From 7d9aad63c4f1aefe97da61baf5acd96c12c0278e Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 3 Oct 2019 18:20:59 +0200
Subject: [PATCH] gpg: Ignore all SHA-1 signatures in 3rd party key signatures.
* g10/sig-check.c (check_signature_over_key_or_uid): No cut-off date and remove debug output.
--
With 2.2 we do not not support SHA-1 key signatures anymore even if that means that the WoT shrinks.
Signed-off-by: Werner Koch
---
 g10/sig-check.c | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/g10/sig-check.c b/g10/sig-check.c
index a93b496..c1498ef 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -824,6 +824,10 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 PKT_public_key *pripk = kb->pkt->pkt.public_key;
 gcry_md_hd_t md;
 int signer_alloced = 0;
+ int stub_is_selfsig;
+
+ if (!is_selfsig)
+ is_selfsig = &stub_is_selfsig;
 rc = openpgp_pk_test_algo (sig->pubkey_algo);
 if (rc)
@@ -857,14 +861,11 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 if (signer)
 {
- if (is_selfsig)
- {
- if (signer->keyid[0] == pripk->keyid[0]
- && signer->keyid[1] == pripk->keyid[1])
- *is_selfsig = 1;
- else
- *is_selfsig = 0;
- }
+ if (signer->keyid[0] == pripk->keyid[0]
+ && signer->keyid[1] == pripk->keyid[1])
+ *is_selfsig = 1;
+ else
+ *is_selfsig = 0;
 }
 else
 {
@@ -874,8 +875,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 {
 /* Issued by the primary key. */
 signer = pripk;
- if (is_selfsig)
- *is_selfsig = 1;
+ *is_selfsig = 1;
 }
 else
 {
@@ -904,8 +904,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 if (! signer)
 {
 /* Signer by some other key. */
- if (is_selfsig)
- *is_selfsig = 0;
+ *is_selfsig = 0;
 if (ret_pk)
 {
 signer = ret_pk;
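Review bot: `stub_is_selfsig` is declared without an initializer in the first hunk (-824), yet the SHA-1 test added in the last hunk (-966) reads `*is_selfsig` unconditionally. The assignments visible in the -857, -874 and -904 hunks cover the caller-supplied signer, the primary-key case and the other-key case, but the code between the -874 and -904 hunks is not shown. If any path there selects a signer without writing the flag, the SHA-1 decision would be made on an indeterminate value. Adding `*is_selfsig = 0;` right after the `if (!is_selfsig) is_selfsig = &stub_is_selfsig;` fallback would make the default fail closed, treating the signature as third-party so SHA-1 is rejected. The function body starts and ends outside these hunks.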
@@ -966,9 +965,20 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 else if (IS_UID_SIG (sig) || IS_UID_REV (sig))
 {
 log_assert (packet->pkttype == PKT_USER_ID);
- hash_public_key (md, pripk);
- hash_uid_packet (packet->pkt.user_id, md, sig);
- rc = check_signature_end_simple (signer, sig, md);
+ if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig)
+ {
+ /* If the signature was created using SHA-1 we consider this
+ * signature invalid because it makes it possible to mount a
+ * chosen-prefix collision. We don't do this for
+ * self-signatures, though. */
+ rc = gpg_error (GPG_ERR_DIGEST_ALGO);
+ }
+ else
+ {
+ hash_public_key (md, pripk);
+ hash_uid_packet (packet->pkt.user_id, md, sig);
+ rc = check_signature_end_simple (signer, sig, md);
+ }
 }
 else
 {
--
2.19.1
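Review bot: The SHA-1 rejection sits only inside the `IS_UID_SIG (sig) || IS_UID_REV (sig)` branch, so whatever signature classes the earlier branches of this if/else chain handle (they start outside the hunk) would still be verified with SHA-1 when issued by a third party. It is worth confirming that this is intended, or else moving the `sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig` test above the chain so every class is covered. The new comment also gives no reason for the self-signature exemption and does not say that the rule applies regardless of signature creation date, which the commit message ("No cut-off date") makes a deliberate choice. I would extend the comment with one sentence on each, the exemption presumably being there so that keys carrying SHA-1 self-signatures remain usable. Callers that previously got a verification result for these signatures now receive `GPG_ERR_DIGEST_ALGO`, so the function's header comment (outside the hunk) should list that return value.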