IPSec ESN: Packets decryption fail with ESN enabled connection

IPSec ESN: Packets decryption fail with ESN enabled connection

[Harsh Jain]

[-- Attachment #1: Type: text/plain, Size: 1377 bytes --]

Hi All,

Kernel version on both machines: 4.19.7.

Packet drops with EBADMSG is observed on receive end of connection. It seems that sometimes crypto driver receives packet with wrong "seq_hi" value in AAD. See below the dump of assoc data for 1 such instance.

[  380.823454] assoclen 8th byte 1 clen 1464 op 1  ==> High byte of ESN
[  380.828398] authsize 12 cryptlen 1464
[  380.832637] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 ==> Decrypted data seems correct,last byte is proto(06 TCP)
[  380.840215] dt00000010: bf ee 4f 80 a4 7f 2a 50 6a 5a 0b 10
[  380.846636] ass00000000: 0a bc d3 31 <00 00 00 01> 00 1c e5 ec 0e af 04 69 ==> ESN-Hi = 1
[  380.854316] ass00000010: a4 fc 08 ad

Note: If I decrypt the same packet with ESN - Hi = 0. It Decrypt successfully means peer machine has used ESN-HI = 0 while encrypting.

To debug further we added trace in "xfrm_replay_seqhi". Following was the output:

 <idle>-0     [003] ..s.   380.967766: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 1ce5ec bottom 0x 1ce5ee replay seq 0x 1ce62d replay window 0x 40

1) Is this an expected variable with ESN enables connection?.

2) If packets are supposed to be dropped can't we avoid decryption overhead.

Following logs are attached

1) dmesg log

2) debug patch used to reproduce the issue.

3) ftace log file

4) ip xfrm state list


Regards

Harsh Jain



[-- Attachment #2: dmesg.log --]
[-- Type: text/plain, Size: 8359 bytes --]

