X-Git-Url: http://the.earth.li/gitweb/?a=blobdiff_plain;f=sigcheck.c;h=d0ca3d1965e8a8c8fa3f2254d0b8f5ea3f8364ef;hb=ec38d8bd7e8a66645e75e3d6c8b9dadb5dd85ec7;hp=900d3514fab414bd30ee85580b58a5c7108c9067;hpb=7f6a0a82eafb84548e5a298485533a2fd506f98d;p=onak.git diff --git a/sigcheck.c b/sigcheck.c index 900d351..d0ca3d1 100644 --- a/sigcheck.c +++ b/sigcheck.c @@ -20,6 +20,7 @@ #include #include "config.h" +#include "decodekey.h" #include "keyid.h" #include "keystructs.h" #include "log.h" @@ -69,6 +70,7 @@ int check_packet_sighash(struct openpgp_publickey *key, size_t hashlen[8]; int chunks, i; uint64_t keyid; + onak_status_t res; keyheader[0] = 0x99; keyheader[1] = key->publickey->length >> 8; @@ -108,6 +110,38 @@ int check_packet_sighash(struct openpgp_publickey *key, case 4: hashtype = sig->data[3]; + /* Check to see if this is an X509 based signature */ + if (sig->data[2] == 0 || sig->data[2] == 100) { + size_t len; + + keyid = 0; + res = parse_subpackets(&sig->data[4], + sig->length - 4, &len, + &keyid, NULL); + if (res != ONAK_E_OK) { + /* If it parses badly, reject it */ + return 0; + } + if (keyid == 0 && + /* No unhashed data */ + sig->data[4 + len] == 0 && + sig->data[5 + len] == 0 && + /* Dummy 0 checksum */ + sig->data[6 + len] == 0 && + sig->data[7 + len] == 0 && + /* Dummy MPI of 1 */ + sig->data[8 + len] == 0 && + sig->data[9 + len] == 1 && + sig->data[10 + len] == 1) { + get_keyid(key, &keyid); + logthing(LOGTHING_DEBUG, + "Skipping X509 signature on 0x%016" + PRIX64, + keyid); + return -1; + } + } + if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { packetheader[0] = 0x99; @@ -136,6 +170,10 @@ int check_packet_sighash(struct openpgp_publickey *key, hashdata[chunks] = sig->data; hashlen[chunks] = siglen = (sig->data[4] << 8) + sig->data[5] + 6;; + if (siglen > sig->length) { + /* Signature data exceed packet length, bogus */ + return 0; + } chunks++; v4trailer[0] = 4;