security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

sm,dirmngr: Restrict allowed parameters used with rsaPSS.

Browse source 
* sm/certcheck.c (extract_pss_params): Check the used PSS params.
* dirmngr/crlcache.c (finish_sig_check): Ditto.
* dirmngr/validate.c (check_cert_sig): Ditto.
--

GnuPG-bug-id: 4538

# ------------------------ >8 ------------------------
See
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-04-15 11:05:41 +02:00
parent 50b320952e
commit c0d5c67354
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
3 changed files with 87 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

23
dirmngr/crlcache.c
View file

@ -1731,6 +1731,29 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
algo, hashalgo);
return gpg_error (GPG_ERR_INV_CRL);
}
/* Add some restrictions; see ../sm/certcheck.c for details. */
switch (algo)
{
case GCRY_MD_SHA1:
case GCRY_MD_SHA256:
case GCRY_MD_SHA384:
case GCRY_MD_SHA512:
case GCRY_MD_SHA3_256:
case GCRY_MD_SHA3_384:
case GCRY_MD_SHA3_512:
break;
default:
log_error ("PSS hash algorithm '%s' rejected\n",
gcry_md_algo_name (algo));
return gpg_error (GPG_ERR_DIGEST_ALGO);
}
if (gcry_md_get_algo_dlen (algo) != saltlen)
{
log_error ("PSS hash algorithm '%s' rejected due to salt length %u\n",
gcry_md_algo_name (algo), saltlen);
return gpg_error (GPG_ERR_DIGEST_ALGO);
}
}