[PATCH v2 06/19] crypto: rsassa-pkcs1 - Migrate to sig_alg backend
Klara Modin
klarasmodin at gmail.com
Mon Oct 21 16:08:03 UTC 2024
Hi,
On 2024-09-10 16:30, Lukas Wunner wrote:
> A sig_alg backend has just been introduced with the intent of moving all
> asymmetric sign/verify algorithms to it one by one.
>
> Migrate the sign/verify operations from rsa-pkcs1pad.c to a separate
> rsassa-pkcs1.c which uses the new backend.
>
> Consequently there are now two templates which build on the "rsa"
> akcipher_alg:
>
> * The existing "pkcs1pad" template, which is instantiated as an
> akcipher_instance and retains the encrypt/decrypt operations of
> RSAES-PKCS1-v1_5 (RFC 8017 sec 7.2).
>
> * The new "pkcs1" template, which is instantiated as a sig_instance
> and contains the sign/verify operations of RSASSA-PKCS1-v1_5
> (RFC 8017 sec 8.2).
>
> In a separate step, rsa-pkcs1pad.c could optionally be renamed to
> rsaes-pkcs1.c for clarity. Additional "oaep" and "pss" templates
> could be added for RSAES-OAEP and RSASSA-PSS.
>
> Note that it's currently allowed to allocate a "pkcs1pad(rsa)" transform
> without specifying a hash algorithm. That makes sense if the transform
> is only used for encrypt/decrypt and continues to be supported. But for
> sign/verify, such transforms previously did not insert the Full Hash
> Prefix into the padding. The resulting message encoding was incompliant
> with EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) and therefore nonsensical.
>
> From here on in, it is no longer allowed to allocate a transform without
> specifying a hash algorithm if the transform is used for sign/verify
> operations. This simplifies the code because the insertion of the Full
> Hash Prefix is no longer optional, so various "if (digest_info)" clauses
> can be removed.
>
> There has been a previous attempt to forbid transform allocation without
> specifying a hash algorithm, namely by commit c0d20d22e0ad ("crypto:
> rsa-pkcs1pad - Require hash to be present"). It had to be rolled back
> with commit b3a8c8a5ebb5 ("crypto: rsa-pkcs1pad: Allow hash to be
> optional [ver #2]"), presumably because it broke allocation of a
> transform which was solely used for encrypt/decrypt, not sign/verify.
> Avoid such breakage by allowing transform allocation for encrypt/decrypt
> with and without specifying a hash algorithm (and simply ignoring the
> hash algorithm in the former case).
>
> So again, specifying a hash algorithm is now mandatory for sign/verify,
> but optional and ignored for encrypt/decrypt.
>
> The new sig_alg API uses kernel buffers instead of sglists, which
> avoids the overhead of copying signature and digest from sglists back
> into kernel buffers. rsassa-pkcs1.c is thus simplified quite a bit.
>
> sig_alg is always synchronous, whereas the underlying "rsa" akcipher_alg
> may be asynchronous. So await the result of the akcipher_alg, similar
> to crypto_akcipher_sync_{en,de}crypt().
>
> As part of the migration, rename "rsa_digest_info" to "hash_prefix" to
> adhere to the spec language in RFC 9580. Otherwise keep the code
> unmodified wherever possible to ease reviewing and bisecting. Leave
> several simplification and hardening opportunities to separate commits.
>
> rsassa-pkcs1.c uses modern __free() syntax for allocation of buffers
> which need to be freed by kfree_sensitive(), hence a DEFINE_FREE()
> clause for kfree_sensitive() is introduced herein as a byproduct.
>
> Signed-off-by: Lukas Wunner <lukas at wunner.de>
This commit (1e562deacecca1f1bec7d23da526904a1e87525e in next-20241021)
seems to break connecting to wpa2-enterprise with iwd.
I've only tested with one such network (eduroam, EAP-PEAP MSCHAPv2) and
not yet with wpa_supplicant.
This appears in the kernel log repeatedly:
[ 123.714646] wlan0: authenticate with b4:de:31:fa:2d:cc (local address=78:46:5c:01:28:85)
[ 123.737991] wlan0: send auth to b4:de:31:fa:2d:cc (try 1/3)
[ 123.763621] wlan0: authenticated
[ 123.767600] wlan0: associate with b4:de:31:fa:2d:cc (try 1/3)
[ 123.780873] wlan0: RX AssocResp from b4:de:31:fa:2d:cc (capab=0x1111 status=0 aid=1)
[ 123.809668] wlan0: associated
[ 123.882344] wlan0: Limiting TX power to 30 (30 - 0) dBm as advertised by b4:de:31:fa:2d:cc
[ 126.895233] wlan0: deauthenticating from b4:de:31:fa:2d:cc by local choice (Reason: 23=IEEE8021X_FAILED)
followed by this for a while:
[ 127.214582] wlan0: authenticate with b4:de:31:fa:2d:cc (local address=78:46:5c:01:28:85)
[ 127.237431] wlan0: send auth to b4:de:31:fa:2d:cc (try 1/3)
[ 127.363430] wlan0: send auth to b4:de:31:fa:2d:cc (try 2/3)
[ 127.467526] wlan0: send auth to b4:de:31:fa:2d:cc (try 3/3)
[ 127.571506] wlan0: authentication with b4:de:31:fa:2d:cc timed out
Please let me know if there's anything else you need.
Regards,
Klara Modin
-------------- next part --------------
git bisect start
# status: waiting for both good and bad commits
# bad: [d49518711f816af793de9d4a1a0e13ad10b5ce91] i2c: spacemit: add support for SpacemiT K1 SoC
git bisect bad d49518711f816af793de9d4a1a0e13ad10b5ce91
# status: waiting for good commit(s), bad commit known
# good: [c55228220dd33e7627ad9736b6fce4df5e7eac98] Merge tag 'char-misc-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
git bisect good c55228220dd33e7627ad9736b6fce4df5e7eac98
# bad: [092d750e6edc08fdf25e858ac5aed09cfe4685be] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
git bisect bad 092d750e6edc08fdf25e858ac5aed09cfe4685be
# good: [e0c1b92a36f6e500684f5e47d95eeb0719bad2ca] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux.git
git bisect good e0c1b92a36f6e500684f5e47d95eeb0719bad2ca
# good: [a8a3d62d6fa4c374c9b1fc669ca1bc73f5370650] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git
git bisect good a8a3d62d6fa4c374c9b1fc669ca1bc73f5370650
# good: [39ab20647d7b8516fcad91950d8491369ebd5ea3] Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect good 39ab20647d7b8516fcad91950d8491369ebd5ea3
# good: [2fe3f43cbfb72a5dd053663933542d190311210c] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
git bisect good 2fe3f43cbfb72a5dd053663933542d190311210c
# good: [582173a1dcc0a38c210b20450a615d724026d18f] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
git bisect good 582173a1dcc0a38c210b20450a615d724026d18f
# good: [07375e61c414d70a7332443e710e24f8dc5d6705] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath.git
git bisect good 07375e61c414d70a7332443e710e24f8dc5d6705
# bad: [98091a826873bc5c114455f474121b67907e98ab] crypto: drivers - Correct multiple typos in comments
git bisect bad 98091a826873bc5c114455f474121b67907e98ab
# bad: [d6793ff974e07e4eea151d1f0805e92d042825a1] crypto: ecdsa - Move X9.62 signature decoding into template
git bisect bad d6793ff974e07e4eea151d1f0805e92d042825a1
# bad: [5e00481bf0a8b4dbd1588ae08f1ff82492011987] crypto: rsassa-pkcs1 - Harden digest length verification
git bisect bad 5e00481bf0a8b4dbd1588ae08f1ff82492011987
# good: [ef132350a3c2ae15349b7f748ce0859f0c2861be] crypto: ecdsa - Migrate to sig_alg backend
git bisect good ef132350a3c2ae15349b7f748ce0859f0c2861be
# good: [7964b0d4bd1271f82d6b455366a200d320f7dbf8] crypto: rsa-pkcs1pad - Deduplicate set_{pub,priv}_key callbacks
git bisect good 7964b0d4bd1271f82d6b455366a200d320f7dbf8
# bad: [1e562deacecca1f1bec7d23da526904a1e87525e] crypto: rsassa-pkcs1 - Migrate to sig_alg backend
git bisect bad 1e562deacecca1f1bec7d23da526904a1e87525e
# first bad commit: [1e562deacecca1f1bec7d23da526904a1e87525e] crypto: rsassa-pkcs1 - Migrate to sig_alg backend
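To make concrete what the quoted commit message means by the "Full Hash Prefix" and by a message encoding that is "incompliant with EMSA-PKCS1-v1_5", here is an added Python example. It is not code from the patch, from the kernel's rsassa-pkcs1.c, or from iwd/ell; it builds the DigestInfo prefix from the digest OID, produces the RFC 8017 sec 9.2 encoding, reproduces the prefix-less encoding that the commit message says a hash-less pkcs1pad(rsa) transform used to emit for sign/verify, and shows a verifier that recomputes the expected encoding and rejects the prefix-less one. The hashlib hash names, the sample message, and em_len = 256 (modelling a 2048-bit modulus) are assumptions; the example says nothing about why iwd fails, which the thread does not resolve.

```python
"""EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) encoding with and without the Full Hash Prefix.

Added example for this thread; not code from the patch, the kernel, or iwd.
Assumptions: hashlib hash names, em_len = 256 models a 2048-bit RSA modulus,
and the sample message is constructed.
"""
import hashlib
import hmac

# Digest algorithm OIDs (RFC 8017 Appendix B.1). The DER DigestInfo prefix is
# derived from these rather than typed in, so it can be cross-checked against
# the constants listed in the RFC 8017 sec 9.2 note.
HASH_OIDS = {
    "sha1":   "1.3.14.3.2.26",
    "sha224": "2.16.840.1.101.3.4.2.4",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def _der_len(n: int) -> bytes:
    # Short-form DER length only; every DigestInfo here is well under 128 bytes.
    if n >= 128:
        raise ValueError("long-form DER length not needed here")
    return bytes([n])


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128 groups, least significant first here,
        arc >>= 7                     # reversed below; continuation bit on all but the last
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def hash_prefix(hash_name: str) -> bytes:
    """DigestInfo DER with the digest value left off: SEQUENCE { SEQUENCE { OID, NULL },
    OCTET STRING header }. This is the Full Hash Prefix of the RFC 8017 sec 9.2 note."""
    digest_len = hashlib.new(hash_name).digest_size
    alg_id = _der_oid(HASH_OIDS[hash_name]) + b"\x05\x00"      # AlgorithmIdentifier, NULL params
    alg_id = b"\x30" + _der_len(len(alg_id)) + alg_id
    octet_hdr = b"\x04" + _der_len(digest_len)
    return b"\x30" + _der_len(len(alg_id) + len(octet_hdr) + digest_len) + alg_id + octet_hdr


def _pad(t: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T with PS at least 8 bytes of 0xff (RFC 8017 sec 9.2)."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v1_5_encode(hash_name: str, digest: bytes, em_len: int) -> bytes:
    """Compliant encoding: T = hash_prefix || H, so the signature commits to the hash algorithm."""
    if len(digest) != hashlib.new(hash_name).digest_size:
        raise ValueError("digest length does not match hash algorithm")
    return _pad(hash_prefix(hash_name) + digest, em_len)


def legacy_encode_without_prefix(digest: bytes, em_len: int) -> bytes:
    """What a hash-less pkcs1pad(rsa) transform produced for sign/verify before this
    patch, per the commit message: T = H alone, no DigestInfo, hence not EMSA-PKCS1-v1_5."""
    return _pad(digest, em_len)


def emsa_pkcs1_v1_5_verify(hash_name: str, digest: bytes, em: bytes) -> bool:
    """RFC 8017 sec 8.2.2 step 4: recompute EM' and compare the whole encoding in
    constant time. Anything lacking the exact prefix for hash_name fails."""
    try:
        expected = emsa_pkcs1_v1_5_encode(hash_name, digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def demo(em_len: int = 256) -> dict:
    """Constructed message; em_len = 256 models a 2048-bit RSA modulus (assumption)."""
    digest = hashlib.sha256(b"constructed sample message").digest()
    good = emsa_pkcs1_v1_5_encode("sha256", digest, em_len)
    legacy = legacy_encode_without_prefix(digest, em_len)
    return {
        "compliant_accepted": emsa_pkcs1_v1_5_verify("sha256", digest, good),
        "prefixless_rejected": not emsa_pkcs1_v1_5_verify("sha256", digest, legacy),
        "wrong_hash_rejected": not emsa_pkcs1_v1_5_verify("sha224", digest, good),
    }


if __name__ == "__main__":
    print(hash_prefix("sha256").hex())
    print(demo())
```

The verifier deliberately compares the whole recomputed EM rather than parsing the padding, which is the comparison form RFC 8017 sec 8.2.2 prescribes and the reason a hash-less transform cannot interoperate with a compliant peer: the prefix-less EM never equals EM' for any hash algorithm.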