[  332.906713] alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106-gcm-aes-chcr))
[  380.823454] assoclen 8th byte 1 clen 1464 op 1
[  380.828398] authsize 12 cryptlen 1464
[  380.832637] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  380.840215] dt00000010: bf ee 4f 80 a4 7f 2a 50 6a 5a 0b 10
[  380.846636] ass00000000: 0a bc d3 31 00 00 00 01 00 1c e5 ec 0e af 04 69
[  380.854316] ass00000010: a4 fc 08 ad
[  410.554838] assoclen 8th byte 1 clen 48 op 1
[  410.559944] authsize 12 cryptlen 48
[  410.563885] dt00000000: 01 01 08 0a 6c 1d 2c 2e 16 7d fa 58 00 01 01 06
[  410.571504] dt00000010: 35 05 32 69 93 2a 68 24 4c 45 b3 8d
[  410.577908] ass00000000: 0a bc d3 31 00 00 00 01 00 3f 89 5e 0e af 04 69
[  410.585604] ass00000010: a4 df 64 1f
[  410.783712] assoclen 8th byte 1 clen 1464 op 1
[  410.788603] authsize 12 cryptlen 1464
[  410.792617] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  410.800236] dt00000010: 49 7d 28 3e e2 35 66 ca 0f 84 54 b1
[  410.806615] ass00000000: 0a bc d3 31 00 00 00 01 00 3f c2 c9 0e af 04 69
[  410.814336] ass00000010: a4 df 2f 88
[  410.856390] assoclen 8th byte 1 clen 1464 op 1
[  410.861499] authsize 12 cryptlen 1464
[  410.865710] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  410.873407] dt00000010: 3f 59 b5 41 1f a0 2a 49 72 38 ea 04
[  410.879786] ass00000000: 0a bc d3 31 00 00 00 01 00 3f cc b6 0e af 04 69
[  410.887404] ass00000010: a4 df 21 f7
[  410.895450] assoclen 8th byte 1 clen 1464 op 1
[  410.900492] authsize 12 cryptlen 1464
[  410.904686] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  410.912327] dt00000010: f7 67 32 e5 55 5c 46 b0 7c 58 dd d8
[  410.918725] ass00000000: 0a bc d3 31 00 00 00 01 00 3f cd 9c 0e af 04 69
[  410.926440] ass00000010: a4 df 20 dd
[  410.960343] assoclen 8th byte 1 clen 1464 op 1
[  410.965221] authsize 12 cryptlen 1464
[  410.969334] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  410.977003] dt00000010: f0 11 fd 7c cb 11 86 86 af 91 9b 6d
[  410.983527] ass00000000: 0a bc d3 31 00 00 00 01 00 3f d5 21 0e af 04 69
[  410.991697] ass00000010: a4 df 38 60
[  411.156836] assoclen 8th byte 1 clen 1464 op 1
[  411.161836] authsize 12 cryptlen 1464
[  411.166052] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.173699] dt00000010: ad 04 6f 17 40 fe 82 72 76 80 45 09
[  411.180183] ass00000000: 0a bc d3 31 00 00 00 01 00 40 01 d1 0e af 04 69
[  411.187981] ass00000010: a4 a0 ec 90
[  411.218735] assoclen 8th byte 1 clen 1464 op 1
[  411.223650] authsize 12 cryptlen 1464
[  411.227841] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.235115] dt00000010: 15 1f 5d d6 c0 f3 93 85 0e 95 5e 48
[  411.241166] ass00000000: 0a bc d3 31 00 00 00 01 00 40 05 9b 0e af 04 69
[  411.248798] ass00000010: a4 a0 e8 da
[  411.343551] assoclen 8th byte 1 clen 1464 op 1
[  411.348507] authsize 12 cryptlen 1464
[  411.352691] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.360120] dt00000010: 6f 30 6e bb 11 0c 79 f2 39 7e a0 1a
[  411.366496] ass00000000: 0a bc d3 31 00 00 00 01 00 40 17 3d 0e af 04 69
[  411.374265] ass00000010: a4 a0 fa 7c
[  411.390500] assoclen 8th byte 1 clen 1464 op 1
[  411.395523] authsize 12 cryptlen 1464
[  411.399569] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.406857] dt00000010: d0 9f 7c cf 6a c7 90 51 4f 3d 1f dc
[  411.413053] ass00000000: 0a bc d3 31 00 00 00 01 00 40 19 ff 0e af 04 69
[  411.420480] ass00000010: a4 a0 f4 be
[  411.451036] assoclen 8th byte 1 clen 1464 op 1
[  411.455914] authsize 12 cryptlen 1464
[  411.460003] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.467316] dt00000010: 00 48 a6 50 b6 b3 67 f2 9a 87 06 05
[  411.473497] ass00000000: 0a bc d3 31 00 00 00 01 00 40 20 e8 0e af 04 69
[  411.480886] ass00000010: a4 a0 cd a9
[  411.493908] assoclen 8th byte 1 clen 1464 op 1
[  411.499081] authsize 12 cryptlen 1464
[  411.503454] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.510716] dt00000010: 2c ea 03 e1 9f a8 27 28 e8 22 5f 94
[  411.516874] ass00000000: 0a bc d3 31 00 00 00 01 00 40 22 d1 0e af 04 69
[  411.524292] ass00000010: a4 a0 cf 90
