[PATCH] Disable importing V3 public keys from keyservers

David Leon Gil coruus at gmail.com
Fri Oct 10 15:41:21 CEST 2014


On Fri, Oct 10, 2014 at 4:44 AM, Werner Koch <wk at gnupg.org> wrote:
(quoting from multiple emails)
> On Fri, 10 Oct 2014 08:01, coruus at gmail.com said:
> Actually v3 keys are not anymore usable in 2.x unless you use
> --allow-weak-digest-algos (or --pgp2 in 2.0).

I don't think that this is, in fact, correct. Using default settings
(by creating a new blank home directory), GnuPG 2.0.26 (and 1.0.18)
will import V3 keys from keyservers. (Note: my test keys have V4
signatures.)

There's some test code here:
https://github.com/coruus/cooperpair/tree/master/keysteak

And a keyring with spoofed keys here:
https://github.com/coruus/cooperpair/raw/master/keysteak/test/pubring.gpg

The output of --list-packets for one of the keys:

    :public key packet:
    version 3, algo 1, created 1375731712, expires 0
    pkey[0]: [4091 bits]
    pkey[1]: [17 bits]
    keyid: 1202821CBE2CD9C1
    :user ID packet: "Tails developers (signing key) <tails at boum.org>"
    :signature packet: algo 1, keyid 1202821CBE2CD9C1
    version 4, created 1412873043, md5len 0, sigclass 0x13
    digest algo 10, begin of digest cf a6
    hashed subpkt 2 len 4 (sig created 2014-10-09)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    subpkt 16 len 8 (issuer key ID 1202821CBE2CD9C1)
    data: [4090 bits]

(You can retrieve the real key from
https://tails.boum.org/tails-signing.key to confirm it is a V4 public
key.)

If the current behavior isn't the intended one (particularly for
import via --import), then this may be CVE-worthy; it's a classic
protocol-format crossgrade.

> Having MD5 disabled is sufficient to reject this key.

Is there any way to disable it completely? Only some operations seem
to warn when using MD5.

(Note: I may be missing something in the code of GnuPG 2.1; I'm
struggling with getting bits of 2.1 to build at the moment, so this
has only been tested to not cause a build error at HEAD.)

> Adding extra code and more translatable strings is not needed.

Sorry; I forgot about translation. Silently failing (or reusing a
current string, though I didn't see anything quite right) would be
fine. (Corrected patch attached.)

I'd rather see V3 import from external sources -- even for key refresh
-- disabled entirely. There's some other code that could be removed in
that case.

> OTOH, everything received from a
> keyserver is not checked at that point and thus the version number may
> also be bogus.

Yes; but won't a V3 key with version number set to 4 be treated by
hash_public_key as a V4 key? (In that case, the keyid/fingerprint will
still be a -- meaningless -- SHA1 hash of the key.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Disable-importing-V3-or-older-public-keys-from-keyse.patch
Type: application/octet-stream
Size: 887 bytes
Desc: not available
URL: </pipermail/attachments/20141010/fae2d405/attachment.obj>
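
An added example, not part of the original message and not GnuPG code: a minimal Python audit that walks a binary keyring (such as the pubring.gpg linked above), reports the version each public key packet claims, and derives the key ID by the rule RFC 4880 defines for that version. The function names, the modulus and the timestamp are constructed for illustration; the same key material yields a different key ID depending only on the version byte.

```python
import hashlib
import struct

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary keyring."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, length, i = hdr & 0x3F, data[i], i + 1
            if 192 <= length < 224:
                length, i = ((length - 192) << 8) + data[i] + 192, i + 1
            elif length == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            elif length >= 224:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: length field is 1, 2 or 4 octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Return (version, key ID, importable) per public key/subkey packet."""
    report = []
    for tag, body in packets(data):
        if tag not in (6, 14):  # 6 = public key, 14 = public subkey
            continue
        version, keyid = body[0], None
        if version == 4:  # key ID = low 64 bits of the SHA-1 fingerprint
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            keyid = fpr.digest()[-8:].hex().upper()
        elif version in (2, 3):  # key ID = low 64 bits of the RSA modulus
            bits = struct.unpack_from(">H", body, 8)[0]
            keyid = body[10:10 + (bits + 7) // 8][-8:].hex().upper()
        report.append((version, keyid, version == 4))
    return report

def sample_packet(version, n, e=65537):  # constructed demo packet, not a usable key
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = bytes([version]) + struct.pack(">I", 1400000000)  # constructed timestamp
    body += (b"\x00\x00" if version < 4 else b"") + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body
N = 0xC0FFEE0123456789ABCDEF0011223345  # constructed modulus, same in both packets
SAMPLE = sample_packet(3, N) + sample_packet(4, N)
```

To check a real keyring, pass the file's bytes to `audit()`; ASCII-armored input has to be dearmored first.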

