RE: [EXT] caam test failures with libkcapi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> -----Original Message-----
> From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> Sent: Tuesday, April 2, 2024 1:30 PM
> To: Gaurav Jain <gaurav.jain@xxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; Horia Geanta
> <horia.geanta@xxxxxxx>; Pankaj Gupta <pankaj.gupta@xxxxxxx>; Linux Crypto
> Mailing List <linux-crypto@xxxxxxxxxxxxxxx>; Varun Sethi <V.Sethi@xxxxxxx>
> Subject: Re: [EXT] caam test failures with libkcapi
> 
> Caution: This is an external email. Please take care when clicking links or opening
> attachments. When in doubt, report the message using the 'Report this email'
> button
> 
> 
> On Tue, Apr 2, 2024 at 9:03 AM Gaurav Jain <gaurav.jain@xxxxxxx> wrote:
> >
> > Hi
> >
> > > -----Original Message-----
> > > From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > > Sent: Thursday, January 4, 2024 2:07 PM
> > > To: Gaurav Jain <gaurav.jain@xxxxxxx>
> > > Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; Horia Geanta
> > > <horia.geanta@xxxxxxx>; Pankaj Gupta <pankaj.gupta@xxxxxxx>; Linux
> > > Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>; Varun Sethi
> > > <V.Sethi@xxxxxxx>
> > > Subject: Re: [EXT] caam test failures with libkcapi
> > >
> > > Caution: This is an external email. Please take care when clicking
> > > links or opening attachments. When in doubt, report the message using the
> 'Report this email'
> > > button
> > >
> > >
> > > On Wed, Jan 3, 2024 at 12:50 PM Gaurav Jain <gaurav.jain@xxxxxxx> wrote:
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > > > > Sent: Saturday, December 23, 2023 7:29 PM
> > > > > To: Gaurav Jain <gaurav.jain@xxxxxxx>
> > > > > Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; Horia Geanta
> > > > > <horia.geanta@xxxxxxx>; Pankaj Gupta <pankaj.gupta@xxxxxxx>;
> > > > > Linux Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>
> > > > > Subject: Re: [EXT] caam test failures with libkcapi
> > > > >
> > > > > Caution: This is an external email. Please take care when
> > > > > clicking links or opening attachments. When in doubt, report the
> > > > > message using the 'Report this email' button
> > > > >
> > > > >
> > > > > On Fri, Dec 22, 2023 at 11:50 AM Gaurav Jain <gaurav.jain@xxxxxxx>
> wrote:
> > > [...]
> > > > > > Can you please share the logs for libkcapi test failures.
> > > > >
> > > > > A log from our kernel CI testing is available here (it is from
> > > > > CentOS Stream 9, but it fails in the same way on the Fedora's
> > > > > 6.6.6-based
> > > > > kernel):
> > > > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > > >
> 2Fs3%2F&data=05%7C02%7Cgaurav.jain%40nxp.com%7Ce9969dcbe6984b29b
> > > > >
> 67808dc52eaf809%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C638
> > > > >
> 476416387187745%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJ
> Q
> > > > >
> IjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=JA
> > > > > APuV4AKF5wRhRzHazeKC0wZJc12yDQIkVNTpAxKNs%3D&reserved=0
> > > > > .amaz%2F&data=05%7C02%7Cgaurav.jain%40nxp.com%7Cb05dbbf9c0d8
> 48a
> > > f5bef
> > > > >
> > >
> 08dc0d006b59%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C638399
> > > 5426
> > > > >
> > >
> 48069426%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> > > uMzI
> > > > >
> > >
> iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ykpF%2BM%
> > > 2BDWj
> > > > > w6GHN6165kLe7c8WFRJSSLTfWd%2FqLxI9w%3D&reserved=0
> > > > > onaws.com%2Farr-cki-prod-trusted-artifacts%2Ftrusted-
> > > > >
> > >
> artifacts%2F1109180874%2Ftest_aarch64%2F5766414724%2Fartifacts%2Frun
> > > > > .d
> > > > >
> > >
> one.03%2Fjob.01%2Frecipes%2F15194733%2Ftasks%2F31%2Flogs%2Ftaskout.l
> > > > >
> > >
> og&data=05%7C02%7Cgaurav.jain%40nxp.com%7C3b52a83449bf4b3fffe208dc
> > > > >
> > >
> 03bf4b66%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C6383893673
> > > > >
> > >
> 38072709%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> > > > >
> > >
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9SCFiT
> > > > > 1nNsTZg4bh6n75CeicDC51Jw3wacQCaL7w4vQ%3D&reserved=0
> > > >
> > > > In this log I cannot see CAAM failures. can you tell which CAAM tfm failed?
> > >
> > > The test exercises the kernel crypto API via the AF_ALG interface.
> > > The failures basically detect that for certain inputs the crypto API
> > > returns different results than expected when the CAAM driver is used
> > > (the machine in question has the relevant hardware, so the caam_jr
> > > crypto drivers are registered for certain algorithms and they take priority).
> > >
> > > For example, when you install libkcapi-tools and run:
> > >
> > > kcapi -x 2 -s  -e -c "gcm(aes)" -i 16c4b4bd1198f39f4ae817b7 \
> > >     -k
> > > 87c91a8b63f66934dd3703415b2538461fbfef55ce7a9ca9bb9425499f4cd1d6
> > > \
> > >     -a
> > >
> "303bb57e4534b08a4d5f001a84b3052c9d0d58ee03eda5211a540950e819dc" \
> > >     -p
> "b05fbd403c2fa41a8cc702a7474ed9ba6c50fcc6c19732a7d300f1113862bc"
> > > -l 4
> > >
> > > ...the caam_jr implementation results in
> > >
> b05fbd403c2fa41a8cc702a7474ed9ba6c50fcc6c19732a7d300f1113862bc6d275
> > > 6d6,
> > > while the expected output is
> > >
> 9bea5263e7b365d5a06cb3ccab0d43cb9a1ca967dfb7b1a6955b3c493018af6d275
> > > 6d6.
