crypto: document insecure algorithms

This change explicitly documents that DES, MD5, RC4 and SHA-1 are insecure / broken - at all or at least within a commonly used scenario. Fixes #14395 Change-Id: Id1d543c85d67968ba64ed7495313501953c3ef3a Reviewed-on: https://go-review.googlesource.com/42511Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

crypto: document insecure algorithms
This change explicitly documents that DES, MD5, RC4 and SHA-1 are insecure / broken - at all or at least within a commonly used scenario. Fixes #14395 Change-Id: Id1d543c85d67968ba64ed7495313501953c3ef3a Reviewed-on: https://go-review.googlesource.com/42511Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
25db5d1a · Andreas Auernhammer · Brad Fitzpatrick · 724fd131 · 25db5d1a · 25db5d1a
Commit 25db5d1a authored May 02, 2017 by Andreas Auernhammer Committed by Brad Fitzpatrick May 03, 2017
12 changed files
--- a/src/crypto/des/const.go
+++ b/src/crypto/des/const.go
@@ -5,6 +5,8 @@
 // Package des implements the Data Encryption Standard (DES) and the
 // Triple Data Encryption Algorithm (TDEA) as defined
 // in U.S. Federal Information Processing Standards Publication 46-3.
+//
+// DES is broken and should not be used anymore.
 package des

 // Used to perform an initial permutation of a 64-bit input block.

--- a/src/crypto/md5/md5.go
+++ b/src/crypto/md5/md5.go
@@ -5,6 +5,8 @@
 //go:generate go run gen.go -full -output md5block.go

 // Package md5 implements the MD5 hash algorithm as defined in RFC 1321.
+//
+// MD5 is broken and should not be used anymore.
 package md5

 import (

--- a/src/crypto/rc4/rc4.go
+++ b/src/crypto/rc4/rc4.go
@@ -4,11 +4,10 @@

 // Package rc4 implements RC4 encryption, as defined in Bruce Schneier's
 // Applied Cryptography.
+//
+// RC4 is broken and should not be used anymore.
 package rc4

-// BUG(agl): RC4 is in common use but has design weaknesses that make
-// it a poor choice for new protocols.
-
 import "strconv"

 // A Cipher is an instance of RC4 using a particular key.

--- a/src/crypto/sha1/sha1.go
+++ b/src/crypto/sha1/sha1.go
@@ -2,7 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package sha1 implements the SHA1 hash algorithm as defined in RFC 3174.
+// Package sha1 implements the SHA-1 hash algorithm as defined in RFC 3174.
+//
+// SHA-1 is broken and should not be used anymore.
 package sha1

 import (
@@ -14,10 +16,10 @@ func init() {
 	crypto.RegisterHash(crypto.SHA1, New)
 }

-// The size of a SHA1 checksum in bytes.
+// The size of a SHA-1 checksum in bytes.
 const Size = 20

-// The blocksize of SHA1 in bytes.
+// The blocksize of SHA-1 in bytes.
 const BlockSize = 64

 const (
@@ -189,7 +191,7 @@ func (d *digest) constSum() [Size]byte {
 	return digest
 }

-// Sum returns the SHA1 checksum of the data.
+// Sum returns the SHA-1 checksum of the data.
 func Sum(data []byte) [Size]byte {
 	var d digest
 	d.Reset()

--- a/src/crypto/sha1/sha1_test.go
+++ b/src/crypto/sha1/sha1_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// SHA1 hash algorithm. See RFC 3174.
+// SHA-1 hash algorithm. See RFC 3174.

 package sha1


--- a/src/crypto/sha1/sha1block.go
+++ b/src/crypto/sha1/sha1block.go
@@ -11,7 +11,7 @@ const (
 	_K3 = 0xCA62C1D6
 )

-// blockGeneric is a portable, pure Go version of the SHA1 block step.
+// blockGeneric is a portable, pure Go version of the SHA-1 block step.
 // It's used by sha1block_generic.go and tests.
 func blockGeneric(dig *digest, p []byte) {
 	var w [16]uint32

--- a/src/crypto/sha1/sha1block_386.s
+++ b/src/crypto/sha1/sha1block_386.s
@@ -4,7 +4,7 @@

 #include "textflag.h"

-// SHA1 block routine. See sha1block.go for Go equivalent.
+// SHA-1 block routine. See sha1block.go for Go equivalent.
 //
 // There are 80 rounds of 4 types:
 //   - rounds 0-15 are type 1 and load data (ROUND1 macro).

