/src/gnupg/g10/sig-check.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* sig-check.c - Check a signature |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, |
3 | | * 2004, 2006 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2015, 2016 g10 Code GmbH |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <config.h> |
23 | | #include <stdio.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | |
27 | | #include "gpg.h" |
28 | | #include "../common/util.h" |
29 | | #include "packet.h" |
30 | | #include "keydb.h" |
31 | | #include "main.h" |
32 | | #include "../common/status.h" |
33 | | #include "../common/i18n.h" |
34 | | #include "options.h" |
35 | | #include "pkglue.h" |
36 | | #include "../common/compliance.h" |
37 | | |
38 | | static int check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
39 | | gcry_md_hd_t digest, |
40 | | const void *extrahash, size_t extrahashlen, |
41 | | int *r_expired, int *r_revoked, |
42 | | PKT_public_key *ret_pk); |
43 | | |
44 | | static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
45 | | gcry_md_hd_t digest, |
46 | | const void *extrahash, |
47 | | size_t extrahashlen); |
48 | | |
49 | | |
50 | | /* Statistics for signature verification. */ |
51 | | struct |
52 | | { |
53 | | unsigned int total; /* Total number of verifications. */ |
54 | | unsigned int cached; /* Number of seen cache entries. */ |
55 | | unsigned int goodsig;/* Number of good verifications from the cache. */ |
56 | | unsigned int badsig; /* Number of bad verifications from the cache. */ |
57 | | } cache_stats; |
58 | | |
59 | | |
60 | | /* Dump verification stats. */ |
61 | | void |
62 | | sig_check_dump_stats (void) |
63 | 0 | { |
64 | 0 | log_info ("sig_cache: total=%u cached=%u good=%u bad=%u\n", |
65 | 0 | cache_stats.total, cache_stats.cached, |
66 | 0 | cache_stats.goodsig, cache_stats.badsig); |
67 | 0 | } |
68 | | |
69 | | |
70 | | static gpg_error_t |
71 | | check_key_verify_compliance (PKT_public_key *pk) |
72 | 0 | { |
73 | 0 | gpg_error_t err = 0; |
74 | |
|
75 | 0 | if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, |
76 | 0 | pk->pubkey_algo, 0, pk->pkey, |
77 | 0 | nbits_from_pk (pk), |
78 | 0 | NULL)) |
79 | 0 | { |
80 | | /* Compliance failure. */ |
81 | 0 | log_info (_("key %s may not be used for signing in %s mode\n"), |
82 | 0 | keystr_from_pk (pk), |
83 | 0 | gnupg_compliance_option_string (opt.compliance)); |
84 | 0 | if (opt.flags.override_compliance_check) |
85 | 0 | log_info (_("continuing verification anyway due to option %s\n"), |
86 | 0 | "--override-compliance-failure"); |
87 | 0 | else |
88 | 0 | { |
89 | 0 | log_inc_errorcount (); /* We used log info above. */ |
90 | 0 | err = gpg_error (GPG_ERR_PUBKEY_ALGO); |
91 | 0 | } |
92 | 0 | } |
93 | |
|
94 | 0 | return err; |
95 | 0 | } |
96 | | |
97 | | |
98 | | |
99 | | /* Check a signature. This is shorthand for check_signature2 with |
100 | | the unnamed arguments passed as NULL. */ |
101 | | int |
102 | | check_signature (ctrl_t ctrl, PKT_signature *sig, gcry_md_hd_t digest) |
103 | 0 | { |
104 | 0 | return check_signature2 (ctrl, sig, digest, NULL, 0, NULL, |
105 | 0 | NULL, NULL, NULL, NULL); |
106 | 0 | } |
107 | | |
108 | | |
109 | | /* Check a signature. |
110 | | * |
111 | | * Looks up the public key that created the signature (SIG->KEYID) |
112 | | * from the key db. Makes sure that the signature is valid (it was |
113 | | * not created prior to the key, the public key was created in the |
114 | | * past, and the signature does not include any unsupported critical |
115 | | * features), finishes computing the hash of the signature data, and |
116 | | * checks that the signature verifies the digest. If the key that |
117 | | * generated the signature is a subkey, this function also verifies |
118 | | * that there is a valid backsig from the subkey to the primary key. |
119 | | * Finally, if status fd is enabled and the signature class is 0x00 or |
120 | | * 0x01, then a STATUS_SIG_ID is emitted on the status fd. |
121 | | * |
122 | | * SIG is the signature to check. |
123 | | * |
124 | | * DIGEST contains a valid hash context that already includes the |
125 | | * signed data. This function adds the relevant meta-data from the |
126 | | * signature packet to compute the final hash. (See Section 5.2 of |
127 | | * RFC 4880: "The concatenation of the data being signed and the |
128 | | * signature data from the version number through the hashed subpacket |
129 | | * data (inclusive) is hashed.") |
130 | | * |
131 | | * EXTRAHASH and EXTRAHASHLEN is additional data which is hashed with |
132 | | * v5 signatures. They may be NULL to use the default. |
133 | | * |
134 | | * If FORCED_PK is not NULL this public key is used to verify the |
135 | | * signature and no other public key is looked up. This is used to |
136 | | * verify against a key included in the signature. |
137 | | * |
138 | | * If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's |
139 | | * expiry. |
140 | | * |
141 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
142 | | * (0 otherwise). Note: PK being expired does not cause this function |
143 | | * to fail. |
144 | | * |
145 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
146 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
147 | | * function to fail. |
148 | | * |
149 | | * If R_PK is not NULL, the public key is stored at that address if it |
150 | | * was found; other wise NULL is stored. |
151 | | * |
152 | | * Returns 0 on success. An error code otherwise. */ |
153 | | gpg_error_t |
154 | | check_signature2 (ctrl_t ctrl, |
155 | | PKT_signature *sig, gcry_md_hd_t digest, |
156 | | const void *extrahash, size_t extrahashlen, |
157 | | PKT_public_key *forced_pk, |
158 | | u32 *r_expiredate, |
159 | | int *r_expired, int *r_revoked, PKT_public_key **r_pk) |
160 | 0 | { |
161 | 0 | int rc=0; |
162 | 0 | PKT_public_key *pk; |
163 | |
|
164 | 0 | if (r_expiredate) |
165 | 0 | *r_expiredate = 0; |
166 | 0 | if (r_expired) |
167 | 0 | *r_expired = 0; |
168 | 0 | if (r_revoked) |
169 | 0 | *r_revoked = 0; |
170 | 0 | if (r_pk) |
171 | 0 | *r_pk = NULL; |
172 | |
|
