[PATCH] crypto: remove md4 driver

Dimitri John Ledkov dimitri.ledkov at canonical.com
Sat Oct 14 16:02:32 PDT 2023


On Fri, 13 Oct 2023 at 15:37, Denis Kenzior <denkenz at gmail.com> wrote:
>
> Hi Herbert,
>
> On 10/13/23 05:39, Herbert Xu wrote:
> > On Sun, Oct 08, 2023 at 05:01:39AM +0100, Dimitri John Ledkov wrote:
> >> No internal users left and cryptographically insecure. Users should
> >> upgrade to something else, e.g. sha256 blake3.
> >>
> >> Some drivers have their own full or partial md4 implementation without
> >> using crypto/md4.
> >>
> >> Userspace code search indicates a few copies of hash_info.h
> >> https://codesearch.debian.net/search?q=HASH_ALGO_MD4&literal=1 without
> >> need for MD4.
> >>
> >> Preserve uapi hash algorithm indexes and array length, but rename the
> >> MD4 enum.
> >>
> >> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> >> ---
> >>   crypto/Kconfig                 |   6 -
> >>   crypto/Makefile                |   1 -
> >>   crypto/hash_info.c             |   4 +-
> >>   crypto/md4.c                   | 241 ---------------------------------
> >>   crypto/tcrypt.c                |  12 --
> >>   crypto/testmgr.c               |   6 -
> >>   crypto/testmgr.h               |  42 ------
> >>   include/uapi/linux/hash_info.h |   2 +-
> >>   8 files changed, 3 insertions(+), 311 deletions(-)
> >>   delete mode 100644 crypto/md4.c
> >
> > Patch applied.  Thanks.
>
> Does this patch break userspace?
>
> Here's a thread regarding MD4 the last time its removal was attempted:
> https://lore.kernel.org/linux-crypto/20210818144617.110061-1-ardb@kernel.org/
>
> Please note that iwd does use MD4 hashes here:
> https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/checksum.c#n63
>
> https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/src/eap-mschapv2.c#n165
>

Thank you for this reference. The WiFi eap mschapv2 based
authentication indeed relies on MD4. The IWD code uses the kernel as
basically an impromptu userspace library to gain access to MD4, which
sounds like a poor way of doing this. In comparison, NetworkManager
uses userspace crypto libraries to compute that.

Note that iwd has an alternative code path of using an md4-hashed
password, meaning it does still work on kernels without MD4.

It worries me a lot that this is still in active use.

MS-CHAPv2 has been completely broken since 2012, with a cloud service
offered at the time to automatically crack any communication. It is
insecure, does not provide any confidentiality, and worse, allows
credentials to be stolen & reused to later impersonate the original user.
It is worse than unencrypted WiFi in that sense. Even Windows 11, since
at least the 22H2 release, prohibits such connections. I will propose
patches to IWD to stop using the md5 crypto kernel interface. As much
as it is convenient, users of insecure & obsolete cryptography must
not hold up removal of such methods from the kernel.

-- 
okurrr,

Dimitri
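
An added example, not part of the original message or of iwd/ell: a small audit that reports whether the running kernel still offers md4 (and, for comparison, md5 and sha256) to userspace, and cross-checks the kernel's sha256 against a userspace library. It assumes the kernel interface discussed above is the AF_ALG socket family; the function names and the candidate list are hypothetical.

```python
import errno
import hashlib
import socket

CANDIDATES = ("md4", "md5", "sha256")  # constructed list; "md4" is what the patch removes

def probe_kernel_hash(name):
    """Return 'available', 'missing', 'blocked' or 'no_af_alg' for a kernel hash."""
    family = getattr(socket, "AF_ALG", None)  # attribute is absent on non-Linux builds
    if family is None:
        return "no_af_alg"
    try:
        sock = socket.socket(family, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "no_af_alg"  # AF_ALG not offered by this kernel, or denied by a sandbox
    with sock:
        try:
            sock.bind(("hash", name))
        except OSError as exc:
            # ENOENT: the kernel has no such algorithm (md4 once the driver is gone)
            return "missing" if exc.errno == errno.ENOENT else "blocked"
    return "available"

def kernel_digest(name, data):
    """Hash data inside the kernel; call only after probe_kernel_hash says 'available'."""
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as alg:
        alg.bind(("hash", name))
        op, _ = alg.accept()  # the operation socket carries the data and the result
        with op:
            op.sendall(data)
            return op.recv(64)  # 64 bytes covers every digest size probed here

def audit(names=CANDIDATES):
    """Map each name to its status; cross-check kernel sha256 against hashlib."""
    report = {name: probe_kernel_hash(name) for name in names}
    if report.get("sha256") == "available":
        try:
            same = kernel_digest("sha256", b"abc") == hashlib.sha256(b"abc").digest()
            report["sha256"] = "available" if same else "mismatch"
        except OSError:
            report["sha256"] = "blocked"
    return report

if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name}: {status}")
```

A status of "missing" for md4 means software that obtains MD4 only from the kernel has to fall back to a userspace implementation or a pre-hashed password, as described above for iwd.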



More information about the linux-arm-kernel mailing list