Hi,

On 2024-09-10 16:30, Lukas Wunner wrote:
> A sig_alg backend has just been introduced with the intent of moving all asymmetric sign/verify algorithms to it one by one.
>
> Migrate the sign/verify operations from rsa-pkcs1pad.c to a separate rsassa-pkcs1.c which uses the new backend.
>
> Consequently there are now two templates which build on the "rsa" akcipher_alg:
>
> * The existing "pkcs1pad" template, which is instantiated as an akcipher_instance and retains the encrypt/decrypt operations of RSAES-PKCS1-v1_5 (RFC 8017 sec 7.2).
>
> * The new "pkcs1" template, which is instantiated as a sig_instance and contains the sign/verify operations of RSASSA-PKCS1-v1_5 (RFC 8017 sec 8.2).
>
> In a separate step, rsa-pkcs1pad.c could optionally be renamed to rsaes-pkcs1.c for clarity. Additional "oaep" and "pss" templates could be added for RSAES-OAEP and RSASSA-PSS.
>
> Note that it's currently allowed to allocate a "pkcs1pad(rsa)" transform without specifying a hash algorithm. That makes sense if the transform is only used for encrypt/decrypt and continues to be supported. But for sign/verify, such transforms previously did not insert the Full Hash Prefix into the padding. The resulting message encoding was incompliant with EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) and therefore nonsensical.
>
> From here on in, it is no longer allowed to allocate a transform without specifying a hash algorithm if the transform is used for sign/verify operations. This simplifies the code because the insertion of the Full Hash Prefix is no longer optional, so various "if (digest_info)" clauses can be removed.
>
> There has been a previous attempt to forbid transform allocation without specifying a hash algorithm, namely by commit c0d20d22e0ad ("crypto: rsa-pkcs1pad - Require hash to be present"). It had to be rolled back with commit b3a8c8a5ebb5 ("crypto: rsa-pkcs1pad: Allow hash to be optional [ver #2]"), presumably because it broke allocation of a transform which was solely used for encrypt/decrypt, not sign/verify.
>
> Avoid such breakage by allowing transform allocation for encrypt/decrypt with and without specifying a hash algorithm (and simply ignoring the hash algorithm in the former case).
>
> So again, specifying a hash algorithm is now mandatory for sign/verify, but optional and ignored for encrypt/decrypt.
>
> The new sig_alg API uses kernel buffers instead of sglists, which avoids the overhead of copying signature and digest from sglists back into kernel buffers. rsassa-pkcs1.c is thus simplified quite a bit.
>
> sig_alg is always synchronous, whereas the underlying "rsa" akcipher_alg may be asynchronous. So await the result of the akcipher_alg, similar to crypto_akcipher_sync_{en,de}crypt().
>
> As part of the migration, rename "rsa_digest_info" to "hash_prefix" to adhere to the spec language in RFC 9580. Otherwise keep the code unmodified wherever possible to ease reviewing and bisecting. Leave several simplification and hardening opportunities to separate commits.
>
> rsassa-pkcs1.c uses modern __free() syntax for allocation of buffers which need to be freed by kfree_sensitive(), hence a DEFINE_FREE() clause for kfree_sensitive() is introduced herein as a byproduct.
>
> Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>

This commit (1e562deacecca1f1bec7d23da526904a1e87525e in next-20241021) seems to break connecting to wpa2-enterprise with iwd.
I've only tested with one such network (eduroam, EAP-PEAP MSCHAPv2) and not yet with wpa_supplicant.

This appears in the kernel log repeatedly:

[ 123.714646] wlan0: authenticate with b4:de:31:fa:2d:cc (local address=78:46:5c:01:28:85)
[ 123.737991] wlan0: send auth to b4:de:31:fa:2d:cc (try 1/3)
[ 123.763621] wlan0: authenticated
[ 123.767600] wlan0: associate with b4:de:31:fa:2d:cc (try 1/3)
[ 123.780873] wlan0: RX AssocResp from b4:de:31:fa:2d:cc (capab=0x1111 status=0 aid=1)
[ 123.809668] wlan0: associated
[ 123.882344] wlan0: Limiting TX power to 30 (30 - 0) dBm as advertised by b4:de:31:fa:2d:cc
[ 126.895233] wlan0: deauthenticating from b4:de:31:fa:2d:cc by local choice (Reason: 23=IEEE8021X_FAILED)

followed by this for a while:

[ 127.214582] wlan0: authenticate with b4:de:31:fa:2d:cc (local address=78:46:5c:01:28:85)
[ 127.237431] wlan0: send auth to b4:de:31:fa:2d:cc (try 1/3)
[ 127.363430] wlan0: send auth to b4:de:31:fa:2d:cc (try 2/3)
[ 127.467526] wlan0: send auth to b4:de:31:fa:2d:cc (try 3/3)
[ 127.571506] wlan0: authentication with b4:de:31:fa:2d:cc timed out

Please let me know if there's anything else you need.

Regards,
Klara Modin

git bisect start
# status: waiting for both good and bad commits
# bad: [d49518711f816af793de9d4a1a0e13ad10b5ce91] i2c: spacemit: add support for SpacemiT K1 SoC
git bisect bad d49518711f816af793de9d4a1a0e13ad10b5ce91
# status: waiting for good commit(s), bad commit known
# good: [c55228220dd33e7627ad9736b6fce4df5e7eac98] Merge tag 'char-misc-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
git bisect good c55228220dd33e7627ad9736b6fce4df5e7eac98
# bad: [092d750e6edc08fdf25e858ac5aed09cfe4685be] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
git bisect bad 092d750e6edc08fdf25e858ac5aed09cfe4685be
# good: [e0c1b92a36f6e500684f5e47d95eeb0719bad2ca] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux.git
git bisect good e0c1b92a36f6e500684f5e47d95eeb0719bad2ca
# good: [a8a3d62d6fa4c374c9b1fc669ca1bc73f5370650] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git
git bisect good a8a3d62d6fa4c374c9b1fc669ca1bc73f5370650
# good: [39ab20647d7b8516fcad91950d8491369ebd5ea3] Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect good 39ab20647d7b8516fcad91950d8491369ebd5ea3
# good: [2fe3f43cbfb72a5dd053663933542d190311210c] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
git bisect good 2fe3f43cbfb72a5dd053663933542d190311210c
# good: [582173a1dcc0a38c210b20450a615d724026d18f] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
git bisect good 582173a1dcc0a38c210b20450a615d724026d18f
# good: [07375e61c414d70a7332443e710e24f8dc5d6705] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath.git
git bisect good 07375e61c414d70a7332443e710e24f8dc5d6705
# bad: [98091a826873bc5c114455f474121b67907e98ab] crypto: drivers - Correct multiple typos in comments
git bisect bad 98091a826873bc5c114455f474121b67907e98ab
# bad: [d6793ff974e07e4eea151d1f0805e92d042825a1] crypto: ecdsa - Move X9.62 signature decoding into template
git bisect bad d6793ff974e07e4eea151d1f0805e92d042825a1
# bad: [5e00481bf0a8b4dbd1588ae08f1ff82492011987] crypto: rsassa-pkcs1 - Harden digest length verification
git bisect bad 5e00481bf0a8b4dbd1588ae08f1ff82492011987
# good: [ef132350a3c2ae15349b7f748ce0859f0c2861be] crypto: ecdsa - Migrate to sig_alg backend
git bisect good ef132350a3c2ae15349b7f748ce0859f0c2861be
# good: [7964b0d4bd1271f82d6b455366a200d320f7dbf8] crypto: rsa-pkcs1pad - Deduplicate set_{pub,priv}_key callbacks
git bisect good 7964b0d4bd1271f82d6b455366a200d320f7dbf8
# bad: [1e562deacecca1f1bec7d23da526904a1e87525e] crypto: rsassa-pkcs1 - Migrate to sig_alg backend
git bisect bad 1e562deacecca1f1bec7d23da526904a1e87525e
# first bad commit: [1e562deacecca1f1bec7d23da526904a1e87525e] crypto: rsassa-pkcs1 - Migrate to sig_alg backend

Attachment:
dmesg_eduroam_8021x_auth_failure.gz
Description: application/gzip
Attachment:
config.gz
Description: application/gzip
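
The difference the quoted commit message describes between an EMSA-PKCS1-v1_5 encoding with and without the Full Hash Prefix, as an added example that is not part of this thread or of the kernel source. `emsa_encode` and `emsa_check` are hypothetical helper names, SHA-256 and a 2048-bit modulus are assumptions, and the digest is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER DigestInfo header for SHA-256 (RFC 8017 sec 9.2): the "Full Hash Prefix". */
static const uint8_t sha256_prefix[19] = {
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
	0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
};

/* EM = 0x00 || 0x01 || PS (0xff...) || 0x00 || prefix || digest. prefix_len == 0
 * gives the hash-less form; returns -1 if PS would be shorter than 8 bytes. */
int emsa_encode(uint8_t *em, size_t em_len, const uint8_t *prefix,
		size_t prefix_len, const uint8_t *digest, size_t digest_len)
{
	size_t t_len = prefix_len + digest_len, ps_len;

	if (em_len < t_len + 11)
		return -1;
	ps_len = em_len - t_len - 3;
	em[0] = 0x00;
	em[1] = 0x01;
	memset(em + 2, 0xff, ps_len);
	em[2 + ps_len] = 0x00;
	if (prefix_len)
		memcpy(em + 3 + ps_len, prefix, prefix_len);
	memcpy(em + 3 + ps_len + prefix_len, digest, digest_len);
	return 0;
}

/* Verifier: re-encode the expected EM (RFC 8017 sec 8.2.2) and compare. */
int emsa_check(const uint8_t *em, size_t em_len, const uint8_t *digest, size_t digest_len)
{
	uint8_t want[512];
	if (em_len > sizeof(want) ||
	    emsa_encode(want, em_len, sha256_prefix, sizeof(sha256_prefix), digest, digest_len))
		return -1;
	return memcmp(em, want, em_len) ? -1 : 0;
}

int main(void)
{
	uint8_t digest[32] = { 0xab }, em[256];	/* constructed digest, 2048-bit modulus */
	emsa_encode(em, sizeof(em), NULL, 0, digest, sizeof(digest));
	printf("hash-less EM: %s\n", emsa_check(em, sizeof(em), digest, 32) ? "rejected" : "ok");
	emsa_encode(em, sizeof(em), sha256_prefix, sizeof(sha256_prefix), digest, sizeof(digest));
	printf("prefixed EM:  %s\n", emsa_check(em, sizeof(em), digest, 32) ? "rejected" : "ok");
	return 0;
}
```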