173 | 0 | pk = xtrycalloc (1, sizeof *pk); |
174 | 0 | if (!pk) |
175 | 0 | return gpg_error_from_syserror (); |
176 | | |
177 | 0 | if ((rc=openpgp_md_test_algo(sig->digest_algo))) |
178 | 0 | { |
179 | | /* We don't have this digest. */ |
180 | 0 | } |
181 | 0 | else if (!gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) |
182 | 0 | { |
183 | | /* Compliance failure. */ |
184 | 0 | log_info (_("digest algorithm '%s' may not be used in %s mode\n"), |
185 | 0 | gcry_md_algo_name (sig->digest_algo), |
186 | 0 | gnupg_compliance_option_string (opt.compliance)); |
187 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
188 | 0 | } |
189 | 0 | else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo))) |
190 | 0 | { |
191 | | /* We don't have this pubkey algo. */ |
192 | 0 | } |
193 | 0 | else if (!gcry_md_is_enabled (digest,sig->digest_algo)) |
194 | 0 | { |
195 | | /* Sanity check that the md has a context for the hash that the |
196 | | * sig is expecting. This can happen if a onepass sig header |
197 | | * does not match the actual sig, and also if the clearsign |
198 | | * "Hash:" header is missing or does not match the actual sig. */ |
199 | 0 | log_info(_("WARNING: signature digest conflict in message\n")); |
200 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
201 | 0 | } |
202 | 0 | else if (get_pubkey_for_sig (ctrl, pk, sig, forced_pk)) |
203 | 0 | rc = gpg_error (GPG_ERR_NO_PUBKEY); |
204 | 0 | else if ((rc = check_key_verify_compliance (pk))) |
205 | 0 | ;/* Compliance failure. */ |
206 | 0 | else if (!pk->flags.valid) |
207 | 0 | { |
208 | | /* You cannot have a good sig from an invalid key. */ |
209 | 0 | rc = gpg_error (GPG_ERR_BAD_PUBKEY); |
210 | 0 | } |
211 | 0 | else |
212 | 0 | { |
213 | 0 | if (r_expiredate) |
214 | 0 | *r_expiredate = pk->expiredate; |
215 | |
|
216 | 0 | rc = check_signature_end (pk, sig, digest, extrahash, extrahashlen, |
217 | 0 | r_expired, r_revoked, NULL); |
218 | | |
219 | | /* Check the backsig. This is a back signature (0x19) from |
220 | | * the subkey on the primary key. The idea here is that it |
221 | | * should not be possible for someone to "steal" subkeys and |
222 | | * claim them as their own. The attacker couldn't actually |
223 | | * use the subkey, but they could try and claim ownership of |
224 | | * any signatures issued by it. */ |
225 | 0 | if (!rc && !pk->flags.primary && pk->flags.backsig < 2) |
226 | 0 | { |
227 | 0 | if (!pk->flags.backsig) |
228 | 0 | { |
229 | 0 | log_info (_("WARNING: signing subkey %s is not" |
230 | 0 | " cross-certified\n"),keystr_from_pk(pk)); |
231 | 0 | log_info (_("please see %s for more information\n"), |
232 | 0 | "https://gnupg.org/faq/subkey-cross-certify.html"); |
233 | | /* The default option --require-cross-certification |
234 | | * makes this warning an error. */ |
235 | 0 | if (opt.flags.require_cross_cert) |
236 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
237 | 0 | } |
238 | 0 | else if(pk->flags.backsig == 1) |
239 | 0 | { |
240 | 0 | log_info (_("WARNING: signing subkey %s has an invalid" |
241 | 0 | " cross-certification\n"), keystr_from_pk(pk)); |
242 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
243 | 0 | } |
244 | 0 | } |
245 | |
|
246 | 0 | } |
247 | |
|
248 | 0 | if( !rc && sig->sig_class < 2 && is_status_enabled() ) { |
249 | | /* This signature id works best with DLP algorithms because |
250 | | * they use a random parameter for every signature. Instead of |
251 | | * this sig-id we could have also used the hash of the document |
252 | | * and the timestamp, but the drawback of this is, that it is |
253 | | * not possible to sign more than one identical document within |
254 | | * one second. Some remote batch processing applications might |
255 | | * like this feature here. |
256 | | * |
257 | | * Note that before 2.0.10, we used RIPE-MD160 for the hash |
258 | | * and accidentally didn't include the timestamp and algorithm |
259 | | * information in the hash. Given that this feature is not |
260 | | * commonly used and that a replay attacks detection should |
261 | | * not solely be based on this feature (because it does not |
262 | | * work with RSA), we take the freedom and switch to SHA-1 |
263 | | * with 2.0.10 to take advantage of hardware supported SHA-1 |
264 | | * implementations. We also include the missing information |
265 | | * in the hash. Note also the SIG_ID as computed by gpg 1.x |
266 | | * and gpg 2.x didn't matched either because 2.x used to print |
267 | | * MPIs not in PGP format. */ |
268 | 0 | u32 a = sig->timestamp; |
269 | 0 | int nsig = pubkey_get_nsig( sig->pubkey_algo ); |
270 | 0 | unsigned char *p, *buffer; |
271 | 0 | size_t n, nbytes; |
272 | 0 | int i; |
273 | 0 | char hashbuf[20]; /* We use SHA-1 here. */ |
274 | |
|
275 | 0 | nbytes = 6; |
276 | 0 | for (i=0; i < nsig; i++ ) |
277 | 0 | { |
278 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
279 | 0 | { |
280 | 0 | unsigned int nbits; |
281 | |
|
282 | 0 | gcry_mpi_get_opaque (sig->data[i], &nbits); |
283 | 0 | n = (nbits+7)/8 + 2; |
284 | 0 | } |
285 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, NULL, 0, &n, sig->data[i])) |
286 | 0 | BUG(); |
287 | 0 | nbytes += n; |
288 | 0 | } |
289 | | |
290 | | /* Make buffer large enough to be later used as output buffer. */ |
291 | 0 | if (nbytes < 100) |
292 | 0 | nbytes = 100; |
293 | 0 | nbytes += 10; /* Safety margin. */ |
294 | | |
295 | | /* Fill and hash buffer. */ |
296 | 0 | buffer = p = xmalloc (nbytes); |
297 | 0 | *p++ = sig->pubkey_algo; |
298 | 0 | *p++ = sig->digest_algo; |
299 | 0 | *p++ = (a >> 24) & 0xff; |
300 | 0 | *p++ = (a >> 16) & 0xff; |
301 | 0 | *p++ = (a >> 8) & 0xff; |
302 | 0 | *p++ = a & 0xff; |
303 | 0 | nbytes -= 6; |
304 | 0 | for (i=0; i < nsig; i++ ) |
305 | 0 | { |
306 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
307 | 0 | { |
308 | 0 | const byte *sigdata; |
309 | 0 | unsigned int nbits; |
310 | |
|
311 | 0 | sigdata = gcry_mpi_get_opaque (sig->data[i], &nbits); |
312 | 0 | n = (nbits+7)/8; |
313 | 0 | p[0] = nbits >> 8; |
314 | 0 | p[1] = (nbits & 0xff); |
315 | 0 | memcpy (p+2, sigdata, n); |
316 | 0 | n += 2; |
