From 4a971af5abe70d41485df141a3d9fa97eaab5f1c Mon Sep 17 00:00:00 2001
From: Justus Winter
Date: Mon, 7 Dec 2020 17:45:25 +0100
Subject: openpgp: Include a random salt when creating signatures.

- This makes it harder for an attacker to convince a victim to sign a predetermined text. See Leurent, G. and Peyrin, T., 2020. SHA-1 is a Shambles, Section 7.2:
> [...] if the serial number is unpredictable then the [chosen
> prefix] collision attack is thwarted as a crucial part of the
> hashed input is not controlled by the attacker.
- We use 32 bytes of randomness, which provides plenty of entropy, yet is way smaller than the block size of the average hash function. Adding random data that is included in the signature provides an opportunity to mutate this data to attack the hash function. Limiting the amount to less than the block size is should avoid this concern.
- We use a notation to include the data, because this is the least intrusive way to add it. It is also self-describing.
- Fixes #597.
---
openpgp/src/packet/signature.rs | 6 ++++++
openpgp/src/packet/signature/subpacket.rs | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs
index 9128332d..7021f9a4 100644
--- a/openpgp/src/packet/signature.rs
+++ b/openpgp/src/packet/signature.rs
@@ -1588,6 +1588,12 @@ impl SignatureBuilder {
 .set_issuer_fingerprint(signer.public().fingerprint())?;
 }
+ // Add a salt to make the signature unpredictable.
+ let mut salt = [0; 32];
+ crate::crypto::random(&mut salt);
+ self = self.set_notation("salt@notations.sequoia-pgp.org",
+ salt, None, false)?;
+
 self.sort();
 Ok(self)
diff --git a/openpgp/src/packet/signature/subpacket.rs b/openpgp/src/packet/signature/subpacket.rs
index e747bd05..129c5cb1 100644
--- a/openpgp/src/packet/signature/subpacket.rs
+++ b/openpgp/src/packet/signature/subpacket.rs
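Review bot: The salt only defeats the chosen-prefix attack the commit message cites if `set_notation` stores it in the hashed subpacket area, and nothing in the added lines shows which area is used, so the comment should state that requirement, e.g. `// Add a salt as a *hashed* notation so the signed data contains 32 bytes the counterparty cannot predict (see #597).` The notation name and the salt length are magic values inside the `set_notation` call; `const SALT_NOTATION: &str = "salt@notations.sequoia-pgp.org";` and `const SALT_LEN: usize = 32;` would let the subpacket code and the tests refer to the same definitions. Because the salt is inserted unconditionally, this builder path presumably can no longer produce byte-identical signatures from identical inputs, and a caller that already set a `salt@notations.sequoia-pgp.org` notation may end up with two of them — whether `set_notation` appends or replaces is not visible here, so that deserves a sentence in the builder's docs. The enclosing `SignatureBuilder` method starts and ends outside the hunk.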
@@ -5369,7 +5369,7 @@ impl signature::SignatureBuilder {
 /// # .iter()
 /// # .filter(|sp| sp.tag() == SubpacketTag::NotationData)
 /// # .count(),
- /// # 2);
+ /// # 3);
 ///
 /// // Merge in the new signature.
 /// let cert = cert.insert_packets(sig)?;
@@ -5465,7 +5465,7 @@ impl signature::SignatureBuilder {
 /// # .iter()
 /// # .filter(|sp| sp.tag() == SubpacketTag::NotationData)
 /// # .count(),
- /// # 2);
+ /// # 3);
 ///
 /// // Merge in the new signature.
 /// let cert = cert.insert_packets(sig)?;
-- 
cgit v1.2.3