On Fri, 3 Jul 2020 at 02:04, Ard Biesheuvel <a...@kernel.org> wrote: > > On Thu, 2 Jul 2020 at 20:21, Ard Biesheuvel <a...@kernel.org> wrote: > > > > On Thu, 2 Jul 2020 at 19:50, Eric Biggers <ebigg...@kernel.org> wrote: > > > > > > [+linux-wireless, Marcel Holtmann, and Denis Kenzior] > > > > > > On Thu, Jul 02, 2020 at 12:19:44PM +0200, Ard Biesheuvel wrote: > > > > Remove the generic ecb(arc4) skcipher, which is slightly cumbersome from > > > > a maintenance perspective, since it does not quite behave like other > > > > skciphers do in terms of key vs IV lifetime. Since we are leaving the > > > > library interface in place, which is used by the various WEP and TKIP > > > > implementations we have in the tree, we can safely drop this code now > > > > it no longer has any users. > > > > > > > > Signed-off-by: Ard Biesheuvel <a...@kernel.org> > > > > > > Last year there was a discussion where it was mentioned that iwd uses > > > "ecb(arc4)" via AF_ALG. So can we really remove it yet? > > > See > > > https://lkml.kernel.org/r/97bb95f6-4a4c-4984-9eab-6069e19b4...@holtmann.org > > > Note that the code isn't in "iwd" itself but rather in "libell" which iwd > > > depends on: https://git.kernel.org/pub/scm/libs/ell/ell.git/ > > > > > > Apparently it also uses md4 and ecb(des) too. > > > > > > > Ah yes, I remember now :-( > > > > > Marcel and Denis, what's your deprecation plan for these obsolete and > > > insecure > > > algorithms? > > > > > > > Given Denis's statement: > > > > It sounds to me like it was broken and should be fixed. So our vote / > > preference is to have ARC4 fixed to follow the proper semantics. We > > can deal with the kernel behavioral change on our end easily enough; > > the required workarounds are the worse evil. > > > > I would think that an ABI break is not the end of the world for them, > > and given how trivial it is to implement RC4 in C, the workaround > > should be to simply implement RC4 in user space, and not even bother > > trying to use AF_ALG to get at ecb(arc4) > > > > (same applies to md4 and ecb(des) btw) > > > > There will always be a long tail of use cases, and at some point, we > > just have to draw the line and remove obsolete and insecure cruft, > > especially when it impedes progress on other fronts. > > > > I have ported iwd to Nettle's LGPL 2.1 implementation of ARC4, and the > diffstat is > > src/crypto.c | 80 ++++++++++++-------- > src/main.c | 8 -- > unit/test-eapol.c | 3 +- > 3 files changed, 51 insertions(+), 40 deletions(-) > > https://git.kernel.org/pub/scm/linux/kernel/git/ardb/iwd.git/log/?h=arc4-cleanup
Marcel, Denis, Do you have any objections to the ecb(arc4) skcipher being dropped from the kernel, given the fallback i proposed above (which is a much better way of doing rc4 in user space anyway)? For libell, I would suggest dropping rc4 entirely, once iwd stops relying on it, as using rc4 for tls is obsolete as well.
