[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240313202223.GB1111@sol.localdomain>
Date: Wed, 13 Mar 2024 13:22:23 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: James Prestwood <prestwoj@...il.com>
Cc: Johannes Berg <johannes@...solutions.net>,
Karel Balej <balejk@...fyz.cz>, dimitri.ledkov@...onical.com,
alexandre.torgue@...s.st.com, davem@...emloft.net,
dhowells@...hat.com, herbert@...dor.apana.org.au,
keyrings@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-modules@...r.kernel.org,
linux-stm32@...md-mailman.stormreply.com, mcgrof@...nel.org,
mcoquelin.stm32@...il.com, linux-wireless@...r.kernel.org,
netdev@...r.kernel.org, iwd@...ts.linux.dev
Subject: Re: [REGRESSION] Re: [PATCH] crypto: pkcs7: remove sha1 support
On Wed, Mar 13, 2024 at 01:12:54PM -0700, James Prestwood wrote:
> Hi,
>
> On 3/13/24 12:44 PM, Eric Biggers wrote:
> > On Wed, Mar 13, 2024 at 10:26:06AM -0700, James Prestwood wrote:
> > > Hi,
> > >
> > > On 3/13/24 1:56 AM, Johannes Berg wrote:
> > > > Not sure why you're CC'ing the world, but I guess adding a few more
> > > > doesn't hurt ...
> > > >
> > > > On Wed, 2024-03-13 at 09:50 +0100, Karel Balej wrote:
> > > > > and I use iwd
> > > > This is your problem, the wireless stack in the kernel doesn't use any
> > > > kernel crypto code for 802.1X.
> > > Yes, the wireless stack has zero bearing on the issue. I think that's what
> > > you meant by "problem".
> > >
> > > IWD has used the kernel crypto API forever which was abruptly broken, that
> > > is the problem.
> > >
> > > The original commit says it was to remove support for sha1 signed kernel
> > > modules, but it did more than that and broke the keyctl API.
> > >
> > Which specific API is iwd using that is relevant here?
> > I cloned https://kernel.googlesource.com/pub/scm/network/wireless/iwd
> > and grepped for keyctl and AF_ALG, but there are no matches.
>
> IWD uses ELL for its crypto, which uses the AF_ALG API:
>
> https://git.kernel.org/pub/scm/libs/ell/ell.git/
Thanks for pointing out that the relevant code is really in that separate
repository. Note, it seems that keyctl() is the problem here, not AF_ALG. The
blamed commit didn't change anything for AF_ALG.
> I believe the failure is when calling:
>
> KEYCTL_PKEY_QUERY enc="x962" hash="sha1"
>
> From logs Michael posted on the IWD list, the ELL API that fails is:
>
> l_key_get_info (ell.git/ell/key.c:416)
Okay, I guess that's what's actually causing the problem. KEYCTL_PKEY_* are a
weird set of APIs where userspace can ask the kernel to do asymmetric key
operations. It's unclear why they exist, as the same functionality is available
in userspace crypto libraries.
I suppose that the blamed commit, or at least part of it, will need to be
reverted to keep these weird keyctls working.
For the future, why doesn't iwd just use a userspace crypto library such as
OpenSSL?
- Eric
Powered by blists - more mailing lists