fix(clearsign): Enforce acceptable hash functions in clearsign

lubux · lubux · commit 244eb1cfffe5 · 2025-05-21T11:11:51.000+02:00
diff --git a/openpgp/clearsign/clearsign.go b/openpgp/clearsign/clearsign.go
@@ -206,7 +206,7 @@ func Decode(data []byte) (b *Block, rest []byte) {
 type dashEscaper struct {
 	buffered    *bufio.Writer
 	hashers     []hash.Hash // one per key in privateKeys
-	hashType    crypto.Hash
+	hashTypes   []crypto.Hash
 	toHash      io.Writer         // writes to all the hashes in hashers
 	salts       [][]byte          // salts for the signatures if v6
 	armorHeader map[string]string // Armor headers
@@ -328,7 +328,7 @@ func (d *dashEscaper) Close() (err error) {
 		sig.Version = k.Version
 		sig.SigType = packet.SigTypeText
 		sig.PubKeyAlgo = k.PubKeyAlgo
-		sig.Hash = d.hashType
+		sig.Hash = d.hashTypes[i]
 		sig.CreationTime = t
 		sig.IssuerKeyId = &k.KeyId
 		sig.IssuerFingerprint = k.Fingerprint
@@ -398,11 +398,22 @@ func EncodeMultiWithHeader(w io.Writer, privateKeys []*packet.PrivateKey, config
 	if !hashType.Available() {
 		return nil, errors.UnsupportedError("unsupported hash type: " + strconv.Itoa(int(hashType)))
 	}
+
 	var hashers []hash.Hash
+	var hashTypes []crypto.Hash
 	var ws []io.Writer
 	var salts [][]byte
 	for _, sk := range privateKeys {
-		h := hashType.New()
+		acceptedHashes := acceptableHashesToWrite(&sk.PublicKey)
+		// acceptedHashes contains at least one hash
+		selectedHashType := acceptedHashes[0]
+		for _, acceptedHash := range acceptedHashes {
+			if hashType == acceptedHash {
+				selectedHashType = hashType
+				break
+			}
+		}
+		h := selectedHashType.New()
 		if sk.Version == 6 {
 			// generate salt
 			var salt []byte
@@ -416,6 +427,7 @@ func EncodeMultiWithHeader(w io.Writer, privateKeys []*packet.PrivateKey, config
 			salts = append(salts, salt)
 		}
 		hashers = append(hashers, h)
+		hashTypes = append(hashTypes, selectedHashType)
 		ws = append(ws, h)
 	}
 	toHash := io.MultiWriter(ws...)
@@ -446,7 +458,7 @@ func EncodeMultiWithHeader(w io.Writer, privateKeys []*packet.PrivateKey, config
 	plaintext = &dashEscaper{
 		buffered:    buffered,
 		hashers:     hashers,
-		hashType:    hashType,
+		hashTypes:   hashTypes,
 		toHash:      toHash,
 		salts:       salts,
 		armorHeader: headers,
@@ -489,3 +501,38 @@ func nameOfHash(h crypto.Hash) string {
 	}
 	return ""
 }
+
+func acceptableHashesToWrite(singingKey *packet.PublicKey) []crypto.Hash {
+	switch singingKey.PubKeyAlgo {
+	case packet.PubKeyAlgoEd448:
+		return []crypto.Hash{
+			crypto.SHA512,
+			crypto.SHA3_512,
+		}
+	case packet.PubKeyAlgoECDSA, packet.PubKeyAlgoEdDSA:
+		if curve, err := singingKey.Curve(); err == nil {
+			if curve == packet.Curve448 ||
+				curve == packet.CurveNistP521 ||
+				curve == packet.CurveBrainpoolP512 {
+				return []crypto.Hash{
+					crypto.SHA512,
+					crypto.SHA3_512,
+				}
+			} else if curve == packet.CurveBrainpoolP384 ||
+				curve == packet.CurveNistP384 {
+				return []crypto.Hash{
+					crypto.SHA384,
+					crypto.SHA512,
+					crypto.SHA3_512,
+				}
+			}
+		}
+	}
+	return []crypto.Hash{
+		crypto.SHA256,
+		crypto.SHA384,
+		crypto.SHA512,
+		crypto.SHA3_256,
+		crypto.SHA3_512,
+	}
+}