--- a/src/crypto/sha1/sha1block_amd64.s
+++ b/src/crypto/sha1/sha1block_amd64.s
@@ -13,7 +13,7 @@

 #include "textflag.h"

-// SHA1 block routine. See sha1block.go for Go equivalent.
+// SHA-1 block routine. See sha1block.go for Go equivalent.
 //
 // There are 80 rounds of 4 types:
 //   - rounds 0-15 are type 1 and load data (ROUND1 macro).

--- a/src/crypto/sha1/sha1block_amd64p32.s
+++ b/src/crypto/sha1/sha1block_amd64p32.s
@@ -4,7 +4,7 @@

 #include "textflag.h"

-// SHA1 block routine. See sha1block.go for Go equivalent.
+// SHA-1 block routine. See sha1block.go for Go equivalent.
 //
 // There are 80 rounds of 4 types:
 //   - rounds 0-15 are type 1 and load data (ROUND1 macro).

--- a/src/crypto/sha1/sha1block_arm.s
+++ b/src/crypto/sha1/sha1block_arm.s
@@ -6,7 +6,7 @@

 #include "textflag.h"

-// SHA1 block routine. See sha1block.go for Go equivalent.
+// SHA-1 block routine. See sha1block.go for Go equivalent.
 //
 // There are 80 rounds of 4 types:
 //   - rounds 0-15 are type 1 and load data (ROUND1 macro).
@@ -25,11 +25,11 @@
 // Register definitions
 #define Rdata	R0	// Pointer to incoming data
 #define Rconst	R1	// Current constant for SHA round
-#define Ra	R2		// SHA1 accumulator
-#define Rb	R3		// SHA1 accumulator
-#define Rc	R4		// SHA1 accumulator
-#define Rd	R5		// SHA1 accumulator
-#define Re	R6		// SHA1 accumulator
+#define Ra	R2		// SHA-1 accumulator
+#define Rb	R3		// SHA-1 accumulator
+#define Rc	R4		// SHA-1 accumulator
+#define Rd	R5		// SHA-1 accumulator
+#define Re	R6		// SHA-1 accumulator
 #define Rt0	R7		// Temporary
 #define Rt1	R8		// Temporary
 // r9, r10 are forbidden
@@ -143,7 +143,7 @@ TEXT	·block(SB), 0, $352-16
 	ADD	Rdata, Rt0
 	MOVW	Rt0, p_end	// pointer to end of data

-	// Load up initial SHA1 accumulator
+	// Load up initial SHA-1 accumulator
 	MOVW	dig+0(FP), Rt0
 	MOVM.IA (Rt0), [Ra,Rb,Rc,Rd,Re]

@@ -210,7 +210,7 @@ loop4:	ROUND4(Ra, Rb, Rc, Rd, Re)
 	CMP	Rt0, Rdata
 	BLO	loop

-	// Save final SHA1 accumulator
+	// Save final SHA-1 accumulator
 	MOVW	dig+0(FP), Rt0
 	MOVM.IA [Ra,Rb,Rc,Rd,Re], (Rt0)


--- a/src/crypto/sha1/sha1block_s390x.go
+++ b/src/crypto/sha1/sha1block_s390x.go
@@ -5,7 +5,7 @@
 package sha1

 // featureCheck reports whether the CPU supports the
-// SHA1 compute intermediate message digest (KIMD)
+// SHA-1 compute intermediate message digest (KIMD)
 // function code.
 func featureCheck() bool


--- a/src/crypto/sha1/sha1block_s390x.s
+++ b/src/crypto/sha1/sha1block_s390x.s
@@ -10,7 +10,7 @@ TEXT ·featureCheck(SB),NOSPLIT,$16-1
 	XOR	R0, R0         // query function code is 0
 	WORD    $0xB93E0006    // KIMD (R6 is ignored)
 	MOVBZ	tmp-16(SP), R4 // get the first byte
-	AND	$0x40, R4      // bit 1 (big endian) for SHA1
+	AND	$0x40, R4      // bit 1 (big endian) for SHA-1
 	CMPBEQ	R4, $0, nosha1
 	MOVB	$1, ret+0(FP)
 	RET
@@ -23,7 +23,7 @@ TEXT ·block(SB),NOSPLIT,$0-32
 	MOVBZ	·useAsm(SB), R4
 	LMG	dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p)
 	CMPBNE	R4, $1, generic
-	MOVBZ	$1, R0        // SHA1 function code
+	MOVBZ	$1, R0        // SHA-1 function code
 loop:
 	WORD	$0xB93E0002   // KIMD R2
 	BVS	loop          // continue if interrupted