un-trusting MD5 in gpg [was: Re: removing SHA1 from digest preference list]

David Shaw dshaw at jabberwocky.com
Mon May 4 04:44:04 CEST 2009


On May 3, 2009, at 8:48 PM, Daniel Kahn Gillmor wrote:

> Gnupg warns when *creating* md5 signatures, but that doesn't protect
> against signatures that already exist, and it doesn't seem to protect
> against interpreting or trusting signatures that rely on this
> known-broken digest algorithm.
>
> To be clear: i'm not looking to tell gnupg today "do not trust SHA1
> digests," but i *am* looking to tell gnupg today "do not trust MD5
> digests".  I'm willing to take that risk of cutting myself off from
> older implementations with respect to MD5.  And i'm interested in  
> seeing
> what the consequences will be of taking such an action.

There is no way to do this aside from modifying the source.  It's an
interesting idea, though.  At a minimum, it would imply cutting
yourself off from most, if not all, PGP 2.x support.  I somewhat  
suspect it would also affect some versions of PGP that are newer than  
PGP 2.x, but yet aren't quite OpenPGPish (say, PGP 5 and 6 as they can  
sometimes use old format packets that might expect MD5).  It would  
certainly break the GPG selftest as that expects MD5 to be present in  
a number of places.

Funny, now that I think about it more, it doesn't really break all  
that much.  As a community, we've done a pretty good job of removing  
MD5 from our lives.

The main problem is that the GPG code isn't really built with the  
concept that MD5 might suddenly not be available.  That's changeable,  
of course (the selftest can be fixed, etc), but it's not trivial.

> Suggestions for how to go about doing this with gnupg?

Try this patch (against the 1.4 branch):

Index: g10/sig-check.c
===================================================================
--- g10/sig-check.c	(revision 4987)
+++ g10/sig-check.c	(working copy)
@@ -60,6 +60,9 @@
      PKT_public_key *pk = xmalloc_clear( sizeof *pk );
      int rc=0;

+    if(sig->digest_algo==DIGEST_ALGO_MD5)
+      return G10ERR_BAD_SIGN;
+
      if( (rc=check_digest_algo(sig->digest_algo)) )
        ; /* we don't have this digest */
      else if((rc=check_pubkey_algo(sig->pubkey_algo)))
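Review bot: the early return added ahead of the check_digest_algo() call exits after pk has already been allocated with xmalloc_clear() a few lines above, so each MD5 signature that hits this path leaks that structure. Consider setting rc instead and letting the existing chain continue, i.e. "if(sig->digest_algo==DIGEST_ALGO_MD5) rc=G10ERR_BAD_SIGN;" with the check_digest_algo() test becoming its "else if", so the function reaches the same exit path as the other failures. A one-line comment noting that this is a local policy rejection, and that G10ERR_BAD_SIGN makes it indistinguishable from a cryptographically bad signature, would also help whoever reads the result later.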

That will artificially cause any signature made with MD5 to not  
verify.  Alternately (and a far more drastic change), in cipher/md.c  
there is a function load_digest_module().  In it there are two lines  
that read:

   if (!new_list_item (DIGEST_ALGO_MD5, md5_get_info))
     BUG ();

Remove or comment out those two lines.  This second method actually  
removes MD5 completely from GPG.  It will likely break in more places  
than the signature hack (for example --print-mds won't work, etc).

I'd be very interested to hear how well you get on without MD5.

David
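
The same policy can be checked outside GnuPG by reading the hash algorithm field of a signature packet before trusting it. The following is an added example, not code from this post or from GnuPG: the function names and sample bytes are hypothetical, the packet layout and algorithm IDs (MD5 = 1, SHA-256 = 8) follow RFC 4880, and only one- and two-octet length headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SIGNATURE 2  /* RFC 4880 packet tag */
#define HASH_MD5      1  /* RFC 4880 hash algorithm ID */

/* Constructed samples: only the fields read below, no real signature data. */
static const uint8_t v3_md5[] = { 0x88, 17, 3, 5, 0, 0,0,0,0, 0,0,0,0,0,0,0,0, 1, HASH_MD5 };
static const uint8_t v4_sha256[] = { 0xC2, 4, 4, 0, 1, 8 };

/* Hash algorithm ID of the signature packet at buf, or -1 if it is not a
   v3/v4 signature packet that this parser handles. */
int sig_digest_algo(const uint8_t *buf, size_t len)
{
    size_t hdr, body;
    if (len < 2 || !(buf[0] & 0x80)) return -1;
    if (buf[0] & 0x40) {                        /* new-format header */
        if ((buf[0] & 0x3f) != TAG_SIGNATURE) return -1;
        if (buf[1] < 192) { hdr = 2; body = buf[1]; }
        else if (buf[1] < 224 && len >= 3) {
            hdr = 3; body = ((size_t)(buf[1] - 192) << 8) + buf[2] + 192;
        } else return -1;                       /* longer/partial lengths */
    } else {                                    /* old-format header */
        if (((buf[0] >> 2) & 0x0f) != TAG_SIGNATURE) return -1;
        if ((buf[0] & 3) == 0) { hdr = 2; body = buf[1]; }
        else if ((buf[0] & 3) == 1 && len >= 3) {
            hdr = 3; body = ((size_t)buf[1] << 8) | buf[2];
        } else return -1;                       /* 4-octet/indeterminate */
    }
    if (body > len - hdr) return -1;            /* truncated packet */
    const uint8_t *p = buf + hdr;
    if (body >= 17 && p[0] == 3 && p[1] == 5) return p[16];  /* v3 layout */
    if (body >= 4 && p[0] == 4) return p[3];                 /* v4 layout */
    return -1;
}

/* Nonzero means "do not trust": MD5, or anything that failed to parse. */
int sig_rejected_by_policy(const uint8_t *buf, size_t len)
{
    int algo = sig_digest_algo(buf, len);
    return algo < 0 || algo == HASH_MD5;
}

int main(void)
{
    printf("v3/MD5 rejected: %d\n", sig_rejected_by_policy(v3_md5, sizeof v3_md5));
    printf("v4/SHA-256 rejected: %d\n", sig_rejected_by_policy(v4_sha256, sizeof v4_sha256));
    return 0;
}
```

The v3 branch matters for this thread because old-format v3 signatures are where MD5 from PGP 2.x-era keys shows up.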



