diff --git a/doc/manual/change-authors.yml b/doc/manual/change-authors.yml index bb1a5d7d0..60c0924c7 100644 --- a/doc/manual/change-authors.yml +++ b/doc/manual/change-authors.yml @@ -129,11 +129,6 @@ roberth: display_name: Robert Hensing github: roberth -tcmal: - display_name: Aria - forgejo: tcmal - github: tcmal - thufschmitt: display_name: Théophane Hufschmitt github: thufschmitt diff --git a/doc/manual/rl-next/reject-weak-hashes.md b/doc/manual/rl-next/reject-weak-hashes.md deleted file mode 100644 index 4b027a368..000000000 --- a/doc/manual/rl-next/reject-weak-hashes.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -synopsis: "Weak hash algorithms are now rejected in SRI form, and cause a warning otherwise" -category: Breaking Changes -credits: tcmal -cls: [2110] -issues: [8982, fj#114] ---- - -MD5 and SHA-1 algorithms are now no longer allowed in SRI form, as specified in [the spec](https://w3c.github.io/webappsec-subresource-integrity/#hash-functions). - -These hash types will also give a warning when used in other cases. diff --git a/src/libutil/hash.cc b/src/libutil/hash.cc index 280b815d2..d383e9802 100644 --- a/src/libutil/hash.cc +++ b/src/libutil/hash.cc @@ -8,7 +8,6 @@ #include "hash.hh" #include "archive.hh" #include "charptr-cast.hh" -#include "fmt.hh" #include "logging.hh" #include "split.hh" #include "strings.hh" 
@@ -211,17 +210,6 @@ Hash Hash::parseNonSRIUnprefixed(std::string_view s, HashType type) Hash::Hash(std::string_view rest, HashType type, bool isSRI) : Hash(type) { - if (type == HashType::MD5 || type == HashType::SHA1) { - if (isSRI) { - // Forbidden as per https://w3c.github.io/webappsec-csp/#grammardef-hash-algorithm - throw BadHash("%s values are not allowed in SRI hashes", printHashType(type)); - } else { - logWarning({ - .msg = HintFmt("%s hashes are considered weak, use a newer hashing algorithm instead. (value: %s)", Uncolored(printHashType(type)), rest) - }); - } - } - if (!isSRI && rest.size() == base16Len()) { auto parseHexDigit = [&](char c) { diff --git a/tests/functional/hash.sh b/tests/functional/hash.sh index aeebf298d..34c1bb38a 100644 --- a/tests/functional/hash.sh +++ b/tests/functional/hash.sh @@ -102,5 +102,6 @@ try3() { h16=$(nix hash to-base16 "$sri") [ "$h16" = "$2" ] } +try3 sha1 "800d59cfcd3c05e900cb4e214be48f6b886a08df" "vw46m23bizj4n8afrc0fj19wrp7mj3c0" "gA1Zz808BekAy04hS+SPa4hqCN8=" try3 sha256 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" "1b8m03r63zqhnjf7l5wnldhh7c134ap5vpj0850ymkq1iyzicy5s" "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=" try3 sha512 "204a8fc6dda82f0a0ced7beb8e08a41657c16ef468b228a8279be331a703c33596fd15c13b1b07f9aa1d3bea57789ca031ad85c7a71dd70354ec631238ca3445" "12k9jiq29iyqm03swfsgiw5mlqs173qazm3n7daz43infy12pyrcdf30fkk3qwv4yl2ick8yipc2mqnlh48xsvvxl60lbx8vp38yji0" "IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ==" diff --git a/tests/functional/meson.build b/tests/functional/meson.build index fbf251042..f56ced48d 100644 --- a/tests/functional/meson.build +++ b/tests/functional/meson.build @@ -191,7 +191,6 @@ functional_tests_scripts = [ 'extra-sandbox-profile.sh', 'substitute-truncated-nar.sh', 'regression-484.sh', - 'reject-weak-hashes.sh' ] # Plugin tests require shared libraries support. 
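Review bot: The re-added `try3 sha1 …` line in tests/functional/hash.sh appears to pin SHA-1 as accepted in SRI form, since the visible tail of try3 feeds `$sri` to `nix hash to-base16` and compares the result with the base-16 argument, but nothing records that this is deliberate. The same commit drops the MD5/SHA-1 branch from `Hash::Hash` in src/libutil/hash.cc and deletes reject-weak-hashes.sh, so after it no test covers how weak algorithms are diagnosed, and the removed release note itself says the SRI spec does not allow them. If acceptance is intended, state it above the line, e.g. `# sha1 is still accepted, SRI form included, for compatibility; see the SRI spec's hash-function list`, and consider keeping the non-fatal warning for non-SRI input so weak hashes stay visible in logs. try3 starts outside the hunk, so how `$sri` is derived is inferred.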
diff --git a/tests/functional/reject-weak-hashes.sh b/tests/functional/reject-weak-hashes.sh
deleted file mode 100644
index 3565604f1..000000000
--- a/tests/functional/reject-weak-hashes.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-source common.sh
-
-expectStderr 1 nix hash to-sri md5-rrdBU2a35b2PM2ZO+n/zGw== \
- | grepQuiet "md5 values are not allowed"
-expectStderr 1 nix hash to-sri sha1-SXZKz6Po0xFryhnhSDvvOfAuBOo= \
- | grepQuiet "sha1 values are not allowed"
-
-nix hash to-sri --type md5 a180c3fe91680389c210c99def54d9e0 2>&1 \
- | grepQuiet "md5 hashes are considered weak"
-nix hash to-sri --type sha1 49764acfa3e8d3116bca19e1483bef39f02e04ea 2>&1 \
- | grepQuiet "sha1 hashes are considered weak"