On Sat, 18 Jul 2020 at 11:18, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Fri, 3 Jul 2020 at 02:04, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > > > On Thu, 2 Jul 2020 at 20:21, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > > > > > On Thu, 2 Jul 2020 at 19:50, Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > > > > > > > [+linux-wireless, Marcel Holtmann, and Denis Kenzior] > > > > > > > > On Thu, Jul 02, 2020 at 12:19:44PM +0200, Ard Biesheuvel wrote: > > > > > Remove the generic ecb(arc4) skcipher, which is slightly cumbersome from > > > > > a maintenance perspective, since it does not quite behave like other > > > > > skciphers do in terms of key vs IV lifetime. Since we are leaving the > > > > > library interface in place, which is used by the various WEP and TKIP > > > > > implementations we have in the tree, we can safely drop this code now > > > > > it no longer has any users. > > > > > > > > > > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > > > > > > > > Last year there was a discussion where it was mentioned that iwd uses > > > > "ecb(arc4)" via AF_ALG. So can we really remove it yet? > > > > See https://lkml.kernel.org/r/97BB95F6-4A4C-4984-9EAB-6069E19B4A4F@xxxxxxxxxxxx > > > > Note that the code isn't in "iwd" itself but rather in "libell" which iwd > > > > depends on: https://git.kernel.org/pub/scm/libs/ell/ell.git/ > > > > > > > > Apparently it also uses md4 and ecb(des) too. > > > > > > > > > > Ah yes, I remember now :-( > > > > > > > Marcel and Denis, what's your deprecation plan for these obsolete and insecure > > > > algorithms? > > > > > > > > > > Given Denis's statement: > > > > > > It sounds to me like it was broken and should be fixed. So our vote / > > > preference is to have ARC4 fixed to follow the proper semantics. We > > > can deal with the kernel behavioral change on our end easily enough; > > > the required workarounds are the worse evil. > > > > > > I would think that an ABI break is not the end of the world for them, > > > and given how trivial it is to implement RC4 in C, the workaround > > > should be to simply implement RC4 in user space, and not even bother > > > trying to use AF_ALG to get at ecb(arc4) > > > > > > (same applies to md4 and ecb(des) btw) > > > > > > There will always be a long tail of use cases, and at some point, we > > > just have to draw the line and remove obsolete and insecure cruft, > > > especially when it impedes progress on other fronts. > > > > > > > I have ported iwd to Nettle's LGPL 2.1 implementation of ARC4, and the > > diffstat is > > > > src/crypto.c | 80 ++++++++++++-------- > > src/main.c | 8 -- > > unit/test-eapol.c | 3 +- > > 3 files changed, 51 insertions(+), 40 deletions(-) > > > > https://git.kernel.org/pub/scm/linux/kernel/git/ardb/iwd.git/log/?h=arc4-cleanup > > Marcel, Denis, > > Do you have any objections to the ecb(arc4) skcipher being dropped > from the kernel, given the fallback i proposed above (which is a much > better way of doing rc4 in user space anyway)? > > For libell, I would suggest dropping rc4 entirely, once iwd stops > relying on it, as using rc4 for tls is obsolete as well. Ping?