IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Wed, 01 March 2023 11:42 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E78D8C151555 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 03:42:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.693
X-Spam-Level:
X-Spam-Status: No, score=-1.693 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-nFwandb6ZR for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 03:42:29 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59B18C14CE44 for <openpgp@ietf.org>; Wed, 1 Mar 2023 03:42:28 -0800 (PST)
Received: (qmail 13643 invoked by uid 500); 1 Mar 2023 11:42:25 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
In-Reply-To: <87wn41ru96.fsf@fifthhorseman.net>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net>
Date: Wed, 01 Mar 2023 12:42:24 +0100
Message-ID: <87cz5sbsv3.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: -
X-Rspamd-Report: MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.511654)
X-Rspamd-Score: -1.711654
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Wed, 01 Mar 2023 12:42:25 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=bqaLduWyYURXhZrTtg9KFKdCRqBfnWpsO9sBecL5QE0=; b=yLmqs1AUFuL/Wqw2nEOiTiSFmBYSIVbzm9fLlGAd1IJLJaUIw48J+Bv71MbCMNebJPE6jZ5iye S2V9JHVh2Z5VQ12LsTE/0XCLk0TMarfbSsdoGWAgrbyn5kO2PD9xx58Qr6gxj7SRp78dvsYsOi9w 4TCwwsO/iCf/7pzsaPaL0lU+FN5RH8JRqd2FiAScJ6h5DZxx5DV5NmxZiHPqb3If/uYhkEKXK5tH so/3HjUPHDqx3qKz6ebt3oPiE4Kn/zzY1WgE3vgX6C0smg5vYUWQbATbEfEoBrEHwLHBuB6fGPxN EFYC6GaBFrC6LmrPpFqATiWFWYSDdgxSKtqlFm3v9JWkUGOcw0PQ5Z7WlakutuzAMETwLyUlIHJN Rb7OUir9npSBdXFql/cmZroGdpkpxF19y3etpdpR88kwc3gIoMXBfqY4Td4DFriwf3VyHphwih6A pIr34Es48GEJ9YjhHRAnOgR3g2o7JpKIjr7/lWlyb8/2Evc7oiaHocdCiEOxWIsezyTYJwQ4CVPS 5s1tUoirv1b1JyW17qKlLfwiYmkxkXzAiUdAJE17JM/be4pyWW0ZBauVQsfwJtHm0qghD8LnYLu5 NV9Fo3OdlaUwHN2SaDoDSSt4316lCX00RnVlfTyFuaLKRav0Mw7Xd4Sufr/tPqPgMlcrCpRmthHd w=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aXtaKjrpJvqjGSV1haAm15_qr0M>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 11:42:34 -0000

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>> It MUST NOT modify such malformed signatures.
>
> Where does this constraint come from?  Why is it here?

I'm also very skeptical of this requirement.  Andrew, in your mail you wrote:

>> This is more or less a statement of current reality, with an added
>> prohibition against invalidating any checksum over the signature
>> packet.

Note that checksum over signatures in the OpenPGP sense do neither
include the digest prefix nor the unhashed subpacket area.

Any code that relies on signatures not changing their on-wire
representation is likely wrong.  If you checksum or compare signatures,
you must exclude information not covered by the OpenPGP hash, like the
unhashed subpacket area and the packet framing.  The unhashed subpacket
area is there for the sole purpose of being able to add information to
the signature after the fact (or strip them, or reorder them).  You
cannot rely on others not doing that.

Best,
Justus

v2.23.0 | Report a Bug | By Email