On Fri, Oct 25, 2024 at 09:17:02AM +0200, Lukas Wunner wrote:
> So below is a new patch which reinstates support for these legacy
> protocols. It should also fix the issue you're seeing with TLS 1.2
> or newer (which is caused by invoking KEYCTL_PKEY_QUERY without
> specifying a hash algorithm).
[...]
> I've looked at the source code of wpa_supplicant as well as
> various IKEv1 daemons (strongswan, libreswan, isakmpd, raccoon)
> and none of them seems to use the kernel's Key Retention Service,
> so iwd is the only known user space application affected so far.

Yes, based on historical mailing list discussions it appears that
KEYCTL_PKEY_* were added to the kernel for iwd, and iwd is their only
user.

This design is a huge mistake both on the part of iwd and the kernel
community, for a variety of reasons that have already been covered
extensively in the discussions that occur each time iwd breaks.

iwd should be using a real crypto library, like all the other wireless
daemons.

- Eric