Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-21 19:41:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
0594ad6184
linux/crypto
History
Lukas Wunner a03a728e37 crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 
Commit 1e562deace ("crypto: rsassa-pkcs1 - Migrate to sig_alg backend")
enforced that rsassa-pkcs1 sign/verify operations specify a hash
algorithm.  That is necessary because per RFC 8017 sec 8.2, a hash
algorithm identifier must be prepended to the hash before generating or
verifying the signature ("Full Hash Prefix").

However the commit went too far in that it changed user space behavior:
KEYCTL_PKEY_QUERY system calls now return -EINVAL unless they specify a
hash algorithm.  Intel Wireless Daemon (iwd) is one application issuing
such system calls (for EAP-TLS).

Closer analysis of the Embedded Linux Library (ell) used by iwd reveals
that the problem runs even deeper:  When iwd uses TLS 1.1 or earlier, it
not only queries for keys, but performs sign/verify operations without
specifying a hash algorithm.  These legacy TLS versions concatenate an
MD5 to a SHA-1 hash and omit the Full Hash Prefix:

https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/tls-suites.c#n97

TLS 1.1 was deprecated in 2021 by RFC 8996, but removal of support was
inadvertent in this case.  It probably should be coordinated with iwd
maintainers first.

So reinstate support for such legacy protocols by defaulting to hash
algorithm "none" which uses an empty Full Hash Prefix.

If it is later on decided to remove TLS 1.1 support but still allow
KEYCTL_PKEY_QUERY without a hash algorithm, that can be achieved by
reverting the present commit and replacing it with the following patch:

https://lore.kernel.org/r/ZxalYZwH5UiGX5uj@wunner.de/

It's worth noting that Python's cryptography library gained support for
such legacy use cases very recently, so they do seem to still be a thing.
The Python developers identified IKE version 1 as another protocol
omitting the Full Hash Prefix:

https://github.com/pyca/cryptography/issues/10226
https://github.com/pyca/cryptography/issues/5495

The author of those issues, Zoltan Kelemen, spent considerable effort
searching for test vectors but only found one in a 2019 blog post by
Kevin Jones.  Add it to testmgr.h to verify correctness of this feature.

Examination of wpa_supplicant as well as various IKE daemons (libreswan,
strongswan, isakmpd, raccoon) has determined that none of them seems to
use the kernel's Key Retention Service, so iwd is the only affected user
space application known so far.

