author | Julian Andres Klode <jak@debian.org> | 2016-03-14 15:35:14 +0100 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-03-14 15:37:05 +0100 |
commit | d91051242d10ada198b4ed59d59ad4aa8f59bcaf (patch) | |
tree | 3bda3a75a4707d308507a142b6ebfde9217feab8 | |
parent | 0d80586a67622d4d58908fee41c3be8a6813d426 (diff) |
methods/gpgv: Reject weak digest algorithms
This keeps a list of weak digest algorithms. For now, only MD5
is disabled, as SHA1 breaks too many repos.
-rw-r--r-- | methods/gpgv.cc | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index f17990245..06e1612e6 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -17,7 +17,10 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+#include <array>
 #include <algorithm>
+#include <sstream>
+#include <iterator>
 #include <iostream>
 #include <string>
 #include <vector>
@@ -36,6 +39,12 @@ using std::vector;
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
 
+static const std::array<string, 1> WeakDigests {
+ "1", // MD5
+// "2", // SHA1
+// "3", // RIPEMD-160
+};
+
 class GPGVMethod : public aptMethod
 {
 private:
@@ -139,12 +148,19 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
 {
 char *sig = buffer + sizeof(GNUPGVALIDSIG);
+ std::istringstream iss((string(sig)));
+ vector<string> tokens{std::istream_iterator<string>{iss},
+ std::istream_iterator<string>{}};
 char *p = sig;
 while (*p && isxdigit(*p))
 p++;
 *p = 0;
 if (Debug == true)
 std::clog << "Got VALIDSIG, key ID: " << sig << std::endl;
+ // Reject weak digest algorithms
+ if (std::find(WeakDigests.begin(), WeakDigests.end(), tokens[7]) != WeakDigests.end())
+ BadSigners.push_back(string(sig));
+
 ValidSigners.push_back(string(sig));
 }
 }
|
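Review bot: `tokens[7]` in the VALIDSIG branch is indexed without checking how many fields the status line produced, so a VALIDSIG line with fewer than eight whitespace-separated fields reads past the end of the vector. Treating a missing digest field as a rejection keeps the check fail-closed: `if (tokens.size() < 8 || std::find(WeakDigests.begin(), WeakDigests.end(), tokens[7]) != WeakDigests.end())`. The signer is also still appended to `ValidSigners` after being added to `BadSigners`, so the rejection relies on the caller treating any non-empty `BadSigners` as fatal; that caller is outside the hunk, and an `else` before `ValidSigners.push_back(string(sig));` would make the intent explicit here. A short comment naming `tokens[7]` as the digest-algorithm field of the VALIDSIG line would help, since the index is otherwise a magic number. VerifyGetSigners starts and ends outside the hunk.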