317 | 0 | } |
318 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i])) |
319 | 0 | BUG(); |
320 | 0 | p += n; |
321 | 0 | nbytes -= n; |
322 | 0 | } |
323 | 0 | gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer); |
324 | |
|
325 | 0 | p = make_radix64_string (hashbuf, 20); |
326 | 0 | sprintf (buffer, "%s %s %lu", |
327 | 0 | p, strtimestamp (sig->timestamp), (ulong)sig->timestamp); |
328 | 0 | xfree (p); |
329 | 0 | write_status_text (STATUS_SIG_ID, buffer); |
330 | 0 | xfree (buffer); |
331 | 0 | } |
332 | | |
333 | 0 | if (r_pk) |
334 | 0 | *r_pk = pk; |
335 | 0 | else |
336 | 0 | { |
337 | 0 | release_public_key_parts (pk); |
338 | 0 | xfree (pk); |
339 | 0 | } |
340 | |
|
341 | 0 | return rc; |
342 | 0 | } |
343 | | |
344 | | |
345 | | /* The signature SIG was generated with the public key PK. Check |
346 | | * whether the signature is valid in the following sense: |
347 | | * |
348 | | * - Make sure the public key was created before the signature was |
349 | | * generated. |
350 | | * |
351 | | * - Make sure the public key was created in the past |
352 | | * |
353 | | * - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0 |
354 | | * otherwise) |
355 | | * |
356 | | * - Check whether PK has been revoked (set *R_REVOKED to 1 if so |
357 | | * and 0 otherwise). |
358 | | * |
359 | | * If either of the first two tests fail, returns an error code. |
360 | | * Otherwise returns 0. (Thus, this function doesn't fail if the |
361 | | * public key is expired or revoked.) */ |
362 | | static int |
363 | | check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig, |
364 | | int *r_expired, int *r_revoked) |
365 | 0 | { |
366 | 0 | u32 cur_time; |
367 | |
|
368 | 0 | if (r_expired) |
369 | 0 | *r_expired = 0; |
370 | 0 | if (r_revoked) |
371 | 0 | *r_revoked = 0; |
372 | |
|
373 | 0 | if (pk->timestamp > sig->timestamp ) |
374 | 0 | { |
375 | 0 | ulong d = pk->timestamp - sig->timestamp; |
376 | 0 | if ( d < 86400 ) |
377 | 0 | { |
378 | 0 | log_info (ngettext |
379 | 0 | ("public key %s is %lu second newer than the signature\n", |
380 | 0 | "public key %s is %lu seconds newer than the signature\n", |
381 | 0 | d), keystr_from_pk (pk), d); |
382 | 0 | } |
383 | 0 | else |
384 | 0 | { |
385 | 0 | d /= 86400; |
386 | 0 | log_info (ngettext |
387 | 0 | ("public key %s is %lu day newer than the signature\n", |
388 | 0 | "public key %s is %lu days newer than the signature\n", |
389 | 0 | d), keystr_from_pk (pk), d); |
390 | 0 | } |
391 | 0 | if (!opt.ignore_time_conflict) |
392 | 0 | return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */ |
393 | 0 | } |
394 | | |
395 | 0 | cur_time = make_timestamp (); |
396 | 0 | if (pk->timestamp > cur_time) |
397 | 0 | { |
398 | 0 | ulong d = pk->timestamp - cur_time; |
399 | 0 | if (d < 86400) |
400 | 0 | { |
401 | 0 | log_info (ngettext("key %s was created %lu second" |
402 | 0 | " in the future (time warp or clock problem)\n", |
403 | 0 | "key %s was created %lu seconds" |
404 | 0 | " in the future (time warp or clock problem)\n", |
405 | 0 | d), keystr_from_pk (pk), d); |
406 | 0 | } |
407 | 0 | else |
408 | 0 | { |
409 | 0 | d /= 86400; |
410 | 0 | log_info (ngettext("key %s was created %lu day" |
411 | 0 | " in the future (time warp or clock problem)\n", |
412 | 0 | "key %s was created %lu days" |
413 | 0 | " in the future (time warp or clock problem)\n", |
414 | 0 | d), keystr_from_pk (pk), d); |
415 | 0 | } |
416 | 0 | if (!opt.ignore_time_conflict) |
417 | 0 | return GPG_ERR_TIME_CONFLICT; |
418 | 0 | } |
419 | | |
420 | | /* Check whether the key has expired. We check the has_expired |
421 | | * flag which is set after a full evaluation of the key (getkey.c) |
422 | | * as well as a simple compare to the current time in case the |
423 | | * merge has for whatever reasons not been done. */ |
424 | 0 | if (pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) |
425 | 0 | { |
426 | 0 | char buf[11]; |
427 | 0 | if (opt.verbose) |
428 | 0 | log_info (_("Note: signature key %s expired %s\n"), |
429 | 0 | keystr_from_pk(pk), isotimestamp( pk->expiredate ) ); |
430 | 0 | snprintf (buf, sizeof buf, "%lu",(ulong)pk->expiredate); |
431 | 0 | write_status_text (STATUS_KEYEXPIRED, buf); |
432 | 0 | if (r_expired) |
433 | 0 | *r_expired = 1; |
434 | 0 | } |
435 | |
|
436 | 0 | if (pk->flags.revoked) |
437 | 0 | { |
438 | 0 | if (opt.verbose) |
439 | 0 | log_info (_("Note: signature key %s has been revoked\n"), |
440 | 0 | keystr_from_pk(pk)); |
441 | 0 | if (r_revoked) |
442 | 0 | *r_revoked=1; |
443 | 0 | } |
444 | |
|
445 | 0 | return 0; |
446 | 0 | } |
447 | | |
448 | | |
449 | | /* Finish generating a signature and check it. Concretely: make sure |
450 | | * that the signature is valid (it was not created prior to the key, |
451 | | * the public key was created in the past, and the signature does not |
452 | | * include any unsupported critical features), finish computing the |
453 | | * digest by adding the relevant data from the signature packet, and |
454 | | * check that the signature verifies the digest. |
455 | | * |
456 | | * DIGEST contains a hash context, which has already hashed the signed |
457 | | * data. This function adds the relevant meta-data from the signature |
458 | | * packet to compute the final hash. (See Section 5.2 of RFC 4880: |
459 | | * "The concatenation of the data being signed and the signature data |
460 | | * from the version number through the hashed subpacket data |
461 | | * (inclusive) is hashed.") |
462 | | * |
463 | | * SIG is the signature to check. |
464 | | * |
465 | | * PK is the public key used to generate the signature. |
466 | | * |
467 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
468 | | * (0 otherwise). Note: PK being expired does not cause this function |
469 | | * to fail. |
470 | | * |
471 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
472 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
473 | | * function to fail. |
474 | | * |
475 | | * If RET_PK is not NULL, PK is copied into RET_PK on success. |
476 | | * |
477 | | * Returns 0 on success. An error code other. */ |
478 | | static int |