[  411.670707] assoclen 8th byte 1 clen 1308 op 1
[  411.675597] authsize 12 cryptlen 1308
[  411.679631] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 01 02 02 06
[  411.686882] dt00000010: 28 e5 1d 38 2b e2 28 ff a1 87 4b 3d
[  411.693012] ass00000000: 0a bc d3 31 00 00 00 01 00 40 49 3c 0e af 04 69
[  411.700352] ass00000010: a4 a0 a4 7d
[  411.888764] assoclen 8th byte 1 clen 1464 op 1
[  411.893725] authsize 12 cryptlen 1464
[  411.898006] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.905667] dt00000010: 99 46 ae b4 98 86 97 38 89 01 30 4a
[  411.912186] ass00000000: 0a bc d3 31 00 00 00 01 00 40 75 eb 0e af 04 69
[  411.919994] ass00000010: a4 a0 98 aa
[  411.941061] assoclen 8th byte 1 clen 1464 op 1
[  411.946060] authsize 12 cryptlen 1464
[  411.950240] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  411.957833] dt00000010: 2a c6 d5 ee 8b 71 27 34 68 05 cd be
[  411.964236] ass00000000: 0a bc d3 31 00 00 00 01 00 40 79 63 0e af 04 69
[  411.971897] ass00000010: a4 a0 94 22
[  412.022407] assoclen 8th byte 1 clen 48 op 1
[  412.027202] authsize 12 cryptlen 48
[  412.031253] dt00000000: 01 01 08 0a 6c 1d 31 e9 16 7e 00 0a 00 01 01 06
[  412.038827] dt00000010: 60 68 e4 8d 0c 18 9e 95 a9 87 36 64
[  412.045270] ass00000000: 0a bc d3 31 00 00 00 01 00 40 84 c0 0e af 04 69
[  412.052914] ass00000010: a4 a0 69 81
[  412.069077] assoclen 8th byte 1 clen 1308 op 1
[  412.074283] authsize 12 cryptlen 1308
[  412.078543] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 01 02 02 06
[  412.086158] dt00000010: 4b 54 27 22 64 2d 1e 84 f2 d4 18 7b
[  412.092540] ass00000000: 0a bc d3 31 00 00 00 01 00 40 87 20 0e af 04 69
[  412.100260] ass00000010: a4 a0 6a 61
[  412.152515] assoclen 8th byte 1 clen 1464 op 1
[  412.157484] authsize 12 cryptlen 1464
[  412.161645] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  412.169259] dt00000010: 59 ac 43 eb e2 7e 95 da f9 8e aa 2c
[  412.175631] ass00000000: 0a bc d3 31 00 00 00 01 00 40 94 6a 0e af 04 69
[  412.183268] ass00000010: a4 a0 79 2b
[  412.241431] assoclen 8th byte 1 clen 1308 op 1
[  412.246381] authsize 12 cryptlen 1308
[  412.250633] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 01 02 02 06
[  412.258262] dt00000010: 93 0d bc 69 74 87 bd 45 54 30 0b 2f
[  412.264648] ass00000000: 0a bc d3 31 00 00 00 01 00 40 a2 b8 0e af 04 69
[  412.272645] ass00000010: a4 a0 4f f9
[  412.283069] assoclen 8th byte 1 clen 1464 op 1
[  412.288041] authsize 12 cryptlen 1464
[  412.292259] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  412.299832] dt00000010: 2f 63 b7 7b 5d 74 61 2b 76 35 47 4e
[  412.306258] ass00000000: 0a bc d3 31 00 00 00 01 00 40 a4 30 0e af 04 69
[  412.313919] ass00000010: a4 a0 49 71
[  412.338312] assoclen 8th byte 1 clen 1308 op 1
[  412.343035] authsize 12 cryptlen 1308
[  412.347033] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 01 02 02 06
[  412.354640] dt00000010: ea 49 09 eb 16 70 f2 c6 5b 5f b2 e2
[  412.361068] ass00000000: 0a bc d3 31 00 00 00 01 00 40 a9 1b 0e af 04 69
[  412.368741] ass00000010: a4 a0 44 5a
[  412.390526] assoclen 8th byte 1 clen 1308 op 1
[  412.395440] authsize 12 cryptlen 1308
[  412.399528] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 01 02 02 06
[  412.407159] dt00000010: ae 76 fb 6d e0 05 93 3f 0b 02 c3 94
[  412.413531] ass00000000: 0a bc d3 31 00 00 00 01 00 40 ad 7f 0e af 04 69
[  412.421356] ass00000010: a4 a0 40 3e
[  412.444239] assoclen 8th byte 1 clen 1464 op 1
[  412.449168] authsize 12 cryptlen 1464
[  412.453234] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  412.460823] dt00000010: cf d2 3d 60 de 7a 7e fd 6c c6 41 d3
[  412.467255] ass00000000: 0a bc d3 31 00 00 00 01 00 40 b2 43 0e af 04 69
[  412.474923] ass00000010: a4 a0 5f 02
[  412.538722] assoclen 8th byte 1 clen 1464 op 1
[  412.543661] authsize 12 cryptlen 1464
[  412.547693] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[  412.555352] dt00000010: 1f ac 19 2f 4c d7 c2 46 36 6b 5d 3c
[  412.561740] ass00000000: 0a bc d3 31 00 00 00 01 00 40 c3 12 0e af 04 69
[  412.569451] ass00000010: a4 a0 2e 53

