diff --git a/g10/main.h b/g10/main.h index ce029063b..68360e218 100644 --- a/g10/main.h +++ b/g10/main.h @@ -95,6 +95,7 @@ void print_sha1_keysig_rejected_note (void); void print_reported_error (gpg_error_t err, gpg_err_code_t skip_if_ec); void print_further_info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); void additional_weak_digest (const char* digestname); +int is_weak_digest (digest_algo_t algo); /*-- armor.c --*/ char *make_radix64_string( const byte *data, size_t len ); diff --git a/g10/misc.c b/g10/misc.c index c344ff244..6577bb902 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -311,12 +311,11 @@ print_cipher_algo_note (cipher_algo_t algo) void print_digest_algo_note (digest_algo_t algo) { - const enum gcry_md_algos galgo = map_md_openpgp_to_gcry (algo); - const struct weakhash *weak; - if(algo >= 100 && algo <= 110) { static int warn=0; + const enum gcry_md_algos galgo = map_md_openpgp_to_gcry (algo); + if(!warn) { warn=1; @@ -325,14 +324,13 @@ print_digest_algo_note (digest_algo_t algo) gcry_md_algo_name (galgo)); } } - else - for (weak = opt.weak_digests; weak != NULL; weak = weak->next) - if (weak->algo == galgo) - { - es_fflush (es_stdout); - log_info (_("WARNING: digest algorithm %s is deprecated\n"), - gcry_md_algo_name (galgo)); - } + else if (is_weak_digest (algo)) + { + const enum gcry_md_algos galgo = map_md_openpgp_to_gcry (algo); + es_fflush (es_stdout); + log_info (_("WARNING: digest algorithm %s is deprecated\n"), + gcry_md_algo_name (galgo)); + } } @@ -1860,3 +1858,17 @@ additional_weak_digest (const char* digestname) weak->next = opt.weak_digests; opt.weak_digests = weak; } + + +/* Return true if ALGO is in the list of weak digests. */ +int +is_weak_digest (digest_algo_t algo) +{ + const enum gcry_md_algos galgo = map_md_openpgp_to_gcry (algo); + const struct weakhash *weak; + + for (weak = opt.weak_digests; weak; weak = weak->next) + if (weak->algo == galgo) + return 1; + return 0; +} diff --git a/g10/sig-check.c b/g10/sig-check.c index e71e662c2..a1dfe3817 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -457,16 +457,14 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, { gcry_mpi_t result = NULL; int rc = 0; - const struct weakhash *weak; if (!opt.flags.allow_weak_digest_algos) { - for (weak = opt.weak_digests; weak; weak = weak->next) - if (sig->digest_algo == weak->algo) - { - print_digest_rejected_note(sig->digest_algo); - return GPG_ERR_DIGEST_ALGO; - } + if (is_weak_digest (sig->digest_algo)) + { + print_digest_rejected_note (sig->digest_algo); + return GPG_ERR_DIGEST_ALGO; + } } /* For key signatures check that the key has a cert usage. We may diff --git a/g10/sign.c b/g10/sign.c index 4793dd137..8d575a100 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -583,7 +583,7 @@ hash_for (PKT_public_key *pk) { return opt.def_digest_algo; } - else if (recipient_digest_algo) + else if (recipient_digest_algo && !is_weak_digest (recipient_digest_algo)) { return recipient_digest_algo; } @@ -1095,10 +1095,13 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, single hash for all signatures. All this may well have to change as the cards add algorithms. */ - if (!smartcard || (smartcard && hint.digest_length==20)) - if ( (algo= - select_algo_from_prefs(pk_list,PREFTYPE_HASH,-1,&hint)) > 0) - recipient_digest_algo=algo; + if (!smartcard || (smartcard && hint.digest_length==20) + && (algo = select_algo_from_prefs(pk_list,PREFTYPE_HASH, + -1,&hint)) > 0) + { + /* Note that we later check that the algo is not weak. */ + recipient_digest_algo = algo; + } } }