Retire MD4. It has been depecared in OpenSSL since 3.0.0 [7 Sep 2021]

0c015f92 · Nils Goroll · 517be163 · 0c015f92 · 0c015f92 · 0c015f92
Unverified Commit 0c015f92 authored Jun 13, 2023 by Nils Goroll
7 changed files
--- a/README.rst
+++ b/README.rst
@@ -98,6 +98,10 @@ BLOB xkey.use()
 Wrap the key in a blob to be passed to `crypto.verifier()`_
+Restricted to: ``vcl_init``.
 .. _xkey.pem_pubkey():
 VOID xkey.pem_pubkey(STRING)
@@ -111,13 +115,17 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _xkey.pem_privkey():
 VOID xkey.pem_privkey(STRING, STRING password=0)
 ------------------------------------------------
 Create a key from the PEM-encoded private key, optionally decrypting
-it using `password`.
+it using _password_.
 The cryptographic method to be used and the key length are
 automatically determined from _pem_. Typically supported methods
@@ -125,6 +133,10 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _xkey.rsa():
 VOID xkey.rsa(BLOB n, BLOB e, [BLOB d])
@@ -134,6 +146,10 @@ Create an RSA key from the parameters n, e, and optionally d.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _crypto.verifier():
 new xverifier = crypto.verifier(ENUM digest, [STRING pem], [BLOB key])
@@ -142,7 +158,7 @@ new xverifier = crypto.verifier(ENUM digest, [STRING pem], [BLOB key])
 ::
   new xverifier = crypto.verifier(
-      ENUM {md_null, md4, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
+      ENUM {md_null, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
      [STRING pem],
      [BLOB key]
   )
@@ -189,9 +205,10 @@ BOOL xverifier.valid(BLOB signature)
 Check if _signature_ is a valid signature for the _verifier_ object
 given the previous updates.
-Note that after calling .valid(), .update can be called again to add
+Note that after calling `xverifier.valid()`, `xverifier.update()` can
-additional data, which can then be validated against a (different)
+be called again to add additional data, which can then be validated
-signature using another call to .valid().
+against a (different) signature using another call to
+`xverifier.valid()`.
 .. _crypto.signer():
@@ -201,7 +218,7 @@ new xsigner = crypto.signer(ENUM digest, [STRING pem], [BLOB key])
 ::
   new xsigner = crypto.signer(
-      ENUM {md_null, md4, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
+      ENUM {md_null, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
      [STRING pem],
      [BLOB key]
   )

--- a/src/Makefile.am
+++ b/src/Makefile.am
--- a/src/md.c
+++ b/src/md.c
@@ -39,9 +39,6 @@ static const EVP_MD *mdtbl[_MD_E_MAX];
 void
 md_init (void) {
 	mdtbl[md_null] = EVP_md_null();
-#ifndef OPENSSL_NO_MD4
-	mdtbl[md4] = EVP_md4();
-#endif
 #ifndef OPENSSL_NO_MD5
 	mdtbl[md5] = EVP_md5();
 #endif

--- a/src/tbl_md.h
+++ b/src/tbl_md.h
 VMODENUM(md_null)
-VMODENUM(md4)
 VMODENUM(md5)
 VMODENUM(sha1)
 //VMODENUM(dss)

--- a/src/vmod_crypto.rst
+++ b/src/vmod_crypto.rst
@@ -155,7 +155,7 @@ new xverifier = crypto.verifier(ENUM digest, [STRING pem], [BLOB key])
 ::
   new xverifier = crypto.verifier(
-      ENUM {md_null, md4, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
+      ENUM {md_null, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
      [STRING pem],
      [BLOB key]
   )
@@ -215,7 +215,7 @@ new xsigner = crypto.signer(ENUM digest, [STRING pem], [BLOB key])
 ::
   new xsigner = crypto.signer(
-      ENUM {md_null, md4, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
+      ENUM {md_null, md5, sha1, sha224, sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
      [STRING pem],
      [BLOB key]
   )

--- a/src/vmod_crypto.vcc
+++ b/src/vmod_crypto.vcc
@@ -83,7 +83,7 @@ Any error is fatal to vcl initialization.
 $Restrict vcl_init
-$Object verifier(ENUM {md_null, md4, md5, sha1, sha224,
+$Object verifier(ENUM {md_null, md5, sha1, sha224,
 	sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
 	[STRING pem], [BLOB key])
@@ -122,7 +122,7 @@ be called again to add additional data, which can then be validated
 against a (different) signature using another call to
 `xverifier.valid()`.
-$Object signer(ENUM {md_null, md4, md5, sha1, sha224,
+$Object signer(ENUM {md_null, md5, sha1, sha224,
 	sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
 	[STRING pem], [BLOB key])

--- a/src/vtc/sigs/gen.sh
+++ b/src/vtc/sigs/gen.sh
@@ -7,7 +7,6 @@ set -eux
 cd $(dirname $0)
 typeset -ra mds=(
-	md4
 	md5
 	rmd160
 	sha1