[strongSwan-dev] gmp and md5 plugin

Andreas Steffen andreas.steffen at strongswan.org
Fri Nov 11 06:31:52 CET 2011


Hi,

the gmp plugin builds

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c;h=1b6c20817b9f07a4cf0f647f9fb68ebd1cea9c77;hb=HEAD#l211

and verifies

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c;h=a7ba80138af8cb54b044c5451793a95394248afd;hb=HEAD#l122

RSA signatures, which involves hashing the data to be signed. As you
can see, any hash function could be used. Actually, due to easily
constructed collisions, MD5 is heavily deprecated and should not be
used any more. Even SHA-1 is endangered, so in the future usually
SHA-2_256 or SHA-3_256 will be used in signatures. The IKEv2 protocol
does not have any requirement for the presence of MD5, so this
obsoleted algorithm can be disabled without problems.

As you can see, because the gmp plugin does not have any hard-coded
dependency on a specific hash algorithm we cannot check for the
presence of MD5, SHA-1 or SHA-2.

With strongSwan 4.6.x we introduced plugin dependencies which can
be inspected by the new "ipsec listplugins" command.
E.g. the pem plugin has an explicit requirement for the MD5 hash
algorithm:

pem:
    PRIVKEY:ANY
        HASHER:HASH_MD5
    PRIVKEY:RSA
        HASHER:HASH_MD5
    PRIVKEY:ECDSA
        HASHER:HASH_MD5
    PRIVKEY:DSA
        HASHER:HASH_MD5

since the PKCS#1 standard specifies that MD5 must be used
to hash the passphrase which optionally protects a private key
file.

Regards

Andreas

On 11/11/2011 03:08 AM, J. Tang wrote:
> I configured strongSwan with --disable-md5. I later discovered I
> needed the md5 plugin because of gmp. Should the configure script
> abort with an error if --enable-gmp and --disable-md5 are set?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
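As an added illustration (not strongSwan's code, and not how the gmp or pem plugins are implemented), the Python below shows the two points made in the mail: a PKCS#1 v1.5 signing routine that takes the hash as a parameter, so nothing in the RSA arithmetic pins it to MD5, SHA-1 or SHA-2, together with a verifier that enforces a hash allow-list; and a small parser that scans `ipsec listplugins`-style output for features declaring a HASHER:HASH_MD5 dependency. The key generation is a seeded toy, the allowed-hash set and the sample listing (including its 'gmp' entry) are constructed, and the parser assumes the four-space-per-level layout shown in the mail.

```python
import hashlib
import hmac
import random

# DigestInfo DER prefixes from RFC 3447 section 9.2, keyed by hashlib name.
DIGEST_INFO = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
# Constructed verifier policy: MD5 and SHA-1 deliberately left out.
ALLOWED_HASHES = frozenset({"sha256"})

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; only used by the toy key generator below."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=1):
    """Seeded toy RSA key pair (assumption: too small for real use): ((n, e), (n, d))."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def emsa_pkcs1_v15(data, hash_name, em_len):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || H(data), for any listed hash."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    if em_len < len(t) + 11:
        raise ValueError("key too small for this hash")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign(priv, data, hash_name):
    """The RSA step never inspects which hash was chosen; that is the caller's decision."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(data, hash_name, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify(pub, data, sig, hash_name, allowed=ALLOWED_HASHES):
    """Returns (ok, reason); allowed=None disables the hash policy (any hash accepted)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if hash_name not in DIGEST_INFO:
        return False, "unsupported hash"
    if allowed is not None and hash_name not in allowed:
        return False, "hash %s rejected by policy" % hash_name
    if len(sig) != k:
        return False, "bad signature length"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15(data, hash_name, k)):
        return False, "signature mismatch"
    return True, "ok"

def md5_dependents(listing):
    """Map plugin -> features declaring HASHER:HASH_MD5 (assumes 4-space indentation)."""
    result, plugin, feature = {}, None, None
    for line in listing.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and stripped.endswith(":"):
            plugin, feature = stripped[:-1], None
        elif indent == 4:
            feature = stripped
        elif indent == 8 and stripped == "HASHER:HASH_MD5" and plugin and feature:
            result.setdefault(plugin, []).append(feature)
    return result

# Constructed sample in the listplugins layout from the mail; the gmp entry is made up.
SAMPLE_LISTING = """\
pem:
    PRIVKEY:ANY
        HASHER:HASH_MD5
    PRIVKEY:RSA
        HASHER:HASH_MD5
gmp:
    PRIVKEY:RSA
"""
```

Signing with "md5" succeeds and verifies when the policy is switched off (`allowed=None`), which is exactly why a build-time check for the hash cannot hang off the RSA code; the same signature is refused by the default policy, and `md5_dependents` is where an explicit dependency declaration such as pem's becomes visible.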