Bug 207664 - security/wolfssl: enable ARC4 support
Summary: security/wolfssl: enable ARC4 support
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Johan van Selst
Keywords: feature, patch
Depends on:
Reported: 2016-03-03 00:21 UTC by Jan Beich
Modified: 2019-10-19 12:45 UTC (History)
5 users (show)

See Also:
jbeich: maintainer-feedback-

v1 (1.07 KB, patch)
2016-03-03 00:21 UTC, Jan Beich
jbeich: maintainer-approval? (johans)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jan Beich freebsd_committer 2016-03-03 00:21:32 UTC
Created attachment 167660 [details]

net-p2p/transmission-* ports gained WOLFSSL option but it requires security/wolfssl built with --enable-arc4. wolfssl API seems to be inconsistent with its ABI.

  $ make WITH=WOLFSSL WITHOUT=OPENSSL TRYBROKEN= net-p2p/transmission-cli
  libtransmission/libtransmission.a(crypto-utils-cyassl.o): In function `tr_rc4_set_key':
  libtransmission/crypto-utils-cyassl.c:176: undefined reference to `wc_Arc4SetKey'
  libtransmission/libtransmission.a(crypto-utils-cyassl.o): In function `tr_rc4_process':
  libtransmission/crypto-utils-cyassl.c:193: undefined reference to `wc_Arc4Process'
  cc: error: linker command failed with exit code 1 (use -v to see invocation)

  $ nm -D /usr/local/lib/libwolfssl.so | fgrep
  000000000002a630 T wc_Chacha_Process

  $ fgrep -r Process /usr/local/include
  /usr/local/include/wolfssl/wolfcrypt/arc4.h:WOLFSSL_API void wc_Arc4Process(Arc4*, byte*, const byte*, word32);
  /usr/local/include/wolfssl/wolfcrypt/hc128.h:WOLFSSL_API int wc_Hc128_Process(HC128*, byte*, const byte*, word32);
  /usr/local/include/wolfssl/wolfcrypt/chacha.h:WOLFSSL_API int wc_Chacha_Process(ChaCha* ctx, byte* cipher, const byte* plain,
  /usr/local/include/wolfssl/wolfcrypt/rabbit.h:WOLFSSL_API int wc_RabbitProcess(Rabbit*, byte*, const byte*, word32);
Comment 1 Jan Beich freebsd_committer 2016-04-02 19:50:45 UTC
Ping after maintainer timeout. Maybe ports-secteam can share an opinion.

net-p2p/transmission-* only supports RC4 for encryption between peers. ftp/curl doesn't use RC4 with WOLFSSL=on. No other consumers exist in the ports tree.

Neither Arch Linux nor Debian pass --enable-arc4, nor do they provide an option to select SSL backend for Transmission.
Comment 2 Jason Unovitch freebsd_committer 2016-05-03 01:48:27 UTC
(In reply to Jan Beich from comment #1)
Sorry for the delay.  Sometimes a less than ideal fix to address a real world issue is better than an unfixed issue.  However, IMHO enabling RC4 this late in the game feels like the wrong direction.  Microsoft [1], Chromium [2], and Mozilla [3] and all moving the route of killing the cipher and enabling it today feels like the wrong direction.  I would always appreciate a second thought from the rest of the team on this one.

[1] https://blogs.windows.com/msedgedev/2015/09/01/ending-support-for-the-rc4-cipher-in-microsoft-edge-and-internet-explorer-11/
[2] https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/kVfCywocUO8/vgi_rQuhKgAJ
[3] https://groups.google.com/forum/#!topic/mozilla.dev.platform/JIEFcrGhqSM/discussion
Comment 3 Walter Schwarzenfeld freebsd_triage 2018-01-13 03:45:03 UTC
net-p2p/transmission-cli Makefile shows:

WOLFSSL_LIB_DEPENDS=    libwolfssl.so:security/wolfssl
WOLFSSL_CONFIGURE_ON=   --with-crypto=cyassl

wolfssl Makefile shows:

--enable-ripemd --enable-sha512 --enable-opensslcoexist

it is done, could be closed.
Comment 4 Jan Beich freebsd_committer 2018-01-14 13:41:19 UTC
(In reply to w.schwarzenfeld from comment #3)
How did you manage to miss WOLFSSL_BROKEN? Nothing here has been done. We're just at an impasse.

recent build log with TRYBROKEN: http://tpaste.us/10OV
Comment 5 Walter Schwarzenfeld freebsd_triage 2018-01-14 14:14:12 UTC
Good question, I overlooked it, sorry.
Comment 6 Jochen Neumeister freebsd_committer 2019-02-15 18:14:46 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 7 Tobias Kortkamp freebsd_committer 2019-10-18 14:35:26 UTC
The WOLFSSL option was removed from net-p2p/transmission-cli in ports r514668
for being broken for >3 years.  Can we close this bug?  It seems there was no
other reason to enable RC4 in security/wolfssl.
Comment 8 Jan Beich freebsd_committer 2019-10-19 12:45:47 UTC
FWIW, comment 2 rationale is weak. While RC4 is deprecated there're no plans to remove it from OpenSSL (yet) thus break net-p2p/transmission. Given current state[1] of security/wolfssl there's little value in enabling more consumers at this time.

May be revised in future as RC4 is also required by OpenSSH and wpa_supplicant.

[1] Some of vulnerabilities found in 2018 or later may affect the version in ports/.