un-trusting MD5 in gpg [was: Re: removing SHA1 from digest preference list]

David Shaw dshaw at jabberwocky.com
Mon May 4 05:11:44 CEST 2009


On May 3, 2009, at 10:44 PM, David Shaw wrote:
>
>> Suggestions for how to go about doing this with gnupg?
>
> Try this patch (against the 1.4 branch):

Better patch:

Index: g10/sig-check.c
===================================================================
--- g10/sig-check.c	(revision 4987)
+++ g10/sig-check.c	(working copy)
@@ -60,6 +60,9 @@
      PKT_public_key *pk = xmalloc_clear( sizeof *pk );
      int rc=0;

+    if(sig->digest_algo==DIGEST_ALGO_MD5)
+      return G10ERR_BAD_SIGN;
+
      if( (rc=check_digest_algo(sig->digest_algo)) )
        ; /* we don't have this digest */
      else if((rc=check_pubkey_algo(sig->pubkey_algo)))
@@ -522,6 +525,10 @@
      sig = node->pkt->pkt.signature;
      algo = sig->digest_algo;

+    if(algo==DIGEST_ALGO_MD5)
+      return G10ERR_BAD_SIGN;
+
+
      /* Check whether we have cached the result of a previous signature
         check.  Note that we may no longer have the pubkey or hash
         needed to verify a sig, but can still use the cached value.  A

David




More information about the Gnupg-devel mailing list