[FFmpeg-devel] [External] Re: Question Regarding Removal of Blowfish from libavutil in FFmpeg

Wed Oct 2 17:39:47 EEST 2024

On 10/2/2024 11:28 AM, Timo Rothenpieler wrote:
> On 02/10/2024 11:39, Lynne via ffmpeg-devel wrote:
>> On 02/10/2024 11:06, Kumar, Rahul via ffmpeg-devel wrote:
>>> Thank you for the prompt response.
>>>
>>> The primary reason for removing Blowfish from our codebase is to 
>>> comply with modern security guidelines and industry standards that 
>>> discourage the use of outdated cryptographic algorithms, like 
>>> Blowfish, due to their vulnerabilities.
>>>
>>> Given that av_blowfish* is part of the public ABI/API of libavutil, I 
>>> understand the potential issues with breaking compatibility. As for 
>>> rtmpcrypt, I appreciate the information regarding its dependence on 
>>> Blowfish.
>>>
>>> I have a couple of questions and suggestions that I would like to 
>>> discuss further:
>>>
>>> Would it be feasible to introduce a compile-time configuration option 
>>> that makes Blowfish support optional within FFmpeg? This would allow 
>>> projects with stricter security requirements to exclude Blowfish 
>>> while preserving backward compatibility for others.
>>>
>>> Alternatively, would the FFmpeg community be open to discussing 
>>> replacing Blowfish with a more secure, modern algorithm as part of a 
>>> future release plan?
>>>
>>> Any thoughts or recommendations would be greatly appreciated.
>>>
>>> Thanks again for your guidance.
>>>
>>> Thanks,
>>> Rahul Kumar
>>>
>>> -----Original Message-----
>>> From: Michael Niedermayer <michael at niedermayer.cc>
>>> Sent: Wednesday, October 2, 2024 3:23 AM
>>> To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
>>> Cc: Kumar, Rahul <Rahul.Kumar8 at Honeywell.com>
>>> Subject: [External] Re: [FFmpeg-devel] Question Regarding Removal of 
>>> Blowfish from libavutil in FFmpeg
>>>
>>> WARNING: This message has originated from an External Source. This 
>>> may be a phishing email that can result in unauthorized access to 
>>> Honeywell systems. Please use proper judgment and caution when 
>>> opening attachments, clicking links, scanning QR codes, or responding.
>>> _______________________________________________
>>> ffmpeg-devel mailing list
>>> ffmpeg-devel at ffmpeg.org
>>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>>
>>> To unsubscribe, visit link above, or email
>>> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>>
>> rtmpcrypt uses blowfish. If you don't want the blowfish code to be 
>> used in the final build, just don't build rtmpcrypt. LTO will strip 
>> the code off anyway.
> 
> It's public API, so it won't.
> 
>> We can't remove it. It's part of the rtmpcrypt spec.
> 
> 
> The presence of unused code is also not a security issue. Stuff doesn't 
> magically use blowfish just cause there is an implementation flying 
> around somewhere.
> 
> Removing it for security is compliance theater.

Something that was suggested long ago but never came to fruition was 
making lavu modules configure time selectable, which for those with 
public facing interfaces (namely every single one, probably) would mean 
just not compiling the actual code and making the functions return 
ENOSYS or NULL.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20241002/dfc232e5/attachment.sig>