X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;ds=sidebyside;f=sigcheck.c;h=2401665b498bbfaf78c4662a55dcb0bf407bcb91;hb=85187675424f3854869f1607afd8a1e84e536946;hp=900d3514fab414bd30ee85580b58a5c7108c9067;hpb=7f6a0a82eafb84548e5a298485533a2fd506f98d;p=onak.git
diff --git a/sigcheck.c b/sigcheck.c
index 900d351..2401665 100644
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -13,13 +13,13 @@
* more details.
*
* You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 51
- * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * this program. If not, see .
*/
#include
-#include "config.h"
+#include "build-config.h"
+#include "decodekey.h"
#include "keyid.h"
#include "keystructs.h"
#include "log.h"
@@ -69,6 +69,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
size_t hashlen[8];
int chunks, i;
uint64_t keyid;
+ onak_status_t res;
keyheader[0] = 0x99;
keyheader[1] = key->publickey->length >> 8;
@@ -108,6 +109,38 @@ int check_packet_sighash(struct openpgp_publickey *key,
case 4:
hashtype = sig->data[3];
+ /* Check to see if this is an X509 based signature */
+ if (sig->data[2] == 0 || sig->data[2] == 100) {
+ size_t len;
+
+ keyid = 0;
+ res = parse_subpackets(&sig->data[4],
+ sig->length - 4, &len,
+ &keyid, NULL);
+ if (res != ONAK_E_OK) {
+ /* If it parses badly, reject it */
+ return 0;
+ }
+ if (keyid == 0 &&
+ /* No unhashed data */
+ sig->data[4 + len] == 0 &&
+ sig->data[5 + len] == 0 &&
+ /* Dummy 0 checksum */
+ sig->data[6 + len] == 0 &&
+ sig->data[7 + len] == 0 &&
+ /* Dummy MPI of 1 */
+ sig->data[8 + len] == 0 &&
+ sig->data[9 + len] == 1 &&
+ sig->data[10 + len] == 1) {
+ get_keyid(key, &keyid);
+ logthing(LOGTHING_DEBUG,
+ "Skipping X509 signature on 0x%016"
+ PRIX64,
+ keyid);
+ return -1;
+ }
+ }
+
if (packet != NULL) {
if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
packetheader[0] = 0x99;
@@ -136,6 +169,10 @@ int check_packet_sighash(struct openpgp_publickey *key,
hashdata[chunks] = sig->data;
hashlen[chunks] = siglen = (sig->data[4] << 8) +
sig->data[5] + 6;;
+ if (siglen > sig->length) {
+ /* Signature data exceed packet length, bogus */
+ return 0;
+ }
chunks++;
v4trailer[0] = 4;