md5sum (from libkcapi) fails as splice() returns -ENOKEY

md5sum (from libkcapi) fails as splice() returns -ENOKEY

[christophe leroy]

Hello Stephan,

I'm trying to use md5sum from the latest libkcapi 0.14 and I getting a 
failure with return code -5.

What am I missing ? See strace below, splice() return -ENOKEY.

Christophe

execve("./md5sum", ["./md5sum", "kcapi.tar"], [/* 11 vars */]) = 0
brk(0)                                  = 0x10024000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/ppc823/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/ppc823", 0x7ffa2328) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls", 0x7ffa2328)      = -1 ENOENT (No such file or directory)
open("/usr/lib/ppc823/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/ppc823", 0x7ffa2328)   = -1 ENOENT (No such file or directory)
open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib", {st_mode=S_IFDIR|0755, st_size=3568, ...}) = 0
open("/lib/tls/ppc823/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/ppc823", 0x7ffa2328)   = -1 ENOENT (No such file or directory)
open("/lib/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0x7ffa2328)          = -1 ENOENT (No such file or directory)
open("/lib/ppc823/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/ppc823", 0x7ffa2328)       = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\3\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\2\35\\\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1797540, ...}) = 0
mmap(0xfe58000, 1661856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xfe58000
mprotect(0xffc8000, 114688, PROT_NONE)  = 0
mmap(0xffe4000, 32768, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17c000) = 0xffe4000
mmap(0xffec000, 7072, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xffec000
close(3)                                = 0
mprotect(0xffe4000, 16384, PROT_READ)   = 0
mprotect(0x1001c000, 16384, PROT_READ)  = 0
mprotect(0x779f8000, 16384, PROT_READ)  = 0
brk(0)                                  = 0x10024000
brk(0x10048000)                         = 0x10048000
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "0\n", 1024)                    = 2
close(3)                                = 0
socket(PF_ALG, SOCK_SEQPACKET, 0)       = 3
bind(3, {sa_family=AF_ALG, sa_data="hash\0\0\0\0\0\0\0\0\0\0"}, 88) = 0
pipe([4, 5])                            = 0
socket(PF_NETLINK, SOCK_RAW, 21)        = 6
bind(6, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(6, {sa_family=AF_NETLINK, pid=266, groups=00000000}, [12]) = 0
sendmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0\340\0\23\0\1\0;\232\247\0\0\0\0md5\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 224}], msg_controllen=0, msg_flags=0}, 0) = 224
recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0014\0\23\0\0\0;\232\247\0\0\1\nmd5\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 308
close(6)                                = 0
open("kcapi.tar", O_RDONLY|O_CLOEXEC)   = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=378880, ...}) = 0
mmap(NULL, 378880, PROT_READ, MAP_SHARED, 6, 0) = 0x7795c000
accept(3, 0, NULL)                      = 7
vmsplice(5, [{"bin/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 378880}], 1, SPLICE_F_MORE|SPLICE_F_GIFT) = 262144
splice(4, NULL, 7, NULL, 262144, SPLICE_F_MORE) = -1 ENOKEY (Required key not available)
write(2, "Generation of hash for file kcap"..., 50) = 50
munmap(0x7795c000, 378880)              = 0
close(6)                                = 0
close(3)                                = 0
close(7)                                = 0
close(4)                                = 0
close(5)                                = 0
exit_group(-5)                          = ?
+++ exited with 251 +++


---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Stephan Müller]

Am Montag, 11. September 2017, 19:07:31 CEST schrieb christophe leroy:

Hi christophe,

> Hello Stephan,
> 
> I'm trying to use md5sum from the latest libkcapi 0.14 and I getting a
> failure with return code -5.
> 
> What am I missing ? See strace below, splice() return -ENOKEY.

The ENOKEY error is due to an accept() at the wrong location. But I do not see 
that error:

tar xvfJ libkcapi-0.14.0.tar.xz
cd libkcapi-0.14.0
autoreconf -i
./configure --enable-kcapi-hasher
make
cd bin/.libs/ # I make no make install for testing
ln kcapi-hasher md5sum # create md5sum app
export LD_LIBRARY_PATH=../../.libs/ # location of current library

$ ./md5sum md5sum 
ddd1a82680b16fb6c241d81656b844df  md5sum

So, it works for me.

Can you please check whether you use the current library version? Note, 
library version 0.10.1 fixed the aforementioned accept() call for kernel 4.4 
and later.

