gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures.

* g10/sig-check.c (check_signature_over_key_or_uid): Reject cewrtain SHA-1 based signatures. -- Signed-off-by: Werner Koch <[email protected]>
author: Werner Koch <[email protected]> 2019-10-03 15:43:26 +0000
committer: Werner Koch <[email protected]> 2019-10-03 15:43:26 +0000
commit: c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4 (patch)
tree: be1eda90d80fd9a7e15307c63c035fb227b0c8b6 /g10/sig-check.c
parent: gpg: Read the UBID from the keybox and detect wrong blob type. (diff)
download: gnupg-c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4.tar.gz
gnupg-c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4.zip
1 files changed, 29 insertions, 15 deletions
diff --git a/g10/sig-check.c b/g10/sig-check.c
index 4c172d692..139ad93eb 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -871,6 +871,10 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
   PKT_public_key *pripk = kb->pkt->pkt.public_key;
   gcry_md_hd_t md;
   int signer_alloced = 0;
+  int stub_is_selfsig;
+
+  if (!is_selfsig)
+    is_selfsig = &stub_is_selfsig;
 
   rc = openpgp_pk_test_algo (sig->pubkey_algo);
   if (rc)
@@ -904,14 +908,11 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 
   if (signer)
     {
-      if (is_selfsig)
-        {
-          if (signer->keyid[0] == pripk->keyid[0]
-              && signer->keyid[1] == pripk->keyid[1])
-            *is_selfsig = 1;
-          else
-            *is_selfsig = 0;
-        }
+      if (signer->keyid[0] == pripk->keyid[0]
+          && signer->keyid[1] == pripk->keyid[1])
+        *is_selfsig = 1;
+      else
+        *is_selfsig = 0;
     }
   else
     {
@@ -921,8 +922,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
         {
           /* Issued by the primary key.  */
           signer = pripk;
-          if (is_selfsig)
-            *is_selfsig = 1;
+          *is_selfsig = 1;
         }
       else
         {
@@ -951,8 +951,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
           if (! signer)
             {
               /* Signer by some other key.  */
-              if (is_selfsig)
-                *is_selfsig = 0;
+              *is_selfsig = 0;
               if (ret_pk)
                 {
                   signer = ret_pk;
@@ -1013,9 +1012,24 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
   else if (IS_UID_SIG (sig) || IS_UID_REV (sig))
     {
       log_assert (packet->pkttype == PKT_USER_ID);
-      hash_public_key (md, pripk);
-      hash_uid_packet (packet->pkt.user_id, md, sig);
-      rc = check_signature_end_simple (signer, sig, md, NULL, 0);
+      log_debug ("algo=%d selfsig=%d tm=%lu\n",
+                 sig->digest_algo, *is_selfsig, (unsigned long)sig->timestamp);
+      if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig
+          && sig->timestamp > 1547856000)
+        {
+          /* If the signature was created using SHA-1 we consider this
+           * signature invalid because it makes it possible to mount a
+           * chosen-prefix collision.  We don't do this for
+           * self-signatures or for signatures created before the
+           * somewhat arbitrary cut-off date 2019-01-19.  */
+          rc = gpg_error (GPG_ERR_DIGEST_ALGO);
+        }
+      else
+        {
+          hash_public_key (md, pripk);
+          hash_uid_packet (packet->pkt.user_id, md, sig);
+          rc = check_signature_end_simple (signer, sig, md, NULL, 0);
+        }
     }
   else
     {
author	Werner Koch <[email protected]>	2019-10-03 15:43:26 +0000
committer	Werner Koch <[email protected]>	2019-10-03 15:43:26 +0000
commit	c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4 (patch)
tree	be1eda90d80fd9a7e15307c63c035fb227b0c8b6 /g10/sig-check.c
parent	gpg: Read the UBID from the keybox and detect wrong blob type. (diff)
download	gnupg-c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4.tar.gz gnupg-c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4.zip