Fixes: 1e562deace ("crypto: rsassa-pkcs1 - Migrate to sig_alg backend")
Reported-by: Klara Modin <klarasmodin@gmail.com>
Tested-by: Klara Modin <klarasmodin@gmail.com>
Closes: https://lore.kernel.org/r/2ed09a22-86c0-4cf0-8bda-ef804ccb3413@gmail.com/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2024-11-10 11:50:54 +08:00
..
asymmetric_keys crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
async_tx async_tx: fix kernel-doc notation warnings 2023-03-24 18:22:28 +08:00
842.c
acompress.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
adiantum.c crypto: adiantum - flush destination page before unmapping 2023-11-01 12:58:42 +08:00
aead.c crypto: aead,cipher - zeroize key buffer after use 2024-04-26 17:26:09 +08:00
aegis128-core.c crypto: aegis128 - Fix indentation issue in crypto_aegis128_process_crypt() 2024-09-13 18:26:52 +08:00
aegis128-neon-inner.c crypto: aegis128-neon - add header for internal prototypes 2023-05-24 18:12:33 +08:00
aegis128-neon.c crypto: aegis128-neon - add header for internal prototypes 2023-05-24 18:12:33 +08:00
aegis-neon.h crypto: aegis128-neon - add header for internal prototypes 2023-05-24 18:12:33 +08:00
aegis.h
aes_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
aes_ti.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
af_alg.c crypto: Add missing MODULE_DESCRIPTION() macros 2024-05-31 17:34:56 +08:00
ahash.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
akcipher.c crypto: akcipher - Drop sign/verify operations 2024-10-05 13:22:04 +08:00
algapi.c crypto: api - move crypto_simd_disabled_for_test to lib 2024-10-28 18:33:11 +08:00
algboss.c crypto: algboss - Pass instance creation error up 2024-09-06 14:50:46 +08:00
algif_aead.c sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
algif_hash.c crypto: Add missing MODULE_DESCRIPTION() macros 2024-05-31 17:34:56 +08:00
algif_rng.c sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
algif_skcipher.c crypto: Add missing MODULE_DESCRIPTION() macros 2024-05-31 17:34:56 +08:00
ansi_cprng.c
anubis.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
api.c crypto: api - Fix generic algorithm self-test races 2024-09-06 14:50:46 +08:00
arc4.c crypto: arc4 - Add internal state 2023-12-08 11:59:46 +08:00
aria_generic.c crypto: x86/aria - do not use magic number offsets of aria_ctx 2023-01-06 17:15:47 +08:00
authenc.c crypto: authenc - stop using alignmask of ahash 2023-10-27 18:04:29 +08:00
authencesn.c crypto: authencesn - stop using alignmask of ahash 2023-10-27 18:04:29 +08:00
blake2b_generic.c treewide: update LLVM Bugzilla links 2024-02-22 15:38:51 -08:00
blowfish_common.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
blowfish_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
bpf_crypto_skcipher.c bpf: crypto: add skcipher to bpf crypto 2024-04-24 16:01:10 -07:00
camellia_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
cast5_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
cast6_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
cast_common.c crypto: Add missing MODULE_DESCRIPTION() macros 2024-05-31 17:34:56 +08:00
cbc.c crypto: cbc - Ensure statesize is zero 2024-02-02 18:08:12 +08:00
ccm.c crypto: ccm - stop using alignmask of ahash 2023-10-27 18:04:29 +08:00
chacha20poly1305.c crypto: chacha20poly1305 - Annotate struct chachapoly_ctx with __counted_by() 2024-08-17 13:55:49 +08:00
chacha_generic.c
cipher.c crypto: aead,cipher - zeroize key buffer after use 2024-04-26 17:26:09 +08:00
cmac.c crypto: cmac - remove unnecessary alignment logic 2023-10-27 18:04:24 +08:00
compress.c
compress.h crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
crc32_generic.c crypto: crc32 - Provide crc32-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
crc32c_generic.c crypto: crc32c - Provide crc32c-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
crc64_rocksoft_generic.c crypto: add rocksoft 64b crc guard tag framework 2022-03-07 12:48:35 -07:00
crct10dif_common.c
crct10dif_generic.c
cryptd.c crypto: cryptd - Only access common skcipher fields on spawn 2023-10-13 18:27:26 +08:00
crypto_engine.c crypto: engine - Make crypto_engine_exit() return void 2023-10-01 16:28:15 +08:00
crypto_null.c
crypto_user.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
ctr.c crypto: ctr - Only access common skcipher fields on spawn 2023-10-13 18:27:27 +08:00
cts.c crypto: cts - Only access common skcipher fields on spawn 2023-10-13 18:27:27 +08:00
curve25519-generic.c crypto: Add missing MODULE_DESCRIPTION() macros 2024-05-31 17:34:56 +08:00
deflate.c crypto: deflate - Add aliases to deflate 2024-06-28 11:35:47 +10:00
des_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
dh_helper.c crypto: dh - split out deserialization code from crypto_dh_decode() 2022-03-03 10:47:50 +12:00
dh.c crypto: dh - Check mpi_rshift errors 2024-08-17 13:55:50 +08:00
drbg.c crypto: drbg - Use str_true_false() and str_enabled_disabled() helpers 2024-10-28 18:33:10 +08:00
ecb.c crypto: skcipher - Add internal state support 2023-12-08 11:59:46 +08:00
ecc_curve_defs.h crypto: ecc - Add NIST P521 curve parameters 2024-04-12 15:07:52 +08:00
ecc.c crypto: ecc - Fix off-by-one missing to clear most significant digit 2024-06-16 13:41:53 +08:00
ecdh_helper.c
ecdh.c crypto: ecdh - Initialize ctx->private_key in proper byte order 2024-04-26 17:26:09 +08:00