> > > You can search the test log for "FAILED" to find the other failing
> > > commands (note that in some cases you need to escape the -c argument
> > > as it contains parentheses).
> >
> > We have developed an application to run the gcm(aes) algorithm which is
> offloaded to caam_jr driver via AF_ALG interface.
> > we have used the below test vector
> > Plaintext is
> > "b05fbd403c2fa41a8cc702a7474ed9ba6c50fcc6c19732a7d300f1113862bc" ->
> 31
> > byte Key is
> > "87c91a8b63f66934dd3703415b2538461fbfef55ce7a9ca9bb9425499f4cd1d6"
> ->
> > 32 byte Iv is "16c4b4bd1198f39f4ae817b7" -> 12 byte Aad is
> > "303bb57e4534b08a4d5f001a84b3052c9d0d58ee03eda5211a540950e819dc"
> -> 31
> > byte
> >
> > Our application results matches the expected ciphertext which is
> "9bea5263e7b365d5a06cb3ccab0d43cb9a1ca967dfb7b1a6955b3c493018af6d27
> 56d6".
> > I can see the expected output at your end is basically the plaintext appended by
> authentication tag of 4 bytes "6d2756d6".
> > caam_jr driver aes-gcm implementation is providing the correct output.
> 
> How does your application invoke AF_ALG exactly? The libkcapi test program
> invokes it in various different ways (to try to discover bugs) and only some of them
> fail. In this case the key seems to be to send the AAD and plaintext separately.
> This is what an strace of the failing invocation looks like:
> 
> socket(AF_ALG, SOCK_SEQPACKET, 0)       = 3
> bind(3, {sa_family=AF_ALG, salg_type="aead", salg_feat=0, salg_mask=0,
> salg_name="gcm(aes)"}, 88) = 0
> pipe2([4, 5], 0)                        = 0
> fcntl(4, F_SETPIPE_SZ, 69632)           = 131072
> fcntl(5, F_SETPIPE_SZ, 69632)           = 131072
> setsockopt(3, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, 4) = 0 setsockopt(3,
> SOL_ALG, ALG_SET_KEY,
> "\207\311\32\213c\366i4\3357\3A[%8F\37\277\357U\316z\234\251\273\224
> %I\237L\321\326",
> 32) = 0
> accept(3, NULL, NULL)                   = 6
> sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0,
> msg_control=[{cmsg_len=20, cmsg_level=SOL_ALG, cmsg_type=0x3,
> cmsg_data="\x01\x00\x00\x00"}, {cmsg_len=32, cmsg_level=SOL_ALG,
> cmsg_type=0x2,
> cmsg_data="\x0c\x00\x00\x00\x16\xc4\xb4\xbd\x11\x98\xf3\x9f\x4a\xe8\x17\
> xb7"},
> {cmsg_len=20, cmsg_level=SOL_ALG, cmsg_type=0x4,
> cmsg_data="\x1f\x00\x00\x00"}], msg_controllen=80, msg_flags=0},
> MSG_MORE) = 0
> vmsplice(5,
> [{iov_base="0;\265~E4\260\212M_\0\32\204\263\5,\235\rX\356\3\355\245!\3
> 2T\tP\350\31\334",
> iov_len=31}], 1, SPLICE_F_MORE|SPLICE_F_GIFT) = 31 splice(4, NULL, 6, NULL,
> 31, SPLICE_F_MORE) = 31 vmsplice(5,
> [{iov_base="\260_\275@</\244\32\214\307\2\247GN\331\272lP\374\306\301
> \2272\247\323\0\361\218b\274",
> iov_len=31}], 1, SPLICE_F_GIFT) = 31
> splice(4, NULL, 6, NULL, 31, 0)         = 31
> recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0",
> iov_len=1}, {iov_base=";", iov_len=1}, {iov_base="\265", iov_len=1},
> {iov_base="~", iov_len=1}, {iov_base="E", iov_len=1}, {iov_base="4", iov_len=1},
> {iov_base="\260", iov_len=1}, {iov_base="\212", iov_len=1}, {iov_base="M",
> iov_len=1}, {iov_base="_", iov_len=1}, {iov_base="\0", iov_len=1},
> {iov_base="\32", iov_len=1}, {iov_base="\204", iov_len=1}, {iov_base="\263",
> iov_len=1},
> {iov_base="\5,\235\rX\356\3\355\245!\32T\tP\350\31\334\233\352Rc\347\26
> 3e\325\240l\263\314\253\rC"...,
> iov_len=48}, {iov_base="m'V\326", iov_len=4}], msg_iovlen=16,
> msg_controllen=0, msg_flags=0}, 0) = 66 newfstatat(1, "",
> {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x12), ...}, AT_EMPTY_PATH) =
> 0 write(1, "9bea5263e7b365d5a06cb3ccab0d43cb"..., 71) = 71
> close(6)                                = 0
> close(4)                                = 0
> close(5)                                = 0
> close(3)                                = 0
> 
> (This is from a non-caam run on my machine, but the invocation should be the
> same, only the results differ.)
> 
In our test, key and iv is send separately. But AAD is prepended to plaintext(AAD + plaintext).
Resulting Ciphertext is also prepended with AAD and appended with Auth Tag(AAD + ciphertext + auth tag).

Gaurav
> --
> Ondrej Mosnacek
> Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux