From: Chuck Lever III <chuck.lever@oracle.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Chuck Lever <cel@kernel.org>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	"simo@redhat.com" <simo@redhat.com>,
	"linux-kselftest@vger.kernel.org"
	<linux-kselftest@vger.kernel.org>,
	"linux-m68k@lists.linux-m68k.org"
	<linux-m68k@lists.linux-m68k.org>
Subject: Re: [PATCH v2 00/41] RPCSEC GSS krb5 enhancements
Date: Thu, 23 Feb 2023 14:00:05 +0000
Message-ID: <D5221DC2-2A9C-43DC-AC21-FA96E7F76E5B@oracle.com>
In-Reply-To: <b3e0b5e6-1d0-cdb2-186c-6b4f50e0a3aa@linux-m68k.org>



> On Feb 23, 2023, at 8:05 AM, Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> 
> 	Hi Chuck,
> 
> On Sun, 15 Jan 2023, Chuck Lever wrote:
>> The purpose of this series is to improve/harden the security
>> provided by the Linux kernel's RPCSEC GSS Kerberos 5 mechanism.
>> There are lots of clean-ups in this series, but the pertinent
>> feature is the addition of a clean deprecation path for the DES-
>> and SHA1-based encryption types in accordance with Internet BCPs.
>> 
>> This series disables DES-based enctypes by default, provides a
>> mechanism for disabling SHA1-based enctypes, and introduces two
>> modern enctypes that do not use deprecated crypto algorithms.
>> 
>> Not only does that improve security for Kerberos 5 users, but it
>> also prepares SunRPC for eventually switching to a shared common
>> kernel Kerberos 5 implementation, which surely will not implement
>> any deprecated encryption types (in particular, DES-based ones).
>> 
>> Today, MIT supports both of the newly-introduced enctypes, but
>> Heimdal does not appear to. Thus distributions can enable and
>> disable kernel enctype support to match the set of enctypes
>> supported in their user space Kerberos libraries.
>> 
>> Scott has been kicking the tires -- we've found no regressions with
>> the current SHA1-based enctypes, while the new ones are disabled by
>> default until we have an opportunity for interop testing. The KUnit
>> tests for the new enctypes pass and this implementation successfully
>> interoperates with itself using these enctypes. Therefore I believe
>> it to be safe to merge.
>> 
>> When this series gets merged, the Linux NFS community should select
>> and announce a date-certain for removal of SunRPC's DES-based
>> enctype code.
> 
> As this is now upstream, I gave it a try on m68k (on the ARAnyM
> emulator), using a config based on atari_defconfig:
> 
>    KTAP version 1
>    # Subtest: RFC 3961 tests
>    1..3
>        KTAP version 1
>        # Subtest: RFC 3961 n-fold
>        ok 1 64-fold("012345")
>        ok 2 56-fold("password")
>        ok 3 64-fold("Rough Consensus, and Running Code")
>        ok 4 168-fold("password")
>        ok 5 192-fold("MASSACHVSETTS INSTITVTE OF TECHNOLOGY")
>        ok 6 168-fold("Q")
>        ok 7 168-fold("ba")
>        ok 8 64-fold("kerberos")
>        ok 9 128-fold("kerberos")
>        ok 10 168-fold("kerberos")
>        ok 11 256-fold("kerberos")
>    # RFC 3961 n-fold: pass:11 fail:0 skip:0 total:11
>    ok 1 RFC 3961 n-fold
>        KTAP version 1
>        # Subtest: RFC 3961 key derivation
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 1 des3-hmac-sha1 key derivation case 1

Geert, thanks for testing GSS on m68k.

This assertion failure means that support for the encryption types
specified in RFC 3961 is not built into your kernel.

The new KUnit tests don't work unless everything is built in --
there's a net/sunrpc/.kunitconfig that provides the supported
build configuration for running them. I typically use a command
line similar to this:

./tools/testing/kunit/kunit.py run --raw_output=all --kunitconfig ./net/sunrpc/.kunitconfig


I'm not sure what's crashing at rfc6803_suite+0x2, but I suspect
it's a similar issue.


>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 2 des3-hmac-sha1 key derivation case 2
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 3 des3-hmac-sha1 key derivation case 3
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 4 des3-hmac-sha1 key derivation case 4
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 5 des3-hmac-sha1 key derivation case 5
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 6 des3-hmac-sha1 key derivation case 6
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 7 des3-hmac-sha1 key derivation case 7
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 8 des3-hmac-sha1 key derivation case 8
>    # RFC 3961 key derivation: ASSERTION FAILED at net/sunrpc/auth_gss/gss_krb5_test.c:52
>    Expected gk5e != ((void *)0), but
>        gk5e == 00000000
>        ((void *)0) == 00000000
>        not ok 9 des3-hmac-sha1 key derivation case 9
>    # RFC 3961 key derivation: pass:0 fail:9 skip:0 total:9
>    not ok 2 RFC 3961 key derivation
> *** CHK ***   FORMAT=2
> Current process id is 794
> BAD KERNEL TRAP: 00000000
> Modules linked in: gss_krb5_test rpcsec_gss_krb5 auth_rpcgss oid_registry kunit
> PC: [<1188975a>] rfc6803_suite+0x2/0xffffc688 [gss_krb5_test]
> SR: 2200  SP: 93025120  a2: 01b6f700
> d0: 00000002    d1: 00000010    d2: 00000014    d3: 01aebcc4
> d4: 01aebc44    d5: 00000009    a0: 11889754    a1: 01aebc44
> Process insmod (pid: 794, task=c42c6bea)
> Frame format=2 instr addr=1188975a
> Stack from 01aebbd8:
> Call Trace: [<11963860>] kunit_run_tests+0x2f2/0x3d2 [kunit]
> [<119644d8>] kunit_debugfs_create_suite+0x0/0x54 [kunit]
> [<1196356e>] kunit_run_tests+0x0/0x3d2 [kunit]
> [<000c729c>] get_page_from_freelist+0x176/0x48a
> [<00040cc0>] __finish_swait+0x1a/0x1c
> [<00040cc0>] __finish_swait+0x1a/0x1c
> [<00040cc0>] __finish_swait+0x1a/0x1c
> [<000c7126>] get_page_from_freelist+0x0/0x48a
> [<00009752>] ssincosnan+0x10/0x26
> [<000c6f00>] __putback_isolated_page+0x62/0x7c
> [<119639e2>] __kunit_test_suites_init+0xa2/0xfa [kunit]
> [<000405ea>] __wake_up+0x0/0x1c
> [<00037774>] blocking_notifier_call_chain+0x0/0x46
> [<11963a5a>] kunit_module_notify+0x20/0x34 [kunit]
> [<00037404>] notifier_call_chain+0x34/0x48
> [<0004e3b4>] module_put+0x0/0x50
> [<000377a0>] blocking_notifier_call_chain+0x2c/0x46
> [<0004ebd4>] do_init_module+0xd6/0x1a2
> [<0036ec50>] memset+0x0/0x8c
> [<00005b94>] flush_icache_range+0x0/0x30
> [<0005009c>] load_module+0x1304/0x1368
> [<0000eb60>] zer_rm2+0x1c/0x24
> [<0036ed04>] __generic_copy_from_user+0x0/0x40
> [<00010000>] EXPTBL+0x1c8/0x400
> [<0036ec50>] memset+0x0/0x8c
> [<003762ac>] __cond_resched+0x0/0x46
> [<000501d4>] sys_init_module+0xd4/0xda
> [<0000eb60>] zer_rm2+0x1c/0x24
> [<0000536e>] buserr_c+0xc6/0x49a
> [<00002962>] syscall+0x8/0xc
> [<0000eb60>] zer_rm2+0x1c/0x24
> [<0000eb60>] zer_rm2+0x1c/0x24
> [<00010000>] EXPTBL+0x1c8/0x400
> [<0018c00b>] nfs_direct_write_schedule_iovec+0xe3/0x1d6
> 
> Code: 646b 1188 42f6 0000 0000 0000 0000 5246 <4320> 3638 3033 2073 7569 7465 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> Disabling lock debugging due to kernel taint
> 
> All of gss_krb5_test, rpcsec_gss_krb5, auth_rpcgss, oid_registry, and
> kunit are modular.
> 
> Thanks!
> 
> Gr{oetje,eeting}s,
> 
> 						Geert
> 
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
> 
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
> 							    -- Linus Torvalds

--
Chuck Lever
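The "RFC 3961 n-fold" subtests in the transcript above exercise the n-fold expansion that the RFC 3961 key derivation builds on. As an added example (not the kernel's code), the following Python implementation of n-fold checks itself against four of the cases the transcript names, using the expected values from RFC 3961 Appendix A.1; the helper and constant names are assumed, not taken from the kernel.

```python
from math import gcd


def _rotate_right(data: bytes, nbits: int) -> bytes:
    """Rotate a big-endian bit string of 8*len(data) bits right by nbits."""
    width = 8 * len(data)
    nbits %= width
    x = int.from_bytes(data, "big")
    rotated = ((x >> nbits) | (x << (width - nbits))) & ((1 << width) - 1)
    return rotated.to_bytes(len(data), "big")


def nfold(data: bytes, out_bytes: int) -> bytes:
    """RFC 3961 section 5.1 n-fold, n = 8 * out_bytes bits.

    Replicate the input, rotating each copy right 13 bits more than the last,
    until lcm(len(data), out_bytes) bytes are produced; then ones'-complement
    add the out_bytes-sized chunks of that stream.
    """
    if not data or out_bytes <= 0:
        raise ValueError("n-fold needs a non-empty input and a positive size")
    in_bytes = len(data)
    lcm = in_bytes * out_bytes // gcd(in_bytes, out_bytes)
    stream = b"".join(_rotate_right(data, 13 * i) for i in range(lcm // in_bytes))
    width = 8 * out_bytes
    total = sum(int.from_bytes(stream[o:o + out_bytes], "big")
                for o in range(0, lcm, out_bytes))
    while total >> width:  # end-around carry of ones'-complement addition
        total = (total & ((1 << width) - 1)) + (total >> width)
    return total.to_bytes(out_bytes, "big")


# Expected outputs (hex) for four of the cases the KTAP transcript lists;
# the values are the RFC 3961 Appendix A.1 test vectors (constant name assumed).
RFC3961_NFOLD_VECTORS = {
    (b"012345", 8): "be072631276b1955",
    (b"kerberos", 8): "6b65726265726f73",
    (b"kerberos", 16): "6b65726265726f737b9b5b2b93132b93",
    (b"kerberos", 32): "6b65726265726f737b9b5b2b93132b93"
                       "5c9bdcdad95c9899c4cae4dee6d6cae4",
}


def check_vectors() -> dict:
    """Return {subtest name: passed}, named like the KUnit subtests above."""
    return {
        f"{8 * n}-fold({s.decode()!r})": nfold(s, n).hex() == expected
        for (s, n), expected in RFC3961_NFOLD_VECTORS.items()
    }
```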