479 | | check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
480 | | gcry_md_hd_t digest, |
481 | | const void *extrahash, size_t extrahashlen, |
482 | | int *r_expired, int *r_revoked, PKT_public_key *ret_pk) |
483 | 0 | { |
484 | 0 | int rc = 0; |
485 | |
|
486 | 0 | if ((rc = check_signature_metadata_validity (pk, sig, |
487 | 0 | r_expired, r_revoked))) |
488 | 0 | return rc; |
489 | | |
490 | 0 | if ((rc = check_signature_end_simple (pk, sig, digest, |
491 | 0 | extrahash, extrahashlen))) |
492 | 0 | return rc; |
493 | | |
494 | 0 | if (!rc && ret_pk) |
495 | 0 | copy_public_key(ret_pk,pk); |
496 | |
|
497 | 0 | return rc; |
498 | 0 | } |
499 | | |
500 | | |
501 | | /* This function is similar to check_signature_end, but it only checks |
502 | | * whether the signature was generated by PK. It does not check |
503 | | * expiration, revocation, etc. */ |
504 | | static int |
505 | | check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
506 | | gcry_md_hd_t digest, |
507 | | const void *extrahash, size_t extrahashlen) |
508 | 0 | { |
509 | 0 | gcry_mpi_t result = NULL; |
510 | 0 | int rc = 0; |
511 | |
|
512 | 0 | if (!opt.flags.allow_weak_digest_algos) |
513 | 0 | { |
514 | 0 | if (is_weak_digest (sig->digest_algo)) |
515 | 0 | { |
516 | 0 | print_digest_rejected_note (sig->digest_algo); |
517 | 0 | return GPG_ERR_DIGEST_ALGO; |
518 | 0 | } |
519 | 0 | } |
520 | | |
521 | | /* For key signatures check that the key has a cert usage. We may |
522 | | * do this only for subkeys because the primary may always issue key |
523 | | * signature. The latter may not be reflected in the pubkey_usage |
524 | | * field because we need to check the key signatures to extract the |
525 | | * key usage. */ |
526 | 0 | if (!pk->flags.primary |
527 | 0 | && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT)) |
528 | 0 | { |
529 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
530 | 0 | if (!opt.quiet) |
531 | 0 | log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"), |
532 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
533 | 0 | sig->sig_class, pk->pubkey_usage); |
534 | 0 | return rc; |
535 | 0 | } |
536 | | |
537 | | /* For data signatures check that the key has sign usage. */ |
538 | 0 | if (!IS_BACK_SIG (sig) && IS_SIG (sig) |
539 | 0 | && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) |
540 | 0 | { |
541 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
542 | 0 | if (!opt.quiet) |
543 | 0 | log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), |
544 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
545 | 0 | sig->sig_class, pk->pubkey_usage); |
546 | 0 | return rc; |
547 | 0 | } |
548 | | |
549 | | /* Make sure the digest algo is enabled (in case of a detached |
550 | | * signature). */ |
551 | 0 | gcry_md_enable (digest, sig->digest_algo); |
552 | | |
553 | | /* Complete the digest. */ |
554 | 0 | if (sig->version >= 4) |
555 | 0 | gcry_md_putc (digest, sig->version); |
556 | |
|
557 | 0 | gcry_md_putc( digest, sig->sig_class ); |
558 | 0 | if (sig->version < 4) |
559 | 0 | { |
560 | 0 | u32 a = sig->timestamp; |
561 | 0 | gcry_md_putc (digest, ((a >> 24) & 0xff)); |
562 | 0 | gcry_md_putc (digest, ((a >> 16) & 0xff)); |
563 | 0 | gcry_md_putc (digest, ((a >> 8) & 0xff)); |
564 | 0 | gcry_md_putc (digest, ( a & 0xff)); |
565 | 0 | } |
566 | 0 | else |
567 | 0 | { |
568 | 0 | byte buf[10]; |
569 | 0 | int i; |
570 | 0 | size_t n; |
571 | |
|
572 | 0 | gcry_md_putc (digest, sig->pubkey_algo); |
573 | 0 | gcry_md_putc (digest, sig->digest_algo); |
574 | 0 | if (sig->hashed) |
575 | 0 | { |
576 | 0 | n = sig->hashed->len; |
577 | 0 | gcry_md_putc (digest, (n >> 8) ); |
578 | 0 | gcry_md_putc (digest, n ); |
579 | 0 | gcry_md_write (digest, sig->hashed->data, n); |
580 | 0 | n += 6; |
581 | 0 | } |
582 | 0 | else |
583 | 0 | { |
584 | | /* Two octets for the (empty) length of the hashed |
585 | | * section. */ |
586 | 0 | gcry_md_putc (digest, 0); |
587 | 0 | gcry_md_putc (digest, 0); |
588 | 0 | n = 6; |
589 | 0 | } |
590 | | /* Hash data from the literal data packet. */ |
591 | 0 | if (sig->version >= 5 |
592 | 0 | && (sig->sig_class == 0x00 || sig->sig_class == 0x01)) |
593 | 0 | { |
594 | | /* - One octet content format |
595 | | * - File name (one octet length followed by the name) |
596 | | * - Four octet timestamp */ |
597 | 0 | if (extrahash && extrahashlen) |
598 | 0 | gcry_md_write (digest, extrahash, extrahashlen); |
599 | 0 | else /* Detached signature. */ |
600 | 0 | { |
601 | 0 | memset (buf, 0, 6); |
602 | 0 | gcry_md_write (digest, buf, 6); |
603 | 0 | } |
604 | 0 | } |
605 | | /* Add some magic per Section 5.2.4 of RFC 4880. */ |
606 | 0 | i = 0; |
607 | 0 | buf[i++] = sig->version; |
608 | 0 | buf[i++] = 0xff; |
609 | 0 | if (sig->version >= 5) |
610 | 0 | { |
611 | 0 | #if SIZEOF_SIZE_T > 4 |
612 | 0 | buf[i++] = n >> 56; |
613 | 0 | buf[i++] = n >> 48; |
614 | 0 | buf[i++] = n >> 40; |
615 | 0 | buf[i++] = n >> 32; |
616 | | #else |
617 | | buf[i++] = 0; |
618 | | buf[i++] = 0; |
619 | | buf[i++] = 0; |
620 | | buf[i++] = 0; |
621 | | #endif |
622 | 0 | } |
623 | 0 | buf[i++] = n >> 24; |
624 | 0 | buf[i++] = n >> 16; |
625 | 0 | buf[i++] = n >> 8; |
626 | 0 | buf[i++] = n; |
627 | 0 | gcry_md_write (digest, buf, i); |
628 | 0 | } |
629 | 0 | gcry_md_final( digest ); |
630 | | |
631 | | /* Convert the digest to an MPI. */ |
632 | 0 | result = encode_md_value (pk, digest, sig->digest_algo ); |
633 | 0 | if (!result) |
634 | 0 | return GPG_ERR_GENERAL; |
635 | | |
636 | | /* Verify the signature. */ |
637 | 0 | if (DBG_CLOCK && sig->sig_class <= 0x01) |
638 | 0 | log_clock ("enter pk_verify"); |
639 | 0 | rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey ); |
640 | 0 | if (DBG_CLOCK && sig->sig_class <= 0x01) |
641 | 0 | log_clock ("leave pk_verify"); |
642 | 0 | gcry_mpi_release (result); |
643 | |
|
644 | 0 | if (!rc && sig->flags.unknown_critical) |
645 | 0 | { |
646 | 0 | log_info(_("assuming bad signature from key %s" |
647 | 0 | " due to an unknown critical bit\n"),keystr_from_pk(pk)); |
648 | 0 | rc = GPG_ERR_BAD_SIGNATURE; |
649 | 0 | } |
650 | |
|
651 | 0 | return rc; |
