From: David Benjamin
Date: Mon, 6 Oct 2025 15:18:39 +0000 (-0400)
Subject: crypto: Remove some unreachable algorithms
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c16d20f9d59e0782ddfea79e62904bb79a3ba4f3;p=thirdparty%2Fhostap.git
crypto: Remove some unreachable algorithms
The tls_ciphers table contained a number of algorithms that weren't referenced in tls_cipher_suites. Remove those. That includes TLS_CIPHER_IDEA_CBC, which was probably always broken because it was mapped to CRYPTO_CIPHER_NULL. It also removes RC2, which is an export-only cipher, despite the file saying it doesn't bother with exportable ciphers. That, in turn, removes all references to CRYPTO_CIPHER_ALG_RC2, so remove that too. The OpenSSL port of CRYPTO_CIPHER_ALG_RC2 probably never worked anyway because it uses RC2 in ECB mode instead of CBC. It's likely other removals are possible. tlsv1_common.c has single-DES ciphers, but tlsv1_client.c and tlsv1_server.c only configure a much smaller list. There's also a lot of code for TLS_KEY_X_DH_anon, but those ciphers aren't configured. I've left those alone because I'm not sure how all this code is used.
Signed-off-by: David Benjamin
---
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index 0ac8fc1947..e6bc7bac3c 100644
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -217,7 +217,7 @@ int crypto_hash_finish(struct crypto_hash *ctx, u8 *hash, size_t *len);
 enum crypto_cipher_alg {
 CRYPTO_CIPHER_NULL = 0, CRYPTO_CIPHER_ALG_AES, CRYPTO_CIPHER_ALG_3DES,
- CRYPTO_CIPHER_ALG_DES, CRYPTO_CIPHER_ALG_RC2, CRYPTO_CIPHER_ALG_RC4
+ CRYPTO_CIPHER_ALG_DES, CRYPTO_CIPHER_ALG_RC4
 };
 struct crypto_cipher;
diff --git a/src/crypto/crypto_gnutls.c b/src/crypto/crypto_gnutls.c
index a7a163f5cb..524d1fe079 100644
--- a/src/crypto/crypto_gnutls.c
+++ b/src/crypto/crypto_gnutls.c
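Review bot: Removing `CRYPTO_CIPHER_ALG_RC2` from the middle of `enum crypto_cipher_alg` silently renumbers `CRYPTO_CIPHER_ALG_RC4` (5 becomes 4), because only `CRYPTO_CIPHER_NULL = 0` carries an explicit value; the cipher enum in the tlsv1_common.h hunk is renumbered the same way. The backends in this commit switch on the symbolic names, so this looks harmless here, but a crypto backend or table outside this diff that indexes by the numeric value, or still has `case CRYPTO_CIPHER_ALG_RC2:`, would need checking; I cannot see those from the hunks shown. I would add a comment above the enum, e.g. `/* Internal identifiers only; numeric values are not stable and must not be stored or sent on the wire. */`, so later removals of legacy ciphers stay safe.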
@@ -439,14 +439,6 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
 res = gcry_cipher_open(&ctx->enc, a, GCRY_CIPHER_MODE_CBC, 0);
 gcry_cipher_open(&ctx->dec, a, GCRY_CIPHER_MODE_CBC, 0);
 break;
- case CRYPTO_CIPHER_ALG_RC2:
- if (key_len == 5)
- a = GCRY_CIPHER_RFC2268_40;
- else
- a = GCRY_CIPHER_RFC2268_128;
- res = gcry_cipher_open(&ctx->enc, a, GCRY_CIPHER_MODE_CBC, 0);
- gcry_cipher_open(&ctx->dec, a, GCRY_CIPHER_MODE_CBC, 0);
- break;
 default:
 os_free(ctx);
 return NULL;
diff --git a/src/crypto/crypto_libtomcrypt.c b/src/crypto/crypto_libtomcrypt.c
index fd79c1a403..b14e28260c 100644
--- a/src/crypto/crypto_libtomcrypt.c
+++ b/src/crypto/crypto_libtomcrypt.c
@@ -315,9 +315,6 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
 case CRYPTO_CIPHER_ALG_DES:
 idx = find_cipher("des");
 break;
- case CRYPTO_CIPHER_ALG_RC2:
- idx = find_cipher("rc2");
- break;
 case CRYPTO_CIPHER_ALG_RC4:
 idx = -1;
 rc4 = 1;
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index d99572ec0d..dad48e0461 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -961,11 +961,6 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
 cipher = EVP_des_cbc();
 break;
 #endif /* OPENSSL_NO_DES */
-#ifndef OPENSSL_NO_RC2
- case CRYPTO_CIPHER_ALG_RC2:
- cipher = EVP_rc2_ecb();
- break;
-#endif /* OPENSSL_NO_RC2 */
 #ifndef OPENSSL_NO_NULL
 case CRYPTO_CIPHER_NULL:
 cipher = EVP_enc_null();
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 7a91202ee6..d2541fde51 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -822,7 +822,6 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
 }
 break;
 #endif /* NO_DES3 */
- case CRYPTO_CIPHER_ALG_RC2:
 case CRYPTO_CIPHER_ALG_DES:
 default:
 os_free(ctx);
diff --git a/src/tls/tlsv1_common.c b/src/tls/tlsv1_common.c
index 0dd8e27999..c675d02eb2 100644
--- a/src/tls/tlsv1_common.c
+++ b/src/tls/tlsv1_common.c
@@ -76,16 +76,8 @@ static const struct tls_cipher_suite tls_cipher_suites[] = {
 static const struct tls_cipher_data tls_ciphers[] = {
 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
 CRYPTO_CIPHER_NULL },
- { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
- CRYPTO_CIPHER_NULL },
- { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
- CRYPTO_CIPHER_ALG_RC2 },
- { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
- CRYPTO_CIPHER_ALG_RC4 },
 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
 CRYPTO_CIPHER_ALG_RC4 },
- { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
- CRYPTO_CIPHER_ALG_DES },
 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
 CRYPTO_CIPHER_ALG_DES },
 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
diff --git a/src/tls/tlsv1_common.h b/src/tls/tlsv1_common.h
index 4cfdc2d551..b681152600 100644
--- a/src/tls/tlsv1_common.h
+++ b/src/tls/tlsv1_common.h
@@ -194,11 +194,7 @@ typedef enum {
 typedef enum {
 TLS_CIPHER_NULL,
- TLS_CIPHER_RC4_40,
 TLS_CIPHER_RC4_128,
- TLS_CIPHER_RC2_CBC_40,
- TLS_CIPHER_IDEA_CBC,
- TLS_CIPHER_DES40_CBC,
 TLS_CIPHER_DES_CBC,
 TLS_CIPHER_3DES_EDE_CBC,
 TLS_CIPHER_AES_128_CBC,