linux/crypto
Lukas Wunner a03a728e37 crypto: rsassa-pkcs1 - Reinstate support for legacy protocols
Commit 1e562deace ("crypto: rsassa-pkcs1 - Migrate to sig_alg backend")
enforced that rsassa-pkcs1 sign/verify operations specify a hash
algorithm.  That is necessary because per RFC 8017 sec 8.2, a hash
algorithm identifier must be prepended to the hash before generating or
verifying the signature ("Full Hash Prefix").

However the commit went too far in that it changed user space behavior:
KEYCTL_PKEY_QUERY system calls now return -EINVAL unless they specify a
hash algorithm.  Intel Wireless Daemon (iwd) is one application issuing
such system calls (for EAP-TLS).

Closer analysis of the Embedded Linux Library (ell) used by iwd reveals
that the problem runs even deeper:  When iwd uses TLS 1.1 or earlier, it
not only queries for keys, but performs sign/verify operations without
specifying a hash algorithm.  These legacy TLS versions concatenate an
MD5 to a SHA-1 hash and omit the Full Hash Prefix:

https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/tls-suites.c#n97

TLS 1.1 was deprecated in 2021 by RFC 8996, but removal of support was
inadvertent in this case.  It probably should be coordinated with iwd
maintainers first.

So reinstate support for such legacy protocols by defaulting to hash
algorithm "none" which uses an empty Full Hash Prefix.

If it is later on decided to remove TLS 1.1 support but still allow
KEYCTL_PKEY_QUERY without a hash algorithm, that can be achieved by
reverting the present commit and replacing it with the following patch:

https://lore.kernel.org/r/ZxalYZwH5UiGX5uj@wunner.de/

It's worth noting that Python's cryptography library gained support for
such legacy use cases very recently, so they do seem to still be a thing.
The Python developers identified IKE version 1 as another protocol
omitting the Full Hash Prefix:

https://github.com/pyca/cryptography/issues/10226
https://github.com/pyca/cryptography/issues/5495

The author of those issues, Zoltan Kelemen, spent considerable effort
searching for test vectors but only found one in a 2019 blog post by
Kevin Jones.  Add it to testmgr.h to verify correctness of this feature.

Examination of wpa_supplicant as well as various IKE daemons (libreswan,
strongswan, isakmpd, racoon) has determined that none of them seems to
use the kernel's Key Retention Service, so iwd is the only affected user
space application known so far.

Fixes: 1e562deace ("crypto: rsassa-pkcs1 - Migrate to sig_alg backend")
Reported-by: Klara Modin <klarasmodin@gmail.com>
Tested-by: Klara Modin <klarasmodin@gmail.com>
Closes: https://lore.kernel.org/r/2ed09a22-86c0-4cf0-8bda-ef804ccb3413@gmail.com/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2024-11-10 11:50:54 +08:00
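The encoding the commit message is talking about, as an added example that is not kernel, ell or iwd code: EMSA-PKCS1-v1_5 from RFC 8017 sec 9.2 built once with a DigestInfo "Full Hash Prefix" (SHA-256) and once with hash "none" (empty prefix, TLS 1.0/1.1 style MD5 || SHA-1), signed and verified with a throwaway textbook RSA key. The 512-bit key, the seeded RNG and the message are constructed here for reproducibility and are not from the page; the key generator is a toy and nothing in this block is production cryptography. The point it shows is the one behind the regression: a verifier that insists on a prefix cannot accept a legacy signature, and a legacy-mode verifier cannot accept a prefixed one, so the caller has to say which it wants.

```python
"""EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) with and without the Full Hash Prefix.

Added example for this page; not kernel code and not ell/iwd code.
Textbook RSA over Python integers with a throwaway key, demo only.
"""
import hashlib
import hmac
import random

# DigestInfo encodings from RFC 8017 sec 9.2 note 1.  "none" models the
# legacy mode the commit reinstates: an empty Full Hash Prefix, as used by
# TLS <= 1.1, which signs MD5 || SHA-1 of the transcript directly.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "none":   b"",
}


def emsa_pkcs1_v1_5_encode(hash_name, digest, k):
    """EM = 0x00 || 0x01 || PS || 0x00 || T, len(EM) == k, PS >= 8 bytes."""
    t = DIGEST_INFO[hash_name] + digest
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def tls11_digest(msg):
    """TLS 1.0/1.1 RSA signature input: MD5(msg) || SHA-1(msg), 36 bytes."""
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def _is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin, adequate for a throwaway demo key only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def gen_rsa(bits, rng, e=65537):
    """Returns (n, e, d); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def rsa_sign(priv, hash_name, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5_encode(hash_name, digest, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def rsa_verify(pub, hash_name, digest, sig):
    """RFC 8017 sec 8.2.2: recompute EM' and compare the whole encoding, so no
    lenient parsing of EM happens on the verifier side."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    try:
        expected = emsa_pkcs1_v1_5_encode(hash_name, digest, k)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def demo(seed=2024):
    rng = random.Random(seed)                 # seeded only for reproducibility
    n, e, d = gen_rsa(512, rng)               # toy size, demo only
    pub, priv = (n, e), (n, d)
    msg = b"constructed handshake transcript (sample input, not from the page)"
    sha256 = hashlib.sha256(msg).digest()
    modern = rsa_sign(priv, "sha256", sha256)
    legacy = rsa_sign(priv, "none", tls11_digest(msg))   # TLS <= 1.1 style
    return {
        "modern_ok": rsa_verify(pub, "sha256", sha256, modern),
        "modern_without_prefix": rsa_verify(pub, "none", sha256, modern),
        "legacy_ok": rsa_verify(pub, "none", tls11_digest(msg), legacy),
        "legacy_as_sha1": rsa_verify(pub, "sha1", hashlib.sha1(msg).digest(), legacy),
        "legacy_tampered": rsa_verify(pub, "none", tls11_digest(msg + b"x"), legacy),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

Running it prints True for modern_ok and legacy_ok and False for the three cross cases. The "none" path is the one the commit makes the default for callers that name no hash: it verifies whatever bytes the caller hands in as the full T, which is exactly what a TLS 1.1 client needs and also why the caller, not the primitive, has to know which hash produced those bytes.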
asymmetric_keys crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
async_tx
842.c
acompress.c
adiantum.c
aead.c
aegis128-core.c crypto: aegis128 - Fix indentation issue in crypto_aegis128_process_crypt() 2024-09-13 18:26:52 +08:00
aegis128-neon-inner.c
aegis128-neon.c
aegis-neon.h
aegis.h
aes_generic.c
aes_ti.c
af_alg.c
ahash.c
akcipher.c crypto: akcipher - Drop sign/verify operations 2024-10-05 13:22:04 +08:00
algapi.c crypto: api - move crypto_simd_disabled_for_test to lib 2024-10-28 18:33:11 +08:00
algboss.c crypto: algboss - Pass instance creation error up 2024-09-06 14:50:46 +08:00
algif_aead.c
algif_hash.c
algif_rng.c
algif_skcipher.c
ansi_cprng.c
anubis.c
api.c crypto: api - Fix generic algorithm self-test races 2024-09-06 14:50:46 +08:00
arc4.c
aria_generic.c
authenc.c
authencesn.c
blake2b_generic.c
blowfish_common.c
blowfish_generic.c
bpf_crypto_skcipher.c
camellia_generic.c
cast5_generic.c
cast6_generic.c
cast_common.c
cbc.c
ccm.c
chacha20poly1305.c
chacha_generic.c
cipher.c
cmac.c
compress.c
compress.h
crc32_generic.c crypto: crc32 - Provide crc32-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
crc32c_generic.c crypto: crc32c - Provide crc32c-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
crc64_rocksoft_generic.c
crct10dif_common.c
crct10dif_generic.c
cryptd.c
crypto_engine.c
crypto_null.c
crypto_user.c
ctr.c
cts.c
curve25519-generic.c
deflate.c
des_generic.c
dh_helper.c
dh.c
drbg.c crypto: drbg - Use str_true_false() and str_enabled_disabled() helpers 2024-10-28 18:33:10 +08:00
ecb.c
ecc_curve_defs.h
ecc.c
ecdh_helper.c
ecdh.c
ecdsa-p1363.c crypto: ecdsa - Support P1363 signature decoding 2024-10-05 13:22:05 +08:00
ecdsa-x962.c crypto: ecdsa - Move X9.62 signature size calculation into template 2024-10-05 13:22:04 +08:00
ecdsa.c crypto: ecdsa - Support P1363 signature decoding 2024-10-05 13:22:05 +08:00
ecdsasignature.asn1
echainiv.c
ecrdsa_defs.h
ecrdsa_params.asn1
ecrdsa_pub_key.asn1
ecrdsa.c crypto: ecrdsa - Fix signature size calculation 2024-10-05 13:22:05 +08:00
essiv.c
fcrypt.c
fips.c
gcm.c
geniv.c
ghash-generic.c
hash_info.c
hash.h
hctr2.c
hmac.c
internal.h crypto: akcipher - Drop sign/verify operations 2024-10-05 13:22:04 +08:00
jitterentropy-kcapi.c
jitterentropy-testing.c crypto: jitter - output full sample from test interface 2024-10-19 08:44:30 +08:00
jitterentropy.c crypto: jitter - Use min() to simplify jent_read_entropy() 2024-08-30 18:22:30 +08:00
jitterentropy.h crypto: jitter - output full sample from test interface 2024-10-19 08:44:30 +08:00
Kconfig crypto: ecdsa - Update Kconfig help text for NIST P521 2024-10-28 18:32:28 +08:00
kdf_sp800108.c
keywrap.c
khazad.c
kpp.c
lrw.c
lskcipher.c
lz4.c
lz4hc.c
lzo-rle.c
lzo.c
Makefile crypto: crc32c - Provide crc32c-arch driver for accelerated library code 2024-10-28 18:33:10 +08:00
md4.c
md5.c
michael_mic.c
nhpoly1305.c
pcbc.c
pcrypt.c crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY 2024-10-28 18:32:36 +08:00
poly1305_generic.c
polyval-generic.c
proc.c
ripemd.h
rmd160.c
rng.c
rsa_helper.c
rsa-pkcs1pad.c crypto: rsassa-pkcs1 - Migrate to sig_alg backend 2024-10-05 13:22:04 +08:00
rsa.c crypto: rsassa-pkcs1 - Migrate to sig_alg backend 2024-10-05 13:22:04 +08:00
rsaprivkey.asn1
rsapubkey.asn1
rsassa-pkcs1.c crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
scatterwalk.c
scompress.c
seed.c
seqiv.c
serpent_generic.c
sha1_generic.c
sha3_generic.c
sha256_generic.c
sha512_generic.c
shash.c
sig.c crypto: sig - Fix oops on KEYCTL_PKEY_QUERY for RSA keys 2024-10-26 14:41:59 +08:00
simd.c crypto: simd - Do not call crypto_alloc_tfm during registration 2024-08-24 21:39:15 +08:00
skcipher.c
skcipher.h
sm3_generic.c
sm3.c
sm4_generic.c
sm4.c
streebog_generic.c
tcrypt.c
tcrypt.h
tea.c
testmgr.c crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
testmgr.h crypto: rsassa-pkcs1 - Reinstate support for legacy protocols 2024-11-10 11:50:54 +08:00
twofish_common.c
twofish_generic.c
vmac.c
wp512.c
xcbc.c
xctr.c
xor.c
xts.c
xxhash_generic.c
zstd.c