[-- Attachment #3: patch.diff --]
[-- Type: text/plain, Size: 4736 bytes --]

diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
index bd3ee2a..1102301 100644
--- a/drivers/crypto/chelsio/chcr_algo.c
+++ b/drivers/crypto/chelsio/chcr_algo.c
@@ -225,12 +225,32 @@ static inline int chcr_handle_aead_resp(struct aead_request *req,
 	struct chcr_aead_reqctx *reqctx = aead_request_ctx(req);
 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
 	struct chcr_dev *dev = a_ctx(tfm)->dev;
+	u8 tmp[64];
+	int skip, lenp, authsize;
 
 	chcr_aead_common_exit(req);
 	if (reqctx->verify == VERIFY_SW) {
 		chcr_verify_tag(req, input, &err);
 		reqctx->verify = VERIFY_HW;
 	}
+       if (err == -EBADMSG) {
+               authsize = crypto_aead_authsize(tfm);
+               skip = req->assoclen + req->cryptlen - authsize - 16;
+               lenp = authsize + 16;
+               printk("authsize %d cryptlen %d\n", authsize, req->cryptlen);
+               sg_pcopy_to_buffer(req->dst, sg_nents(req->dst),
+                                tmp, lenp, skip);
+              // sg_pcopy_to_buffer(req->dst, sg_nents(req->dst),
+                //          tmp, req->assoclen + 16, 972);
+
+       print_hex_dump(KERN_CONT, "dt", DUMP_PREFIX_OFFSET, 16, 1,tmp, lenp, false);
+       sg_pcopy_to_buffer(req->dst, sg_nents(req->dst),
+                                  tmp, req->assoclen, 0);
+       print_hex_dump(KERN_CONT, "ass", DUMP_PREFIX_OFFSET, 16, 1,tmp, req->assoclen, false);
+      // print_hex_dump(KERN_CONT, "assbef", DUMP_PREFIX_OFFSET, 16, 1,reqctx->tmp, req->assoclen, false);
+	
+
+       }
 	chcr_dec_wrcount(dev);
 	req->base.complete(&req->base, err);
 
@@ -3023,6 +3043,14 @@ static struct sk_buff *create_gcm_wr(struct aead_request *req,
 	error = chcr_aead_common_init(req);
 	if (error)
 		return ERR_PTR(error);
+	if (req->assoclen == 20) {
+		sg_pcopy_to_buffer(req->src, sg_nents(req->src), reqctx->tmp, 20, 0);
+#if 1
+		if (reqctx->tmp[7]) {
+			printk("assoclen 8th byte %d clen %d op %d\n", reqctx->tmp[7], req->cryptlen, reqctx->op);
+		}
+#endif
+	}
 	dnents = sg_nents_xlen(req->dst, req->assoclen + req->cryptlen +
 				(reqctx->op ? -authsize : authsize),
 				CHCR_DST_SG_SIZE, 0);
diff --git a/drivers/crypto/chelsio/chcr_crypto.h b/drivers/crypto/chelsio/chcr_crypto.h
index e231e8b..7940fcf 100644
--- a/drivers/crypto/chelsio/chcr_crypto.h
+++ b/drivers/crypto/chelsio/chcr_crypto.h
@@ -189,6 +189,7 @@ struct chcr_aead_reqctx {
 	u16 imm;
 	u16 verify;
 	u8 iv[CHCR_MAX_CRYPTO_IV_LEN + MAX_SCRATCH_PAD_SIZE];
+	u8 tmp[24];
 	u8 *scratch_pad;
 };
 
diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_pci_id_tbl.h b/drivers/net/ethernet/chelsio/cxgb4/t4_pci_id_tbl.h
index 60df66f..8689109 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/t4_pci_id_tbl.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/t4_pci_id_tbl.h
@@ -205,6 +205,7 @@
 	CH_PCI_ID_TABLE_FENTRY(0x6009),
 	CH_PCI_ID_TABLE_FENTRY(0x600d),
 	CH_PCI_ID_TABLE_FENTRY(0x6011),
+	CH_PCI_ID_TABLE_FENTRY(0x6010),
 	CH_PCI_ID_TABLE_FENTRY(0x6014),
 	CH_PCI_ID_TABLE_FENTRY(0x6015),
 	CH_PCI_ID_TABLE_FENTRY(0x6080),
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 9768901..6fffac6 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -761,7 +761,15 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
 	aead_request_set_ad(req, assoclen);
+#if 0
+{
+	u8 tmp[24];
 
+sg_pcopy_to_buffer(sg, sg_nents(sg),
+                                tmp, assoclen, 0);
+print_hex_dump(KERN_CONT, "espass", DUMP_PREFIX_OFFSET, 16, 1,tmp, assoclen, false);
+}
+#endif
 	err = crypto_aead_decrypt(req);
 	if (err == -EINPROGRESS)
 		goto out;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index be3520e..70d0e5a 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -384,7 +384,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 
 		XFRM_SKB_CB(skb)->seq.input.low = seq;
 		XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
-
+if (seq_hi)
+	trace_printk("hi %x lo %x\n", seq_hi, seq);
 		skb_dst_force(skb);
 		dev_hold(skb->dev);
 
