From d91051242d10ada198b4ed59d59ad4aa8f59bcaf Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Mon, 14 Mar 2016 15:35:14 +0100
Subject: [PATCH] methods/gpgv: Reject weak digest algorithms

This keeps a list of weak digest algorithms. For now, only MD5 is disabled, as SHA1 breaks to many repos.
---
 methods/gpgv.cc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index f17990245..06e1612e6 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -17,7 +17,10 @@
 #include
 #include
+#include
 #include
+#include
+#include
 #include
 #include
 #include
@@ -36,6 +39,12 @@ using std::vector;
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
+static const std::array WeakDigests {
+   "1", // MD5
+// "2", // SHA1
+// "3", // RIPEMD-160
+};
+
 class GPGVMethod : public aptMethod
 {
    private:
@@ -139,12 +148,19 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
       {
          char *sig = buffer + sizeof(GNUPGVALIDSIG);
+         std::istringstream iss((string(sig)));
+         vector tokens{std::istream_iterator{iss},
+                       std::istream_iterator{}};
          char *p = sig;
          while (*p && isxdigit(*p)) p++;
          *p = 0;
          if (Debug == true)
             std::clog << "Got VALIDSIG, key ID: " << sig << std::endl;
+         // Reject weak digest algorithms
+         if (std::find(WeakDigests.begin(), WeakDigests.end(), tokens[7]) != WeakDigests.end())
+            BadSigners.push_back(string(sig));
+
          ValidSigners.push_back(string(sig));
       }
    }
-- 
2.45.2
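Review bot: The `WeakDigests` table carries no comment explaining what its strings are, and a reader cannot tell from the definition alone that "1", "2", "3" are OpenPGP hash-algorithm IDs (RFC 4880 §9.4: 1 = MD5, 2 = SHA-1, 3 = RIPEMD-160) as they appear in gpgv's VALIDSIG status line. I would put above the array: `// OpenPGP hash-algorithm IDs (RFC 4880 §9.4) as printed in the VALIDSIG status line; a signature made with any listed digest is rejected. SHA-1 is deliberately not listed yet because too many repositories still sign with it.` The listing here shows `std::array` with its template arguments missing, which is presumably an artefact of the rendering rather than the committed code.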
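Review bot: `tokens[7]` is indexed without checking that the VALIDSIG line actually yielded eight whitespace-separated fields, so a shorter status line (a truncated read, or a gpgv that prints fewer fields) makes the new check read past the end of `tokens`, which is undefined behaviour rather than a rejection. The weak-digest branch also falls through to `ValidSigners.push_back(string(sig))`, so the same key ID ends up in both `BadSigners` and `ValidSigners`; unless code after this hunk already rejects any key present in `BadSigners`, the weak signature still counts as valid. I would fold the length check into the condition and make the two pushes exclusive, as below, treating a malformed line the same as a weak one. `VerifyGetSigners` starts and ends outside this hunk, so how the lists are combined afterwards is not visible here.
```cpp
         // … unchanged: tokenising of the VALIDSIG line, key-ID truncation, debug output …
         // Field 8 of VALIDSIG is the hash-algorithm ID; a line too short to carry it
         // is malformed and gets no more trust than a weak digest would.
         if (tokens.size() < 8 ||
             std::find(WeakDigests.begin(), WeakDigests.end(), tokens[7]) != WeakDigests.end())
            BadSigners.push_back(string(sig));
         else
            ValidSigners.push_back(string(sig));
```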