Message-ID: <7133628a2f45ad63e90c481387ed5b44906df54f.camel@HansenPartnership.com>
Subject: Re: [REGRESSION] Re: [PATCH] crypto: pkcs7: remove sha1 support
From: James Bottomley
To: James Prestwood, Eric Biggers, Jeff Johnson
Cc: Johannes Berg, Karel Balej, dimitri.ledkov@canonical.com, alexandre.torgue@foss.st.com, davem@davemloft.net, dhowells@redhat.com, herbert@gondor.apana.org.au, keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, mcgrof@kernel.org, mcoquelin.stm32@gmail.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, iwd@lists.linux.dev
Date: Thu, 14 Mar 2024 08:22:38 -0400

On Thu, 2024-03-14 at 04:52 -0700, James Prestwood wrote:
> I'm also not entirely sure why this stuff continues to be removed
> from the kernel. First MD4, then it got reverted, then this (now
> reverted, thanks). Both cases there was not clear justification of
> why it was being removed.

I think this is some misunderstanding of the NIST and FIPS requirements
with regards to hashes, ciphers and bits of security. The bottom line
is that neither NIST nor FIPS requires the removal of the sha1 algorithm
at all. Both of them still support it for HMAC (for now).

In addition, the FIPS requirement is only that you not *issue* sha1
hashed signatures. FIPS still allows you to verify legacy signatures
with sha1 as the signing hash (for backwards compatibility reasons).
Enterprises with no legacy and no HMAC requirements *may* remove the
hash, but it's not mandated.

So *removing* sha1 from the certificate code was the wrong thing to do.
We should have configurably prevented using sha1 as the algorithm for
new signatures but kept it for signature verification.

Can we please get this sorted out before 2025, because next up is the
FIPS requirement to move to at least 128 bits of security which will
see RSA2048 deprecated in a similar way: We should refuse to issue
RSA2048 signatures, but will still be allowed to verify them for legacy
reasons.

James
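
The issue/verify split argued for in the message above, sketched as an added example; it is not code from the email, the thread, or the kernel. All names (sig_policy, sig_op_allowed, and so on) are hypothetical, and the RSA strength mapping is assumed from the NIST SP 800-57 Part 1 table.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical names throughout; this is not a kernel interface. */
enum sig_op { SIG_OP_VERIFY, SIG_OP_SIGN };

struct sig_policy {
    unsigned int min_sign_bits; /* strength floor for newly issued signatures */
    bool allow_legacy_verify;   /* still verify signatures below that floor */
};

/* Nominal collision strength of the signing hash in bits (0 = unknown). */
static unsigned int hash_strength(const char *hash)
{
    if (!strcmp(hash, "sha1"))   return 80;  /* nominal; lower in practice */
    if (!strcmp(hash, "sha256")) return 128;
    if (!strcmp(hash, "sha384")) return 192;
    if (!strcmp(hash, "sha512")) return 256;
    return 0;
}

/* RSA modulus size to security strength (NIST SP 800-57 Part 1 table). */
static unsigned int rsa_strength(unsigned int modulus_bits)
{
    if (modulus_bits >= 15360) return 256;
    if (modulus_bits >= 7680)  return 192;
    if (modulus_bits >= 3072)  return 128;
    if (modulus_bits >= 2048)  return 112;
    if (modulus_bits >= 1024)  return 80;
    return 0;
}

/* True if op may proceed; a signature is as strong as its weakest part. */
bool sig_op_allowed(const struct sig_policy *p, enum sig_op op,
                    const char *hash, unsigned int rsa_bits)
{
    unsigned int h = hash_strength(hash), k = rsa_strength(rsa_bits);
    unsigned int strength = h < k ? h : k;

    if (strength == 0)
        return false;               /* unknown hash or unusably small key */
    if (strength >= p->min_sign_bits)
        return true;                /* at or above the floor: sign and verify */
    /* Below the floor: never issue; verify only when legacy is enabled. */
    return op == SIG_OP_VERIFY && p->allow_legacy_verify;
}
```

Raising min_sign_bits from 112 to 128 is the only change needed to stop issuing RSA2048 signatures while existing ones keep verifying.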