crypto: pkcs7 - remove sha1 support
Removes support for sha1 signed kernel modules, importing sha1 signed x.509 certificates. rsa-pkcs1pad keeps sha1 padding support, which seems to be used by virtio driver. sha1 remains available as there are many drivers and subsystems using it. Note only hmac(sha1) with secret keys remains cryptographically secure. In the kernel there are filesystems, IMA, tpm/pcr that appear to be using sha1. Maybe they can all start to be slowly upgraded to something else i.e. blake3, ParallelHash, SHAKE256 as needed. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
parent
c35b581e51
commit
16ab7cb582
@ -75,9 +75,6 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
|
||||
|
||||
oid = look_up_OID(value, vlen);
|
||||
switch (oid) {
|
||||
case OID_sha1:
|
||||
ctx->digest_algo = "sha1";
|
||||
break;
|
||||
case OID_sha256:
|
||||
ctx->digest_algo = "sha256";
|
||||
break;
|
||||
|
@ -227,9 +227,6 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
|
||||
struct pkcs7_parse_context *ctx = context;
|
||||
|
||||
switch (ctx->last_oid) {
|
||||
case OID_sha1:
|
||||
ctx->sinfo->sig->hash_algo = "sha1";
|
||||
break;
|
||||
case OID_sha256:
|
||||
ctx->sinfo->sig->hash_algo = "sha256";
|
||||
break;
|
||||
@ -272,7 +269,6 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
|
||||
ctx->sinfo->sig->pkey_algo = "rsa";
|
||||
ctx->sinfo->sig->encoding = "pkcs1";
|
||||
break;
|
||||
case OID_id_ecdsa_with_sha1:
|
||||
case OID_id_ecdsa_with_sha224:
|
||||
case OID_id_ecdsa_with_sha256:
|
||||
case OID_id_ecdsa_with_sha384:
|
||||
|
@ -116,8 +116,7 @@ software_key_determine_akcipher(const struct public_key *pkey,
|
||||
*/
|
||||
if (!hash_algo)
|
||||
return -EINVAL;
|
||||
if (strcmp(hash_algo, "sha1") != 0 &&
|
||||
strcmp(hash_algo, "sha224") != 0 &&
|
||||
if (strcmp(hash_algo, "sha224") != 0 &&
|
||||
strcmp(hash_algo, "sha256") != 0 &&
|
||||
strcmp(hash_algo, "sha384") != 0 &&
|
||||
strcmp(hash_algo, "sha512") != 0)
|
||||
|
@ -115,7 +115,7 @@ EXPORT_SYMBOL_GPL(decrypt_blob);
|
||||
* Sign the specified data blob using the private key specified by params->key.
|
||||
* The signature is wrapped in an encoding if params->encoding is specified
|
||||
* (eg. "pkcs1"). If the encoding needs to know the digest type, this can be
|
||||
* passed through params->hash_algo (eg. "sha1").
|
||||
* passed through params->hash_algo (eg. "sha512").
|
||||
*
|
||||
* Returns the length of the data placed in the signature buffer or an error.
|
||||
*/
|
||||
|
@ -198,10 +198,6 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
|
||||
default:
|
||||
return -ENOPKG; /* Unsupported combination */
|
||||
|
||||
case OID_sha1WithRSAEncryption:
|
||||
ctx->cert->sig->hash_algo = "sha1";
|
||||
goto rsa_pkcs1;
|
||||
|
||||
case OID_sha256WithRSAEncryption:
|
||||
ctx->cert->sig->hash_algo = "sha256";
|
||||
goto rsa_pkcs1;
|
||||
@ -218,10 +214,6 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
|
||||
ctx->cert->sig->hash_algo = "sha224";
|
||||
goto rsa_pkcs1;
|
||||
|
||||
case OID_id_ecdsa_with_sha1:
|
||||
ctx->cert->sig->hash_algo = "sha1";
|
||||
goto ecdsa;
|
||||
|
||||
case OID_id_ecdsa_with_sha224:
|
||||
ctx->cert->sig->hash_algo = "sha224";
|
||||
goto ecdsa;
|
||||
|
@ -653,30 +653,6 @@ static const struct akcipher_testvec rsa_tv_template[] = {
|
||||