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 9e3a5e85..059bbfb 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -35,8 +35,10 @@ u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq)
 
 	if (likely(replay_esn->seq >= replay_esn->replay_window - 1)) {
 		/* A. same subspace */
-		if (unlikely(seq < bottom))
+		if (unlikely(seq < bottom)) {
 			seq_hi++;
+		trace_printk("seq_hi 0x %x seq 0x %x bottom 0x %x replay seq 0x %x replay window 0x %x\n", seq_hi, seq, bottom, replay_esn->seq, replay_esn->replay_window);
+		}
 	} else {
 		/* B. window spans two subspaces */
 		if (unlikely(seq >= bottom))

[-- Attachment #4: trace --]
[-- Type: text/plain, Size: 6451 bytes --]

# tracer: nop
#
#                              _-----=> irqs-off
#                             / _----=> need-resched
#                            | / _---=> hardirq/softirq
#                            || / _--=> preempt-depth
#                            ||| /     delay
#           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
#              | |       |   ||||       |         |
          <idle>-0     [003] ..s.   380.967766: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 1ce5ec bottom 0x 1ce5ee replay seq 0x 1ce62d replay window 0x 40
          <idle>-0     [003] ..s.   380.967768: xfrm_input: hi 1000000 lo ece51c00
     ksoftirqd/7-47    [007] ..s.   398.904404: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 319dd2 bottom 0x 319dd3 replay seq 0x 319e12 replay window 0x 40
          <idle>-0     [007] ..s.   403.827904: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 377334 bottom 0x 377336 replay seq 0x 377375 replay window 0x 40
       netserver-9089  [003] ..s.   410.699151: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3f895e bottom 0x 3f8967 replay seq 0x 3f89a6 replay window 0x 40
       netserver-9089  [003] ..s.   410.699153: xfrm_input: hi 1000000 lo 5e893f00
       netserver-9089  [003] ..s1   410.928023: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3fc2c9 bottom 0x 3fc2db replay seq 0x 3fc31a replay window 0x 40
       netserver-9089  [003] ..s1   410.928025: xfrm_input: hi 1000000 lo c9c23f00
          <idle>-0     [003] .Ns.   411.000702: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3fccb6 bottom 0x 3fccc9 replay seq 0x 3fcd08 replay window 0x 40
          <idle>-0     [003] .Ns.   411.000703: xfrm_input: hi 1000000 lo b6cc3f00
          <idle>-0     [003] .Ns.   411.039764: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3fcd9c bottom 0x 3fcdaf replay seq 0x 3fcdee replay window 0x 40
          <idle>-0     [003] .Ns.   411.039765: xfrm_input: hi 1000000 lo 9ccd3f00
          <idle>-0     [003] ..s.   411.104656: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3fd521 bottom 0x 3fd524 replay seq 0x 3fd563 replay window 0x 40
          <idle>-0     [003] ..s.   411.104657: xfrm_input: hi 1000000 lo 21d53f00
     ksoftirqd/7-47    [007] ..s.   411.277935: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 3ffb91 bottom 0x 3ffb92 replay seq 0x 3ffbd1 replay window 0x 40
          <idle>-0     [003] ..s.   411.301147: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4001d1 bottom 0x 4001e3 replay seq 0x 400222 replay window 0x 40
          <idle>-0     [003] ..s.   411.301148: xfrm_input: hi 1000000 lo d1014000
          <idle>-0     [003] ..s.   411.363046: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40059b bottom 0x 40059e replay seq 0x 4005dd replay window 0x 40
          <idle>-0     [003] .Ns.   411.363048: xfrm_input: hi 1000000 lo 9b054000
       netserver-9089  [003] ..s.   411.487863: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40173d bottom 0x 401772 replay seq 0x 4017b1 replay window 0x 40
       netserver-9089  [003] ..s.   411.487865: xfrm_input: hi 1000000 lo 3d174000
          <idle>-0     [003] .Ns.   411.534813: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4019ff bottom 0x 401a19 replay seq 0x 401a58 replay window 0x 40
          <idle>-0     [003] .Ns.   411.534814: xfrm_input: hi 1000000 lo ff194000
       netserver-9090  [003] ..s.   411.595348: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4020e8 bottom 0x 4020fd replay seq 0x 40213c replay window 0x 40
       netserver-9090  [003] ..s.   411.595350: xfrm_input: hi 1000000 lo e8204000
