[Merge] lp:~cjwatson/launchpad/digest-algo-sha384 into lp:launchpad
Colin Watson has proposed merging lp:~cjwatson/launchpad/digest-algo-sha384 into lp:launchpad.
Commit message:
Drop back to SHA-384 digests to avoid things like length extension attacks.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/digest-algo-sha384/+merge/289479
Drop back to SHA-384 digests to avoid things like length extension attacks. Suggested by Jason Gerard DeRose.
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/digest-algo-sha384 into lp:launchpad.
=== modified file 'lib/lp/services/gpg/handler.py'
--- lib/lp/services/gpg/handler.py 2016-03-18 00:48:59 +0000
+++ lib/lp/services/gpg/handler.py 2016-03-18 10:48:40 +0000
@@ -51,7 +51,6 @@
SecretGPGKeyImportDetected,
valid_fingerprint,
)
-from lp.services.openid.model.openididentifier import OpenIdIdentifier
from lp.services.timeline.requesttimeline import get_request_timeline
from lp.services.timeout import (
TimeoutError,
@@ -102,8 +101,7 @@
conf.write('no-auto-check-trustdb\n')
# Prefer a SHA-2 hash where possible, otherwise GPG will fall
# back to a hash it can use.
- conf.write(
- 'personal-digest-preferences SHA512 SHA384 SHA256 SHA224\n')
+ conf.write('personal-digest-preferences SHA384 SHA256 SHA224\n')
# create a local atexit handler to remove the configuration directory
# on normal termination.
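Review bot: The comment above the `personal-digest-preferences` write still only says "Prefer a SHA-2 hash where possible" and gives no reason why SHA512 is missing from the list, so a later cleanup could easily put it back. I would extend it, for example `# SHA512 is deliberately omitted: SHA-384 is a truncated SHA-2 variant, which avoids length extension.` SHA256 remains in the fallback list and is not a truncated variant, so the stated rationale holds only when the first preference is actually selected. If that fallback is kept for keys that cannot use SHA-384, the comment should say so. The enclosing function starts and ends outside this hunk.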
=== modified file 'lib/lp/services/gpg/tests/test_gpghandler.py'
--- lib/lp/services/gpg/tests/test_gpghandler.py 2016-03-18 00:48:59 +0000
+++ lib/lp/services/gpg/tests/test_gpghandler.py 2016-03-18 10:48:40 +0000
@@ -205,7 +205,7 @@
GPGKeyDoesNotExistOnServer,
removeSecurityProxy(self.gpg_handler)._getPubKey, fingerprint)
- def test_signContent_uses_sha512_digests(self):
+ def test_signContent_uses_sha384_digests(self):
secret_keys = [
("ppa-sample@xxxxxxxxxxxxxxxxx", ""), # 1024R
("ppa-sample-4096@xxxxxxxxxxxxxxxxx", ""), # 4096R
@@ -234,7 +234,7 @@
[validsig_line] = [
line for line in status if line.startswith(validsig_prefix)]
validsig_tokens = validsig_line[len(validsig_prefix):].split()
- self.assertEqual(gpgme.MD_SHA512, int(validsig_tokens[7]))
+ self.assertEqual(gpgme.MD_SHA384, int(validsig_tokens[7]))
class GPGServiceZopelessLayer(ZopelessDatabaseLayer, GPGServiceLayer):
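Review bot: The assertion on `int(validsig_tokens[7])` relies on an unexplained positional index, which makes it hard to confirm that the test is checking the digest algorithm and not a neighbouring field. Assuming `validsig_prefix` (defined outside this hunk) strips the status keyword, index 7 is the hash-algo field of GnuPG's VALIDSIG status line. A short comment such as `# VALIDSIG: token 7 is the hash algorithm id.` would document that. The test only pins the preferred digest for the two RSA sample keys listed, so the SHA256/SHA224 fallback path is not covered here.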