Open Bug 482882 Opened 15 years ago Updated 1 year ago
All uses of MD2 algorithm should be disabled
These 2 hashing algorithms have been broken and are no longer in wide use. There was agreement in bug 471539 that they should be turned off for signature verification by default. I haven't heard any rationale for continuing to support them for any other uses. So, I propose that we turn off these algorithms for all uses. This would necessitate changes in 2 places:

1) in pk11wrap

This should take care of all uses by higher levels, including for certificate signatures, S/MIME, VFY APIs, and of course pk11wrap APIs, regardless of which PKCS#11 module provides the mechanisms for MD2 and MD4. These algorithms should be off by default. It should be possible to turn them back on either by environment variable or programmatically. For the environment variable method, we may want fine-grain control for each algorithm, not one variable controlling a bunch of algorithms together.

2) in softoken or freebl

This is needed to prevent use of MD2 and MD4 by programs such as Java apps that only use the softoken PKCS#11 library, but not the higher-level NSS libraries. softoken already has a method of passing initialization parameters in to C_Initialize. This may not be acceptable to many applications, however. So we may want to also use the same environment variables as I propose to use in pk11wrap to turn off these algorithms in softoken/freebl.
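The policy gate proposed above, as an added model that is not NSS code: a signature's AlgorithmIdentifier is decoded to its OID, the digest it uses is looked up, and MD2/MD4 are rejected by default unless a per-algorithm switch is set. The environment variable names (NSS_ALLOW_MD2, NSS_ALLOW_MD4) and the sample DER bytes are constructed for this example.

```python
"""Model of a per-digest policy check for signature verification."""
import os

# Dotted OIDs of RSA signature algorithms and the digest each one uses.
SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.2": "MD2",      # md2WithRSAEncryption
    "1.2.840.113549.1.1.3": "MD4",      # md4WithRSAEncryption
    "1.2.840.113549.1.1.4": "MD5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA256",  # sha256WithRSAEncryption
}
# Digests off by default; each gets its own override switch rather than one
# variable that turns a whole group back on.
DISABLED_BY_DEFAULT = {"MD2", "MD4"}


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]  # first octet packs two arcs
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def signature_oid(alg_id: bytes) -> str:
    """Return the OID of a DER AlgorithmIdentifier (short-form lengths only)."""
    if len(alg_id) < 4 or alg_id[0] != 0x30 or alg_id[2] != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return decode_oid(alg_id[4:4 + alg_id[3]])


def hash_allowed(hash_name: str, env=None) -> bool:
    """Default policy plus a hypothetical per-algorithm override NSS_ALLOW_<ALG>=1."""
    env = os.environ if env is None else env
    if hash_name not in DISABLED_BY_DEFAULT:
        return True
    return env.get(f"NSS_ALLOW_{hash_name}") == "1"


def verify_signature_algorithm(alg_id: bytes, env=None) -> bool:
    """True if a signature using this AlgorithmIdentifier may be verified."""
    hash_name = SIG_OID_TO_HASH.get(signature_oid(alg_id))
    return hash_name is not None and hash_allowed(hash_name, env)


# Constructed samples: AlgorithmIdentifier with NULL parameters for MD2-RSA and SHA256-RSA.
MD2_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101020500")
SHA256_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0500")
```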
I have verified that MD4 not only has no implementation in softoken, but has no way to hook a PKCS #11 module up. There is no MD4 mechanism defined for PKCS #11, and the MD4 OID in NSS maps to CKM_INVALID_MECHANISM. bob
Bob, thanks! I think that means we can make this bug about MD2 only.
Summary: All uses of MD2 and MD4 algorithms should be disabled → All uses of MD2 algorithm should be disabled
In today's meeting, Bob suggested that we only disable MD2/MD4 in the VFY layer, the rationale for that being that they can still be used for checksum-type, non-cryptographic operations. MD4 is no longer an issue. That leaves MD2, which Nelson said is a fairly slow algorithm, and thus would seem to be a poor choice of checksum algorithm. Do we know anyone who is using MD2 in that fashion? I also don't think it's the role of NSS to provide algorithms for non-secure uses. However, MD2 support is a compatibility issue, and is still needed for several SSL2 cipher suites, for those people still intent on using that broken protocol. Regardless of what default we choose, I still think we need a switch for it, and I would prefer it to be an all-off switch than a partial one (as in bug 471539) or just for VFY.
I thought all uses of MD2 had already been disabled. Is this bug still open for a reason?
We don't disable MD2 everywhere currently. We do reject it for signatures*, but we do have an implementation for MD2 internally. We don't actually explicitly use it anywhere, but it is possible that it could show up in, say, an S/MIME signature or something.

*I think it's only turned off for CRL, Cert, and soon-to-be OCSP signatures.
Assignee: nobody → kjacobs.bugzilla
Status: NEW → ASSIGNED
Priority: -- → P1
QA Contact: jjones
Assignee: kjacobs.bugzilla → nobody
Status: ASSIGNED → NEW
Priority: P1 → P3