static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = {
|
||||
{
|
||||
.key =
|
||||
"\x04\xf7\x46\xf8\x2f\x15\xf6\x22\x8e\xd7\x57\x4f\xcc\xe7\xbb\xc1"
|
||||
"\xd4\x09\x73\xcf\xea\xd0\x15\x07\x3d\xa5\x8a\x8a\x95\x43\xe4\x68"
|
||||
"\xea\xc6\x25\xc1\xc1\x01\x25\x4c\x7e\xc3\x3c\xa6\x04\x0a\xe7\x08"
|
||||
"\x98",
|
||||
.key_len = 49,
|
||||
.params =
|
||||
"\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48"
|
||||
"\xce\x3d\x03\x01\x01",
|
||||
.param_len = 21,
|
||||
.m =
|
||||
"\xcd\xb9\xd2\x1c\xb7\x6f\xcd\x44\xb3\xfd\x63\xea\xa3\x66\x7f\xae"
|
||||
"\x63\x85\xe7\x82",
|
||||
.m_size = 20,
|
||||
.algo = OID_id_ecdsa_with_sha1,
|
||||
.c =
|
||||
"\x30\x35\x02\x19\x00\xba\xe5\x93\x83\x6e\xb6\x3b\x63\xa0\x27\x91"
|
||||
"\xc6\xf6\x7f\xc3\x09\xad\x59\xad\x88\x27\xd6\x92\x6b\x02\x18\x10"
|
||||
"\x68\x01\x9d\xba\xce\x83\x08\xef\x95\x52\x7b\xa0\x0f\xe4\x18\x86"
|
||||
"\x80\x6f\xa5\x79\x77\xda\xd0",
|
||||
.c_size = 55,
|
||||
.public_key_vec = true,
|
||||
.siggen_sigver_test = true,
|
||||
}, {
|
||||
.key =
|
||||
"\x04\xb6\x4b\xb1\xd1\xac\xba\x24\x8f\x65\xb2\x60\x00\x90\xbf\xbd"
|
||||
"\x78\x05\x73\xe9\x79\x1d\x6f\x7c\x0b\xd2\xc3\x93\xa7\x28\xe1\x75"
|
||||
"\xf7\xd5\x95\x1d\x28\x10\xc0\x75\x50\x5c\x1a\x4f\x3f\x8f\xa5\xee"
|
||||
@ -780,32 +756,6 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = {
|
||||
static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = {
|
||||
{
|
||||
.key =
|
||||
"\x04\xb9\x7b\xbb\xd7\x17\x64\xd2\x7e\xfc\x81\x5d\x87\x06\x83\x41"
|
||||
"\x22\xd6\x9a\xaa\x87\x17\xec\x4f\x63\x55\x2f\x94\xba\xdd\x83\xe9"
|
||||
"\x34\x4b\xf3\xe9\x91\x13\x50\xb6\xcb\xca\x62\x08\xe7\x3b\x09\xdc"
|
||||
"\xc3\x63\x4b\x2d\xb9\x73\x53\xe4\x45\xe6\x7c\xad\xe7\x6b\xb0\xe8"
|
||||
"\xaf",
|
||||
.key_len = 65,
|
||||
.params =
|
||||
"\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48"
|
||||
"\xce\x3d\x03\x01\x07",
|
||||
.param_len = 21,
|
||||
.m =
|
||||
"\xc2\x2b\x5f\x91\x78\x34\x26\x09\x42\x8d\x6f\x51\xb2\xc5\xaf\x4c"
|
||||
"\x0b\xde\x6a\x42",
|
||||
.m_size = 20,
|
||||
.algo = OID_id_ecdsa_with_sha1,
|
||||
.c =
|
||||
"\x30\x46\x02\x21\x00\xf9\x25\xce\x9f\x3a\xa6\x35\x81\xcf\xd4\xe7"
|
||||
"\xb7\xf0\x82\x56\x41\xf7\xd4\xad\x8d\x94\x5a\x69\x89\xee\xca\x6a"
|
||||
"\x52\x0e\x48\x4d\xcc\x02\x21\x00\xd7\xe4\xef\x52\x66\xd3\x5b\x9d"
|
||||
"\x8a\xfa\x54\x93\x29\xa7\x70\x86\xf1\x03\x03\xf3\x3b\xe2\x73\xf7"
|
||||
"\xfb\x9d\x8b\xde\xd4\x8d\x6f\xad",
|
||||
.c_size = 72,
|
||||
.public_key_vec = true,
|
||||
.siggen_sigver_test = true,
|
||||
}, {
|
||||
.key =
|
||||
"\x04\x8b\x6d\xc0\x33\x8e\x2d\x8b\x67\xf5\xeb\xc4\x7f\xa0\xf5\xd9"
|
||||
"\x7b\x03\xa5\x78\x9a\xb5\xea\x14\xe4\x23\xd0\xaf\xd7\x0e\x2e\xa0"
|
||||
"\xc9\x8b\xdb\x95\xf8\xb3\xaf\xac\x00\x2c\x2c\x1f\x7a\xfd\x95\x88"
|
||||
@ -916,36 +866,6 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = {
|
||||
|
||||
static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = {
|
||||
{
|
||||
.key = /* secp384r1(sha1) */
|
||||
"\x04\x89\x25\xf3\x97\x88\xcb\xb0\x78\xc5\x72\x9a\x14\x6e\x7a\xb1"
|
||||
"\x5a\xa5\x24\xf1\x95\x06\x9e\x28\xfb\xc4\xb9\xbe\x5a\x0d\xd9\x9f"
|
||||
"\xf3\xd1\x4d\x2d\x07\x99\xbd\xda\xa7\x66\xec\xbb\xea\xba\x79\x42"
|
||||
"\xc9\x34\x89\x6a\xe7\x0b\xc3\xf2\xfe\x32\x30\xbe\xba\xf9\xdf\x7e"
|
||||
"\x4b\x6a\x07\x8e\x26\x66\x3f\x1d\xec\xa2\x57\x91\x51\xdd\x17\x0e"
|
||||