     dbus-daemon-793   [003] ..s.   411.638221: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4022d1 bottom 0x 4022fe replay seq 0x 40233d replay window 0x 40
     dbus-daemon-793   [003] ..s.   411.638222: xfrm_input: hi 1000000 lo d1224000
       netserver-9090  [003] ..s1   411.815020: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40493c bottom 0x 404954 replay seq 0x 404993 replay window 0x 40
       netserver-9090  [003] ..s1   411.815021: xfrm_input: hi 1000000 lo 3c494000
           lspci-9154  [003] ..s.   412.033076: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4075eb bottom 0x 407620 replay seq 0x 40765f replay window 0x 40
           lspci-9154  [003] ..s.   412.033078: xfrm_input: hi 1000000 lo eb754000
          <idle>-0     [003] .Ns.   412.085373: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 407963 bottom 0x 40798d replay seq 0x 4079cc replay window 0x 40
          <idle>-0     [003] .Ns.   412.085374: xfrm_input: hi 1000000 lo 63794000
          <idle>-0     [003] ..s.   412.166720: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 4084c0 bottom 0x 408516 replay seq 0x 408555 replay window 0x 40
          <idle>-0     [003] ..s.   412.166722: xfrm_input: hi 1000000 lo c0844000
          <idle>-0     [003] .Ns.   412.213390: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 408720 bottom 0x 4087a8 replay seq 0x 4087e7 replay window 0x 40
          <idle>-0     [003] .Ns.   412.213391: xfrm_input: hi 1000000 lo 20874000
       netserver-9105  [003] ..s.   412.296827: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40946a bottom 0x 40946d replay seq 0x 4094ac replay window 0x 40
       netserver-9105  [003] ..s.   412.296828: xfrm_input: hi 1000000 lo 6a944000
          <idle>-0     [003] .Ns.   412.385744: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40a2b8 bottom 0x 40a2c5 replay seq 0x 40a304 replay window 0x 40
          <idle>-0     [003] .Ns.   412.385746: xfrm_input: hi 1000000 lo b8a24000
       netserver-9105  [003] ..s.   412.427381: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40a430 bottom 0x 40a431 replay seq 0x 40a470 replay window 0x 40
       netserver-9105  [003] ..s.   412.427382: xfrm_input: hi 1000000 lo 30a44000
          <idle>-0     [003] ..s.   412.482624: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40a91b bottom 0x 40a91f replay seq 0x 40a95e replay window 0x 40
          <idle>-0     [003] ..s.   412.482625: xfrm_input: hi 1000000 lo 1ba94000
          <idle>-0     [003] .Ns.   412.534834: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40ad7f bottom 0x 40ad8c replay seq 0x 40adcb replay window 0x 40
          <idle>-0     [003] .Ns.   412.534836: xfrm_input: hi 1000000 lo 7fad4000
       netserver-9105  [003] ..s.   412.588551: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40b243 bottom 0x 40b250 replay seq 0x 40b28f replay window 0x 40
       netserver-9105  [003] ..s.   412.588552: xfrm_input: hi 1000000 lo 43b24000
       netserver-9105  [003] ..s.   412.683034: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 40c312 bottom 0x 40c328 replay seq 0x 40c367 replay window 0x 40
       netserver-9105  [003] ..s.   412.683035: xfrm_input: hi 1000000 lo 12c34000

[-- Attachment #5: xfrm_list_where_drop_happen.log --]
[-- Type: text/plain, Size: 1362 bytes --]

src 1.2.2.96 dst 1.2.2.108
	proto esp spi 0x0eeffaa2 reqid 95874 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 64, bitmap-length 2
	 00000000 00000000 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 1.2.2.108 dst 1.2.2.96
	proto esp spi 0x0eeffaa1 reqid 95873 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 64, bitmap-length 2
	 00000000 00000000 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 1.0.0.96 dst 1.0.0.108
	proto esp spi 0x0abcd332 reqid 91442 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x2246df
	 replay_window 64, bitmap-length 2
	 00000000 00000000 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 1.0.0.108 dst 1.0.0.96
	proto esp spi 0x0abcd331 reqid 91441 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0x40e3d0, oseq-hi 0x0, oseq 0x0
	 replay_window 64, bitmap-length 2
	 ffffffff ffffffff 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 

Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Harsh Jain]

+linux-crypto

On 26-12-2018 14:54, Harsh Jain wrote:
> Hi All,
>
> Kernel version on both machines: 4.19.7.
>
> Packet drops with EBADMSG is observed on receive end of connection. It seems that sometimes crypto driver receives packet with wrong "seq_hi" value in AAD. See below the dump of assoc data for 1 such instance.
>
> [  380.823454] assoclen 8th byte 1 clen 1464 op 1  ==> High byte of ESN
> [  380.828398] authsize 12 cryptlen 1464
> [  380.832637] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 ==> Decrypted data seems correct,last byte is proto(06 TCP)
> [  380.840215] dt00000010: bf ee 4f 80 a4 7f 2a 50 6a 5a 0b 10
> [  380.846636] ass00000000: 0a bc d3 31 <00 00 00 01> 00 1c e5 ec 0e af 04 69 ==> ESN-Hi = 1
> [  380.854316] ass00000010: a4 fc 08 ad
>
> Note: If I decrypt the same packet with ESN - Hi = 0. It Decrypt successfully means peer machine has used ESN-HI = 0 while encrypting.
>
> To debug further we added trace in "xfrm_replay_seqhi". Following was the output:
>
>  <idle>-0     [003] ..s.   380.967766: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 1ce5ec bottom 0x 1ce5ee replay seq 0x 1ce62d replay window 0x 40
>
> 1) Is this an expected variable with ESN enables connection?.
>
> 2) If packets are supposed to be dropped can't we avoid decryption overhead.
>
> Following logs are attached
>
> 1) dmesg log
>
> 2) debug patch used to reproduce the issue.
>
> 3) ftace log file
>
> 4) ip xfrm state list
>
>
> Regards
>
> Harsh Jain
>
>

Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Herbert Xu]

On Wed, Dec 26, 2018 at 03:16:29PM +0530, Harsh Jain wrote:
> +linux-crypto
> 
> On 26-12-2018 14:54, Harsh Jain wrote:
> > Hi All,
> >
> > Kernel version on both machines: 4.19.7.
> >
> > Packet drops with EBADMSG is observed on receive end of connection. It seems that sometimes crypto driver receives packet with wrong "seq_hi" value in AAD. See below the dump of assoc data for 1 such instance.
> >
> > [  380.823454] assoclen 8th byte 1 clen 1464 op 1  ==> High byte of ESN
> > [  380.828398] authsize 12 cryptlen 1464
> > [  380.832637] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 ==> Decrypted data seems correct,last byte is proto(06 TCP)
> > [  380.840215] dt00000010: bf ee 4f 80 a4 7f 2a 50 6a 5a 0b 10
> > [  380.846636] ass00000000: 0a bc d3 31 <00 00 00 01> 00 1c e5 ec 0e af 04 69 ==> ESN-Hi = 1
> > [  380.854316] ass00000010: a4 fc 08 ad
> >
> > Note: If I decrypt the same packet with ESN - Hi = 0. It Decrypt successfully means peer machine has used ESN-HI = 0 while encrypting.
> >
> > To debug further we added trace in "xfrm_replay_seqhi". Following was the output:
> >
> >  <idle>-0     [003] ..s.   380.967766: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 1ce5ec bottom 0x 1ce5ee replay seq 0x 1ce62d replay window 0x 40
> >
> > 1) Is this an expected variable with ESN enables connection?.
> >
> > 2) If packets are supposed to be dropped can't we avoid decryption overhead.
> >
> > Following logs are attached
> >
> > 1) dmesg log
> >
> > 2) debug patch used to reproduce the issue.
> >
> > 3) ftace log file
> >
> > 4) ip xfrm state list

Does this occur if you use software crypto on the receiving end
while keeping the sending end unchanged?

