From d91051242d10ada198b4ed59d59ad4aa8f59bcaf Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <jak@debian.org>
Date: Mon, 14 Mar 2016 15:35:14 +0100
Subject: methods/gpgv: Reject weak digest algorithms

This keeps a list of weak digest algorithms. For now, only MD5
is disabled, as SHA1 breaks to many repos.
---
 methods/gpgv.cc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index f17990245..06e1612e6 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -17,7 +17,10 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+#include <array>
 #include <algorithm>
+#include <sstream>
+#include <iterator>
 #include <iostream>
 #include <string>
 #include <vector>
@@ -36,6 +39,12 @@ using std::vector;
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
 
+static const std::array<string, 1> WeakDigests {
+   "1", // MD5
+// "2", // SHA1
+// "3", // RIPEMD-160
+};
+
 class GPGVMethod : public aptMethod
 {
    private:
@@ -139,12 +148,19 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
       {
          char *sig = buffer + sizeof(GNUPGVALIDSIG);
+         std::istringstream iss((string(sig)));
+         vector<string> tokens{std::istream_iterator<string>{iss},
+                               std::istream_iterator<string>{}};
          char *p = sig;
          while (*p && isxdigit(*p))
             p++;
          *p = 0;
          if (Debug == true)
             std::clog << "Got VALIDSIG, key ID: " << sig << std::endl;
+         // Reject weak digest algorithms
+         if (std::find(WeakDigests.begin(), WeakDigests.end(), tokens[7]) != WeakDigests.end())
+            BadSigners.push_back(string(sig));
+
          ValidSigners.push_back(string(sig));
       }
    }
-- 
cgit v1.2.3