Linux cryptographic layer development
From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Dimitri John Ledkov" <dimitri.ledkov@canonical.com>,
	"David Howells" <dhowells@redhat.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Cc: <keyrings@vger.kernel.org>, <linux-crypto@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] crypto: pkcs7: remove md4 md5 x.509 support
Date: Tue, 03 Oct 2023 02:47:33 +0300
Message-ID: <CVYCS4GZ0JJ0.KXKWHDIN8X0W@seitikki>
In-Reply-To: <20231001235716.588251-1-dimitri.ledkov@canonical.com>

On Mon Oct 2, 2023 at 2:57 AM EEST, Dimitri John Ledkov wrote:
> Remove support for md4 md5 hash and signatures in x.509 certificate
> parsers, pkcs7 signature parser, authenticode parser.
>
> All of these are insecure or broken, and everyone has long ago
> migrated to alternative hash implementations.
>
> Also remove md2 & md3 oids which already didn't have support.
>
> This is also likely the last user of md4 in the kernel, and thus
> crypto/md4.c and related tests in tcrypt & testmgr can likely be
> removed. Other users such as cifs smbfs ext modpost sumversions have
> their own internal implementation as needed.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> ---
>  crypto/asymmetric_keys/mscode_parser.c    | 6 ------
>  crypto/asymmetric_keys/pkcs7_parser.c     | 6 ------
>  crypto/asymmetric_keys/x509_cert_parser.c | 6 ------
>  include/linux/oid_registry.h              | 8 --------
>  4 files changed, 26 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
> index 839591ad21..690405ebe7 100644
> --- a/crypto/asymmetric_keys/mscode_parser.c
> +++ b/crypto/asymmetric_keys/mscode_parser.c
> @@ -75,12 +75,6 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
>  
>  	oid = look_up_OID(value, vlen);
>  	switch (oid) {
> -	case OID_md4:
> -		ctx->digest_algo = "md4";
> -		break;
> -	case OID_md5:
> -		ctx->digest_algo = "md5";
> -		break;
>  	case OID_sha1:
>  		ctx->digest_algo = "sha1";
>  		break;
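
Review bot: in mscode_note_digest_algo() the hunk does not show which branch of switch (oid) an md4 or md5 digest OID reaches once these cases are gone, and because the same patch drops OID_md4 and OID_md5 from enum OID, look_up_OID() can no longer return them at all. Please state in the changelog which error an Authenticode blob with such a digest now gets, so the rejection is a documented result rather than a side effect of the lookup failing.
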
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index 277482bb17..cf4caab962 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -227,12 +227,6 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
>  	struct pkcs7_parse_context *ctx = context;
>  
>  	switch (ctx->last_oid) {
> -	case OID_md4:
> -		ctx->sinfo->sig->hash_algo = "md4";
> -		break;
> -	case OID_md5:
> -		ctx->sinfo->sig->hash_algo = "md5";
> -		break;
>  	case OID_sha1:
>  		ctx->sinfo->sig->hash_algo = "sha1";
>  		break;
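
Review bot: sha1 stays as the first accepted case in pkcs7_sig_note_digest_algo() while the changelog justifies the removal with "insecure or broken"; say explicitly that SHA-1 is out of scope for this patch, otherwise readers will wonder whether it was overlooked.
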
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 7a9b084e20..8d23a69890 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -195,15 +195,9 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
>  	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>  
>  	switch (ctx->last_oid) {
> -	case OID_md2WithRSAEncryption:
> -	case OID_md3WithRSAEncryption:
>  	default:
>  		return -ENOPKG; /* Unsupported combination */
>  
> -	case OID_md4WithRSAEncryption:
> -		ctx->cert->sig->hash_algo = "md4";
> -		goto rsa_pkcs1;
> -
>  	case OID_sha1WithRSAEncryption:
>  		ctx->cert->sig->hash_algo = "sha1";
>  		goto rsa_pkcs1;
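
Review bot: with the md2/md3 labels removed, default: is left as the first label of the switch in x509_note_sig_algo(), ahead of the sha1 case; it only sat there to share the -ENOPKG return with those labels, so move it to the end of the switch, its conventional position. Also, the changelog promises md5 removal for X.509, yet the only case removed here is OID_md4WithRSAEncryption; please reconcile the two.
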
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index 0f4a890392..89fb4612b2 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -30,9 +30,6 @@ enum OID {
>  
>  	/* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
>  	OID_rsaEncryption,		/* 1.2.840.113549.1.1.1 */
> -	OID_md2WithRSAEncryption,	/* 1.2.840.113549.1.1.2 */
> -	OID_md3WithRSAEncryption,	/* 1.2.840.113549.1.1.3 */
> -	OID_md4WithRSAEncryption,	/* 1.2.840.113549.1.1.4 */
>  	OID_sha1WithRSAEncryption,	/* 1.2.840.113549.1.1.5 */
>  	OID_sha256WithRSAEncryption,	/* 1.2.840.113549.1.1.11 */
>  	OID_sha384WithRSAEncryption,	/* 1.2.840.113549.1.1.12 */
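
Review bot: the removed comments label 1.2.840.113549.1.1.3 as md3WithRSAEncryption and 1.2.840.113549.1.1.4 as md4WithRSAEncryption, but PKCS#1 assigns {pkcs-1 3} to md4WithRSAEncryption and {pkcs-1 4} to md5WithRSAEncryption. Mention in the changelog that the names were off by one, so it is clear that the x509 hunk removes handling of the md5WithRSAEncryption arc under the "md4" name.
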
> @@ -49,11 +46,6 @@ enum OID {
>  	OID_smimeCapabilites,		/* 1.2.840.113549.1.9.15 */
>  	OID_smimeAuthenticatedAttrs,	/* 1.2.840.113549.1.9.16.2.11 */
>  
> -	/* {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2)} */
> -	OID_md2,			/* 1.2.840.113549.2.2 */
> -	OID_md4,			/* 1.2.840.113549.2.4 */
> -	OID_md5,			/* 1.2.840.113549.2.5 */
> -
>  	OID_mskrb5,			/* 1.2.840.48018.1.2.2 */
>  	OID_krb5,			/* 1.2.840.113554.1.2.2 */
>  	OID_krb5u2u,			/* 1.2.840.113554.1.2.2.3 */
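
Review bot: OID_md2, OID_md4 and OID_md5 are deleted from enum OID, but the diffstat covers only the three parsers under crypto/asymmetric_keys/; confirm with a tree-wide grep that nothing else still references these enumerators (or the three *WithRSAEncryption ones removed in the previous hunk), and say so in the changelog, since a leftover user would break the build.
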
> -- 
> 2.34.1

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

Thread overview: 3+ messages
2023-10-01 23:57 [PATCH] crypto: pkcs7: remove md4 md5 x.509 support Dimitri John Ledkov
2023-10-02 23:47 ` Jarkko Sakkinen [this message]
2023-10-05 10:28 ` Herbert Xu