652 | 0 | } |
653 | | |
654 | | |
655 | | /* Add a uid node to a hash context. See section 5.2.4, paragraph 4 |
656 | | * of RFC 4880. */ |
657 | | static void |
658 | | hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig ) |
659 | 0 | { |
660 | 0 | if (uid->attrib_data) |
661 | 0 | { |
662 | 0 | if (sig->version >= 4) |
663 | 0 | { |
664 | 0 | byte buf[5]; |
665 | 0 | buf[0] = 0xd1; /* packet of type 17 */ |
666 | 0 | buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ |
667 | 0 | buf[2] = uid->attrib_len >> 16; |
668 | 0 | buf[3] = uid->attrib_len >> 8; |
669 | 0 | buf[4] = uid->attrib_len; |
670 | 0 | gcry_md_write( md, buf, 5 ); |
671 | 0 | } |
672 | 0 | gcry_md_write( md, uid->attrib_data, uid->attrib_len ); |
673 | 0 | } |
674 | 0 | else |
675 | 0 | { |
676 | 0 | if (sig->version >= 4) |
677 | 0 | { |
678 | 0 | byte buf[5]; |
679 | 0 | buf[0] = 0xb4; /* indicates a userid packet */ |
680 | 0 | buf[1] = uid->len >> 24; /* always use 4 length bytes */ |
681 | 0 | buf[2] = uid->len >> 16; |
682 | 0 | buf[3] = uid->len >> 8; |
683 | 0 | buf[4] = uid->len; |
684 | 0 | gcry_md_write( md, buf, 5 ); |
685 | 0 | } |
686 | 0 | gcry_md_write( md, uid->name, uid->len ); |
687 | 0 | } |
688 | 0 | } |
689 | | |
690 | | static void |
691 | | cache_sig_result ( PKT_signature *sig, int result ) |
692 | 0 | { |
693 | 0 | if (!result) |
694 | 0 | { |
695 | 0 | sig->flags.checked = 1; |
696 | 0 | sig->flags.valid = 1; |
697 | 0 | } |
698 | 0 | else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE) |
699 | 0 | { |
700 | 0 | sig->flags.checked = 1; |
701 | 0 | sig->flags.valid = 0; |
702 | 0 | } |
703 | 0 | else |
704 | 0 | { |
705 | 0 | sig->flags.checked = 0; |
706 | 0 | sig->flags.valid = 0; |
707 | 0 | } |
708 | 0 | } |
709 | | |
710 | | |
711 | | /* SIG is a key revocation signature. Check if this signature was |
712 | | * generated by any of the public key PK's designated revokers. |
713 | | * |
714 | | * PK is the public key that SIG allegedly revokes. |
715 | | * |
716 | | * SIG is the revocation signature to check. |
717 | | * |
718 | | * This function avoids infinite recursion, which can happen if two |
719 | | * keys are designed revokers for each other and they revoke each |
720 | | * other. This is done by observing that if a key A is revoked by key |
721 | | * B we still consider the revocation to be valid even if B is |
722 | | * revoked. Thus, we don't need to determine whether B is revoked to |
723 | | * determine whether A has been revoked by B, we just need to check |
724 | | * the signature. |
725 | | * |
726 | | * Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not |
727 | | * revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is |
728 | | * only returned when a revocation signature is from a valid |
729 | | * revocation key designated in a revkey subpacket, but the revocation |
730 | | * key itself isn't present. |
731 | | * |
732 | | * XXX: This code will need to be modified if gpg ever becomes |
733 | | * multi-threaded. Note that this guarantees that a designated |
734 | | * revocation sig will never be considered valid unless it is actually |
735 | | * valid, as well as being issued by a revocation key in a valid |
736 | | * direct signature. Note also that this is written so that a revoked |
737 | | * revoker can still issue revocations: i.e. If A revokes B, but A is |
738 | | * revoked, B is still revoked. I'm not completely convinced this is |
739 | | * the proper behavior, but it matches how PGP does it. -dms */ |
740 | | int |
741 | | check_revocation_keys (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig) |
742 | 0 | { |
743 | 0 | static int busy=0; |
744 | 0 | int i; |
745 | 0 | int rc = GPG_ERR_GENERAL; |
746 | |
|
747 | 0 | log_assert (IS_KEY_REV(sig)); |
748 | 0 | log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1])); |
749 | | |
750 | | /* Avoid infinite recursion. Consider the following: |
751 | | * |
752 | | * - We want to check if A is revoked. |
753 | | * |
754 | | * - C is a designated revoker for B and has revoked B. |
755 | | * |
756 | | * - B is a designated revoker for A and has revoked A. |
757 | | * |
758 | | * When checking if A is revoked (in merge_selfsigs_main), we |
759 | | * observe that A has a designed revoker. As such, we call this |
760 | | * function. This function sees that there is a valid revocation |
761 | | * signature, which is signed by B. It then calls check_signature() |
762 | | * to verify that the signature is good. To check the sig, we need |
763 | | * to lookup B. Looking up B means calling merge_selfsigs_main, |
764 | | * which checks whether B is revoked, which calls this function to |
765 | | * see if B was revoked by some key. |
766 | | * |
767 | | * In this case, the added level of indirection doesn't hurt. It |
768 | | * just means a bit more work. However, if C == A, then we'd end up |
769 | | * in a loop. But, it doesn't make sense to look up C anyways: even |
770 | | * if B is revoked, we conservatively consider a valid revocation |
771 | | * signed by B to revoke A. Since this is the only place where this |
772 | | * type of recursion can occur, we simply cause this function to |
773 | | * fail if it is entered recursively. */ |
774 | 0 | if (busy) |
775 | 0 | { |
776 | | /* Return an error (i.e. not revoked), but mark the pk as |
777 | | uncacheable as we don't really know its revocation status |
778 | | until it is checked directly. */ |
779 | 0 | pk->flags.dont_cache = 1; |
780 | 0 | return rc; |
781 | 0 | } |
782 | | |
783 | 0 | busy=1; |
784 | | |
785 | | /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1], |
786 | | (ulong)sig->keyid[1]); */ |
787 | | |
788 | | /* is the issuer of the sig one of our revokers? */ |
789 | 0 | if( !pk->revkey && pk->numrevkeys ) |
790 | 0 | BUG(); |
791 | 0 | else |
792 | 0 | for(i=0;i<pk->numrevkeys;i++) |
793 | 0 | { |
794 | | /* The revoker's keyid. */ |
795 | 0 | u32 keyid[2]; |
796 | |
|
797 | 0 | keyid_from_fingerprint (ctrl, pk->revkey[i].fpr, pk->revkey[i].fprlen, |
798 | 0 | keyid); |
799 | |
|
800 | 0 | if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1]) |