If not then I would start debugging this within your driver.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Harsh Jain]

On 02-01-2019 18:21, Herbert Xu wrote:
> On Wed, Dec 26, 2018 at 03:16:29PM +0530, Harsh Jain wrote:
>> +linux-crypto
>>
>> On 26-12-2018 14:54, Harsh Jain wrote:
>>> Hi All,
>>>
>>> Kernel version on both machines: 4.19.7.
>>>
>>> Packet drops with EBADMSG is observed on receive end of connection. It seems that sometimes crypto driver receives packet with wrong "seq_hi" value in AAD. See below the dump of assoc data for 1 such instance.
>>>
>>> [  380.823454] assoclen 8th byte 1 clen 1464 op 1  ==> High byte of ESN
>>> [  380.828398] authsize 12 cryptlen 1464
>>> [  380.832637] dt00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 ==> Decrypted data seems correct,last byte is proto(06 TCP)
>>> [  380.840215] dt00000010: bf ee 4f 80 a4 7f 2a 50 6a 5a 0b 10
>>> [  380.846636] ass00000000: 0a bc d3 31 <00 00 00 01> 00 1c e5 ec 0e af 04 69 ==> ESN-Hi = 1
>>> [  380.854316] ass00000010: a4 fc 08 ad
>>>
>>> Note: If I decrypt the same packet with ESN - Hi = 0. It Decrypt successfully means peer machine has used ESN-HI = 0 while encrypting.
>>>
>>> To debug further we added trace in "xfrm_replay_seqhi". Following was the output:
>>>
>>>  <idle>-0     [003] ..s.   380.967766: xfrm_replay_seqhi: seq_hi 0x 1 seq 0x 1ce5ec bottom 0x 1ce5ee replay seq 0x 1ce62d replay window 0x 40
>>>
>>> 1) Is this an expected variable with ESN enables connection?.
>>>
>>> 2) If packets are supposed to be dropped can't we avoid decryption overhead.
>>>
>>> Following logs are attached
>>>
>>> 1) dmesg log
>>>
>>> 2) debug patch used to reproduce the issue.
>>>
>>> 3) ftace log file
>>>
>>> 4) ip xfrm state list
> Does this occur if you use software crypto on the receiving end
> while keeping the sending end unchanged?

I tried with "authencesn(hmac(sha1-ssse3),cbc(aes-asm))" on both sides.

Server : iperf  -s  -w 512k  -p 20002

Client : iperf  -t 60 -w 512k -l 2048 -c 1.0.0.96 -P 32 -p 20002

>
> If not then I would start debugging this within your driver.

ESP Packet whose's sequence No. is out of window gets dropped with EBADMSG.  It seems that "xfrm_replay_seqhi" intentionally increments the "seq_hi" to fail verification for Out of seq packet.

>
> Thanks,

Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Steffen Klassert]

On Thu, Jan 03, 2019 at 04:16:56PM +0530, Harsh Jain wrote:
> 
> On 02-01-2019 18:21, Herbert Xu wrote:
> > Does this occur if you use software crypto on the receiving end
> > while keeping the sending end unchanged?
> 
> I tried with "authencesn(hmac(sha1-ssse3),cbc(aes-asm))" on both sides.
> 
> Server : iperf  -s  -w 512k  -p 20002
> 
> Client : iperf  -t 60 -w 512k -l 2048 -c 1.0.0.96 -P 32 -p 20002
> 
> >
> > If not then I would start debugging this within your driver.
> 
> ESP Packet whose's sequence No. is out of window gets dropped with EBADMSG.  It seems that "xfrm_replay_seqhi" intentionally increments the "seq_hi" to fail verification for Out of seq packet.

Yes, this is defined in RFC 4303 Appendix A2.2.

Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Harsh Jain]

On 04-01-2019 14:04, Steffen Klassert wrote:
> On Thu, Jan 03, 2019 at 04:16:56PM +0530, Harsh Jain wrote:
>> On 02-01-2019 18:21, Herbert Xu wrote:
>>> Does this occur if you use software crypto on the receiving end
>>> while keeping the sending end unchanged?
>> I tried with "authencesn(hmac(sha1-ssse3),cbc(aes-asm))" on both sides.
>>
>> Server : iperf  -s  -w 512k  -p 20002
>>
>> Client : iperf  -t 60 -w 512k -l 2048 -c 1.0.0.96 -P 32 -p 20002
>>
>>> If not then I would start debugging this within your driver.
>> ESP Packet whose's sequence No. is out of window gets dropped with EBADMSG.  It seems that "xfrm_replay_seqhi" intentionally increments the "seq_hi" to fail verification for Out of seq packet.
> Yes, this is defined in RFC 4303 Appendix A2.2.

Thanks, It means we cannot avoid verification part for packets with low seql.