X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;f=sigcheck.c;h=0bf6ae1e7eeb005499c3e47cec404702e4cbd830;hb=37801dca09e004c214604ae66323a628e100258d;hp=3ee8d3959e0e2db27e1c8c264d4b631cdec22896;hpb=0e735a0b184b202a0533c52171fc55506fa45db2;p=onak.git

diff --git a/sigcheck.c b/sigcheck.c
index 3ee8d39..0bf6ae1 100644
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -13,13 +13,12 @@
  * more details.
  *
  * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 51
- * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
 #include <stdint.h>
 
-#include "config.h"
+#include "build-config.h"
 #include "decodekey.h"
 #include "keyid.h"
 #include "keystructs.h"
@@ -47,19 +46,11 @@ int check_packet_sighash(struct openpgp_publickey *key,
 	struct sha1_ctx sha1_context;
 	struct sha1x_ctx sha1x_context;
 	struct md5_ctx md5_context;
-#ifdef NETTLE_WITH_RIPEMD160
+#ifdef HAVE_NETTLE
 	struct ripemd160_ctx ripemd160_context;
-#endif
-#ifdef NETTLE_WITH_SHA224
 	struct sha224_ctx sha224_context;
-#endif
-#ifdef NETTLE_WITH_SHA256
 	struct sha256_ctx sha256_context;
-#endif
-#ifdef NETTLE_WITH_SHA384
 	struct sha384_ctx sha384_context;
-#endif
-#ifdef NETTLE_WITH_SHA512
 	struct sha512_ctx sha512_context;
 #endif
 	uint8_t keyheader[3];
@@ -70,6 +61,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 	size_t hashlen[8];
 	int chunks, i;
 	uint64_t keyid;
+	onak_status_t res;
 
 	keyheader[0] = 0x99;
 	keyheader[1] = key->publickey->length >> 8;
@@ -114,7 +106,13 @@ int check_packet_sighash(struct openpgp_publickey *key,
 			size_t len;
 
 			keyid = 0;
-			len = parse_subpackets(&sig->data[4], &keyid, NULL);
+			res = parse_subpackets(&sig->data[4],
+						sig->length - 4, &len,
+						&keyid, NULL);
+			if (res != ONAK_E_OK) {
+				/* If it parses badly, reject it */
+				return 0;
+			}
 			if (keyid == 0 &&
 					/* No unhashed data */
 					sig->data[4 + len] == 0 &&
@@ -163,6 +161,10 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		hashdata[chunks] = sig->data;
 		hashlen[chunks] = siglen = (sig->data[4] << 8) +
 			sig->data[5] + 6;;
+		if (siglen > sig->length) {
+			/* Signature data exceed packet length, bogus */
+			return 0;
+		}
 		chunks++;
 
 		v4trailer[0] = 4;
@@ -202,8 +204,15 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		}
 		sha1_digest(&sha1_context, 20, hash);
 		break;
+	case OPENPGP_HASH_SHA1X:
+		sha1x_init(&sha1x_context);
+		for (i = 0; i < chunks; i++) {
+			sha1x_update(&sha1x_context, hashlen[i], hashdata[i]);
+		}
+		sha1x_digest(&sha1x_context, 20, hash);
+		break;
+#ifdef HAVE_NETTLE
 	case OPENPGP_HASH_RIPEMD160:
-#ifdef NETTLE_WITH_RIPEMD160
 		ripemd160_init(&ripemd160_context);
 		for (i = 0; i < chunks; i++) {
 			ripemd160_update(&ripemd160_context, hashlen[i],
@@ -212,19 +221,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		ripemd160_digest(&ripemd160_context, RIPEMD160_DIGEST_SIZE,
 			hash);
 		break;
-#else
-		logthing(LOGTHING_INFO, "RIPEMD160 support not available.");
-		return -1;
-#endif
-	case OPENPGP_HASH_SHA1X:
-		sha1x_init(&sha1x_context);
-		for (i = 0; i < chunks; i++) {
-			sha1x_update(&sha1x_context, hashlen[i], hashdata[i]);
-		}
-		sha1x_digest(&sha1x_context, 20, hash);
-		break;
 	case OPENPGP_HASH_SHA224:
-#ifdef NETTLE_WITH_SHA224
 		sha224_init(&sha224_context);
 		for (i = 0; i < chunks; i++) {
 			sha224_update(&sha224_context, hashlen[i],
@@ -232,12 +229,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		}
 		sha224_digest(&sha224_context, SHA224_DIGEST_SIZE, hash);
 		break;
-#else
-		logthing(LOGTHING_INFO, "SHA224 support not available.");
-		return -1;
-#endif
 	case OPENPGP_HASH_SHA256:
-#ifdef NETTLE_WITH_SHA256
 		sha256_init(&sha256_context);
 		for (i = 0; i < chunks; i++) {
 			sha256_update(&sha256_context, hashlen[i],
@@ -245,12 +237,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		}
 		sha256_digest(&sha256_context, SHA256_DIGEST_SIZE, hash);
 		break;
-#else
-		logthing(LOGTHING_INFO, "SHA256 support not available.");
-		return -1;
-#endif
 	case OPENPGP_HASH_SHA384:
-#ifdef NETTLE_WITH_SHA384
 		sha384_init(&sha384_context);
 		for (i = 0; i < chunks; i++) {
 			sha384_update(&sha384_context, hashlen[i],
@@ -258,12 +245,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		}
 		sha384_digest(&sha384_context, SHA384_DIGEST_SIZE, hash);
 		break;
-#else
-		logthing(LOGTHING_INFO, "SHA384 support not available.");
-		return -1;
-#endif
 	case OPENPGP_HASH_SHA512:
-#ifdef NETTLE_WITH_SHA512
 		sha512_init(&sha512_context);
 		for (i = 0; i < chunks; i++) {
 			sha512_update(&sha512_context, hashlen[i],
@@ -271,9 +253,6 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		}
 		sha512_digest(&sha512_context, SHA512_DIGEST_SIZE, hash);
 		break;
-#else
-		logthing(LOGTHING_INFO, "SHA512 support not available.");
-		return -1;
 #endif
 	default:
 		get_keyid(key, &keyid);