$ ./md5sum -v
md5sum: libkcapi 0.14.0

Ciao
Stephan

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Christophe LEROY]

Hi Stephan

Le 11/09/2017 à 21:17, Stephan Müller a écrit :
> Am Montag, 11. September 2017, 19:07:31 CEST schrieb christophe leroy:
> 
> Hi christophe,
> 
>> Hello Stephan,
>>
>> I'm trying to use md5sum from the latest libkcapi 0.14 and I getting a
>> failure with return code -5.
>>
>> What am I missing ? See strace below, splice() return -ENOKEY.
> 
> The ENOKEY error is due to an accept() at the wrong location. But I do not see
> that error:

I did the test once more without the Talitos Crypto driver compiled in 
the kernel, and this time it works.
I believe it must then be an issue with that driver.
What could be the issue, what should I look for in the driver ?

> 
> tar xvfJ libkcapi-0.14.0.tar.xz
> cd libkcapi-0.14.0
> autoreconf -i

I get an error here, have to replace AC_CONFIG_MACRO_DIRS by 
AC_CONFIG_MACRO_DIR in configure.ac

# tar xfJ libkcapi-0.14.0.tar.xz

# cd libkcapi-0.14.0

# autoreconf -i
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
libtoolize: rerunning libtoolize, to keep the correct libtool macros 
in-tree.
configure.ac:26: error: possibly undefined macro: AC_CONFIG_MACRO_DIRS
       If this token and others are legitimate, please use m4_pattern_allow.
       See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

# sed -i s/AC_CONFIG_MACRO_DIRS/AC_CONFIG_MACRO_DIR/g configure.ac

# autoreconf -i
configure.ac:22: installing `./config.guess'
configure.ac:22: installing `./config.sub'
configure.ac:21: installing `./install-sh'
configure.ac:21: installing `./missing'
lib/doc/Makefile.am: installing `./depcomp'

# autoreconf --version
autoreconf (GNU Autoconf) 2.63
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv2+: GNU GPL version 2 or later
<http://gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David J. MacKenzie and Akim Demaille.

Thanks
Christophe


> ./configure --enable-kcapi-hasher
> make
> cd bin/.libs/ # I make no make install for testing
> ln kcapi-hasher md5sum # create md5sum app
> export LD_LIBRARY_PATH=../../.libs/ # location of current library
> 
> $ ./md5sum md5sum
> ddd1a82680b16fb6c241d81656b844df  md5sum
> 
> So, it works for me.
> 
> Can you please check whether you use the current library version? Note,
> library version 0.10.1 fixed the aforementioned accept() call for kernel 4.4
> and later.
> 
> $ ./md5sum -v
> md5sum: libkcapi 0.14.0
> 
> Ciao
> Stephan
> 

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Stephan Mueller]

Am Dienstag, 12. September 2017, 09:01:08 CEST schrieb Christophe LEROY:

Hi Christophe,

> Hi Stephan
> 
> Le 11/09/2017 à 21:17, Stephan Müller a écrit :
> > Am Montag, 11. September 2017, 19:07:31 CEST schrieb christophe leroy:
> > 
> > Hi christophe,
> > 
> >> Hello Stephan,
> >> 
> >> I'm trying to use md5sum from the latest libkcapi 0.14 and I getting a
> >> failure with return code -5.
> >> 
> >> What am I missing ? See strace below, splice() return -ENOKEY.
> > 
> > The ENOKEY error is due to an accept() at the wrong location. But I do not
> > see
> > that error:
> I did the test once more without the Talitos Crypto driver compiled in
> the kernel, and this time it works.
> I believe it must then be an issue with that driver.
> What could be the issue, what should I look for in the driver ?
> 

I think I see the error in talitos.c -- yet I do not have that hardware so I 
cannot create a patch and test.

In talitos_alg_alloc the function pointer setkey is set unconditional for 
CRYPTO_ALG_TYPE_AHASH. This is correct for HMAC/CMAC, but not correct for 
staight hashes. As both, md5 and hmac(md5) (and also for the SHA equivalents) 
are marked as CRYPTO_ALG_TYPE_AHASH in driver_algs, they all will get a setkey 
function.

This will trigger the following code in algif_hash:

static int hash_accept_parent(void *private, struct sock *sk)
{
        struct algif_hash_tfm *tfm = private;

        if (!tfm->has_key && crypto_ahash_has_setkey(tfm->hash))
                return -ENOKEY;

If the setkey would not be present for the straight hashes, ENOKEY would not 
be returned.

...

> 
> # autoreconf --version
> autoreconf (GNU Autoconf) 2.63

Thanks for the bug report. But I think the autoconf tools are not up to date. 
It should be 2.69.