801 | | /* The signature was generated by a designated revoker. |
802 | | Verify the signature. */ |
803 | 0 | { |
804 | 0 | gcry_md_hd_t md; |
805 | |
|
806 | 0 | rc = gcry_md_open (&md, sig->digest_algo, 0); |
807 | 0 | if (rc) |
808 | 0 | return rc; |
809 | 0 | hash_public_key(md,pk); |
810 | | /* Note: check_signature only checks that the signature |
811 | | is good. It does not fail if the key is revoked. */ |
812 | 0 | rc = check_signature (ctrl, sig, md); |
813 | 0 | cache_sig_result(sig,rc); |
814 | 0 | gcry_md_close (md); |
815 | 0 | break; |
816 | 0 | } |
817 | 0 | } |
818 | | |
819 | 0 | busy=0; |
820 | |
|
821 | 0 | return rc; |
822 | 0 | } |
823 | | |
824 | | /* Check that the backsig BACKSIG from the subkey SUB_PK to its |
825 | | * primary key MAIN_PK is valid. |
826 | | * |
827 | | * Backsigs (0x19) have the same format as binding sigs (0x18), but |
828 | | * this function is simpler than check_key_signature in a few ways. |
829 | | * For example, there is no support for expiring backsigs since it is |
830 | | * questionable what such a thing actually means. Note also that the |
831 | | * sig cache check here, unlike other sig caches in GnuPG, is not |
832 | | * persistent. */ |
833 | | int |
834 | | check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk, |
835 | | PKT_signature *backsig) |
836 | 0 | { |
837 | 0 | gcry_md_hd_t md; |
838 | 0 | int rc; |
839 | | |
840 | | /* Always check whether the algorithm is available. Although |
841 | | gcry_md_open would throw an error, some libgcrypt versions will |
842 | | print a debug message in that case too. */ |
843 | 0 | if ((rc=openpgp_md_test_algo (backsig->digest_algo))) |
844 | 0 | return rc; |
845 | | |
846 | 0 | if(!opt.no_sig_cache && backsig->flags.checked) |
847 | 0 | return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE); |
848 | | |
849 | 0 | rc = gcry_md_open (&md, backsig->digest_algo,0); |
850 | 0 | if (!rc) |
851 | 0 | { |
852 | 0 | hash_public_key(md,main_pk); |
853 | 0 | hash_public_key(md,sub_pk); |
854 | 0 | rc = check_signature_end (sub_pk, backsig, md, NULL, 0, NULL, NULL, NULL); |
855 | 0 | cache_sig_result(backsig,rc); |
856 | 0 | gcry_md_close(md); |
857 | 0 | } |
858 | |
|
859 | 0 | return rc; |
860 | 0 | } |
861 | | |
862 | | |
863 | | /* Check that a signature over a key is valid. This is a |
864 | | * specialization of check_key_signature2 with the unnamed parameters |
865 | | * passed as NULL. See the documentation for that function for more |
866 | | * details. */ |
867 | | int |
868 | | check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node, |
869 | | int *is_selfsig) |
870 | 0 | { |
871 | 0 | return check_key_signature2 (ctrl, root, node, NULL, NULL, |
872 | 0 | is_selfsig, NULL, NULL); |
873 | 0 | } |
874 | | |
875 | | |
876 | | /* Returns whether SIGNER generated the signature SIG over the packet |
877 | | * PACKET, which is a key, subkey or uid, and comes from the key block |
878 | | * KB. (KB is PACKET's corresponding keyblock; we don't assume that |
879 | | * SIG has been added to the keyblock.) |
880 | | * |
881 | | * If SIGNER is set, then checks whether SIGNER generated the |
882 | | * signature. Otherwise, uses SIG->KEYID to find the alleged signer. |
883 | | * This parameter can be used to effectively override the alleged |
884 | | * signer that is stored in SIG. |
885 | | * |
886 | | * KB may be NULL if SIGNER is set. |
887 | | * |
888 | | * Unlike check_key_signature, this function ignores any cached |
889 | | * results! That is, it does not consider SIG->FLAGS.CHECKED and |
890 | | * SIG->FLAGS.VALID nor does it set them. |
891 | | * |
892 | | * This doesn't check the signature's semantic mean. Concretely, it |
893 | | * doesn't check whether a non-self signed revocation signature was |
894 | | * created by a designated revoker. In fact, it doesn't return an |
895 | | * error for a binding generated by a completely different key! |
896 | | * |
897 | | * Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if |
898 | | * this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if |
899 | | * the key that generated the signature (according to SIG) could not |
900 | | * be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad. |
901 | | * Other errors codes may be returned if something else goes wrong. |
902 | | * |
903 | | * IF IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a |
904 | | * self-signature (by the key's primary key) or 0 if not. |
905 | | * |
906 | | * If RET_PK is not NULL, returns a copy of the public key that |
907 | | * generated the signature (i.e., the signer) on success. This must |
908 | | * be released by the caller using release_public_key_parts (). */ |
909 | | gpg_error_t |
910 | | check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, |
911 | | PKT_signature *sig, KBNODE kb, PACKET *packet, |
912 | | int *is_selfsig, PKT_public_key *ret_pk) |
913 | 0 | { |
914 | 0 | int rc; |
915 | 0 | PKT_public_key *pripk = kb->pkt->pkt.public_key; |
916 | 0 | gcry_md_hd_t md; |
917 | 0 | int signer_alloced = 0; |
918 | 0 | int stub_is_selfsig; |
919 | |
|
920 | 0 | if (!is_selfsig) |
921 | 0 | is_selfsig = &stub_is_selfsig; |
922 | |
|
923 | 0 | rc = openpgp_pk_test_algo (sig->pubkey_algo); |
924 | 0 | if (rc) |
925 | 0 | return rc; |
926 | 0 | rc = openpgp_md_test_algo (sig->digest_algo); |
927 | 0 | if (rc) |
928 | 0 | return rc; |
929 | | |
930 | | /* A signature's class indicates the type of packet that it |
931 | | signs. */ |
932 | 0 | if (IS_BACK_SIG (sig) || IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
933 | 0 | { |
934 | | /* Key revocations can only be over primary keys. */ |
935 | 0 | if (packet->pkttype != PKT_PUBLIC_KEY) |
936 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
937 | 0 | } |
938 | 0 | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
939 | 0 | { |
940 | 0 | if (packet->pkttype != PKT_PUBLIC_SUBKEY) |
941 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
942 | 0 | } |
943 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
944 | 0 | { |
945 | 0 | if (packet->pkttype != PKT_USER_ID) |
946 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
