Re: [PATCH] crypto: pkcs7: remove md4 md5 x.509 support
From: Jarkko Sakkinen
Date: Mon Oct 02 2023 - 19:47:43 EST
On Mon Oct 2, 2023 at 2:57 AM EEST, Dimitri John Ledkov wrote:
> Remove support for md4 md5 hash and signatures in x.509 certificate
> parsers, pkcs7 signature parser, authenticode parser.
>
> All of these are insecure or broken, and everyone has long time ago
> migrated to alternative hash implementations.
>
> Also remove md2 & md3 oids which have already didn't have support.
>
> This is also likely the last user of md4 in the kernel, and thus
> crypto/md4.c and related tests in tcrypt & testmgr can likely be
> removed. Other users such as cifs smbfs ext modpost sumversions have
> their own internal implementation as needed.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@xxxxxxxxxxxxx>
> ---
> crypto/asymmetric_keys/mscode_parser.c | 6 ------
> crypto/asymmetric_keys/pkcs7_parser.c | 6 ------
> crypto/asymmetric_keys/x509_cert_parser.c | 6 ------
> include/linux/oid_registry.h | 8 --------
> 4 files changed, 26 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
> index 839591ad21..690405ebe7 100644
> --- a/crypto/asymmetric_keys/mscode_parser.c
> +++ b/crypto/asymmetric_keys/mscode_parser.c
> @@ -75,12 +75,6 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
>
> oid = look_up_OID(value, vlen);
> switch (oid) {
> - case OID_md4:
> - ctx->digest_algo = "md4";
> - break;
> - case OID_md5:
> - ctx->digest_algo = "md5";
> - break;
> case OID_sha1:
> ctx->digest_algo = "sha1";
> break;
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index 277482bb17..cf4caab962 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -227,12 +227,6 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
> struct pkcs7_parse_context *ctx = context;
>
> switch (ctx->last_oid) {
> - case OID_md4:
> - ctx->sinfo->sig->hash_algo = "md4";
> - break;
> - case OID_md5:
> - ctx->sinfo->sig->hash_algo = "md5";
> - break;
> case OID_sha1:
> ctx->sinfo->sig->hash_algo = "sha1";
> break;
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 7a9b084e20..8d23a69890 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -195,15 +195,9 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
> pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>
> switch (ctx->last_oid) {
> - case OID_md2WithRSAEncryption:
> - case OID_md3WithRSAEncryption:
> default:
> return -ENOPKG; /* Unsupported combination */
>
> - case OID_md4WithRSAEncryption:
> - ctx->cert->sig->hash_algo = "md4";
> - goto rsa_pkcs1;
> -
> case OID_sha1WithRSAEncryption:
> ctx->cert->sig->hash_algo = "sha1";
> goto rsa_pkcs1;
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index 0f4a890392..89fb4612b2 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -30,9 +30,6 @@ enum OID {
>
> /* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
> OID_rsaEncryption, /* 1.2.840.113549.1.1.1 */
> - OID_md2WithRSAEncryption, /* 1.2.840.113549.1.1.2 */
> - OID_md3WithRSAEncryption, /* 1.2.840.113549.1.1.3 */
> - OID_md4WithRSAEncryption, /* 1.2.840.113549.1.1.4 */
> OID_sha1WithRSAEncryption, /* 1.2.840.113549.1.1.5 */
> OID_sha256WithRSAEncryption, /* 1.2.840.113549.1.1.11 */
> OID_sha384WithRSAEncryption, /* 1.2.840.113549.1.1.12 */
> @@ -49,11 +46,6 @@ enum OID {
> OID_smimeCapabilites, /* 1.2.840.113549.1.9.15 */
> OID_smimeAuthenticatedAttrs, /* 1.2.840.113549.1.9.16.2.11 */
>
> - /* {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2)} */
> - OID_md2, /* 1.2.840.113549.2.2 */
> - OID_md4, /* 1.2.840.113549.2.4 */
> - OID_md5, /* 1.2.840.113549.2.5 */
> -
> OID_mskrb5, /* 1.2.840.48018.1.2.2 */
> OID_krb5, /* 1.2.840.113554.1.2.2 */
> OID_krb5u2u, /* 1.2.840.113554.1.2.2.3 */
> --
> 2.34.1
Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
BR, Jarkko