[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMj1kXGiu5Wr8NAACBUtiJMY8rQAGCTOcQdK1QM6jgH-0Lm=YA@mail.gmail.com>
Date: Sat, 18 Jul 2020 11:18:10 +0300
From: Ard Biesheuvel <ardb@...nel.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-wireless@...r.kernel.org,
Marcel Holtmann <marcel@...tmann.org>,
Denis Kenzior <denkenz@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Trond Myklebust <trond.myklebust@...merspace.com>,
Anna Schumaker <anna.schumaker@...app.com>,
"J. Bruce Fields" <bfields@...ldses.org>,
Chuck Lever <chuck.lever@...cle.com>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
"open list:BPF JIT for MIPS (32-BIT AND 64-BIT)"
<netdev@...r.kernel.org>, devel@...verdev.osuosl.org,
linux-nfs@...r.kernel.org
Subject: Re: [RFC PATCH 4/7] crypto: remove ARC4 support from the skcipher API
On Fri, 3 Jul 2020 at 02:04, Ard Biesheuvel <ardb@...nel.org> wrote:
>
> On Thu, 2 Jul 2020 at 20:21, Ard Biesheuvel <ardb@...nel.org> wrote:
> >
> > On Thu, 2 Jul 2020 at 19:50, Eric Biggers <ebiggers@...nel.org> wrote:
> > >
> > > [+linux-wireless, Marcel Holtmann, and Denis Kenzior]
> > >
> > > On Thu, Jul 02, 2020 at 12:19:44PM +0200, Ard Biesheuvel wrote:
> > > > Remove the generic ecb(arc4) skcipher, which is slightly cumbersome from
> > > > a maintenance perspective, since it does not quite behave like other
> > > > skciphers do in terms of key vs IV lifetime. Since we are leaving the
> > > > library interface in place, which is used by the various WEP and TKIP
> > > > implementations we have in the tree, we can safely drop this code now
> > > > it no longer has any users.
> > > >
> > > > Signed-off-by: Ard Biesheuvel <ardb@...nel.org>
> > >
> > > Last year there was a discussion where it was mentioned that iwd uses
> > > "ecb(arc4)" via AF_ALG. So can we really remove it yet?
> > > See https://lkml.kernel.org/r/97BB95F6-4A4C-4984-9EAB-6069E19B4A4F@holtmann.org
> > > Note that the code isn't in "iwd" itself but rather in "libell" which iwd
> > > depends on: https://git.kernel.org/pub/scm/libs/ell/ell.git/
> > >
> > > Apparently it also uses md4 and ecb(des) too.
> > >
> >
> > Ah yes, I remember now :-(
> >
> > > Marcel and Denis, what's your deprecation plan for these obsolete and insecure
> > > algorithms?
> > >
> >
> > Given Denis's statement:
> >
> > It sounds to me like it was broken and should be fixed. So our vote /
> > preference is to have ARC4 fixed to follow the proper semantics. We
> > can deal with the kernel behavioral change on our end easily enough;
> > the required workarounds are the worse evil.
> >
> > I would think that an ABI break is not the end of the world for them,
> > and given how trivial it is to implement RC4 in C, the workaround
> > should be to simply implement RC4 in user space, and not even bother
> > trying to use AF_ALG to get at ecb(arc4)
> >
> > (same applies to md4 and ecb(des) btw)
> >
> > There will always be a long tail of use cases, and at some point, we
> > just have to draw the line and remove obsolete and insecure cruft,
> > especially when it impedes progress on other fronts.
> >
>
> I have ported iwd to Nettle's LGPL 2.1 implementation of ARC4, and the
> diffstat is
>
> src/crypto.c | 80 ++++++++++++--------
> src/main.c | 8 --
> unit/test-eapol.c | 3 +-
> 3 files changed, 51 insertions(+), 40 deletions(-)
>
> https://git.kernel.org/pub/scm/linux/kernel/git/ardb/iwd.git/log/?h=arc4-cleanup
Marcel, Denis,
Do you have any objections to the ecb(arc4) skcipher being dropped
from the kernel, given the fallback i proposed above (which is a much
better way of doing rc4 in user space anyway)?
For libell, I would suggest dropping rc4 entirely, once iwd stops
relying on it, as using rc4 for tls is obsolete as well.
Powered by blists - more mailing lists