Thread: 6 messages, 2 authors, 2020-08-04

Re: [RFC PATCH 4/7] crypto: remove ARC4 support from the skcipher API

From: Ard Biesheuvel <ardb@kernel.org>
Date: 2020-07-02 23:04:29
Also in: linux-crypto, linux-nfs, lkml, netdev

On Thu, 2 Jul 2020 at 20:21, Ard Biesheuvel [off-list ref] wrote:
> On Thu, 2 Jul 2020 at 19:50, Eric Biggers [off-list ref] wrote:
> > [+linux-wireless, Marcel Holtmann, and Denis Kenzior]
> >
> > On Thu, Jul 02, 2020 at 12:19:44PM +0200, Ard Biesheuvel wrote:
> > > Remove the generic ecb(arc4) skcipher, which is slightly cumbersome from
> > > a maintenance perspective, since it does not quite behave like other
> > > skciphers do in terms of key vs IV lifetime. Since we are leaving the
> > > library interface in place, which is used by the various WEP and TKIP
> > > implementations we have in the tree, we can safely drop this code now
> > > that it no longer has any users.
> > >
> > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> >
> > Last year there was a discussion where it was mentioned that iwd uses
> > "ecb(arc4)" via AF_ALG.  So can we really remove it yet?
> > See https://lkml.kernel.org/r/97BB95F6-4A4C-4984-9EAB-6069E19B4A4F@holtmann.org
> >
> > Note that the code isn't in "iwd" itself but rather in "libell" which iwd
> > depends on: https://git.kernel.org/pub/scm/libs/ell/ell.git/
> >
> > Apparently it also uses md4 and ecb(des) too.
>
> Ah yes, I remember now :-(
>
> > Marcel and Denis, what's your deprecation plan for these obsolete and insecure
> > algorithms?
>
> Given Denis's statement:
>
>   It sounds to me like it was broken and should be fixed.  So our vote /
>   preference is to have ARC4 fixed to follow the proper semantics.  We
>   can deal with the kernel behavioral change on our end easily enough;
>   the required workarounds are the worse evil.
>
> I would think that an ABI break is not the end of the world for them,
> and given how trivial it is to implement RC4 in C, the workaround
> should be to simply implement RC4 in user space, and not even bother
> trying to use AF_ALG to get at ecb(arc4).
>
> (same applies to md4 and ecb(des) btw)
>
> There will always be a long tail of use cases, and at some point, we
> just have to draw the line and remove obsolete and insecure cruft,
> especially when it impedes progress on other fronts.

I have ported iwd to Nettle's LGPL 2.1 implementation of ARC4, and the
diffstat is

 src/crypto.c      | 80 ++++++++++++--------
 src/main.c        |  8 --
 unit/test-eapol.c |  3 +-
 3 files changed, 51 insertions(+), 40 deletions(-)

https://git.kernel.org/pub/scm/linux/kernel/git/ardb/iwd.git/log/?h=arc4-cleanup
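As an added illustration of the "implement RC4 in user space" point above (this is example code written for this page, not code from the thread, iwd, libell or Nettle): a minimal RC4/ARC4 in C whose context carries the keystream state (S-box plus the two indices) from one call to the next, which is the property that never fit the skcipher key/IV model and matters only for the legacy WEP/TKIP paths the thread mentions. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Keystream state. Unlike an IV-driven skcipher, where each request
 * restarts from the IV, this state continues across crypt calls: the
 * key schedule is run once and the keystream position is implicit. */
struct rc4_ctx {
    uint8_t s[256];
    uint8_t i, j;
};

/* Key-scheduling algorithm (KSA): accepts keys of 1..256 bytes. */
int rc4_setkey(struct rc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
    if (keylen == 0 || keylen > 256)
        return -1;
    for (int k = 0; k < 256; k++)
        ctx->s[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + ctx->s[k] + key[k % keylen]);
        uint8_t t = ctx->s[k]; ctx->s[k] = ctx->s[j]; ctx->s[j] = t;
    }
    ctx->i = ctx->j = 0;
    return 0;
}

/* Pseudo-random generation (PRGA): XOR the next len keystream bytes
 * into buf in place. Encryption and decryption are the same operation,
 * and two calls of 4 + 5 bytes yield the same output as one of 9. */
void rc4_crypt(struct rc4_ctx *ctx, uint8_t *buf, size_t len)
{
    uint8_t i = ctx->i, j = ctx->j;
    for (size_t n = 0; n < len; n++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + ctx->s[i]);
        uint8_t t = ctx->s[i]; ctx->s[i] = ctx->s[j]; ctx->s[j] = t;
        buf[n] ^= ctx->s[(uint8_t)(ctx->s[i] + ctx->s[j])];
    }
    ctx->i = i;
    ctx->j = j;
}
```

With key "Key" and plaintext "Plaintext" the ciphertext is BBF316E8D940AF0AD3, the standard published RC4 test vector.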