raven-rhel6/rpm/rpm-4.8.0-sigsanity.patch

commit 05ea39753dc5b99088fbf2774d72d33fe773eec0
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Tue Jun 29 10:47:18 2010 +0300
Add some sanity checks for generated signatures (related to RhBug:608599)
- GPG supports all sorts of algorithms NSS doesn't, do some basic tests
to verify the generated signature is something we can actually use.
(cherry picked from commit 0e143cfe9f11abc42733d2265dc6d61cb716e5a4)
diff --git a/lib/signature.c b/lib/signature.c
index 7d50db7..b21d5cc 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -314,6 +314,29 @@ Header rpmFreeSignature(Header sigh)
return headerFree(sigh);
}
+/*
+ * NSS doesn't support everything GPG does. Basic tests to see if the
+ * generated signature is something we can use.
+ */
+static int validatePGPSig(pgpDigParams sigp)
+{
+ pgpHashAlgo pa = sigp->pubkey_algo;
+ /* TODO: query from the implementation instead of hardwiring here */
+ if (pa != PGPPUBKEYALGO_DSA && pa != PGPPUBKEYALGO_RSA) {
+ rpmlog(RPMLOG_ERR, _("Unsupported PGP pubkey algorithm %d\n"),
+ sigp->pubkey_algo);
+ return 1;
+ }
+
+ if (rpmDigestLength(sigp->hash_algo) == 0) {
+ rpmlog(RPMLOG_ERR, _("Unsupported PGP hash algorithm %d\n"),
+ sigp->hash_algo);
+ return 1;
+ }
+
+ return 0;
+}
+
/**
* Generate GPG signature(s) for a header+payload file.
* @param file header+payload file name
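Review bot: `pgpHashAlgo pa = sigp->pubkey_algo;` in validatePGPSig holds a public-key algorithm id in a hash-algorithm type. It compiles because both are enums, but it should read `pgpPubkeyAlgo pa = sigp->pubkey_algo;` so the comparison against PGPPUBKEYALGO_DSA and PGPPUBKEYALGO_RSA is type-consistent. The header comment should also state the contract: the function returns 0 when both algorithms are usable and 1 otherwise. It is worth saying there that this is a capability check only: any hash for which `rpmDigestLength()` is non-zero passes, so the function neither rejects weak digests nor verifies the signature.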
@@ -443,8 +466,8 @@ static int makeGPGSignature(const char * file, rpmSigTag * sigTagp,
break;
}
+ rc = validatePGPSig(sigp);
dig = pgpFreeDig(dig);
- rc = 0;
exit:
(void) unlink(sigfile);
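Review bot: The call `rc = validatePGPSig(sigp);` must stay ahead of `dig = pgpFreeDig(dig);`, and nothing in the code says so. sigp is presumably a pointer into dig (its assignment is outside the hunk), so swapping the two lines would read freed memory. I would add a comment above the call such as `/* sigp points into dig: validate before freeing it */`. On a failed check the function now reaches `exit:` with rc == 1; whether the already generated packet buffer is released or left to the caller on that path is not visible here and is worth confirming. makeGPGSignature starts and ends outside the hunk.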