X-Git-Url: https://the.earth.li/gitweb/?p=onak.git;a=blobdiff_plain;f=sigcheck.c;h=7732229abf75579516ea56cae281f7526bede028;hp=900d3514fab414bd30ee85580b58a5c7108c9067;hb=adc800dbc424a1e246dd4a82a0c2e88eeda25531;hpb=7f6a0a82eafb84548e5a298485533a2fd506f98d

diff --git a/sigcheck.c b/sigcheck.c
index 900d351..7732229 100644
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -13,13 +13,13 @@
  * more details.
  *
  * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 51
- * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
 #include <stdint.h>
 
 #include "config.h"
+#include "decodekey.h"
 #include "keyid.h"
 #include "keystructs.h"
 #include "log.h"
@@ -69,6 +69,7 @@ int check_packet_sighash(struct openpgp_publickey *key,
 	size_t hashlen[8];
 	int chunks, i;
 	uint64_t keyid;
+	onak_status_t res;
 
 	keyheader[0] = 0x99;
 	keyheader[1] = key->publickey->length >> 8;
@@ -108,6 +109,38 @@ int check_packet_sighash(struct openpgp_publickey *key,
 	case 4:
 		hashtype = sig->data[3];
 
+		/* Check to see if this is an X509 based signature */
+		if (sig->data[2] == 0 || sig->data[2] == 100) {
+			size_t len;
+
+			keyid = 0;
+			res = parse_subpackets(&sig->data[4],
+						sig->length - 4, &len,
+						&keyid, NULL);
+			if (res != ONAK_E_OK) {
+				/* If it parses badly, reject it */
+				return 0;
+			}
+			if (keyid == 0 &&
+					/* No unhashed data */
+					sig->data[4 + len] == 0 &&
+					sig->data[5 + len] == 0 &&
+					/* Dummy 0 checksum */
+					sig->data[6 + len] == 0 &&
+					sig->data[7 + len] == 0 &&
+					/* Dummy MPI of 1 */
+					sig->data[8 + len] == 0 &&
+					sig->data[9 + len] == 1 &&
+					sig->data[10 + len] == 1) {
+				get_keyid(key, &keyid);
+				logthing(LOGTHING_DEBUG,
+					"Skipping X509 signature on 0x%016"
+					PRIX64,
+					keyid);
+				return -1;
+			}
+		}
+
 		if (packet != NULL) {
 			if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
 				packetheader[0] = 0x99;
@@ -136,6 +169,10 @@ int check_packet_sighash(struct openpgp_publickey *key,
 		hashdata[chunks] = sig->data;
 		hashlen[chunks] = siglen = (sig->data[4] << 8) +
 			sig->data[5] + 6;;
+		if (siglen > sig->length) {
+			/* Signature data exceed packet length, bogus */
+			return 0;
+		}
 		chunks++;
 
 		v4trailer[0] = 4;