Could you please check whether you can update?

I am thinking now to add AC_PREREQ([2.60]) to configure.ac.



Ciao
Stephan

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Stephan Mueller]

Am Dienstag, 12. September 2017, 09:20:41 CEST schrieb Stephan Mueller:

> I am thinking now to add AC_PREREQ([2.60]) to configure.ac.

I meant 2.69, of course? :-)

Ciao
Stephan

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Christophe LEROY]

Hi Stephan,

Le 12/09/2017 à 09:20, Stephan Mueller a écrit :
> Am Dienstag, 12. September 2017, 09:01:08 CEST schrieb Christophe LEROY:
> 
> Hi Christophe,
> 
>> Hi Stephan
>>
>> Le 11/09/2017 à 21:17, Stephan Müller a écrit :
>>> Am Montag, 11. September 2017, 19:07:31 CEST schrieb christophe leroy:
>>>
>>> Hi christophe,
>>>
>>>> Hello Stephan,
>>>>
>>>> I'm trying to use md5sum from the latest libkcapi 0.14 and I getting a
>>>> failure with return code -5.
>>>>
>>>> What am I missing ? See strace below, splice() return -ENOKEY.
>>>
>>> The ENOKEY error is due to an accept() at the wrong location. But I do not
>>> see
>>> that error:
>> I did the test once more without the Talitos Crypto driver compiled in
>> the kernel, and this time it works.
>> I believe it must then be an issue with that driver.
>> What could be the issue, what should I look for in the driver ?
>>
> 
> I think I see the error in talitos.c -- yet I do not have that hardware so I
> cannot create a patch and test.
> 
> In talitos_alg_alloc the function pointer setkey is set unconditional for
> CRYPTO_ALG_TYPE_AHASH. This is correct for HMAC/CMAC, but not correct for
> staight hashes. As both, md5 and hmac(md5) (and also for the SHA equivalents)
> are marked as CRYPTO_ALG_TYPE_AHASH in driver_algs, they all will get a setkey
> function.
> 
> This will trigger the following code in algif_hash:
> 
> static int hash_accept_parent(void *private, struct sock *sk)
> {
>          struct algif_hash_tfm *tfm = private;
> 
>          if (!tfm->has_key && crypto_ahash_has_setkey(tfm->hash))
>                  return -ENOKEY;
> 
> If the setkey would not be present for the straight hashes, ENOKEY would not
> be returned.

Thanks.
I modified it and it now works (allthough it doesn't provide the correct 
MD5sum ... have to findout why)
I submitted a patch for it.

Christophe
> 
> ...
> 
>>
>> # autoreconf --version
>> autoreconf (GNU Autoconf) 2.63
> 
> Thanks for the bug report. But I think the autoconf tools are not up to date.
> It should be 2.69.
> 
> Could you please check whether you can update?
> 
> I am thinking now to add AC_PREREQ([2.60]) to configure.ac.
> 
> 
> 
> Ciao
> Stephan
> 

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Christophe LEROY]

Hi again

Le 12/09/2017 à 09:22, Stephan Mueller a écrit :
> Am Dienstag, 12. September 2017, 09:20:41 CEST schrieb Stephan Mueller:
> 
>> I am thinking now to add AC_PREREQ([2.60]) to configure.ac.
> 
> I meant 2.69, of course? :-)

Ok ... CentOS ships with 2.63 and no update seems available via 'yum 
update'.

Is 2.69 really necessary ? It seems to work just fine with 2.63 once the 
modification is done.

Christophe


> 
> Ciao
> Stephan
> 

Re: md5sum (from libkcapi) fails as splice() returns -ENOKEY

[Stephan Mueller]

Am Dienstag, 12. September 2017, 11:07:26 CEST schrieb Christophe LEROY:

Hi Christophe,

> Hi again
> 
> Le 12/09/2017 à 09:22, Stephan Mueller a écrit :
> > Am Dienstag, 12. September 2017, 09:20:41 CEST schrieb Stephan Mueller:
> >> I am thinking now to add AC_PREREQ([2.60]) to configure.ac.
> > 
> > I meant 2.69, of course? :-)
> 
> Ok ... CentOS ships with 2.63 and no update seems available via 'yum
> update'.
> 
> Is 2.69 really necessary ? It seems to work just fine with 2.63 once the
> modification is done.

Ok, then I will make that change, thanks for letting me know.
> 
> Christophe
> 
> > Ciao
> > Stephan



Ciao
Stephan