X-Git-Url: http://the.earth.li/gitweb/?a=blobdiff_plain;f=sigcheck.c;h=3ee8d3959e0e2db27e1c8c264d4b631cdec22896;hb=0e735a0b184b202a0533c52171fc55506fa45db2;hp=a0f4feb2d6bada946f8eaf2f73088e64d997f8e6;hpb=a8eae82dbcc70ecb4380cf6393c6b594b9abe995;p=onak.git diff --git a/sigcheck.c b/sigcheck.c index a0f4feb..3ee8d39 100644 --- a/sigcheck.c +++ b/sigcheck.c @@ -20,6 +20,8 @@ #include #include "config.h" +#include "decodekey.h" +#include "keyid.h" #include "keystructs.h" #include "log.h" #include "openpgp.h" @@ -33,6 +35,7 @@ #include "md5.h" #include "sha1.h" #endif +#include "sha1x.h" int check_packet_sighash(struct openpgp_publickey *key, struct openpgp_packet *packet, @@ -42,6 +45,7 @@ int check_packet_sighash(struct openpgp_publickey *key, uint8_t *sighash; size_t siglen, unhashedlen; struct sha1_ctx sha1_context; + struct sha1x_ctx sha1x_context; struct md5_ctx md5_context; #ifdef NETTLE_WITH_RIPEMD160 struct ripemd160_ctx ripemd160_context; @@ -65,6 +69,7 @@ int check_packet_sighash(struct openpgp_publickey *key, uint8_t *hashdata[8]; size_t hashlen[8]; int chunks, i; + uint64_t keyid; keyheader[0] = 0x99; keyheader[1] = key->publickey->length >> 8; @@ -104,6 +109,32 @@ int check_packet_sighash(struct openpgp_publickey *key, case 4: hashtype = sig->data[3]; + /* Check to see if this is an X509 based signature */ + if (sig->data[2] == 0 || sig->data[2] == 100) { + size_t len; + + keyid = 0; + len = parse_subpackets(&sig->data[4], &keyid, NULL); + if (keyid == 0 && + /* No unhashed data */ + sig->data[4 + len] == 0 && + sig->data[5 + len] == 0 && + /* Dummy 0 checksum */ + sig->data[6 + len] == 0 && + sig->data[7 + len] == 0 && + /* Dummy MPI of 1 */ + sig->data[8 + len] == 0 && + sig->data[9 + len] == 1 && + sig->data[10 + len] == 1) { + get_keyid(key, &keyid); + logthing(LOGTHING_DEBUG, + "Skipping X509 signature on 0x%016" + PRIX64, + keyid); + return -1; + } + } + if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { packetheader[0] = 0x99; @@ -149,8 +180,10 @@ int check_packet_sighash(struct openpgp_publickey *key, sighash = &sig->data[siglen + unhashedlen + 2]; break; default: - logthing(LOGTHING_ERROR, "Unknown signature version %d", - sig->data[0]); + get_keyid(key, &keyid); + logthing(LOGTHING_ERROR, + "Unknown signature version %d on 0x%016" PRIX64, + sig->data[0], keyid); return -1; } @@ -178,10 +211,18 @@ int check_packet_sighash(struct openpgp_publickey *key, } ripemd160_digest(&ripemd160_context, RIPEMD160_DIGEST_SIZE, hash); + break; #else logthing(LOGTHING_INFO, "RIPEMD160 support not available."); return -1; #endif + case OPENPGP_HASH_SHA1X: + sha1x_init(&sha1x_context); + for (i = 0; i < chunks; i++) { + sha1x_update(&sha1x_context, hashlen[i], hashdata[i]); + } + sha1x_digest(&sha1x_context, 20, hash); + break; case OPENPGP_HASH_SHA224: #ifdef NETTLE_WITH_SHA224 sha224_init(&sha224_context); @@ -235,13 +276,16 @@ int check_packet_sighash(struct openpgp_publickey *key, return -1; #endif default: - logthing(LOGTHING_ERROR, "Unsupported signature hash type %d", - hashtype); + get_keyid(key, &keyid); + logthing(LOGTHING_ERROR, + "Unsupported signature hash type %d on 0x%016" PRIX64, + hashtype, + keyid); return -1; } logthing(LOGTHING_DEBUG, "Hash type: %d, %d chunks, " - "calculated: %02X%02X / actual: %02X%02X\n", + "calculated: %02X%02X / actual: %02X%02X", hashtype, chunks, hash[0], hash[1], sighash[0], sighash[1]);