"\x0b\x25\xd6\x80\x5c\x3b\xe6\x1a\x98\x48\x91\x45\x7a\x73\xb0\xc3"
|
||||
"\xf1",
|
||||
.key_len = 97,
|
||||
.params =
|
||||
"\x30\x10\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x05\x2b\x81\x04"
|
||||
"\x00\x22",
|
||||
.param_len = 18,
|
||||
.m =
|
||||
"\x12\x55\x28\xf0\x77\xd5\xb6\x21\x71\x32\x48\xcd\x28\xa8\x25\x22"
|
||||
"\x3a\x69\xc1\x93",
|
||||
.m_size = 20,
|
||||
.algo = OID_id_ecdsa_with_sha1,
|
||||
.c =
|
||||
"\x30\x66\x02\x31\x00\xf5\x0f\x24\x4c\x07\x93\x6f\x21\x57\x55\x07"
|
||||
"\x20\x43\x30\xde\xa0\x8d\x26\x8e\xae\x63\x3f\xbc\x20\x3a\xc6\xf1"
|
||||
"\x32\x3c\xce\x70\x2b\x78\xf1\x4c\x26\xe6\x5b\x86\xcf\xec\x7c\x7e"
|
||||
"\xd0\x87\xd7\xd7\x6e\x02\x31\x00\xcd\xbb\x7e\x81\x5d\x8f\x63\xc0"
|
||||
"\x5f\x63\xb1\xbe\x5e\x4c\x0e\xa1\xdf\x28\x8c\x1b\xfa\xf9\x95\x88"
|
||||
"\x74\xa0\x0f\xbf\xaf\xc3\x36\x76\x4a\xa1\x59\xf1\x1c\xa4\x58\x26"
|
||||
"\x79\x12\x2a\xb7\xc5\x15\x92\xc5",
|
||||
.c_size = 104,
|
||||
.public_key_vec = true,
|
||||
.siggen_sigver_test = true,
|
||||
}, {
|
||||
.key = /* secp384r1(sha224) */
|
||||
"\x04\x69\x6c\xcf\x62\xee\xd0\x0d\xe5\xb5\x2f\x70\x54\xcf\x26\xa0"
|
||||
"\xd9\x98\x8d\x92\x2a\xab\x9b\x11\xcb\x48\x18\xa1\xa9\x0d\xd5\x18"
|
||||
|
@ -17,12 +17,10 @@
|
||||
* build_OID_registry.pl to generate the data for look_up_OID().
|
||||
*/
|
||||
enum OID {
|
||||
OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
|
||||
OID_id_dsa, /* 1.2.840.10040.4.1 */
|
||||
OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
|
||||
OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */
|
||||
OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */
|
||||
OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
|
||||
OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */
|
||||
OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */
|
||||
OID_id_ecdsa_with_sha384, /* 1.2.840.10045.4.3.3 */
|
||||
@ -30,7 +28,6 @@ enum OID {
|
||||
|
||||
/* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
|
||||
OID_rsaEncryption, /* 1.2.840.113549.1.1.1 */
|
||||
OID_sha1WithRSAEncryption, /* 1.2.840.113549.1.1.5 */
|
||||
OID_sha256WithRSAEncryption, /* 1.2.840.113549.1.1.11 */
|
||||
OID_sha384WithRSAEncryption, /* 1.2.840.113549.1.1.12 */
|
||||
OID_sha512WithRSAEncryption, /* 1.2.840.113549.1.1.13 */
|
||||
@ -67,7 +64,6 @@ enum OID {
|
||||
OID_PKU2U, /* 1.3.5.1.5.2.7 */
|
||||
OID_Scram, /* 1.3.6.1.5.5.14 */
|
||||
OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
|
||||
OID_sha1, /* 1.3.14.3.2.26 */
|
||||
OID_id_ansip384r1, /* 1.3.132.0.34 */
|
||||
OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
|
||||
OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
|
||||
|
@ -236,10 +236,6 @@ choice
|
||||
possible to load a signed module containing the algorithm to check
|
||||
the signature on that module.
|
||||
|
||||
config MODULE_SIG_SHA1
|
||||
bool "Sign modules with SHA-1"
|
||||
select CRYPTO_SHA1
|
||||
|
||||
config MODULE_SIG_SHA224
|
||||
bool "Sign modules with SHA-224"
|
||||
select CRYPTO_SHA256
|
||||
@ -261,7 +257,6 @@ endchoice
|
||||
config MODULE_SIG_HASH
|
||||
string
|
||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||
default "sha1" if MODULE_SIG_SHA1
|
||||
default "sha224" if MODULE_SIG_SHA224
|
||||
default "sha256" if MODULE_SIG_SHA256
|
||||
default "sha384" if MODULE_SIG_SHA384
|
||||
|
Loading…
Reference in New Issue
Block a user