On Fri, 13 Oct 2023 at 15:37, Denis Kenzior <denkenz@xxxxxxxxx> wrote:
>
> Hi Herbert,
>
> On 10/13/23 05:39, Herbert Xu wrote:
> > On Sun, Oct 08, 2023 at 05:01:39AM +0100, Dimitri John Ledkov wrote:
> >> No internal users left and cryptographically insecure. Users should
> >> upgrade to something else, e.g. sha256 blake3.
> >>
> >> Some drivers have their own full or partial md4 implementation without
> >> using crypto/md4.
> >>
> >> Userspace code search indicates a few copies of hash_info.h
> >> https://codesearch.debian.net/search?q=HASH_ALGO_MD4&literal=1 without
> >> need for MD4.
> >>
> >> Preserve uapi hash algorithm indexes and array length, but rename the
> >> MD4 enum.
> >>
> >> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@xxxxxxxxxxxxx>
> >> ---
> >> crypto/Kconfig | 6 -
> >> crypto/Makefile | 1 -
> >> crypto/hash_info.c | 4 +-
> >> crypto/md4.c | 241 ---------------------------------
> >> crypto/tcrypt.c | 12 --
> >> crypto/testmgr.c | 6 -
> >> crypto/testmgr.h | 42 ------
> >> include/uapi/linux/hash_info.h | 2 +-
> >> 8 files changed, 3 insertions(+), 311 deletions(-)
> >> delete mode 100644 crypto/md4.c
> >
> > Patch applied. Thanks.
>
> Does this patch break userspace?
>
> Here's a thread regarding MD4 the last time its removal was attempted:
> https://lore.kernel.org/linux-crypto/20210818144617.110061-1-ardb@xxxxxxxxxx/
>
> Please note that iwd does use MD4 hashes here:
> https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/checksum.c#n63
>
> https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/src/eap-mschapv2.c#n165
>

Thank you for this reference. The WiFi eap mschapv2 based
authentication indeed relies on MD4.

The IWD code uses kernel as a basically impromptu userspace library to
gain access to MD4, which sounds like a poor way of doing this. In
comparison NetworkManager uses userspace crypto libraries to compute
that. Note that iwd has an alternative code path of using md4 hashed
password, meaning it does still work on kernels without MD4.

It worries me a lot that this is still in active use. MS-CHAPv2 has
been completely broken since 2012 with a cloud service at the time
offered to automatically crack any communication. It is insecure, does
not provide any confidentiality, and worse off allows to steal & reuse
credentials to later impersonate the original user. It is worse than
unencrypted WiFi in that sense. Even Windows 11 since at least 22H2
release prohibits such connections.

I will propose patches to IWD to stop using the md5 crypto kernel
interface. As much as it is convenient, users of insecure & obsolete
cryptography must not hold up removal of such methods from the kernel.

--
okurrr,

Dimitri
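
Added example, not part of the original message and not code from iwd or ell: a probe for whether the running kernel still offers MD4 to userspace, using the kernel's AF_ALG socket interface (assumed here to be the kernel interface the message refers to). The function names and status strings are hypothetical; the expected MD4 value is the RFC 1320 test vector for "abc", and SHA-256 serves as a control so that a missing AF_ALG is not mistaken for a missing MD4.

```python
import hashlib
import socket

# RFC 1320 test vector: MD4("abc")
MD4_ABC = bytes.fromhex("a448017aaf21d8525fc10ae87aa6729d")


def kernel_hash(name, data):
    """Digest `data` with the kernel's AF_ALG "hash" type.

    Returns the digest, or None if this platform or kernel does not offer
    the algorithm through AF_ALG (hypothetical helper, not from iwd/ell).
    """
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:  # non-Linux, or Python built without AF_ALG
        return None
    try:
        with socket.socket(af_alg, socket.SOCK_SEQPACKET, 0) as tfm:
            tfm.bind(("hash", name))  # fails with ENOENT if the algorithm is absent
            op, _ = tfm.accept()
            with op:
                op.sendall(data)  # no MSG_MORE: the kernel finalises the hash
                return op.recv(64)  # room for digests up to 512 bits
    except OSError:
        return None


def md4_kernel_status():
    """Classify MD4 availability, using SHA-256 as a control algorithm."""
    control = kernel_hash("sha256", b"abc")
    if control != hashlib.sha256(b"abc").digest():
        return "af_alg-unavailable"  # cannot tell anything about MD4
    digest = kernel_hash("md4", b"abc")
    if digest is None:
        return "md4-missing"  # callers need a userspace MD4 or a pre-hashed secret
    return "md4-present" if digest == MD4_ABC else "md4-mismatch"


if __name__ == "__main__":
    print(md4_kernel_status())
```

A result of "md4-missing" on a host that authenticates with MS-CHAPv2 through the kernel interface marks a system that the removal discussed above would affect.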