From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Vadim Fedorenko <vfedorenko@novek.ru>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net/tls: support SM4 CCM algorithm
Date: Fri, 8 Oct 2021 11:24:46 +0800 [thread overview]
Message-ID: <939f33ed-7d43-06a6-1860-26157eeaec7c@linux.alibaba.com> (raw)
In-Reply-To: <16a76d3e-910f-4fdf-5b2d-9f3355cce4ca@novek.ru>
On 10/1/21 6:56 AM, Vadim Fedorenko wrote:
> On 30.09.2021 04:34, Tianjia Zhang wrote:
>> Hi Vadim,
>>
>> On 9/29/21 5:24 AM, Vadim Fedorenko wrote:
>>> On 28.09.2021 07:28, Tianjia Zhang wrote:
>>>> The IV of CCM mode has special requirements, this patch supports CCM
>>>> mode of SM4 algorithm.
>>>>
>>> Have you tried to connect this implementation to application with
>>> user-space implementation of CCM mode? I wonder just because I have an
>>> issue with AES-CCM Kernel TLS implementation when it's connected to
>>> OpenSSL-driven server, but still have no time to fix it correctly.
>>
>> I did not encounter any issue when using KTLS with AES-CCM algorithm,
>> but the KTLS RX mode on the OpenSSL side does not seem to be supported.
>>
>> I encountered some problems when using the SM4-CCM algorithm of KTLS.
>> Follow the RFC8998 specification, the handshake has been successful,
>> and the first data transmission can be successful. After that, I will
>> encounter the problem of MAC verification failure, but this is issue
>> on the OpenSSL side. because the problem is still being investigated,
>> I have not opened the code for the time being.
>>
> Are you sure that this is an issue on the OpenSSL side? Because
> absolutely the same problem is reported for AES-CCM algo and only when
> it's offloaded to kernel. Looks like encryption of CCM could be broken
> somehow.
>
> I will try to investigate it a bit later from the AES-CCM side.
Yes, but I only used openssl s_server/s_client to do the test. In
theory, this is not guaranteed to be fully covered. Can you tell us
about the scenario where your issue occurred? I will try to see if it
can replay.
Best regards,
Tianjia
prev parent reply other threads:[~2021-10-08 3:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-28 6:28 [PATCH] net/tls: support SM4 CCM algorithm Tianjia Zhang
2021-09-28 12:30 ` patchwork-bot+netdevbpf
2021-09-28 21:24 ` Vadim Fedorenko
2021-09-30 3:34 ` Tianjia Zhang
2021-09-30 22:56 ` Vadim Fedorenko
2021-10-08 3:24 ` Tianjia Zhang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=939f33ed-7d43-06a6-1860-26157eeaec7c@linux.alibaba.com \
--to=tianjia.zhang@linux.alibaba.com \
--cc=borisp@nvidia.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=vfedorenko@novek.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).