From: Jonathan McDowell <noodles@earth.li>
Date: Tue, 5 Nov 2013 05:57:49 +0000 (-0800)
Subject: Skip signature hash verification for X509 signatures
X-Git-Tag: onak-0.4.3~34
X-Git-Url: http://the.earth.li/gitweb/?p=onak.git;a=commitdiff_plain;h=0e735a0b184b202a0533c52171fc55506fa45db2

Skip signature hash verification for X509 signatures

X509 signatures don't have a valid hash checksum and can't be easily
verified without full X509 support. Skip them in check_packet_sighash
entirely.
---

diff --git a/decodekey.h b/decodekey.h
index 11e2448..8cd5480 100644
--- a/decodekey.h
+++ b/decodekey.h
@@ -76,4 +76,17 @@ char **keyuids(struct openpgp_publickey *key, char **primary);
  */
 uint64_t *keysubkeys(struct openpgp_publickey *key);
 
+/**
+ *	parse_subpackets - Parse the subpackets of a Type 4 signature.
+ *	@data: The subpacket data.
+ *	@keyid: A pointer to where we should return the keyid.
+ *	@creationtime: A pointer to where we should return the creation time.
+ *
+ *	This function parses the subkey data of a Type 4 signature and fills
+ *	in the supplied variables. It also returns the length of the data
+ *	processed. If the value of any piece of data is not desired a NULL
+ *	can be passed instead of a pointer to a storage area for that value.
+ */
+int parse_subpackets(unsigned char *data, uint64_t *keyid, time_t *creation);
+
 #endif
diff --git a/sigcheck.c b/sigcheck.c
index 900d351..3ee8d39 100644
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -20,6 +20,7 @@
 #include <stdint.h>
 
 #include "config.h"
+#include "decodekey.h"
 #include "keyid.h"
 #include "keystructs.h"
 #include "log.h"
@@ -108,6 +109,32 @@ int check_packet_sighash(struct openpgp_publickey *key,
 	case 4:
 		hashtype = sig->data[3];
 
+		/* Check to see if this is an X509 based signature */
+		if (sig->data[2] == 0 || sig->data[2] == 100) {
+			size_t len;
+
+			keyid = 0;
+			len = parse_subpackets(&sig->data[4], &keyid, NULL);
+			if (keyid == 0 &&
+					/* No unhashed data */
+					sig->data[4 + len] == 0 &&
+					sig->data[5 + len] == 0 &&
+					/* Dummy 0 checksum */
+					sig->data[6 + len] == 0 &&
+					sig->data[7 + len] == 0 &&
+					/* Dummy MPI of 1 */
+					sig->data[8 + len] == 0 &&
+					sig->data[9 + len] == 1 &&
+					sig->data[10 + len] == 1) {
+				get_keyid(key, &keyid);
+				logthing(LOGTHING_DEBUG,
+					"Skipping X509 signature on 0x%016"
+					PRIX64,
+					keyid);
+				return -1;
+			}
+		}
+
 		if (packet != NULL) {
 			if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
 				packetheader[0] = 0x99;