gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures.

* g10/sig-check.c (check_signature_over_key_or_uid): Reject cewrtain SHA-1 based signatures. -- Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from c4f2d9e3e1) Adjusted for changed added arguments in a function.
2024-09-21 15:01:41 +02:00 · 2019-10-03 17:43:26 +02:00 · 2019-10-03 17:43:26 +02:00 · edc36f59fc
commit edc36f59fc
parent de57b5bf91
1 changed files with 27 additions and 15 deletions
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@ -824,6 +824,10 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
  PKT_public_key *pripk = kb->pkt->pkt.public_key;
  gcry_md_hd_t md;
  int signer_alloced = 0;
+  int stub_is_selfsig;
+
+  if (!is_selfsig)
+    is_selfsig = &stub_is_selfsig;

  rc = openpgp_pk_test_algo (sig->pubkey_algo);
  if (rc)
@ -856,8 +860,6 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
  /* PACKET is the right type for SIG.  */

  if (signer)
-    {
-      if (is_selfsig)
    {
      if (signer->keyid[0] == pripk->keyid[0]
          && signer->keyid[1] == pripk->keyid[1])
@ -865,7 +867,6 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
      else
        *is_selfsig = 0;
    }
-    }
  else
    {
      /* Get the signer.  If possible, avoid a look up.  */
@ -874,7 +875,6 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
        {
          /* Issued by the primary key.  */
          signer = pripk;
-          if (is_selfsig)
          *is_selfsig = 1;
        }
      else
@ -904,7 +904,6 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
          if (! signer)
            {
              /* Signer by some other key.  */
-              if (is_selfsig)
              *is_selfsig = 0;
              if (ret_pk)
                {
@ -966,10 +965,23 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
  else if (IS_UID_SIG (sig) || IS_UID_REV (sig))
    {
      log_assert (packet->pkttype == PKT_USER_ID);
+      if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig
+          && sig->timestamp > 1547856000)
+        {
+          /* If the signature was created using SHA-1 we consider this
+           * signature invalid because it makes it possible to mount a
+           * chosen-prefix collision.  We don't do this for
+           * self-signatures or for signatures created before the
+           * somewhat arbitrary cut-off date 2019-01-19.  */
+          rc = gpg_error (GPG_ERR_DIGEST_ALGO);
+        }
+      else
+        {
          hash_public_key (md, pripk);
          hash_uid_packet (packet->pkt.user_id, md, sig);
          rc = check_signature_end_simple (signer, sig, md);
        }
+    }
  else
    {
      /* We should never get here.  (The first if above should have