[FFmpeg-devel] [External] Re: Question Regarding Removal of Blowfish from libavutil in FFmpeg
Timo Rothenpieler
timo at rothenpieler.org
Wed Oct 2 17:28:31 EEST 2024
On 02/10/2024 11:39, Lynne via ffmpeg-devel wrote:
> On 02/10/2024 11:06, Kumar, Rahul via ffmpeg-devel wrote:
>> Thank you for the prompt response.
>>
>> The primary reason for removing Blowfish from our codebase is to
>> comply with modern security guidelines and industry standards that
>> discourage the use of outdated cryptographic algorithms, like
>> Blowfish, due to their vulnerabilities.
>>
>> Given that av_blowfish* is part of the public ABI/API of libavutil, I
>> understand the potential issues with breaking compatibility. As for
>> rtmpcrypt, I appreciate the information regarding its dependence on
>> Blowfish.
>>
>> I have a couple of questions and suggestions that I would like to
>> discuss further:
>>
>> Would it be feasible to introduce a compile-time configuration option
>> that makes Blowfish support optional within FFmpeg? This would allow
>> projects with stricter security requirements to exclude Blowfish while
>> preserving backward compatibility for others.
>>
>> Alternatively, would the FFmpeg community be open to discussing
>> replacing Blowfish with a more secure, modern algorithm as part of a
>> future release plan?
>>
>> Any thoughts or recommendations would be greatly appreciated.
>>
>> Thanks again for your guidance.
>>
>> Thanks,
>> Rahul Kumar
>>
>> -----Original Message-----
>> From: Michael Niedermayer <michael at niedermayer.cc>
>> Sent: Wednesday, October 2, 2024 3:23 AM
>> To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
>> Cc: Kumar, Rahul <Rahul.Kumar8 at Honeywell.com>
>> Subject: [External] Re: [FFmpeg-devel] Question Regarding Removal of
>> Blowfish from libavutil in FFmpeg
>>
>
> rtmpcrypt uses blowfish. If you don't want the blowfish code to be used
> in the final build, just don't build rtmpcrypt. LTO will strip the code
> off anyway.
It's public API, so it won't.
> We can't remove it. It's part of the rtmpcrypt spec.
The presence of unused code is also not a security issue. Stuff doesn't
magically use blowfish just because there is an implementation flying
around somewhere.
Removing it for security is compliance theater.