From 0e735a0b184b202a0533c52171fc55506fa45db2 Mon Sep 17 00:00:00 2001 From: Jonathan McDowell Date: Mon, 4 Nov 2013 21:57:49 -0800 Subject: [PATCH] Skip signature hash verification for X509 signatures X509 signatures don't have a valid hash checksum and can't be easily verified without full X509 support. Skip them in check_packet_sighash entirely. --- decodekey.h | 13 +++++++++++++ sigcheck.c | 27 +++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/decodekey.h b/decodekey.h index 11e2448..8cd5480 100644 --- a/decodekey.h +++ b/decodekey.h @@ -76,4 +76,17 @@ char **keyuids(struct openpgp_publickey *key, char **primary); */ uint64_t *keysubkeys(struct openpgp_publickey *key); +/** + * parse_subpackets - Parse the subpackets of a Type 4 signature. + * @data: The subpacket data. + * @keyid: A pointer to where we should return the keyid. + * @creationtime: A pointer to where we should return the creation time. + * + * This function parses the subkey data of a Type 4 signature and fills + * in the supplied variables. It also returns the length of the data + * processed. If the value of any piece of data is not desired a NULL + * can be passed instead of a pointer to a storage area for that value. + */ +int parse_subpackets(unsigned char *data, uint64_t *keyid, time_t *creation); + #endif diff --git a/sigcheck.c b/sigcheck.c index 900d351..3ee8d39 100644 --- a/sigcheck.c +++ b/sigcheck.c @@ -20,6 +20,7 @@ #include #include "config.h" +#include "decodekey.h" #include "keyid.h" #include "keystructs.h" #include "log.h" @@ -108,6 +109,32 @@ int check_packet_sighash(struct openpgp_publickey *key, case 4: hashtype = sig->data[3]; + /* Check to see if this is an X509 based signature */ + if (sig->data[2] == 0 || sig->data[2] == 100) { + size_t len; + + keyid = 0; + len = parse_subpackets(&sig->data[4], &keyid, NULL); + if (keyid == 0 && + /* No unhashed data */ + sig->data[4 + len] == 0 && + sig->data[5 + len] == 0 && + /* Dummy 0 checksum */ + sig->data[6 + len] == 0 && + sig->data[7 + len] == 0 && + /* Dummy MPI of 1 */ + sig->data[8 + len] == 0 && + sig->data[9 + len] == 1 && + sig->data[10 + len] == 1) { + get_keyid(key, &keyid); + logthing(LOGTHING_DEBUG, + "Skipping X509 signature on 0x%016" + PRIX64, + keyid); + return -1; + } + } + if (packet != NULL) { if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) { packetheader[0] = 0x99; -- 2.39.5