From owner-freebsd-arch@freebsd.org Tue May 7 01:13:26 2019
To: arch@FreeBSD.org
From: John Baldwin
Subject: Deprecating crypto algorithms in the kernel
Message-ID: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
Date: Mon, 6 May 2019 18:13:22 -0700

I have been doing some work off and on to address some of the shortcomings in the in-kernel open crypto framework. However, some complexity can be removed by having fewer algorithms. Also, some of the currently supported algorithms have known weaknesses or are deprecated in RFCs, by the authors, etc. I would like to take a stab at trimming some of this for FreeBSD 13. For an initial proposal, I have a set of (untested) changes in a git branch here:

https://github.com/freebsd/freebsd/compare/master...bsdjhb:crypto_warn

This adds runtime deprecation notices in the kernel when using deprecated algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 and 8429). It then also adds deprecation notices for a few algorithms in GELI. For GELI, the current patches should refuse to create new volumes with these algorithms and warn when mounting an existing volume.

The current optimistic goal would be to merge all the warnings back to 11 and 12 and then remove support for these algorithms outright in 13.0. For GELI in particular, I recognize this is somewhat painful as it means doing a dump/restore if you've created volumes with affected algorithms. OTOH, these algorithms are not the current defaults.

Finally, I've added warnings to /dev/crypto to warn if userland tries to create new sessions for algorithms that no longer have any non-deprecated in-kernel consumers.

I've attached the log messages from the commits below to give a bit more detail about the proposed changes.
There is also an 'ipsec_deprecate' branch that has a few of the actual remove commits if you want to see what those look like, but the first step is really to decide what changes we should/can make and adding suitable warnings.

BTW, not listed here is the compression support for IPsec. That actually adds a fair bit of complexity, and it also in my testing doesn't actually work on head. However, RFC 8221 notes that it is not widely implemented and is generally considered optional (the RFC lists all of the algorithms of which FreeBSD only supports 1 as MAY).

commit 28ee9a2b109251829e940660b53a3551e70b720b
Author: John Baldwin
Date:   Mon May 6 15:48:24 2019 -0700

    Add deprecation warnings for IPsec algorithms deprecated in RFC 8221.

    All of these algorithms are either explicitly marked MUST NOT, or they are implicitly MUST NOTs by virtue of not being included in IETF's list of protocols at all despite having assignments from IANA.

    Specifically, this adds warnings for the following ciphers:
    - des-cbc
    - blowfish-cbc
    - cast128-cbc
    - des-deriv
    - des-32iv
    - camellia-cbc

    Warnings for the following authentication algorithms are also added:
    - hmac-md5
    - keyed-md5
    - keyed-sha1
    - hmac-ripemd160

commit 0ab679486d7af95ff39fe8f43dd8a3c011088a9c
Author: John Baldwin
Date:   Mon May 6 16:13:36 2019 -0700

    Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.

    All of these algorithms are explicitly marked SHOULD NOT in one of these RFCs.

    Specifically, RFC 6649 deprecates all algorithms using DES as well as the "export-friendly" variant of RC4. RFC 8429 deprecates Triple DES and the remaining RC4 algorithms.

commit 9821e245defdac414636a9f2ea4a920f75bdea8a
Author: John Baldwin
Date:   Mon May 6 16:34:46 2019 -0700

    Add warnings to /dev/crypto for deprecated algorithms.

    These algorithms are deprecated algorithms that will have no in-kernel consumers in FreeBSD 13.
    Specifically, deprecate the following algorithms:
    - DES
    - CAST128
    - Skipjack
    - ARC4

commit dcd2c0a4a4e5a82f7cec2fc7e77e9356c1125765
Author: John Baldwin
Date:   Mon May 6 17:39:56 2019 -0700

    Add deprecation warnings for weaker algorithms to geli(4).

    - Triple DES has been formally deprecated in Kerberos (RFC 8429) and is soon to be deprecated in IPsec (RFC 8221). It is generally considered a weak cipher.
    - Blowfish is deprecated. FreeBSD doesn't support its successor (Twofish).
    - MD5 is generally considered a weak digest that has known attacks.

    geli refuses to create new volumes using these algorithms and warns when attaching to existing volumes. The plan is to fully remove support for these algorithms in FreeBSD 13.

commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
Author: John Baldwin
Date:   Mon May 6 17:54:33 2019 -0700

    Add additional warnings to /dev/crypto for deprecated algorithms.

    If these algorithms are removed from geli(4) then there will no longer be any in-kernel consumers:
    - 3DES
    - Blowfish
    - MD5-HMAC

-- 
John Baldwin

From owner-freebsd-arch@freebsd.org Tue May 7 15:13:28 2019
Subject: Re: Deprecating crypto algorithms in the kernel
From: Bob Bishop
To: John Baldwin
Cc: arch@freebsd.org
Date: Tue, 7 May 2019 16:13:18 +0100
Message-Id: <245B376C-F79C-4615-8021-6692EE58CE60@gid.co.uk>
In-Reply-To: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>

Hi,

> On 7 May 2019, at 02:13, John Baldwin wrote:
>
> I have been doing some work off and on to address some of the shortcomings in the in-kernel open crypto framework. However, some complexity can be removed by having fewer algorithms. Also, some of the currently supported algorithms have known weaknesses or are deprecated in RFCs, by the authors, etc. I would like to take a stab at trimming some of this for FreeBSD 13. For an initial proposal, I have a set of (untested) changes in a git branch here:
>
> https://github.com/freebsd/freebsd/compare/master...bsdjhb:crypto_warn
>
> This adds runtime deprecation notices in the kernel when using deprecated algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 and 8429).

Can’t speak to Kerberos, but I have an uneasy feeling that in the case of IPsec there may be implementations out there that require the obsolescent algorithms to interwork, RFC 8221 notwithstanding. Haven’t had to do it myself for a while but last time I remember being surprised by how far behind the curve the other end was.

> It then also adds deprecation notices for a few algorithms in GELI. For GELI, the current patches should refuse to create new volumes with these algorithms and warn when mounting an existing volume.
>
> The current optimistic goal would be to merge all the warnings back to 11 and 12 and then remove support for these algorithms outright in 13.0. For GELI in particular, I recognize this is somewhat painful as it means doing a dump/restore if you've created volumes with affected algorithms. OTOH, these algorithms are not the current defaults.
>
> Finally, I've added warnings to /dev/crypto to warn if userland tries to create new sessions for algorithms that no longer have any non-deprecated in-kernel consumers.
>
> I've attached the log messages from the commits below to give a bit more detail about the proposed changes. There is also an 'ipsec_deprecate' branch that has a few of the actual remove commits if you want to see what those look like, but the first step is really to decide what changes we should/can make and adding suitable warnings.
>
> BTW, not listed here is the compression support for IPsec. That actually adds a fair bit of complexity, and it also in my testing doesn't actually work on head.
> However, RFC 8221 notes that it is not widely implemented and is generally considered optional (the RFC lists all of the algorithms of which FreeBSD only supports 1 as MAY).
> [etc]

--
Bob Bishop
rb@gid.co.uk

From owner-freebsd-arch@freebsd.org Tue May 7 15:55:27 2019
From: Conrad Meyer
Reply-To: cem@freebsd.org
To: John Baldwin
Cc: freebsd-arch@freebsd.org
Subject: Re: Deprecating crypto algorithms in the kernel
Date: Tue, 7 May 2019 08:55:12 -0700
In-Reply-To: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>

On Mon, May 6, 2019 at 6:14 PM John Baldwin wrote:
> I have been doing some work off and on to address some of the shortcomings in the in-kernel open crypto framework. … some of the currently supported algorithms have known weaknesses or are deprecated in RFCs, by the authors, etc. I would like to take a stab at trimming some of this for FreeBSD 13. For an initial proposal, …
>
> This adds runtime deprecation notices in the kernel when using deprecated algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 and 8429). It then also adds deprecation notices for a few algorithms in GELI. For GELI, the current patches should refuse to create new volumes with these algorithms and warn when mounting an existing volume.
>
> The current optimistic goal would be to merge all the warnings back to 11 and 12 and then remove support for these algorithms outright in 13.0. For GELI in particular, I recognize this is somewhat painful as it means doing a dump/restore if you've created volumes with affected algorithms. OTOH, these algorithms are not the current defaults.

Nor were they ever — the default has always been an aes-based algorithm since the initial import of GELI in 2005 (r148456).

> Finally, I've added warnings to /dev/crypto to warn if userland tries to create new sessions for algorithms that no longer have any non-deprecated in-kernel consumers.

We've discussed this offline, but I just wanted to remark on the public lists that I'm all in favor of removing crufty bad crypto algorithms, and your chosen list seems to meet that criteria while being a conservative change. Please kill 'em. :-)

Best,
Conrad

From owner-freebsd-arch@freebsd.org Tue May 7 17:03:28 2019
Date: Tue, 7 May 2019 12:01:15 -0500
From: Benjamin Kaduk
To: John Baldwin
Cc: arch@freebsd.org
Subject: Re: Deprecating crypto algorithms in the kernel
Message-ID: <20190507170115.GI19509@kduck.mit.edu>
In-Reply-To: <245B376C-F79C-4615-8021-6692EE58CE60@gid.co.uk>

Hi John,

Thanks for taking this on; it seems worth doing. [inline]

On Tue, May 07, 2019 at 04:13:18PM +0100, Bob Bishop wrote:
> Hi,
>
> > On 7 May 2019, at 02:13, John Baldwin wrote:
> >
> > I have been doing some work off and on to address some of the shortcomings in the in-kernel open crypto framework. However, some complexity can be removed by having fewer algorithms. Also, some of the currently supported algorithms have known weaknesses or are deprecated in RFCs, by the authors, etc. I would like to take a stab at trimming some of this for FreeBSD 13. For an initial proposal, I have a set of (untested) changes in a git branch here:
> >
> > https://github.com/freebsd/freebsd/compare/master...bsdjhb:crypto_warn
> >
> > This adds runtime deprecation notices in the kernel when using deprecated algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 and 8429).
>
> Can’t speak to Kerberos, but I have an uneasy feeling that in the case of IPsec there may be implementations out there that require the obsolescent algorithms to interwork, RFC 8221 notwithstanding. Haven’t had to do it myself for a while but last time I remember being surprised by how far behind the curve the other end was.
I can speak to Kerberos (I'm an author on RFC 8429), and we were pretty careful about what we deprecated. There may be some deployments that (e.g.) need to talk to legacy Windows versions that can't be easily upgraded, which may need to retain a legacy unix system as a communication partner, but anything that is running current software should be fine with these changes. (IIUC the Windows UI to enable AES for Kerberos is a bit clunky, but it does work.)

For IPsec, I have also heard rumors about truly weird implementations that insist on old/bad algorithms, but don't have personal experience to relate. That said, the major version timeline that John is proposing still seems like a reasonable plan to me, as we should not let ourselves be held hostage by external legacy implementations that cannot upgrade.

> > It then also adds deprecation notices for a few algorithms in GELI. For GELI, the current patches should refuse to create new volumes with these algorithms and warn when mounting an existing volume.
> >
> > The current optimistic goal would be to merge all the warnings back to 11 and 12 and then remove support for these algorithms outright in 13.0. For GELI in particular, I recognize this is somewhat painful as it means doing a dump/restore if you've created volumes with affected algorithms. OTOH, these algorithms are not the current defaults.
> >
> > Finally, I've added warnings to /dev/crypto to warn if userland tries to create new sessions for algorithms that no longer have any non-deprecated in-kernel consumers.
> >
> > I've attached the log messages from the commits below to give a bit more detail about the proposed changes. There is also an 'ipsec_deprecate' branch that has a few of the actual remove commits if you want to see what those look like, but the first step is really to decide what changes we should/can make and adding suitable warnings.
> >
> > BTW, not listed here is the compression support for IPsec. That actually adds a fair bit of complexity, and it also in my testing doesn't actually work on head. However, RFC 8221 notes that it is not widely implemented and is generally considered optional (the RFC lists all of the algorithms of which FreeBSD only supports 1 as MAY).
> > [etc]
> >
> > commit 28ee9a2b109251829e940660b53a3551e70b720b
> > Author: John Baldwin
> > Date:   Mon May 6 15:48:24 2019 -0700
> >
> >     Add deprecation warnings for IPsec algorithms deprecated in RFC 8221.
> >
> >     All of these algorithms are either explicitly marked MUST NOT, or they are implicitly MUST NOTs by virtue of not being included in IETF's list of protocols at all despite having assignments from IANA.

[see below]

> >     Specifically, this adds warnings for the following ciphers:
> >     - des-cbc
> >     - blowfish-cbc
> >     - cast128-cbc
> >     - des-deriv
> >     - des-32iv
> >     - camellia-cbc

AFAIK Camellia is not bad per se, just not implemented/used much outside of Japan. For IETF protocols, it mostly got specified via Informational documents and not Standards-Track ones, since many people thought AES/etc. were fine.

> >
> >     Warnings for the following authentication algorithms are also added:
> >     - hmac-md5
> >     - keyed-md5
> >     - keyed-sha1
> >     - hmac-ripemd160
> >
> > commit 0ab679486d7af95ff39fe8f43dd8a3c011088a9c
> > Author: John Baldwin
> > Date:   Mon May 6 16:13:36 2019 -0700
> >
> >     Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.
> >
> >     All of these algorithms are explicitly marked SHOULD NOT in one of these RFCs.
> >
> >     Specifically, RFC 6649 deprecates all algorithms using DES as well as the "export-friendly" variant of RC4. RFC 8429 deprecates Triple DES and the remaining RC4 algorithms.
> >
> > commit 9821e245defdac414636a9f2ea4a920f75bdea8a
> > Author: John Baldwin
> > Date:   Mon May 6 16:34:46 2019 -0700
> >
> >     Add warnings to /dev/crypto for deprecated algorithms.
> >
> >     These algorithms are deprecated algorithms that will have no in-kernel consumers in FreeBSD 13. Specifically, deprecate the following algorithms:
> >     - DES
> >     - CAST128
> >     - Skipjack
> >     - ARC4
> >
> > commit dcd2c0a4a4e5a82f7cec2fc7e77e9356c1125765
> > Author: John Baldwin
> > Date:   Mon May 6 17:39:56 2019 -0700
> >
> >     Add deprecation warnings for weaker algorithms to geli(4).
> >
> >     - Triple DES has been formally deprecated in Kerberos (RFC 8429) and is soon to be deprecated in IPsec (RFC 8221). It is generally considered a weak cipher.

Nitpicking the wording: it's not so much that it's weak per se (even single-DES is just falling to the 56-bit brute-force attack, and I think triple-DES still basically holds the expected 112-bit strength), but it's quite slow and has a 64-bit block size, which increases the risk of birthday collisions. I'm all for replacing/removing it, but mostly not because I think it's "weak".

-Ben

> >     - Blowfish is deprecated. FreeBSD doesn't support its successor (Twofish).
> >     - MD5 is generally considered a weak digest that has known attacks.
> >
> >     geli refuses to create new volumes using these algorithms and warns when attaching to existing volumes. The plan is to fully remove support for these algorithms in FreeBSD 13.
> >
> > commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
> > Author: John Baldwin
> > Date:   Mon May 6 17:54:33 2019 -0700
> >
> >     Add additional warnings to /dev/crypto for deprecated algorithms.
> >
> >     If these algorithms are removed from geli(4) then there will no longer be any in-kernel consumers:
> >     - 3DES
> >     - Blowfish
> >     - MD5-HMAC
> >
> > --
> > John Baldwin
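Ben's point about the 64-bit block size can be put in numbers with the birthday bound. This is an added example, not code from the thread or from FreeBSD; it assumes, as a simplification, that all data is encrypted in CBC mode under a single key, and the function names are the example's own:

```python
import math

# Block sizes (bits) of the two cipher families discussed in the thread:
# DES/3DES, Blowfish and CAST128 all use 64-bit blocks; AES uses 128-bit blocks.
BLOCK_BITS_3DES = 64
BLOCK_BITS_AES = 128


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday bound: probability that at least two of n_blocks ciphertext
    blocks produced under a single key are identical.

    With n draws from N = 2**block_bits possible values,
        p = 1 - exp(-n(n-1) / (2N)).
    expm1 keeps the result accurate when p is tiny (the 128-bit case).
    """
    space = 2.0 ** block_bits
    exponent = n_blocks * (n_blocks - 1) / (2.0 * space)
    return -math.expm1(-exponent)


def bytes_until_probability(block_bits: int, p: float) -> float:
    """Bytes that can be encrypted under one key before the collision
    probability reaches p. Inverts the bound above:
        n = sqrt(-2N ln(1-p)), then scale by the block size in bytes.
    """
    space = 2.0 ** block_bits
    n_blocks = math.sqrt(-2.0 * space * math.log1p(-p))
    return n_blocks * (block_bits // 8)


def compare_ciphers(volume_bytes: int) -> dict:
    """Collision probability for a volume of volume_bytes written once under
    a single key (simplifying assumption), for 64-bit and 128-bit blocks."""
    return {
        "64-bit block": collision_probability(BLOCK_BITS_3DES, volume_bytes // 8),
        "128-bit block": collision_probability(BLOCK_BITS_AES, volume_bytes // 16),
    }


if __name__ == "__main__":
    gib = 1 << 30
    for size in (1 * gib, 32 * gib, 1024 * gib):
        print(f"{size // gib:5d} GiB: {compare_ciphers(size)}")
    for bits in (BLOCK_BITS_3DES, BLOCK_BITS_AES):
        print(f"{bits}-bit blocks: 50% collision chance after about "
              f"{bytes_until_probability(bits, 0.5) / gib:.3g} GiB")
```

In CBC mode a repeated ciphertext block reveals the XOR of the two corresponding plaintext blocks, which is why the block size rather than the 112-bit key strength is the practical limit for 3DES.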
x47JdPQA013095; Tue, 7 May 2019 12:39:25 -0700 (PDT) (envelope-from freebsd-rwg) From: "Rodney W. Grimes" Message-Id: <201905071939.x47JdPQA013095@gndrsh.dnsmgr.net> Subject: Re: Deprecating crypto algorithms in the kernel In-Reply-To: To: cem@freebsd.org Date: Tue, 7 May 2019 12:39:25 -0700 (PDT) CC: John Baldwin , "freebsd-arch@freebsd.org" X-Mailer: ELM [version 2.4ME+ PL121h (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: 77BE87189E X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.96 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.96)[-0.965,0] X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 May 2019 19:39:31 -0000 > On Mon, May 6, 2019 at 6:14 PM John Baldwin wrote: > > I have been doing some work off and on to address some of the shortcomings > > in the in-kernel open crypto framework. ? some of the currently supported > > algorithms have known weaknesses or are deprecated in RFCs, by the authors, > > etc. I would like to take a stab at trimming some of this for FreeBSD 13. > > For an initial proposal, ? > > > > This adds runtime deprecation notices in the kernel when using deprecated > > algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 > > and 8429). It then also adds deprecation notices for a few algorithms in > > GELI. For GELI, the current patches should refuse to create new volumes > > with these algorithms and warn when mounting an existing volume. > > > > The current optimistic goal would be to merge all the warning back to 11 > > and 12 and then remove support for these algorithms outright in 13.0. 
> > For GELI in particular, I recognize this is somewhat painful as it means
> > doing a dump/restore if you've created volumes with affected algorithms.
> > OTOH, these algorithms are not the current defaults.
>
> Nor were they ever; the default has always been an aes-based
> algorithm since the initial import of GELI in 2005 (r148456).
>
> > Finally, I've added warnings to /dev/crypto to warn if userland tries to
> > create new sessions for algorithms that no longer have any non-deprecated
> > in-kernel consumers.
>
> We've discussed this offline, but I just wanted to remark on the
> public lists that I'm all in favor of removing crufty bad crypto
> algorithms, and your chosen list seems to meet those criteria while
> being a conservative change. Please kill 'em. :-)

Does doing this in any way break TCPMD5, which is extensively
still in use for BGP sessions? Breaking that would probably
be a bad idea.

--
Rod Grimes
rgrimes@freebsd.org

From owner-freebsd-arch@freebsd.org Tue May 7 19:44:39 2019
From: John Baldwin
Subject: Re: Deprecating crypto algorithms in the kernel
To: "Rodney W. Grimes", cem@freebsd.org
Cc: "freebsd-arch@freebsd.org"
References: <201905071939.x47JdPQA013095@gndrsh.dnsmgr.net>
Message-ID: <0c8c59cf-7d3a-a751-0775-47b1bc0403df@FreeBSD.org>
Date: Tue, 7 May 2019 12:44:36 -0700
In-Reply-To: <201905071939.x47JdPQA013095@gndrsh.dnsmgr.net>

On 5/7/19 12:39 PM, Rodney W. Grimes wrote:
>> On Mon, May 6, 2019 at 6:14 PM John Baldwin wrote:
>>> I have been doing some work off and on to address some of the shortcomings
>>> in the in-kernel open crypto framework. [...] some of the currently supported
>>> algorithms have known weaknesses or are deprecated in RFCs, by the authors,
>>> etc. I would like to take a stab at trimming some of this for FreeBSD 13.
>>> For an initial proposal, [...]
>>>
>>> This adds runtime deprecation notices in the kernel when using deprecated
>>> algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649
>>> and 8429). It then also adds deprecation notices for a few algorithms in
>>> GELI. For GELI, the current patches should refuse to create new volumes
>>> with these algorithms and warn when mounting an existing volume.
>>>
>>> The current optimistic goal would be to merge all the warnings back to 11
>>> and 12 and then remove support for these algorithms outright in 13.0.
>>> For GELI in particular, I recognize this is somewhat painful as it means
>>> doing a dump/restore if you've created volumes with affected algorithms.
>>> OTOH, these algorithms are not the current defaults.
>>
>> Nor were they ever; the default has always been an aes-based
>> algorithm since the initial import of GELI in 2005 (r148456).
>>
>>> Finally, I've added warnings to /dev/crypto to warn if userland tries to
>>> create new sessions for algorithms that no longer have any non-deprecated
>>> in-kernel consumers.
>>
>> We've discussed this offline, but I just wanted to remark on the
>> public lists that I'm all in favor of removing crufty bad crypto
>> algorithms, and your chosen list seems to meet those criteria while
>> being a conservative change. Please kill 'em. :-)
>
> Does doing this in any way break TCPMD5, which is extensively
> still in use for BGP sessions? Breaking that would probably
> be a bad idea.

This does not affect TCPMD5.
--
John Baldwin

From owner-freebsd-arch@freebsd.org Tue May 7 20:36:17 2019
From: Warner Losh
Date: Tue, 7 May 2019 14:36:03 -0600
Subject: Re: Deprecating crypto algorithms in the kernel
To: John Baldwin
Cc: "freebsd-arch@freebsd.org"
In-Reply-To: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
[[ trimmed ]]
On Mon, May 6, 2019 at 7:14 PM John Baldwin wrote:

> commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
> Author: John Baldwin
> Date: Mon May 6 17:54:33 2019 -0700
>
> Add additional warnings to /dev/crypto for deprecated algorithms.
>
> If these algorithms are removed from geli(4) then there will no longer
> be any in-kernel consumers:
> - 3DES
> - Blowfish
> - MD5-HMAC
>

This freaked me out when I saw it, since I have GELI volumes going back
about a decade. However, checking into it showed no cause for concern.

The default was changed in this commit:

pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
Add support for AES-XTS. This will be the default now.

All my GELI volumes are AES-XTS (though some pre-date this change, I may
have converted somehow along the way). Camellia support was added in 2007,
and that's not on the chopping block, but wasn't made the default.

So all GELI volumes created in the last 8 years aren't affected (plus or
minus for time to get into a release) and even older ones likely are still
supported. So I expect the practical impact of this to be minimal.
Warner

From owner-freebsd-arch@freebsd.org Tue May 7 20:46:35 2019
From: Conrad Meyer
Reply-To: cem@freebsd.org
Date: Tue, 7 May 2019 13:46:15 -0700
Subject: Re: Deprecating crypto algorithms in the kernel
To: Warner Losh
Cc: "freebsd-arch@freebsd.org"
References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>

On Tue, May 7, 2019 at 1:37 PM Warner Losh wrote:
> This freaked me out when I saw it, since I have GELI volumes going back
> about a decade. However, checking into it showed no cause for concern.
>
> The default was changed in this commit:
>
> pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
> Add support for AES-XTS. This will be the default now.
>
> All my GELI volumes are AES-XTS (though some pre-date this change, I may
> have converted somehow along the way). Camellia support was added in 2007,
> and that's not on the chopping block, but wasn't made the default.
>
> So all GELI volumes created in the last 8 years aren't affected (plus or
> minus for time to get into a release) and even older ones likely are still
> supported. So I expect the practical impact of this to be minimal.

Prior to AES-XTS, the default was "aes" (some non-XTS AES mode), since geli
was initially committed in 2005. So all GELI volumes created, ever, that did
not explicitly override the default encryption algorithm with a weak cipher
should be using some AES-based encryption mode. None of those are on the
chopping block, or even trending towards deprecation.
Best,
Conrad

From owner-freebsd-arch@freebsd.org Tue May 7 21:14:41 2019
From: John Baldwin
Subject: Re: Deprecating crypto algorithms in the kernel
To: Warner Losh
Cc: "freebsd-arch@freebsd.org"
References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
Date: Tue, 7 May 2019 14:14:37 -0700
On 5/7/19 1:36 PM, Warner Losh wrote:
> [[ trimmed ]]
> On Mon, May 6, 2019 at 7:14 PM John Baldwin wrote:
>
>> commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
>> Author: John Baldwin
>> Date: Mon May 6 17:54:33 2019 -0700
>>
>> Add additional warnings to /dev/crypto for deprecated algorithms.
>>
>> If these algorithms are removed from geli(4) then there will no longer
>> be any in-kernel consumers:
>> - 3DES
>> - Blowfish
>> - MD5-HMAC
>>
>
> This freaked me out when I saw it, since I have GELI volumes going back
> about a decade. However, checking into it showed no cause for concern.
>
> The default was changed in this commit:
>
> pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070
> Add support for AES-XTS. This will be the default now.
>
> All my GELI volumes are AES-XTS (though some pre-date this change, I may
> have converted somehow along the way). Camellia support was added in 2007,
> and that's not on the chopping block, but wasn't made the default.
>
> So all GELI volumes created in the last 8 years aren't affected (plus or
> minus for time to get into a release) and even older ones likely are still
> supported. So I expect the practical impact of this to be minimal.

To be clear, the default has never been 3DES or Blowfish, but today you can
still choose to create one via 'geli create -e', so they may still exist, but
only if you have explicitly chosen to use it.
--
John Baldwin

From owner-freebsd-arch@freebsd.org Wed May 8 23:20:23 2019
From: John Baldwin
Subject: Re: Deprecating crypto algorithms in the kernel
To: Benjamin Kaduk
Cc: arch@freebsd.org
References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org> <245B376C-F79C-4615-8021-6692EE58CE60@gid.co.uk> <20190507170115.GI19509@kduck.mit.edu>
In-Reply-To: <20190507170115.GI19509@kduck.mit.edu>
Message-ID: <41d11a3a-463c-941a-e66f-035a6e3fc7b3@FreeBSD.org>
Date: Wed, 8 May 2019 16:20:18 -0700
On 5/7/19 10:01 AM, Benjamin Kaduk wrote:
>>> On 7 May 2019, at 02:13, John Baldwin wrote:
>>>
>>> commit 28ee9a2b109251829e940660b53a3551e70b720b
>>> Author: John Baldwin
>>> Date: Mon May 6 15:48:24 2019 -0700
>>>
>>> Add deprecation warnings for IPsec algorithms deprecated in RFC 8221.
>>>
>>> All of these algorithms are either explicitly marked MUST NOT, or they are
>>> implicitly MUST NOTs by virtue of not being included in IETF's list of
>>> protocols at all despite having assignments from IANA.
>
> [see below]
>
>>> Specifically, this adds warnings for the following ciphers:
>>> - des-cbc
>>> - blowfish-cbc
>>> - cast128-cbc
>>> - des-deriv
>>> - des-32iv
>>> - camellia-cbc
>
> AFAIK Camellia is not bad per se, just not implemented/used much outside of
> Japan.
>
> For IETF protocols, it mostly got specified via Informational documents and
> not Standards-Track ones, since many people thought AES/etc. were fine.

Yes, I chose to not deprecate Camellia and ripemd160 in geli since it did
seem to just be less popular rather than "new use actively discouraged".
Do you think it might be worth letting it remain in IPsec? Similarly for
ripemd160?

>>> commit dcd2c0a4a4e5a82f7cec2fc7e77e9356c1125765
>>> Author: John Baldwin
>>> Date: Mon May 6 17:39:56 2019 -0700
>>>
>>> Add deprecation warnings for weaker algorithms to geli(4).
>>>
>>> - Triple DES has been formally deprecated in Kerberos (RFC 8429)
>>> and is soon to be deprecated in IPsec (RFC 8221). It is generally
>>> considered a weak cipher.
>
> Nitpicking the wording: it's not so much that it's weak per se (even
> single-DES is just falling to the 56-bit brute-force attack, and I think
> triple-DES still basically holds the expected 112-bit strength), but it's
> quite slow and has a 64-bit block size, which increases the risk of
> birthday collisions. I'm all for replacing/removing it, but mostly not
> because I think it's "weak".

Ok, I will drop that sentence.

--
John Baldwin
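Two points in this thread lend themselves to a worked check: finding out whether any existing GELI providers use the algorithms slated for removal (the concern Warner Losh raised, and John Baldwin's note that 3DES or Blowfish volumes exist only where someone chose them with 'geli create -e'), and Benjamin Kaduk's remark that the practical problem with 3DES is its 64-bit block size and the birthday bound that follows from it. The script below is an added example, not code from the FreeBSD project or from anyone in the thread. It parses output in the shape of `geli list`; the embedded sample is constructed from my recollection of that format, and the algorithm spellings (3DES-CBC, Blowfish-CBC, HMAC/MD5) follow geli(8)'s -e and -a names as I recall them, so both are assumptions. When `geli list` can be run it audits the live host, otherwise it falls back to the sample. The birthday bound is reported per key rather than per volume, since how geli derives data keys across a provider is not something the thread states.

```python
"""Audit geli(8) providers for the algorithms this thread proposes to remove.

Added example, not FreeBSD project code. Field names, algorithm spellings and
the sample `geli list` output below are my recollection of geli's format and
are assumptions, not captured from a real host.
"""
import math
import re
import subprocess

# Algorithms slated for removal from geli(4) per the thread; ciphers map to
# their block size in bits. Spellings follow geli(8) -e / -a as I recall them.
DEPRECATED_ENCRYPTION = {"3DES-CBC": 64, "BLOWFISH-CBC": 64}
DEPRECATED_AUTH = {"HMAC/MD5"}

# Constructed sample in the shape of `geli list` output (not from a real host).
SAMPLE_GELI_LIST = """\
Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Providers:
1. Name: ada0p3.eli
   Mediasize: 107374182400 (100G)
   Sectorsize: 4096

Geom name: da1.eli
State: ACTIVE
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
AuthenticationAlgorithm: HMAC/MD5
Providers:
1. Name: da1.eli
   Mediasize: 2199023255552 (2.0T)
   Sectorsize: 4096
"""


def parse_geli_list(text):
    """Return one dict of unindented 'Key: value' fields per Geom; the indented
    Providers/Consumers entries carry no algorithm choice and are skipped."""
    geoms, current = [], None
    for line in text.splitlines():
        if line.startswith("Geom name:"):
            current = {}
            geoms.append(current)
        m = re.match(r"^([A-Za-z][A-Za-z ]*): ?(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return geoms


def birthday_bound_bytes(block_bits, probability=0.5):
    """Bytes encryptable under one key before two ciphertext blocks repeat with
    the given probability, from P ~= q^2 / 2^(n+1) for q blocks of n bits.
    In CBC a repeated ciphertext block leaks the XOR of two plaintext blocks,
    which is why a 64-bit block matters at disk-sized data volumes."""
    blocks = math.sqrt(probability * 2.0 ** (block_bits + 1))
    return blocks * (block_bits // 8)


def audit(geoms):
    """Return (geom name, finding) pairs for providers on deprecated algorithms."""
    findings = []
    for g in geoms:
        name = g.get("Geom name", "?")
        ealgo = g.get("EncryptionAlgorithm", "")
        aalgo = g.get("AuthenticationAlgorithm", "")
        if ealgo.upper() in DEPRECATED_ENCRYPTION:
            bits = DEPRECATED_ENCRYPTION[ealgo.upper()]
            gib = birthday_bound_bytes(bits) / 2 ** 30
            findings.append((name, f"{ealgo}: slated for removal; {bits}-bit blocks "
                                   f"reach a 50% block-collision chance after "
                                   f"~{gib:.0f} GiB under one key"))
        if aalgo.upper() in DEPRECATED_AUTH:
            findings.append((name, f"{aalgo}: slated for removal"))
    return findings


def main():
    """Audit the live host when `geli list` runs, otherwise the sample."""
    try:
        text = subprocess.run(["geli", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_GELI_LIST
    for name, finding in audit(parse_geli_list(text)):
        print(f"{name}: {finding}")


if __name__ == "__main__":
    main()
```

On the sample, only da1.eli is reported, once for Blowfish-CBC (with the 32 GiB per-key bound that 64-bit blocks give at 50% collision probability) and once for HMAC/MD5; the AES-XTS provider passes, matching Conrad Meyer's point that anything on the default has nothing to do.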