In the aftermath of https://shattered.it we looked at the usage of SHA1 in DebianInstaller, and what we found was a debacle…

Tasks

Overview

Each official Debian release publishes a Release file, with a detached Release.gpg signature file to authenticate it. Packages files exist for each architecture (and for each component: main, contrib, non-free), but they do not have GnuPG signatures. Instead, the Release file contains checksums to authenticate each of the Packages files.

The 'woody' release (2002) was the first to publish SHA1 sums of Packages files in the Release file. Prior to that, only an MD5Sum field was present.

The 'etch' release (2007) also added a field for SHA256 sums. But to date, libdebian-installer does not parse it, so anna (which fetches .udeb installer components) and cdebootstrap (which fetches .deb base system packages) cannot yet verify the SHA256 sums.

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L43

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L58

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/package.h/#L115

To date, anna still only implements MD5 verification of .udeb files, and cdebootstrap only implements MD5 verification of .deb files, despite MD5's formal deprecation as a digital signature algorithm by RFC6151 (2011) and recommendations of academic literature years prior. The files are typically downloaded via insecure HTTP transport, so the checksum verification is critical for the security of the installed system.

https://tools.ietf.org/html/rfc6151#section-2

http://sources.debian.net/src/anna/1.57/anna.c/#L321

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L61

cdebootstrap did, however, implement verification of the Packages files using the SHA1 field of the Release file in version 0.5.8 (2011). That first featured in the installer of the 'wheezy' release (2013).

But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte hex string. cdebootstrap did not consider this, and so it would only compare the first 32 bytes of the hex string against the expected value (effectively truncating the SHA1 hash from 160 to only 128 bits):

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54

  if (!strncmp (buf, sum, 32))
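The effect of that 32-character comparison on a 40-character SHA1 sum, next to a length-aware check, as an added example (not cdebootstrap's code). The names truncated_match and full_match, the layout assumed for buf and the sample values are hypothetical, constructed for illustration:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hex digest lengths of the Release file checksum fields. */
static const struct { const char *tool; size_t hexlen; } algos[] = {
    { "md5sum", 32 }, { "sha1sum", 40 }, { "sha256sum", 64 },
};

/* The comparison quoted above: only the first 32 hex characters count. */
int truncated_match(const char *buf, const char *sum)
{
    return !strncmp(buf, sum, 32);
}

/* Hypothetical replacement: compare the full digest for the named tool.
 * Assumes buf holds "<hex digest>[ whitespace name]" as sha1sum prints it. */
int full_match(const char *tool, const char *buf, const char *sum)
{
    for (size_t i = 0; i < sizeof algos / sizeof algos[0]; i++) {
        size_t n = algos[i].hexlen;
        if (strcmp(tool, algos[i].tool) != 0)
            continue;
        if (strlen(sum) != n || strlen(buf) < n)
            return 0;               /* expected or computed sum too short */
        for (size_t j = 0; j < n; j++)
            if (!isxdigit((unsigned char)sum[j]))
                return 0;           /* expected value is not hex */
        if (buf[n] != '\0' && !isspace((unsigned char)buf[n]))
            return 0;               /* computed digest longer than n */
        return strncmp(buf, sum, n) == 0;
    }
    return 0;                       /* unknown tool: fail closed */
}

/* Constructed sample values: identical in the first 32 hex characters,
 * different in the last 8. */
static const char computed[] = "da39a3ee5e6b4b0d3255bfef95601890afd80709  -\n";
static const char expected_ok[]  = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
static const char expected_bad[] = "da39a3ee5e6b4b0d3255bfef9560189000000000";

int main(void)
{
    printf("truncated, tail differs: %d\n", truncated_match(computed, expected_bad));
    printf("full,      tail differs: %d\n", full_match("sha1sum", computed, expected_bad));
    printf("full,      exact match:  %d\n", full_match("sha1sum", computed, expected_ok));
    return 0;
}
```

The truncated comparison accepts the sum whose last 8 hex characters differ; the length-aware check rejects it and also rejects an expected value whose length does not match the named algorithm.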

The current Debian 'testing' release - the upcoming 'stretch' release candidate - removed the SHA1 sums from the Release file. That was intended to deprecate SHA1 in favour of SHA256. An unintended consequence is that cdebootstrap, when SHA1 sums are unavailable, falls back to using only the MD5Sum field instead:

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79

  if (item->sum[1])
    return check_sum (target, "sha1sum", item->sum[1], buf_name);
  if (item->sum[0])
    return check_sum (target, "md5sum", item->sum[0], buf_name);

APT, the package manager used on an already-installed system, is not affected. SHA256 has already replaced SHA1 and MD5 there:

https://wiki.debian.org/Teams/Apt/Sha1Removal

Acknowledgements

Work on these issues began at the Berlin BSP, 2017-02. Many thanks to our hosts, Endocode AG!