947 | 0 | } |
948 | 0 | else |
949 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
950 | | |
951 | | /* PACKET is the right type for SIG. */ |
952 | | |
953 | 0 | if (signer) |
954 | 0 | { |
955 | 0 | if (signer->keyid[0] == pripk->keyid[0] |
956 | 0 | && signer->keyid[1] == pripk->keyid[1]) |
957 | 0 | *is_selfsig = 1; |
958 | 0 | else |
959 | 0 | *is_selfsig = 0; |
960 | 0 | } |
961 | 0 | else |
962 | 0 | { |
963 | | /* Get the signer. If possible, avoid a look up. */ |
964 | 0 | if (sig->keyid[0] == pripk->keyid[0] |
965 | 0 | && sig->keyid[1] == pripk->keyid[1]) |
966 | 0 | { |
967 | | /* Issued by the primary key. */ |
968 | 0 | signer = pripk; |
969 | 0 | *is_selfsig = 1; |
970 | 0 | } |
971 | 0 | else |
972 | 0 | { |
973 | | /* See if one of the subkeys was the signer (although this |
974 | | * is extremely unlikely). */ |
975 | 0 | kbnode_t ctx = NULL; |
976 | 0 | kbnode_t n; |
977 | |
|
978 | 0 | while ((n = walk_kbnode (kb, &ctx, 0))) |
979 | 0 | { |
980 | 0 | PKT_public_key *subk; |
981 | |
|
982 | 0 | if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY) |
983 | 0 | continue; |
984 | | |
985 | 0 | subk = n->pkt->pkt.public_key; |
986 | 0 | if (sig->keyid[0] == subk->keyid[0] |
987 | 0 | && sig->keyid[1] == subk->keyid[1]) |
988 | 0 | { |
989 | | /* Issued by a subkey. */ |
990 | 0 | signer = subk; |
991 | 0 | break; |
992 | 0 | } |
993 | 0 | } |
994 | |
|
995 | 0 | if (! signer) |
996 | 0 | { |
997 | | /* Signer by some other key. */ |
998 | 0 | *is_selfsig = 0; |
999 | 0 | if (ret_pk) |
1000 | 0 | { |
1001 | 0 | signer = ret_pk; |
1002 | | /* FIXME: Using memset here is probematic because it |
1003 | | * assumes that there are no allocated fields in |
1004 | | * SIGNER. */ |
1005 | 0 | memset (signer, 0, sizeof (*signer)); |
1006 | 0 | signer_alloced = 1; |
1007 | 0 | } |
1008 | 0 | else |
1009 | 0 | { |
1010 | 0 | signer = xmalloc_clear (sizeof (*signer)); |
1011 | 0 | signer_alloced = 2; |
1012 | 0 | } |
1013 | |
|
1014 | 0 | if (IS_CERT (sig)) |
1015 | 0 | signer->req_usage = PUBKEY_USAGE_CERT; |
1016 | |
|
1017 | 0 | rc = get_pubkey_for_sig (ctrl, signer, sig, NULL); |
1018 | 0 | if (rc) |
1019 | 0 | { |
1020 | 0 | xfree (signer); |
1021 | 0 | signer = NULL; |
1022 | 0 | signer_alloced = 0; |
1023 | 0 | goto leave; |
1024 | 0 | } |
1025 | 0 | } |
1026 | 0 | } |
1027 | 0 | } |
1028 | | |
1029 | | /* We checked above that we supported this algo, so an error here is |
1030 | | * a bug. */ |
1031 | 0 | if (gcry_md_open (&md, sig->digest_algo, 0)) |
1032 | 0 | BUG (); |
1033 | | |
1034 | | /* Hash the relevant data. */ |
1035 | | |
1036 | 0 | if (IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
1037 | 0 | { |
1038 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1039 | 0 | hash_public_key (md, packet->pkt.public_key); |
1040 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1041 | 0 | } |
1042 | 0 | else if (IS_BACK_SIG (sig)) |
1043 | 0 | { |
1044 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1045 | 0 | hash_public_key (md, packet->pkt.public_key); |
1046 | 0 | hash_public_key (md, signer); |
1047 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1048 | 0 | } |
1049 | 0 | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
1050 | 0 | { |
1051 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY); |
1052 | 0 | hash_public_key (md, pripk); |
1053 | 0 | hash_public_key (md, packet->pkt.public_key); |
1054 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1055 | 0 | } |
1056 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1057 | 0 | { |
1058 | 0 | log_assert (packet->pkttype == PKT_USER_ID); |
1059 | 0 | if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig |
1060 | 0 | && !opt.flags.allow_weak_key_signatures) |
1061 | 0 | { |
1062 | | /* If the signature was created using SHA-1 we consider this |
1063 | | * signature invalid because it makes it possible to mount a |
1064 | | * chosen-prefix collision. We don't do this for |
1065 | | * self-signatures, though. */ |
1066 | 0 | print_sha1_keysig_rejected_note (); |
1067 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
1068 | 0 | } |
1069 | 0 | else |
1070 | 0 | { |
1071 | 0 | hash_public_key (md, pripk); |
1072 | 0 | hash_uid_packet (packet->pkt.user_id, md, sig); |
1073 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1074 | 0 | } |
1075 | 0 | } |
1076 | 0 | else |
1077 | 0 | { |
1078 | | /* We should never get here. (The first if above should have |
1079 | | * already caught this error.) */ |
1080 | 0 | BUG (); |
1081 | 0 | } |
1082 | | |
1083 | 0 | gcry_md_close (md); |
1084 | |
|
1085 | 0 | leave: |
1086 | 0 | if (! rc && ret_pk && ret_pk != signer) |
1087 | 0 | copy_public_key (ret_pk, signer); |
1088 | |
|
1089 | 0 | if (signer_alloced) |
1090 | 0 | { |
1091 | | /* We looked up SIGNER; it is not a pointer into KB. */ |
1092 | 0 | release_public_key_parts (signer); |
1093 | | /* Free if we also allocated the memory. */ |
1094 | 0 | if (signer_alloced == 2) |
1095 | 0 | xfree (signer); |
1096 | 0 | } |
1097 | |
|
1098 | 0 | return rc; |
1099 | 0 | } |
1100 | | |
1101 | | |
1102 | | /* Check that a signature over a key (e.g., a key revocation, key |
1103 | | * binding, user id certification, etc.) is valid. If the function |
1104 | | * detects a self-signature, it uses the public key from the specified |
1105 | | * key block and does not bother looking up the key specified in the |
1106 | | * signature packet. |
1107 | | * |
1108 | | * ROOT is a keyblock. |
1109 | | * |
1110 | | * NODE references a signature packet that appears in the keyblock |
1111 | | * that should be verified. |
1112 | | * |
1113 | | * If CHECK_PK is set, the specified key is sometimes preferred for |
1114 | | * verifying signatures. See the implementation for details. |
1115 | | * |
1116 | | * If RET_PK is not NULL, the public key that successfully verified |
1117 | | * the signature is copied into *RET_PK. |
1118 | | * |
1119 | | * If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a |
1120 | | * self-signature. |
1121 | | * |
1122 | | * If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry |
1123 | | * date. |
1124 | | * |
