sysadmin/ipxe - ipxe - codex.r10x.net

sysadmin/ipxe

Fork 0

mirror of https://github.com/ipxe/ipxe synced 2026-01-22 12:08:58 +03:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Michael Brown	46510f36ab	[build] Mark MD4 and MD5 as forbidden for UEFI Secure Boot A past security review identified MD4 and MD5 support as features that ought to be disabled by default. (There is zero impact on UEFI Secure Boot itself from having these algorithms enabled: this was just a side comment in the review.) As noted in the resulting commit `7f2006a` ("[crypto] Disable MD5 as an OID-identifiable algorithm by default"), the actual MD5 code will almost certainly still be present in the binary due to its implicit use by various features. Disabling MD5 support via config/crypto.h simply removes the OID-identified algorithm, which prevents it from being used as an explicitly identified algorithm (e.g. in an X.509 certificate digest). Match the intent of this review comment by marking the OID-identified algorithms for MD4 and MD5 as forbidden for UEFI Secure Boot. Extend this to also disable the "md4sum" command and the use of the md5WithRSAEncryption OID-identified algorithm. (The "md5sum" command is left enabled for historical reasons, and we have no definition for md4WithRSAEncryption anyway.) Signed-off-by: Michael Brown <mcb30@ipxe.org>	2026-01-14 16:10:29 +00:00
Michael Brown	e4b6328c84	[asn1] Rename ASN1_OID_CURSOR to ASN1_CURSOR There is nothing OID-specific about the ASN1_OID_CURSOR macro. Rename to allow it to be used for constructing ASN.1 cursors with arbitrary contents. Signed-off-by: Michael Brown <mcb30@ipxe.org>	2020-12-08 12:38:45 +00:00
Michael Brown	bd7a5e4b9c	[crypto] Allow algorithms to be included without being OID-identifiable There are many ways in which the object for a cryptographic algorithm may be included, even if not explicitly enabled in config/crypto.h. For example: the MD5 algorithm is required by TLSv1.1 or earlier, by iSCSI CHAP authentication, by HTTP digest authentication, and by NTLM authentication. In the current implementation, inclusion of an algorithm for any reason will result in the algorithm's ASN.1 object identifier being included in the "asn1_algorithms" table, which consequently allows the algorithm to be used for any ASN1-identified purpose. For example: if the MD5 algorithm is included in order to support HTTP digest authentication, then iPXE would accept a (validly signed) TLS certificate using an MD5 digest. Split the ASN.1 object identifiers into separate files that are required only if explicitly enabled in config/crypto.h. This allows an algorithm to be omitted from the "asn1_algorithms" table even if the algorithm implementation is dragged in for some other purpose. The end result is that only the algorithms that are explicitly enabled in config/crypto.h can be used for ASN1-identified purposes such as signature verification. Signed-off-by: Michael Brown <mcb30@ipxe.org>	2020-06-16 17:14:54 +01:00

Michael Brown

46510f36ab

[build] Mark MD4 and MD5 as forbidden for UEFI Secure Boot

A past security review identified MD4 and MD5 support as features that
ought to be disabled by default.  (There is zero impact on UEFI Secure
Boot itself from having these algorithms enabled: this was just a side
comment in the review.)

As noted in the resulting commit 7f2006a ("[crypto] Disable MD5 as an
OID-identifiable algorithm by default"), the actual MD5 code will
almost certainly still be present in the binary due to its implicit
use by various features.  Disabling MD5 support via config/crypto.h
simply removes the OID-identified algorithm, which prevents it from
being used as an explicitly identified algorithm (e.g. in an X.509
certificate digest).

Match the intent of this review comment by marking the OID-identified
algorithms for MD4 and MD5 as forbidden for UEFI Secure Boot.

Extend this to also disable the "md4sum" command and the use of the
md5WithRSAEncryption OID-identified algorithm.  (The "md5sum" command
is left enabled for historical reasons, and we have no definition for
md4WithRSAEncryption anyway.)

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2026-01-14 16:10:29 +00:00

Michael Brown

e4b6328c84

[asn1] Rename ASN1_OID_CURSOR to ASN1_CURSOR

There is nothing OID-specific about the ASN1_OID_CURSOR macro.  Rename
to allow it to be used for constructing ASN.1 cursors with arbitrary
contents.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2020-12-08 12:38:45 +00:00

Michael Brown

bd7a5e4b9c

[crypto] Allow algorithms to be included without being OID-identifiable

There are many ways in which the object for a cryptographic algorithm
may be included, even if not explicitly enabled in config/crypto.h.
For example: the MD5 algorithm is required by TLSv1.1 or earlier, by
iSCSI CHAP authentication, by HTTP digest authentication, and by NTLM
authentication.

In the current implementation, inclusion of an algorithm for any
reason will result in the algorithm's ASN.1 object identifier being
included in the "asn1_algorithms" table, which consequently allows the
algorithm to be used for any ASN1-identified purpose.  For example: if
the MD5 algorithm is included in order to support HTTP digest
authentication, then iPXE would accept a (validly signed) TLS
certificate using an MD5 digest.

Split the ASN.1 object identifiers into separate files that are
required only if explicitly enabled in config/crypto.h.  This allows
an algorithm to be omitted from the "asn1_algorithms" table even if
the algorithm implementation is dragged in for some other purpose.

The end result is that only the algorithms that are explicitly enabled
in config/crypto.h can be used for ASN1-identified purposes such as
signature verification.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2020-06-16 17:14:54 +01:00

3 Commits