Source: linux Severity: normal Tags: security X-Debbugs-Cc: Debian Security Team <[email protected]>
Hi, people claim that the crypto API is a source of security issues when (mis-)used by user space. LWN commenters on the recent algif_aead issue have some more notes: https://lwn.net/Articles/1070682/ partial quotes: > found only 6 packages that use it: iproute2, util-linux, bluez, > qtconnectivity, openssl, and ell > [..] As far I know, the only thing that uses algif_aead is bluetooth-meshd > Yes, it's only a small set of userspace programs that made the > shortsighted decision to use AF_ALG, instead of following the > standard practice of using a userspace crypto library. > Help fixing these userspace programs would be greatly appreciated. > It would be really impactful, as it would allow more people to > disable CONFIG_CRYPTO_USER_API_* in their kernels. https://lwn.net/Articles/1070960/ > it's primarily intended as an interface for some hardware crypto > acceleration engines (like AMD's CCP, on systems it works in > anyway) So it appears there are some tradeoffs to be made. Please take a look and consider turning the crypto user api off. Best, Chris PS: For src:util-linux, a quick look suggests we can easily stop using the kernels crypto API.
