From 204cb7c11b81466e666ec57b8620ffac585aa167 Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Mon, 1 Jul 2024 11:01:25 +0200
Subject: [PATCH] PGPSignature: Sanitize hash length when verifying

---
 .../bouncycastle/openpgp/PGPSignature.java    | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
index 5276f8e979..b70e6852e9 100644
--- a/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
+++ b/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
@@ -12,6 +12,7 @@
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.bcpg.HashUtils;
 import org.bouncycastle.bcpg.MPInteger;
 import org.bouncycastle.bcpg.Packet;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
@@ -163,14 +164,32 @@ PGPContentVerifierBuilder createVerifierProvider(PGPContentVerifierBuilderProvid
     }
 
     void init(PGPContentVerifier verifier)
+            throws PGPException
     {
         this.verifier = verifier;
         this.lastb = 0;
         this.sigOut = verifier.getOutputStream();
 
+        checkSaltSize();
         updateWithSalt();
     }
 
+    private void checkSaltSize()
+            throws PGPException
+    {
+        if (getVersion() != SignaturePacket.VERSION_6)
+        {
+            return;
+        }
+
+        int expectedSaltSize = HashUtils.getV6SignatureSaltSizeInBytes(getHashAlgorithm());
+        if (expectedSaltSize != sigPck.getSalt().length)
+        {
+            throw new PGPException("RFC9580 defines the salt size for " + PGPUtil.getDigestName(getHashAlgorithm()) +
+                    " as " + expectedSaltSize + " octets, but signature has " + sigPck.getSalt().length + " octets.");
+        }
+    }
+
     private void updateWithSalt()
     {
         if (getVersion() == SignaturePacket.VERSION_6)