com; s=arc-20160816; b=UUMyaX7bqFn1ph07E173P+oldhrTLW+srg7LCPtEYiS4e50LNy2pYg8heZ9WlLu5O/ +zjsADE9LN/3AzyRKyj22rubEXcLDvsOHapkWUBm/5ck6ybVQDOs68kl+kT3gYuOaPH6 q02Q4pE3mESKyawNjteUFT4KXGNhwtWyvM/fty1fdDoRSZG8uZ5qjDkd68XF4h2ElWqI 5j2ASs3sdgZacFrQfFLFG8RXcYqxEmx/9PHKkkT9zQKx0Cago5hCMzkqnnR4uE/sqLBZ nq0su5lU4MNdLy87wYe3AP+UWXIlUvb7nXgItMCIWYCeGVFa5GpCr8H6V1iff3O2/CJs llOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:from:organization :dkim-signature; bh=Jp+uLMlvohTK1fCAD9z2ZBAqRyO1rsjM59UZ+H2UJdE=; b=dmP6BKFSjBjb1DBKWhtg2frPYN1F5/mi+hKewefK4r/5Mqfb3ghWZXNipPV0klXJQ2 5B6aeK8l9PxJ/pe3eF7ASlNGZYzqq2igwYJkb56irbI99ZPpanj+/heRFOerg29wz7z9 LZ5KQsfm+kFCWQSv+L7uDAi4Jxjja97k9J6GqViBz4PuE35RjEwx7BpJZhAez6Ryk0hh 7Ajf+QBLFQ5rLi8LlD/XN5vEW7AUXVpeg1LjIqDu/ds5Uhrblf19FURFKtySUUAciOlu jl2sxmbXss/kZHOqapWSjhaETeadRbAFIl9Ku4WrLjrazuesEJ3FMJ3wLc6VDRy/37qP /3og== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Psisnjkh; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d13-20020a17090a3b0d00b002467ae12b2esi2228643pjc.20.2023.04.12.08.59.55; Wed, 12 Apr 2023 09:00:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Psisnjkh; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231245AbjDLP5b (ORCPT + 99 others); Wed, 12 Apr 2023 11:57:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229575AbjDLP5a (ORCPT ); Wed, 12 Apr 2023 11:57:30 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA35F5FEA for ; Wed, 12 Apr 2023 08:56:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1681315002; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Jp+uLMlvohTK1fCAD9z2ZBAqRyO1rsjM59UZ+H2UJdE=; b=PsisnjkhQVyqJMUURVovNzggbLaW7ArKaewDs/KbF+JnhdLAyNvDfNSyCnRj/a4vgPcBmK 9E2I0QxvObhXLRi23dyQmjtuuu/goPzGQgHlNRqzqWywAP7Soa5VzXAZRqeHeZBvswRsjY ZPJNMBqCYshnxVU6Eyw+bWrZjDV8FR4= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-557-gsFujymGPYeLeLNikER73A-1; Wed, 12 Apr 2023 11:56:40 -0400 X-MC-Unique: gsFujymGPYeLeLNikER73A-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9740A811E7C; Wed, 12 Apr 2023 15:56:39 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.33.36.177]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8ECEA40C20FA; Wed, 12 Apr 2023 15:56:38 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells To: Chuck Lever , Herbert Xu cc: dhowells@redhat.com, Scott Mayhew , Ard Biesheuvel , Jeff Layton , linux-nfs@vger.kernel.org, linux-crypto@vger.kernel.org Subject: Did the in-kernel Camellia or CMAC crypto implementation break? MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <380322.1681314997.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Wed, 12 Apr 2023 16:56:37 +0100 Message-ID: <380323.1681314997@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Chuck, Herbert, I was trying to bring my krb5 crypto lib patches up to date, but noticed t= hat the Camellia encryption selftests are failing (the key derivation tests wo= rk, but the crypto tests failed). After some investigation that didn't get anywhere, I tried the sunrpc kuni= t tests that Chuck added - and those fail similarly (dmesg attached below). = I tried the hardware accelerated version also and that has the same failure. Note that Chuck and I implemented the kerberos Camellia routines independently. David --- KTAP version 1 # Subtest: RFC 6803 suite 1..3 KTAP version 1 # Subtest: RFC 6803 key derivation ok 1 Derive Kc subkey for camellia128-cts-cmac ok 2 Derive Ke subkey for camellia128-cts-cmac ok 3 Derive Ki subkey for camellia128-cts-cmac ok 4 Derive Kc subkey for camellia256-cts-cmac ok 5 Derive Ke subkey for camellia256-cts-cmac ok 6 Derive Ki subkey for camellia256-cts-cmac # RFC 6803 key derivation: pass:6 fail:0 skip:0 total:6 ok 1 RFC 6803 key derivation KTAP version 1 # Subtest: RFC 6803 checksum ok 1 camellia128-cts-cmac checksum test 1 ok 2 camellia128-cts-cmac checksum test 2 ok 3 camellia256-cts-cmac checksum test 3 ok 4 camellia256-cts-cmac checksum test 4 # RFC 6803 checksum: pass:4 fail:0 skip:0 total:4 ok 2 RFC 6803 checksum KTAP version 1 # Subtest: RFC 6803 encryption # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D 135 (0x87) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D -108 (0xffffffffffff= ff94) HMAC mismatch not ok 1 Encrypt empty plaintext with camellia128-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D -49 (0xffffffffffffffcf) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D -3 (0xffffffffffffff= fd) HMAC mismatch not ok 2 Encrypt 1 byte with camellia128-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D -36 (0xffffffffffffffdc) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D 44 (0x2c) HMAC mismatch not ok 3 Encrypt 9 bytes with camellia128-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D -58 (0xffffffffffffffc6) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D -103 (0xffffffffffff= ff99) HMAC mismatch not ok 4 Encrypt 13 bytes with camellia128-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D 160 (0xa0) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D 95 (0x5f) HMAC mismatch not ok 5 Encrypt 30 bytes with camellia128-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D -150 (0xffffffffffffff6a) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D 48 (0x30) HMAC mismatch not ok 6 Encrypt empty plaintext with camellia256-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D 24 (0x18) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D 22 (0x16) HMAC mismatch not ok 7 Encrypt 1 byte with camellia256-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D 108 (0x6c) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D -106 (0xffffffffffff= ff96) HMAC mismatch not ok 8 Encrypt 9 bytes with camellia256-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D 64 (0x40) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D -196 (0xffffffffffff= ff3c) HMAC mismatch not ok 9 Encrypt 13 bytes with camellia256-cts-cmac # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1389 Expected memcmp(param->expected_result->data, buf.head[0].iov_base, bu= f.len) =3D=3D 0, but memcmp(param->expected_result->data, buf.head[0].iov_base, buf.len= ) =3D=3D -238 (0xffffffffffffff12) encrypted result mismatch # RFC 6803 encryption: EXPECTATION FAILED at net/sunrpc/auth_gss/gss_k= rb5_test.c:1393 Expected memcmp(param->expected_result->data + (param->expected_result= ->len - checksum.len), checksum.data, checksum.len) =3D=3D 0, but memcmp(param->expected_result->data + (param->expected_result->len= - checksum.len), checksum.data, checksum.len) =3D=3D 168 (0xa8) HMAC mismatch not ok 10 Encrypt 30 bytes with camellia256-cts-cmac # RFC 6803 encryption: pass:0 fail:10 skip:0 total:10 not ok 3 RFC 6803 encryption # RFC 6803 suite: pass:2 fail:1 skip:0 total:3 # Totals: pass:10 fail:10 skip:0 total:20 not ok 3 RFC 6803 suite