public inbox for linux-wireless@vger.kernel.org
From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Eric Biggers" <ebiggers@kernel.org>,
	<linux-crypto@vger.kernel.org>,
	"Herbert Xu" <herbert@gondor.apana.org.au>
Cc: <keyrings@vger.kernel.org>, <linux-wireless@vger.kernel.org>,
	<iwd@lists.linux.dev>, "James Prestwood" <prestwoj@gmail.com>,
	"Dimitri John Ledkov" <dimitri.ledkov@canonical.com>,
	"Karel Balej" <balejk@matfyz.cz>
Subject: Re: [PATCH] Revert "crypto: pkcs7 - remove sha1 support"
Date: Tue, 19 Mar 2024 19:20:54 +0200
Message-ID: <CZXWE5J2QMIN.1L4QKQU7C7UMN@kernel.org>
In-Reply-To: <20240313233227.56391-1-ebiggers@kernel.org>

On Thu Mar 14, 2024 at 1:32 AM EET, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> This reverts commit 16ab7cb5825fc3425c16ad2c6e53d827f382d7c6 because it
> broke iwd.  iwd uses the KEYCTL_PKEY_* UAPIs via its dependency libell,
> and apparently it is relying on SHA-1 signature support.  These UAPIs
> are fairly obscure, and their documentation does not mention which
> algorithms they support.  iwd really should be using a properly
> supported userspace crypto library instead.  Regardless, since something
> broke we have to revert the change.
>
> It may be possible that some parts of this commit can be reinstated
> without breaking iwd (e.g. probably the removal of MODULE_SIG_SHA1), but
> for now this just does a full revert to get things working again.
>
> Reported-by: Karel Balej <balejk@matfyz.cz>
> Closes: https://lore.kernel.org/r/CZSHRUIJ4RKL.34T4EASV5DNJM@matfyz.cz
> Cc: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  crypto/asymmetric_keys/mscode_parser.c    |  3 +
>  crypto/asymmetric_keys/pkcs7_parser.c     |  4 ++
>  crypto/asymmetric_keys/public_key.c       |  3 +-
>  crypto/asymmetric_keys/signature.c        |  2 +-
>  crypto/asymmetric_keys/x509_cert_parser.c |  8 +++
>  crypto/testmgr.h                          | 80 +++++++++++++++++++++++
>  include/linux/oid_registry.h              |  4 ++
>  kernel/module/Kconfig                     |  5 ++
>  8 files changed, 107 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
> index 05402ef8964e..8aecbe4637f3 100644
> --- a/crypto/asymmetric_keys/mscode_parser.c
> +++ b/crypto/asymmetric_keys/mscode_parser.c
> @@ -73,10 +73,13 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
>  	char buffer[50];
>  	enum OID oid;
>  
>  	oid = look_up_OID(value, vlen);
>  	switch (oid) {
> +	case OID_sha1:
> +		ctx->digest_algo = "sha1";
> +		break;
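
Review bot: The re-added `case OID_sha1:` in mscode_note_digest_algo() carries no comment saying why SHA-1 is accepted again, and nothing in the hunk ties this parser to the reported breakage. The commit message attributes the regression to iwd's use of the KEYCTL_PKEY_* UAPIs and says parts of the removal can probably be reinstated, so please state at this case, or in the commit message, whether this path is needed for iwd or is only restored as part of the full revert, and reference the Closes: link. That gives a later, narrower removal a record of which SHA-1 cases can be dropped first.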

I fully agree with the change BUT...

IMHO it would make sense to e.g. either add an inline comment about the iwd
dependency or a link to the bug report here.

I'd like to think that there is common will to eventually get rid of
all of SHA-1, and thus in cases where it is not yet possible it would
make sense to guide what needs to be done to make it happen, right?

BR, Jarkko
