[strongSwan-dev] gmp and md5 plugin
Andreas Steffen
andreas.steffen at strongswan.org
Fri Nov 11 06:31:52 CET 2011
Hi,
the gmp plugin builds
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c;h=1b6c20817b9f07a4cf0f647f9fb68ebd1cea9c77;hb=HEAD#l211
and verifies
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c;h=a7ba80138af8cb54b044c5451793a95394248afd;hb=HEAD#l122
RSA signatures which involves hashing the data to be signed. As you
can see, any hash function could be used. Actually due to easily
constructed collisions MD5 is heavily deprecated and should not be
used any more. Even SHA-1 is endangered so in the future usually
SHA-2_256 or SHA-3_256 will be used in signatures. The IKEv2 protocol
does not have any requirement for the presence of MD5 so this
obsoleted algorithm can be disabled without problems.
As you can see, because the gmp plugin does not have any hard-coded
dependency on a specific hash algorithm we cannot check for the
presence of MD5, SHA-1 or SHA-2.
With strongSwan 4.6.x we introduced plugin dependencies which can
be inspected by the new "ipsec listplugins" command.
E.g. the pem plugin has an explicit requirement for the MD5 hash
algorithm:
pem:
PRIVKEY:ANY
HASHER:HASH_MD5
PRIVKEY:RSA
HASHER:HASH_MD5
PRIVKEY:ECDSA
HASHER:HASH_MD5
PRIVKEY:DSA
HASHER:HASH_MD5
since the PKCS#1 standard specifies that MD5 must be used
to hash the passphrase which optionally protects a private key
file.
Regards
Andreas
On 11/11/2011 03:08 AM, J. Tang wrote:
> I configured strongSwan with --disable-md5. I later discovered I
> needed the md5 plugin because of gmp. Should the configure script
> abort with an error if --enable-gmp and --disable-md5 are set?
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Dev
mailing list