[PATCH] crypto: Remove some unreachable algorithms
Jouni Malinen
j at w1.fi
Mon Oct 6 14:23:40 PDT 2025
On Mon, Oct 06, 2025 at 11:38:36AM -0400, David Benjamin wrote:
> The tls_ciphers table contained a number of algorithms that weren't
> referenced in tls_cipher_suites. Remove those. That includes
> TLS_CIPHER_IDEA_CBC, which was probably always broken because it was
> mapped to CRYPTO_CIPHER_NULL. It also removes RC2, which is an
> export-only cipher, despite the file saying it doesn't bother with
> exportable ciphers.
>
> That, in turn, removes all references to CRYPTO_CIPHER_ALG_RC2, so
> remove that too. The OpenSSL port of CRYPTO_CIPHER_ALG_RC2 probably
> never worked anyway because it uses RC2 in ECB mode instead of CBC.
>
> It's likely other removals are possible. tlsv1_common.c has single-DES
> ciphers, but tlsv1_client.c and tlsv1_server.c only configure a much
> smaller list. There's also a lot of code for TLS_KEY_X_DH_anon, but
> those ciphers aren't configured. I've left those alone because I'm not
> sure how all this code is used.
Thanks, applied.
I doubt there would be any real uses for single-DES in TLS, but both RC2
and single-DES might still exist in actual production use cases with
PKCS#12/PKCS#5. TLS_KEY_X_DH_anon might be of use for EAP-FAST
provisioning, but I don't remember how much of it got fully implemented.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list