From owner-freebsd-arch@freebsd.org Tue May 7 01:13:26 2019
To: arch@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: Deprecating crypto algorithms in the kernel
Message-ID: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org>
Date: Mon, 6 May 2019 18:13:22 -0700
List-Id: Discussion related to FreeBSD architecture

I have been doing some work off and on to address some of the shortcomings in the in-kernel open crypto framework. However, some complexity can be removed by having fewer algorithms. Also, some of the currently supported algorithms have known weaknesses or are deprecated in RFCs, by the authors, etc. I would like to take a stab at trimming some of this for FreeBSD 13.

For an initial proposal, I have a set of (untested) changes in a git branch here:

https://github.com/freebsd/freebsd/compare/master...bsdjhb:crypto_warn

This adds runtime deprecation notices in the kernel when using deprecated algorithms for IPsec (according to RFC 8221), and Kerberos GSS (RFCs 6649 and 8429). It then also adds deprecation notices for a few algorithms in GELI. For GELI, the current patches should refuse to create new volumes with these algorithms and warn when mounting an existing volume.

The current optimistic goal would be to merge all the warnings back to 11 and 12 and then remove support for these algorithms outright in 13.0. For GELI in particular, I recognize this is somewhat painful as it means doing a dump/restore if you've created volumes with affected algorithms. OTOH, these algorithms are not the current defaults.

Finally, I've added warnings to /dev/crypto to warn if userland tries to create new sessions for algorithms that no longer have any non-deprecated in-kernel consumers.

I've attached the log messages from the commits below to give a bit more detail about the proposed changes.
There is also an 'ipsec_deprecate' branch that has a few of the actual remove commits if you want to see what those look like, but the first step is really to decide what changes we should/can make and adding suitable warnings.

BTW, not listed here is the compression support for IPsec. That actually adds a fair bit of complexity, and it also in my testing doesn't actually work on head. However, RFC 8221 notes that it is not widely implemented and is generally considered optional (the RFC lists all of the algorithms of which FreeBSD only supports 1 as MAY).

commit 28ee9a2b109251829e940660b53a3551e70b720b
Author: John Baldwin <jhb@FreeBSD.org>
Date:   Mon May 6 15:48:24 2019 -0700

    Add deprecation warnings for IPsec algorithms deprecated in RFC 8221.

    All of these algorithms are either explicitly marked MUST NOT, or they
    are implicitly MUST NOTs by virtue of not being included in IETF's list
    of protocols at all despite having assignments from IANA.

    Specifically, this adds warnings for the following ciphers:
    - des-cbc
    - blowfish-cbc
    - cast128-cbc
    - des-deriv
    - des-32iv
    - camellia-cbc

    Warnings for the following authentication algorithms are also added:
    - hmac-md5
    - keyed-md5
    - keyed-sha1
    - hmac-ripemd160

commit 0ab679486d7af95ff39fe8f43dd8a3c011088a9c
Author: John Baldwin <jhb@FreeBSD.org>
Date:   Mon May 6 16:13:36 2019 -0700

    Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.

    All of these algorithms are explicitly marked SHOULD NOT in one of these
    RFCs. Specifically, RFC 6649 deprecates all algorithms using DES as well
    as the "export-friendly" variant of RC4. RFC 8429 deprecates Triple DES
    and the remaining RC4 algorithms.

commit 9821e245defdac414636a9f2ea4a920f75bdea8a
Author: John Baldwin <jhb@FreeBSD.org>
Date:   Mon May 6 16:34:46 2019 -0700

    Add warnings to /dev/crypto for deprecated algorithms.

    These algorithms are deprecated algorithms that will have no in-kernel
    consumers in FreeBSD 13. Specifically, deprecate the following
    algorithms:
    - DES
    - CAST128
    - Skipjack
    - ARC4

commit dcd2c0a4a4e5a82f7cec2fc7e77e9356c1125765
Author: John Baldwin <jhb@FreeBSD.org>
Date:   Mon May 6 17:39:56 2019 -0700

    Add deprecation warnings for weaker algorithms to geli(4).

    - Triple DES has been formally deprecated in Kerberos (RFC 8429) and is
      soon to be deprecated in IPsec (RFC 8221). It is generally considered
      a weak cipher.
    - Blowfish is deprecated. FreeBSD doesn't support its successor
      (Twofish).
    - MD5 is generally considered a weak digest that has known attacks.

    geli refuses to create new volumes using these algorithms and warns
    when attaching to existing volumes. The plan is to fully remove support
    for these algorithms in FreeBSD 13.

commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b
Author: John Baldwin <jhb@FreeBSD.org>
Date:   Mon May 6 17:54:33 2019 -0700

    Add additional warnings to /dev/crypto for deprecated algorithms.

    If these algorithms are removed from geli(4) then there will no longer
    be any in-kernel consumers:
    - 3DES
    - Blowfish
    - MD5-HMAC

-- 
John Baldwin
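Before the warnings (let alone the removals) land, an administrator may want to find the existing GELI volumes and IPsec SAs that use the algorithms named in the commit messages above, since those are the volumes that will need a dump/restore and the SAs that will need renegotiating. The audit below is an added example, not code from this proposal or from FreeBSD: it assumes 'geli list' labels its fields 'Geom name:', 'EncryptionAlgorithm:' and 'AuthenticationAlgorithm:' with the spellings '3DES-CBC', 'Blowfish-CBC' and 'HMAC/MD5', that 'setkey -D' prints ciphers on 'E:' lines and authenticators on 'A:' lines, and it runs over constructed sample output rather than a live system.

```python
import re

# Deprecated names as listed in the commit messages above.  The geli
# spellings are assumed to match what "geli list" prints (e.g. "3DES-CBC").
GELI_BAD = {"EncryptionAlgorithm": {"3DES-CBC", "Blowfish-CBC"},
            "AuthenticationAlgorithm": {"HMAC/MD5"}}
# setkey(8) -D is assumed to print ciphers on "E:" and authenticators on "A:".
IPSEC_BAD = {"E": {"des-cbc", "blowfish-cbc", "cast128-cbc", "des-deriv",
                   "des-32iv", "camellia-cbc"},
             "A": {"hmac-md5", "keyed-md5", "keyed-sha1", "hmac-ripemd160"}}

def audit_geli(listing):
    """[(geom, algorithm)] for volumes the proposal would refuse to create."""
    hits, geom = [], None
    for line in listing.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Geom name":
            geom = value
        elif value in GELI_BAD.get(key, ()):
            hits.append((geom, value))
    return hits

def audit_ipsec_sad(dump):
    """[(src, dst, algorithm)] for SAs using an RFC 8221 MUST NOT algorithm."""
    hits, pair = [], None
    for line in dump.splitlines():
        if line and not line[0].isspace():      # "<src> <dst>" line opens an SA
            pair = tuple(line.split()[:2])
            continue
        m = re.match(r"\s*([EA]): (\S+)", line)
        if m and m.group(2) in IPSEC_BAD[m.group(1)]:
            hits.append(pair + (m.group(2),))
    return hits

# Constructed sample output; not captured from a real system.
GELI_SAMPLE = """Geom name: ada0p3.eli
EncryptionAlgorithm: AES-XTS
Geom name: da1.eli
EncryptionAlgorithm: Blowfish-CBC
AuthenticationAlgorithm: HMAC/MD5
"""
SAD_SAMPLE = """192.0.2.1 192.0.2.2
\tesp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
\tE: des-cbc  0123456789abcdef
\tA: hmac-md5  00112233445566778899aabbccddeeff
192.0.2.2 192.0.2.1
\tE: aes-gcm-16  00112233445566778899aabbccddeeff00112233
"""
if __name__ == "__main__":
    print(audit_geli(GELI_SAMPLE), audit_ipsec_sad(SAD_SAMPLE))
```

On a real host, pipe the output of 'geli list' and 'setkey -D' into the two functions instead of the samples; an empty list from both means nothing on the box is affected by the proposed removals.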