1125 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been |
1126 | | * expired (0 otherwise). Note: PK being revoked does not cause this |
1127 | | * function to fail. |
1128 | | * |
1129 | | * |
1130 | | * If OPT.NO_SIG_CACHE is not set, this function will first check if |
1131 | | * the result of a previous verification is already cached in the |
1132 | | * signature packet's data structure. |
1133 | | * |
1134 | | * TODO: add r_revoked here as well. It has the same problems as |
1135 | | * r_expiredate and r_expired and the cache [nw]. Which problems [wk]? */ |
1136 | | int |
1137 | | check_key_signature2 (ctrl_t ctrl, |
1138 | | kbnode_t root, kbnode_t node, PKT_public_key *check_pk, |
1139 | | PKT_public_key *ret_pk, int *is_selfsig, |
1140 | | u32 *r_expiredate, int *r_expired ) |
1141 | 0 | { |
1142 | 0 | PKT_public_key *pk; |
1143 | 0 | PKT_signature *sig; |
1144 | 0 | int algo; |
1145 | 0 | int rc; |
1146 | |
|
1147 | 0 | if (is_selfsig) |
1148 | 0 | *is_selfsig = 0; |
1149 | 0 | if (r_expiredate) |
1150 | 0 | *r_expiredate = 0; |
1151 | 0 | if (r_expired) |
1152 | 0 | *r_expired = 0; |
1153 | 0 | log_assert (node->pkt->pkttype == PKT_SIGNATURE); |
1154 | 0 | log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY); |
1155 | | |
1156 | 0 | pk = root->pkt->pkt.public_key; |
1157 | 0 | sig = node->pkt->pkt.signature; |
1158 | 0 | algo = sig->digest_algo; |
1159 | | |
1160 | | /* Check whether we have cached the result of a previous signature |
1161 | | * check. Note that we may no longer have the pubkey or hash |
1162 | | * needed to verify a sig, but can still use the cached value. A |
1163 | | * cache refresh detects and clears these cases. */ |
1164 | 0 | if ( !opt.no_sig_cache ) |
1165 | 0 | { |
1166 | 0 | cache_stats.total++; |
1167 | 0 | if (sig->flags.checked) /* Cached status available. */ |
1168 | 0 | { |
1169 | 0 | cache_stats.cached++; |
1170 | 0 | if (is_selfsig) |
1171 | 0 | { |
1172 | 0 | u32 keyid[2]; |
1173 | |
|
1174 | 0 | keyid_from_pk (pk, keyid); |
1175 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
1176 | 0 | *is_selfsig = 1; |
1177 | 0 | } |
1178 | | /* BUG: This is wrong for non-self-sigs... needs to be the |
1179 | | * actual pk. */ |
1180 | 0 | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1181 | 0 | if (rc) |
1182 | 0 | return rc; |
1183 | 0 | if (sig->flags.valid) |
1184 | 0 | { |
1185 | 0 | cache_stats.goodsig++; |
1186 | 0 | return 0; |
1187 | 0 | } |
1188 | 0 | cache_stats.badsig++; |
1189 | 0 | return gpg_error (GPG_ERR_BAD_SIGNATURE); |
1190 | 0 | } |
1191 | 0 | } |
1192 | | |
1193 | 0 | rc = openpgp_pk_test_algo(sig->pubkey_algo); |
1194 | 0 | if (rc) |
1195 | 0 | return rc; |
1196 | 0 | rc = openpgp_md_test_algo(algo); |
1197 | 0 | if (rc) |
1198 | 0 | return rc; |
1199 | | |
1200 | 0 | if (IS_KEY_REV (sig)) |
1201 | 0 | { |
1202 | 0 | u32 keyid[2]; |
1203 | 0 | keyid_from_pk( pk, keyid ); |
1204 | | |
1205 | | /* Is it a designated revoker? */ |
1206 | 0 | if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1]) |
1207 | 0 | rc = check_revocation_keys (ctrl, pk, sig); |
1208 | 0 | else |
1209 | 0 | { |
1210 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1211 | 0 | r_expired, NULL); |
1212 | 0 | if (! rc) |
1213 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, |
1214 | 0 | root, root->pkt, |
1215 | 0 | is_selfsig, ret_pk); |
1216 | 0 | } |
1217 | 0 | } |
1218 | 0 | else if (IS_SUBKEY_REV (sig) || IS_SUBKEY_SIG (sig)) |
1219 | 0 | { |
1220 | 0 | kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY); |
1221 | |
|
1222 | 0 | if (snode) |
1223 | 0 | { |
1224 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1225 | 0 | r_expired, NULL); |
1226 | 0 | if (! rc) |
1227 | 0 | { |
1228 | | /* A subkey revocation (0x28) must be a self-sig, but a |
1229 | | * subkey signature (0x18) needn't be. */ |
1230 | 0 | rc = check_signature_over_key_or_uid (ctrl, |
1231 | 0 | IS_SUBKEY_SIG (sig) |
1232 | 0 | ? NULL : pk, |
1233 | 0 | sig, root, snode->pkt, |
1234 | 0 | is_selfsig, ret_pk); |
1235 | 0 | } |
1236 | 0 | } |
1237 | 0 | else |
1238 | 0 | { |
1239 | 0 | if (opt.verbose) |
1240 | 0 | { |
1241 | 0 | if (IS_SUBKEY_REV (sig)) |
1242 | 0 | log_info (_("key %s: no subkey for subkey" |
1243 | 0 | " revocation signature\n"), keystr_from_pk(pk)); |
1244 | 0 | else if (sig->sig_class == 0x18) |
1245 | 0 | log_info(_("key %s: no subkey for subkey" |
1246 | 0 | " binding signature\n"), keystr_from_pk(pk)); |
1247 | 0 | } |
1248 | 0 | rc = GPG_ERR_SIG_CLASS; |
1249 | 0 | } |
1250 | 0 | } |
1251 | 0 | else if (IS_KEY_SIG (sig)) /* direct key signature */ |
1252 | 0 | { |
1253 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1254 | 0 | r_expired, NULL); |
1255 | 0 | if (! rc) |
1256 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, root, root->pkt, |
1257 | 0 | is_selfsig, ret_pk); |
1258 | 0 | } |
1259 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1260 | 0 | { |
1261 | 0 | kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID); |
1262 | |
|
1263 | 0 | if (unode) |
1264 | 0 | { |
1265 | 0 | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1266 | 0 | if (! rc) |
1267 | 0 | { |
1268 | | /* If this is a self-sig, ignore check_pk. */ |
1269 | 0 | rc = check_signature_over_key_or_uid |
1270 | 0 | (ctrl, |
1271 | 0 | keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk, |
1272 | 0 | sig, root, unode->pkt, NULL, ret_pk); |
1273 | 0 | } |
1274 | 0 | } |
1275 | 0 | else |
1276 | 0 | { |
1277 | 0 | if (!opt.quiet) |
1278 | 0 | log_info ("key %s: no user ID for key signature packet" |
1279 | 0 | " of class %02x\n",keystr_from_pk(pk),sig->sig_class); |
1280 | 0 | rc = GPG_ERR_SIG_CLASS; |
1281 | 0 | } |
1282 | 0 | } |
1283 | 0 | else |
1284 | 0 | { |
1285 | 0 | log_info ("sig issued by %s with class %d (digest: %02x %02x)" |
1286 | 0 | " is not valid over a user id or a key id, ignoring.\n", |
1287 | 0 | keystr (sig->keyid), sig->sig_class, |
1288 | 0 | sig->digest_start[0], sig->digest_start[1]); |
1289 | 0 | rc = gpg_error (GPG_ERR_BAD_SIGNATURE); |
1290 | 0 | } |
1291 | |
|
1292 | 0 | cache_sig_result (sig, rc); |
1293 | |
|
1294 | 0 | return rc; |
1295 | 0 | } |