Re: AF_ALG broken?

On Mon, Aug 08, 2016 at 08:30:32PM +0200, Stephan Mueller wrote:
> On Monday, 8 August 2016, 20:18:32 CEST, Stephan Mueller wrote:
> 
> Hi Stephan,
> 
> > On Monday, 8 August 2016, 17:44:27 CEST, Russell King - ARM Linux wrote:
> > 
> > Hi Russell,
> > 
> > > Hi,
> > > 
> > > When trying to use the openssl AF_ALG module with 4.8-rc1 with imx
> > > caam, I get this:
> > > 
> > > $ OPENSSL_CONF=/shared/crypto/openssl-imx.cnf strace openssl dgst -md5 </bin/bash
> > > ...
> > > socket(PF_ALG, SOCK_SEQPACKET, 0)       = 3
> > > close(3)                                = 0
> > > socket(PF_ALG, SOCK_SEQPACKET, 0)       = 3
> > > bind(3, {sa_family=AF_ALG, sa_data="hash\0\0\0\0\0\0\0\0\0\0"}, 88) = 0
> > > accept(3, 0, NULL)                      = 4
> > > fstat64(0, {st_mode=S_IFREG|0755, st_size=666864, ...}) = 0
> > > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6fab000
> > > read(0, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0(\0\1\0\0\0\21'\2\0004\0\0\0"..., 8192) = 8192
> > > send(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0(\0\1\0\0\0\21'\2\0004\0\0\0"..., 8192, MSG_MORE) = -1 ENOKEY (Required key not available)
> > > 
> > > This used to work, so something in the kernel AF_ALG API has changed
> > > which has broken userspace.  Any ideas what's up, or where to look?
> > 
> > This seems to be the change added by Herbert to fix a security issue.
> > This caused a similar stir in the cryptsetup user space tool.
> > 
> > I guess you are affected by 6de62f15b581f920ade22d758f4c338311c2f0d4
> 
> Just to be clear: the settings on the tfmfd must be completed before an 
> accept(). If you make an operation on the tfmfd after the accept call, you get 
> the ENOKEY.

As you can see from the above strace, there's no operations on fd 3
after the accept call.  The only operation on the accepted fd (fd 4)
is the send().  So, I'm not sure I follow what you're saying.

I've also checked - there's no updates for af-alg-rr, so everyone
who's using af-alg-rr must have been broken by this change - if there
_are_ any users of AF_ALG with openssl.  Maybe everyone just patches
cryptodev into their kernel?

I don't know, but this seems to go completely against Linus' no
userspace regressions, which seems to be an absolute requirement of
all kernel development... Linus flames people for arguing against
that rule!

-- 
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
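
A strace audit for the ordering question argued in this thread, as an added example that is not part of the original message and not kernel or OpenSSL code: it flags any call on an AF_ALG socket (the "tfmfd") made after accept(), and any ENOKEY on the accepted fd together with whether a setsockopt() on the tfmfd preceded the accept(). The helper name audit_af_alg and the sample trace (shortened from the quoted one) are constructed for illustration, and a single-process trace is assumed.

```python
import re

# Constructed sample: the AF_ALG calls from the trace quoted in the thread,
# with unrelated syscalls dropped and the payload bytes shortened.
SAMPLE_TRACE = r'''
socket(PF_ALG, SOCK_SEQPACKET, 0)       = 3
close(3)                                = 0
socket(PF_ALG, SOCK_SEQPACKET, 0)       = 3
bind(3, {sa_family=AF_ALG, sa_data="hash\0\0\0\0\0\0\0\0\0\0"}, 88) = 0
accept(3, 0, NULL)                      = 4
send(4, "\177ELF"..., 8192, MSG_MORE) = -1 ENOKEY (Required key not available)
'''

# name(args) = ret [ERRNO ...]; greedy args so the last ") =" ends the call.
CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\w+)(?:\s+(E[A-Z0-9]+))?')

def audit_af_alg(trace):
    """Return findings for one strace of a single process (hypothetical helper)."""
    tfm, accepted, keyed = set(), set(), set()  # states of open tfmfds
    parent = {}                                 # accepted (op) fd -> its tfmfd
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, args, ret, err = m.groups()
        first = args.split(',')[0].strip()
        fd = int(first) if first.isdigit() else None
        if name == 'socket' and ('PF_ALG' in args or 'AF_ALG' in args) and not err:
            tfm.add(int(ret))
        elif name == 'close':                   # fd numbers get reused: forget it
            for s in (tfm, accepted, keyed):
                s.discard(fd)
            parent.pop(fd, None)
        elif fd in tfm:
            if name in ('accept', 'accept4'):
                if not err:
                    accepted.add(fd)
                    parent[int(ret)] = fd
            elif fd in accepted:                # the case the thread warns about
                findings.append(('tfmfd-op-after-accept', fd, name))
            elif name == 'setsockopt' and not err:
                keyed.add(fd)
        elif fd in parent and err == 'ENOKEY':
            # last field: did any setsockopt() on the tfmfd precede accept()?
            findings.append(('enokey', fd, name, parent[fd], parent[fd] in keyed))
    return findings

if __name__ == '__main__':
    for finding in audit_af_alg(SAMPLE_TRACE):
        print(finding)
```

On the sample it reports only the ENOKEY on fd 4, with no call on fd 3 after the accept() and no setsockopt() before it.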