Check the validity of hash algo

If an RPM package has been signed and the hash algorithm is not supported by the current version, no error is reported during the verification of the RPM package, and "$?" return 0. Fix this problem.
rpm-software-management · Oct 30, 2024 · 8a22a51 · 8a22a51
1 parent ebc4068
commit 8a22a51
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/lib/rpmvs.cc b/lib/rpmvs.cc
@@ -131,6 +131,30 @@ int rpmIsValidHex(const char *str, size_t slen)
     return valid;
 }
 
+static int hashalgoValid(int algo)
+{
+    int rc = 0;
+
+    switch(algo) {
+    case RPM_HASH_MD5:
+    case RPM_HASH_SHA1:
+    case RPM_HASH_RIPEMD160:
+    case RPM_HASH_MD2:
+    case RPM_HASH_TIGER192:
+    case RPM_HASH_HAVAL_5_160:
+    case RPM_HASH_SHA256:
+    case RPM_HASH_SHA384:
+    case RPM_HASH_SHA512:
+    case RPM_HASH_SHA224:
+	rc = 1;
+	break;
+    default:
+	break;
+    }
+
+    return rc;
+}
+
 static void rpmsinfoInit(const struct vfyinfo_s *vinfo,
 			  const struct vfytag_s *tinfo,
 			  rpmtd td,  const char *origin,
@@ -213,6 +237,12 @@ static void rpmsinfoInit(const struct vfyinfo_s *vinfo,
 	    free(lints);
 	}
 	sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
+	if (!hashalgoValid(sinfo->hashalgo)) {
+	    rasprintf(&sinfo->msg,
+		      _("%s tag %u: invalid hash algorithm"),
+		      origin, td->tag);
+	    goto exit;
+	}
 	sinfo->keyid = rpmhex(pgpDigParamsSignID(sinfo->sig), PGP_KEYID_LEN);
     } else if (sinfo->type == RPMSIG_DIGEST_TYPE) {
 	if (td->type == RPM_BIN_TYPE) {