Bugzilla – Bug 555850
crda -- Database signature verification failed.
Last modified: 2010-09-10 15:14:20 UTC
crda reports database signature verification failure:

# export COUNTRY=DE
# /sbin/crda
Database signature verification failed.

A strace complains about fips_enabled:

open("/usr/local/lib/crda/regulatory.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/crda/regulatory.bin", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3108, ...}) = 0
mmap(NULL, 3108, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f603dfa4000
access("/etc/gcrypt/fips_enabled", F_OK) = -1 ENOENT (No such file or directory)
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603dfa3000
read(4, "0\n", 1024) = 2
close(4) = 0
munmap(0x7f603dfa3000, 4096) = 0
write(2, "Database signature verification "..., 40Database signature verification failed.
) = 40
exit_group(-22) = ?
Enabling FIPS does not help, ...:

# echo "1" > /proc/sys/crypto/fips_enabled
-bash: /proc/sys/crypto/fips_enabled: Keine Berechtigung
# echo "1" > /etc/gcrypt/fips_enabled
# strace -f /sbin/crda
[...]
open("/usr/lib/crda/regulatory.bin", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3108, ...}) = 0
mmap(NULL, 3108, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6847a6c000
access("/etc/gcrypt/fips_enabled", F_OK) = 0
open("/etc/gcrypt/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6847a6b000
read(4, "1\n", 4096) = 2
close(4) = 0
munmap(0x7f6847a6b000, 4096) = 0
mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6847a64000
getuid() = 0
mlock(0x7f6847a64000, 32768) = 0
open("/dev/random", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
select(5, [4], NULL, NULL, {3, 0}) = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0}) = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0}) = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0}) = 1 (in [4], left {1, 947924})
read(4, "\312D\22\n\6\3\363f", 16) = 8
select(5, [4], NULL, NULL, {3, 0}) = 1 (in [4], left {2, 606831})
read(4, "\220\352p\321\217\274\20\356", 8) = 8
getpid() = 6552
select(5, [4], NULL, NULL, {3, 0}) = 1 (in [4], left {2, 606648})
read(4, "\350\263\301\375tenV", 16) = 8
select(5, [4], NULL, NULL, {3, 0}) = 1 (in [4], left {2, 603033})
read(4, "\377\234\250\0327\355!D", 8) = 8
getppid() = 6551
write(2, "Database signature verification "..., 40Database signature verification failed.
) = 40
exit_group(-22) = ?

Looks like an invalid signature.
I can confirm. Getting a regulatory database from http://wireless.kernel.org/download/wireless-regdb/regulatory.bins/ fixes the problem. Quite possibly regulatory.bin is compiled and therefore signed by Novell but Novell's public key for verification is not embedded in crda.

Please note that this is a _major_ bug, as it effectively restricts any and all wireless devices to the world (i.e. most restrictive) regulatory domain, disallowing network access for all who use, say, channel 13 on their APs, which is actually relatively popular in Europe.
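Before concluding that the signing key is at fault, it helps to confirm that regulatory.bin itself is structurally sound. The following is an added example, not part of the bug report or of crda: the header layout and constants follow crda's regdb.h, `inspect_regdb` and `make_sample` are hypothetical names, and the sample image is constructed.

```python
import hashlib
import struct

# Header of crda's binary regulatory database (big-endian u32 fields, per
# crda's regdb.h): magic, version, reg_country_ptr, reg_country_num,
# signature_length.
HEADER = struct.Struct(">5I")
REGDB_MAGIC = 0x52474442   # ASCII "RGDB"
REGDB_VERSION = 19


def inspect_regdb(blob: bytes) -> dict:
    """Split a regulatory.bin image into signed payload and trailing signature."""
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than the header")
    magic, version, _country_ptr, country_num, sig_len = HEADER.unpack_from(blob)
    if magic != REGDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    if version != REGDB_VERSION:
        raise ValueError(f"unsupported version {version}")
    # The signature is appended to the file; everything before it is signed.
    if len(blob) <= HEADER.size + sig_len:
        raise ValueError("signature length does not fit the file")
    split = len(blob) - sig_len
    return {
        "countries": country_num,
        "signature_bits": sig_len * 8,   # equals the RSA modulus size
        "signed_sha1": hashlib.sha1(blob[:split]).hexdigest(),
        "signature": blob[split:],
    }


def make_sample(sig_len: int = 256) -> bytes:
    """Constructed sample: valid header, dummy body, dummy signature bytes."""
    body = b"\x00" * 64
    header = HEADER.pack(REGDB_MAGIC, REGDB_VERSION, HEADER.size, 0, sig_len)
    return header + body + b"\xaa" * sig_len


if __name__ == "__main__":
    import sys
    # Pass a path such as /usr/lib/crda/regulatory.bin, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    info = inspect_regdb(data)
    print(f"{info['countries']} countries, {info['signature_bits']}-bit signature")
    print("SHA-1 of signed part:", info["signed_sha1"])
```

If the packaged file and the upstream file both parse and report the same signed-part hash but carry different signature bytes, the payload is intact and only the signing key differs.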
Vladimir, any news?
# cd hilbert:/mounts/work_users/ro
# osc rq list hardware
34100 State:new By:oertel When:2010-03-05T01:53:12
  submit: home:oertel:branches:hardware/crda -> hardware
  Descr: 'update to current release'
34099 State:new By:oertel When:2010-03-05T01:33:50
  submit: home:oertel:branches:hardware/wireless-regdb -> hardware
  Descr: 'update to current'

With these I don't get the verification failed message anymore (it's the regdb-2009.11.25 and crda-1.1.1 releases), but on calling crda I get: "Failed to set regulatory domain: -22", whatever that may mean. Setting the domain via "iw reg set DE" works for me.
It is also required to set WIRELESS_WPA_DRIVER='nl80211' in case wpa_supplicant is in use. I opened bug 585802 to track the switch to the new driver on 11.3 and collect the cases where the new driver does not work.
All is well in 11.3, closed as FIXED

Sep 10 17:10:54 vaio kernel: [74086.544686] cfg80211: Calling CRDA for country: CZ
Sep 10 17:10:54 vaio kernel: [74086.547515] cfg80211: Regulatory domain changed to country: CZ
Sep 10 17:10:54 vaio kernel: [74086.547518] (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Sep 10 17:10:54 vaio kernel: [74086.547520] (2400000 KHz - 2483500 KHz @ 40000 KHz), (N/A, 2000 mBm)
Sep 10 17:10:54 vaio kernel: [74086.547522] (5150000 KHz - 5250000 KHz @ 40000 KHz), (N/A, 2301 mBm)
Sep 10 17:10:54 vaio kernel: [74086.547524] (5250000 KHz - 5350000 KHz @ 40000 KHz), (N/A, 2301 mBm)
Sep 10 17:10:54 vaio kernel: [74086.547525] (5470000 KHz - 5725000 KHz @ 40000 KHz), (N/A, 3000 mBm)