From e624c41dbafd33af82c1153188d14de72fcc7cd8 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 7 Nov 2019 10:36:17 +0100 Subject: [PATCH] gpg: Add option --allow-weak-key-signatures. * g10/gpg.c (oAllowWeakKeySignatures): New. (opts): Add --allow-weak-key-signatures. (main): Set it. * g10/options.h (struct opt): Add flags.allow_weak_key_signatures. * g10/misc.c (print_sha1_keysig_rejected_note): New. * g10/sig-check.c (check_signature_over_key_or_uid): Print note and act on new option. Signed-off-by: Werner Koch
---
 doc/gpg.texi | 19 ++++++++++++++----- g10/gpg.c | 8 ++++++++ g10/main.h | 1 + g10/misc.c | 18 ++++++++++++++++++ g10/options.h | 1 + g10/sig-check.c | 4 +++- 6 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 450e521dc..674c4c6ba 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -113,9 +113,12 @@ only one command is allowed. Generally speaking, irrelevant options are silently ignored, and may not be checked for correctness. @command{@gpgname} may be run with no commands. In this case it will
-perform a reasonable action depending on the type of file it is given
-as input (an encrypted message is decrypted, a signature is verified,
-a file containing keys is listed, etc.).
+print a warning perform a reasonable action depending on the type of
+file it is given as input (an encrypted message is decrypted, a
+signature is verified, a file containing keys is listed, etc.).
+
+If you run into any problems, please add the option @option{--verbose}
+to the invocation to see more diagnostics.
 @menu
@@ -2387,10 +2390,10 @@ opposite meaning. The options are:
 @item self-sigs-only
 Accept only self-signatures while importing a key. All other
- key-signatures are skipped at an early import stage. This option
+ key signatures are skipped at an early import stage. This option
 can be used with @code{keyserver-options} to mitigate attempts to flood a key with bogus signatures from a keyserver. The drawback is
- that all other valid key-signatures, as required by the Web of Trust
+ that all other valid key signatures, as required by the Web of Trust
 are also not imported.
 @item repair-keys
@@ -3340,6 +3343,12 @@ weak. See also @option{--allow-weak-digest-algos} to disable rejection of weak digests. MD5 is always considered weak, and does not need to be listed explicitly.
+@item --allow-weak-key-signatures
+@opindex allow-weak-key-signatures
+To avoid a minor risk of collision attacks on third-party key
+signatures made using SHA-1, those key signatures are considered
+invalid. This options allows to override this restriction.
+
 @item --no-default-keyring
 @opindex no-default-keyring
 Do not add the default keyrings to the list of keyrings. Note that
diff --git a/g10/gpg.c b/g10/gpg.c
index 332b46e39..2eb4fd51d 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -414,6 +414,7 @@ enum cmd_and_opt_values
 oEnableDSA2,
 oDisableDSA2,
 oAllowWeakDigestAlgos,
+ oAllowWeakKeySignatures,
 oFakedSystemTime,
 oNoAutostart,
 oPrintPKARecords,
@@ -902,6 +903,9 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oNoSymkeyCache, "no-symkey-cache", "@"),
 ARGPARSE_s_n (oUseKeyboxd, "use-keyboxd", "@"),
+ /* Options to override new security defaults. */
+ ARGPARSE_s_n (oAllowWeakKeySignatures, "allow-weak-key-signatures", "@"),
+
 /* Options which can be used in special circumstances. They are not
 * published and we hope they are never required. */
 ARGPARSE_s_n (oUseOnlyOpenPGPCard, "use-only-openpgp-card", "@"),
@@ -3639,6 +3643,10 @@ main (int argc, char **argv)
 opt.flags.allow_weak_digest_algos = 1;
 break;
+ case oAllowWeakKeySignatures:
+ opt.flags.allow_weak_key_signatures = 1;
+ break;
+
 case oFakedSystemTime:
 {
 size_t len = strlen (pargs.r.ret_str);
diff --git a/g10/main.h b/g10/main.h
index 981315a4a..2001c8646 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -101,6 +101,7 @@ void print_pubkey_algo_note (pubkey_algo_t algo);
 void print_cipher_algo_note (cipher_algo_t algo);
 void print_digest_algo_note (digest_algo_t algo);
 void print_digest_rejected_note (enum gcry_md_algos algo);
+void print_sha1_keysig_rejected_note (void);
 void print_reported_error (gpg_error_t err, gpg_err_code_t skip_if_ec);
 void print_further_info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 void additional_weak_digest (const char* digestname);
diff --git a/g10/misc.c b/g10/misc.c
index d4ceb4db6..07ce1d41d 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -362,6 +362,24 @@ print_digest_rejected_note (enum gcry_md_algos algo)
 }
+void
+print_sha1_keysig_rejected_note (void)
+{
+ static int shown;
+
+ if (shown)
+ return;
+
+ shown = 1;
+ es_fflush (es_stdout);
+ log_info (_("Note: third-party key signatures using"
+ " the %s algorithm are rejected\n"),
+ gcry_md_algo_name (GCRY_MD_SHA1));
+ print_further_info ("use option \"%s\" to override",
+ "--allow-weak-key-signatures");
+}
+
+
 /* Print a message
 * "(reported error: %s)\n
 * in verbose mode to further explain an error. If the error code has
diff --git a/g10/options.h b/g10/options.h
index 26c8439b6..339804f59 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -246,6 +246,7 @@ struct
 unsigned int utf8_filename:1;
 unsigned int dsa2:1;
 unsigned int allow_weak_digest_algos:1;
+ unsigned int allow_weak_key_signatures:1;
 unsigned int large_rsa:1;
 unsigned int disable_signer_uid:1;
 /* Flag to enable experimental features from RFC4880bis. */
diff --git a/g10/sig-check.c b/g10/sig-check.c
index 3d8ed20f2..8a46f7653 100644
--- a/g10/sig-check.c
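Review bot: In the g10/misc.c hunk, print_sha1_keysig_rejected_note is added without a header comment, and the `static int shown` latch at its top is the part a reader most needs explained: the note is printed at most once per process, so it does not say which or how many signatures were rejected. I would add `/* Print a note, at most once per process, that third-party key signatures made with SHA-1 are rejected, and name the option which overrides that. */` above the definition. The hint passed to print_further_info is also the only user-facing string in the function that is not wrapped in `_()`; if that is deliberate, a short comment saying so would help.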
+++ b/g10/sig-check.c
@@ -1012,12 +1012,14 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 else if (IS_UID_SIG (sig) || IS_UID_REV (sig))
 {
 log_assert (packet->pkttype == PKT_USER_ID);
- if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig)
+ if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig
+ && !opt.flags.allow_weak_key_signatures)
 {
 /* If the signature was created using SHA-1 we consider this
 * signature invalid because it makes it possible to mount a
 * chosen-prefix collision. We don't do this for
 * self-signatures, though. */
+ print_sha1_keysig_rejected_note ();
 rc = gpg_error (GPG_ERR_DIGEST_ALGO);
 }
 else
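Review bot: With the added `&& !opt.flags.allow_weak_key_signatures` term, every third-party SHA-1 certification falls through to the ordinary `else` path when the option is set, and nothing in this hunk records that a signature was accepted only because of the override. Since the comment in this branch names chosen-prefix collisions as the reason for the rejection, I would emit a `log_info` for the accepted case as well, at least under `opt.verbose`, so that a keyring checked with the override leaves a trace of which signatures depended on it. The comment should also mention the new exception, e.g. by ending it with `* self-signatures, though, nor if --allow-weak-key-signatures is used. */`. The flag is process-wide rather than per key, and the rejection note is printed only once, so neither path identifies the affected signature. The enclosing function begins before this hunk and the `else` body continues past it.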