diff mbox series

crypto: pkcs7: remove md4 md5 x.509 support

Message ID 20231001235716.588251-1-dimitri.ledkov@canonical.com (mailing list archive)
State New
Headers show
Series crypto: pkcs7: remove md4 md5 x.509 support | expand

Commit Message

Dimitri John Ledkov Oct. 1, 2023, 11:57 p.m. UTC
Remove support for md4 md5 hash and signatures in x.509 certificate
parsers, pkcs7 signature parser, authenticode parser.

All of these are insecure or broken, and everyone has long time ago
migrated to alternative hash implementations.

Also remove md2 & md3 oids which have already didn't have support.

This is also likely the last user of md4 in the kernel, and thus
crypto/md4.c and related tests in tcrypt & testmgr can likely be
removed. Other users such as cifs smbfs ext modpost sumversions have
their own internal implementation as needed.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 crypto/asymmetric_keys/mscode_parser.c    | 6 ------
 crypto/asymmetric_keys/pkcs7_parser.c     | 6 ------
 crypto/asymmetric_keys/x509_cert_parser.c | 6 ------
 include/linux/oid_registry.h              | 8 --------
 4 files changed, 26 deletions(-)

Comments

Jarkko Sakkinen Oct. 2, 2023, 11:47 p.m. UTC | #1
On Mon Oct 2, 2023 at 2:57 AM EEST, Dimitri John Ledkov wrote:
> Remove support for md4 md5 hash and signatures in x.509 certificate
> parsers, pkcs7 signature parser, authenticode parser.
>
> All of these are insecure or broken, and everyone has long time ago
> migrated to alternative hash implementations.
>
> Also remove md2 & md3 oids which have already didn't have support.
>
> This is also likely the last user of md4 in the kernel, and thus
> crypto/md4.c and related tests in tcrypt & testmgr can likely be
> removed. Other users such as cifs smbfs ext modpost sumversions have
> their own internal implementation as needed.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> ---
>  crypto/asymmetric_keys/mscode_parser.c    | 6 ------
>  crypto/asymmetric_keys/pkcs7_parser.c     | 6 ------
>  crypto/asymmetric_keys/x509_cert_parser.c | 6 ------
>  include/linux/oid_registry.h              | 8 --------
>  4 files changed, 26 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
> index 839591ad21..690405ebe7 100644
> --- a/crypto/asymmetric_keys/mscode_parser.c
> +++ b/crypto/asymmetric_keys/mscode_parser.c
> @@ -75,12 +75,6 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
>  
>  	oid = look_up_OID(value, vlen);
>  	switch (oid) {
> -	case OID_md4:
> -		ctx->digest_algo = "md4";
> -		break;
> -	case OID_md5:
> -		ctx->digest_algo = "md5";
> -		break;
>  	case OID_sha1:
>  		ctx->digest_algo = "sha1";
>  		break;
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index 277482bb17..cf4caab962 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -227,12 +227,6 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
>  	struct pkcs7_parse_context *ctx = context;
>  
>  	switch (ctx->last_oid) {
> -	case OID_md4:
> -		ctx->sinfo->sig->hash_algo = "md4";
> -		break;
> -	case OID_md5:
> -		ctx->sinfo->sig->hash_algo = "md5";
> -		break;
>  	case OID_sha1:
>  		ctx->sinfo->sig->hash_algo = "sha1";
>  		break;
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 7a9b084e20..8d23a69890 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -195,15 +195,9 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
>  	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>  
>  	switch (ctx->last_oid) {
> -	case OID_md2WithRSAEncryption:
> -	case OID_md3WithRSAEncryption:
>  	default:
>  		return -ENOPKG; /* Unsupported combination */
>  
> -	case OID_md4WithRSAEncryption:
> -		ctx->cert->sig->hash_algo = "md4";
> -		goto rsa_pkcs1;
> -
>  	case OID_sha1WithRSAEncryption:
>  		ctx->cert->sig->hash_algo = "sha1";
>  		goto rsa_pkcs1;
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index 0f4a890392..89fb4612b2 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -30,9 +30,6 @@ enum OID {
>  
>  	/* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
>  	OID_rsaEncryption,		/* 1.2.840.113549.1.1.1 */
> -	OID_md2WithRSAEncryption,	/* 1.2.840.113549.1.1.2 */
> -	OID_md3WithRSAEncryption,	/* 1.2.840.113549.1.1.3 */
> -	OID_md4WithRSAEncryption,	/* 1.2.840.113549.1.1.4 */
>  	OID_sha1WithRSAEncryption,	/* 1.2.840.113549.1.1.5 */
>  	OID_sha256WithRSAEncryption,	/* 1.2.840.113549.1.1.11 */
>  	OID_sha384WithRSAEncryption,	/* 1.2.840.113549.1.1.12 */
> @@ -49,11 +46,6 @@ enum OID {
>  	OID_smimeCapabilites,		/* 1.2.840.113549.1.9.15 */
>  	OID_smimeAuthenticatedAttrs,	/* 1.2.840.113549.1.9.16.2.11 */
>  
> -	/* {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2)} */
> -	OID_md2,			/* 1.2.840.113549.2.2 */
> -	OID_md4,			/* 1.2.840.113549.2.4 */
> -	OID_md5,			/* 1.2.840.113549.2.5 */
> -
>  	OID_mskrb5,			/* 1.2.840.48018.1.2.2 */
>  	OID_krb5,			/* 1.2.840.113554.1.2.2 */
>  	OID_krb5u2u,			/* 1.2.840.113554.1.2.2.3 */
> -- 
> 2.34.1