ecdsa-p1363.c crypto: ecdsa - Support P1363 signature decoding 2024-10-05 13:22:05 +08:00
ecdsa-x962.c crypto: ecdsa - Move X9.62 signature size calculation into template 2024-10-05 13:22:04 +08:00
ecdsa.c crypto: ecdsa - Support P1363 signature decoding 2024-10-05 13:22:05 +08:00
ecdsasignature.asn1
echainiv.c
ecrdsa_defs.h crypto: ecc - Add nbits field to ecc_curve structure 2024-04-12 15:07:52 +08:00
ecrdsa_params.asn1
ecrdsa_pub_key.asn1
ecrdsa.c crypto: ecrdsa - Fix signature size calculation 2024-10-05 13:22:05 +08:00
essiv.c crypto: essiv - Handle lskcipher spawns 2023-10-13 18:27:26 +08:00
fcrypt.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
fips.c crypto: fips - Remove the now superfluous sentinel element from ctl_table array 2024-04-05 15:46:33 +08:00
gcm.c crypto: gcm - stop using alignmask of ahash 2023-10-27 18:04:29 +08:00
geniv.c
ghash-generic.c
hash_info.c crypto: FIPS 202 SHA-3 register in hash info for IMA 2023-10-27 18:04:30 +08:00
hash.h crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
hctr2.c crypto: hctr2 - stop using alignmask of shash_alg 2023-10-27 18:04:25 +08:00
hmac.c crypto: hmac - remove unnecessary alignment logic 2023-10-27 18:04:24 +08:00
internal.h crypto: akcipher - Drop sign/verify operations 2024-10-05 13:22:04 +08:00
jitterentropy-kcapi.c crypto: jitter - Use kvfree_sensitive() to fix Coccinelle warning 2024-04-05 15:46:33 +08:00
jitterentropy-testing.c crypto: jitter - output full sample from test interface 2024-10-19 08:44:30 +08:00
jitterentropy.c crypto: jitter - Use min() to simplify jent_read_entropy() 2024-08-30 18:22:30 +08:00
jitterentropy.h crypto: jitter - output full sample from test interface 2024-10-19 08:44:30 +08:00
Kconfig crypto: ecdsa - Update Kconfig help text for NIST P521 2024-10-28 18:32:28 +08:00
kdf_sp800108.c crypto: kdf - silence noisy self-test 2022-11-25 17:39:18 +08:00
keywrap.c
khazad.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
kpp.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
lrw.c crypto: lrw - Only access common skcipher fields on spawn 2023-10-13 18:27:27 +08:00
lskcipher.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
lz4.c
lz4hc.c
lzo-rle.c
lzo.c
Makefile crypto: crc32c - Provide crc32c-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
md4.c
md5.c
michael_mic.c
nhpoly1305.c
pcbc.c crypto: pcbc - remove redundant assignment to nbytes 2024-01-26 16:39:32 +08:00
pcrypt.c crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY 2024-10-28 18:32:36 +08:00
poly1305_generic.c
polyval-generic.c crypto: x86/polyval - Add PCLMULQDQ accelerated implementation of POLYVAL 2022-06-10 16:40:17 +08:00
proc.c crypto: proc - Print fips status 2023-02-14 13:39:33 +08:00
ripemd.h
rmd160.c
rng.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
rsa_helper.c
rsa-pkcs1pad.c crypto: rsassa-pkcs1 - Migrate to sig_alg backend 2024-10-05 13:22:04 +08:00
rsa.c crypto: rsassa-pkcs1 - Migrate to sig_alg backend 2024-10-05 13:22:04 +08:00
rsaprivkey.asn1 treewide: Add SPDX identifier to IETF ASN.1 modules 2023-10-27 18:04:28 +08:00
rsapubkey.asn1 treewide: Add SPDX identifier to IETF ASN.1 modules 2023-10-27 18:04:28 +08:00
rsassa-pkcs1.c crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
scatterwalk.c
scompress.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
seed.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
seqiv.c crypto: api - Use data directly in completion function 2023-02-13 18:35:14 +08:00
serpent_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
sha1_generic.c
sha3_generic.c
sha256_generic.c crypto: sha256 - remove duplicate generic hash init function 2021-12-31 18:10:54 +11:00
sha512_generic.c
shash.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
sig.c crypto: sig - Fix oops on KEYCTL_PKEY_QUERY for RSA keys 2024-10-26 14:41:59 +08:00
simd.c crypto: simd - Do not call crypto_alloc_tfm during registration 2024-08-24 21:39:15 +08:00
skcipher.c crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
skcipher.h crypto: remove CONFIG_CRYPTO_STATS 2024-04-02 10:49:38 +08:00
sm3_generic.c crypto: sm3 - make dependent on sm3 library 2022-01-28 16:51:11 +11:00
sm3.c crypto: sm3,sm4 - move into crypto directory 2022-04-08 16:11:48 +08:00
sm4_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
sm4.c crypto: sm4 - export sm4 constant arrays 2022-04-08 16:12:46 +08:00
streebog_generic.c
tcrypt.c crypto: tcrypt - add skcipher speed for given alg 2024-06-28 11:35:46 +10:00
tcrypt.h crypto: tcrypt - include larger key sizes in RFC4106 benchmark 2023-01-20 18:29:31 +08:00
tea.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
testmgr.c crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
testmgr.h crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
twofish_common.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
twofish_generic.c crypto: Prepare to move crypto_tfm_ctx 2022-12-02 18:12:40 +08:00
vmac.c crypto: vmac - don't set alignmask 2023-10-27 18:04:24 +08:00
wp512.c crypto: wp512 - disable kmsan checks in wp512_process_buffer() 2022-12-30 22:56:27 +08:00
xcbc.c crypto: xcbc - remove unnecessary alignment logic 2023-10-27 18:04:25 +08:00
xctr.c crypto: xctr - Add XCTR support 2022-06-10 16:40:16 +08:00
xor.c crypto: xor - fix template benchmarking 2024-08-02 20:53:25 +08:00
xts.c crypto: xts - use 'spawn' for underlying single-block cipher 2023-10-20 13:39:25 +08:00
xxhash_generic.c
zstd.c