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko
Herbert Xu Oct. 5, 2023, 10:28 a.m. UTC | #2
On Mon, Oct 02, 2023 at 12:57:15AM +0100, Dimitri John Ledkov wrote:
> Remove support for md4 md5 hash and signatures in x.509 certificate
> parsers, pkcs7 signature parser, authenticode parser.
> 
> All of these are insecure or broken, and everyone has long time ago
> migrated to alternative hash implementations.
> 
> Also remove md2 & md3 oids which have already didn't have support.
> 
> This is also likely the last user of md4 in the kernel, and thus
> crypto/md4.c and related tests in tcrypt & testmgr can likely be
> removed. Other users such as cifs smbfs ext modpost sumversions have
> their own internal implementation as needed.
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> ---
>  crypto/asymmetric_keys/mscode_parser.c    | 6 ------
>  crypto/asymmetric_keys/pkcs7_parser.c     | 6 ------
>  crypto/asymmetric_keys/x509_cert_parser.c | 6 ------
>  include/linux/oid_registry.h              | 8 --------
>  4 files changed, 26 deletions(-)

Patch applied.  Thanks.
diff mbox series

Patch

diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
index 839591ad21..690405ebe7 100644
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -75,12 +75,6 @@  int mscode_note_digest_algo(void *context, size_t hdrlen,
 
 	oid = look_up_OID(value, vlen);
 	switch (oid) {
-	case OID_md4:
-		ctx->digest_algo = "md4";
-		break;
-	case OID_md5:
-		ctx->digest_algo = "md5";
-		break;
 	case OID_sha1:
 		ctx->digest_algo = "sha1";
 		break;
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 277482bb17..cf4caab962 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -227,12 +227,6 @@  int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
 	struct pkcs7_parse_context *ctx = context;
 
 	switch (ctx->last_oid) {
-	case OID_md4:
-		ctx->sinfo->sig->hash_algo = "md4";
-		break;
-	case OID_md5:
-		ctx->sinfo->sig->hash_algo = "md5";
-		break;
 	case OID_sha1:
 		ctx->sinfo->sig->hash_algo = "sha1";
 		break;
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 7a9b084e20..8d23a69890 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -195,15 +195,9 @@  int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
 	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
 
 	switch (ctx->last_oid) {
-	case OID_md2WithRSAEncryption:
-	case OID_md3WithRSAEncryption:
 	default:
 		return -ENOPKG; /* Unsupported combination */
 
-	case OID_md4WithRSAEncryption:
-		ctx->cert->sig->hash_algo = "md4";
-		goto rsa_pkcs1;
-
 	case OID_sha1WithRSAEncryption:
 		ctx->cert->sig->hash_algo = "sha1";
 		goto rsa_pkcs1;
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 0f4a890392..89fb4612b2 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -30,9 +30,6 @@  enum OID {
 
 	/* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
 	OID_rsaEncryption,		/* 1.2.840.113549.1.1.1 */
-	OID_md2WithRSAEncryption,	/* 1.2.840.113549.1.1.2 */
-	OID_md3WithRSAEncryption,	/* 1.2.840.113549.1.1.3 */
-	OID_md4WithRSAEncryption,	/* 1.2.840.113549.1.1.4 */
 	OID_sha1WithRSAEncryption,	/* 1.2.840.113549.1.1.5 */
 	OID_sha256WithRSAEncryption,	/* 1.2.840.113549.1.1.11 */
 	OID_sha384WithRSAEncryption,	/* 1.2.840.113549.1.1.12 */
@@ -49,11 +46,6 @@  enum OID {
 	OID_smimeCapabilites,		/* 1.2.840.113549.1.9.15 */
 	OID_smimeAuthenticatedAttrs,	/* 1.2.840.113549.1.9.16.2.11 */
 
-	/* {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2)} */
-	OID_md2,			/* 1.2.840.113549.2.2 */
-	OID_md4,			/* 1.2.840.113549.2.4 */
-	OID_md5,			/* 1.2.840.113549.2.5 */
-
 	OID_mskrb5,			/* 1.2.840.48018.1.2.2 */
 	OID_krb5,			/* 1.2.840.113554.1.2.2 */
 	OID_krb5u2u,			/* 1.2.840.113554.1.2.2.3 */