/src/gnupg/g10/sig-check.c
Line | Count | Source |
1 | | /* sig-check.c - Check a signature |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, |
3 | | * 2004, 2006 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2015, 2016 g10 Code GmbH |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <config.h> |
23 | | #include <stdio.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | |
27 | | #include "gpg.h" |
28 | | #include "../common/util.h" |
29 | | #include "packet.h" |
30 | | #include "keydb.h" |
31 | | #include "main.h" |
32 | | #include "../common/status.h" |
33 | | #include "../common/i18n.h" |
34 | | #include "options.h" |
35 | | #include "pkglue.h" |
36 | | #include "../common/compliance.h" |
37 | | |
38 | | static int check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
39 | | gcry_md_hd_t digest, |
40 | | const void *extrahash, size_t extrahashlen, |
41 | | int *r_expired, int *r_revoked, |
42 | | PKT_public_key *ret_pk); |
43 | | |
44 | | static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
45 | | gcry_md_hd_t digest, |
46 | | const void *extrahash, |
47 | | size_t extrahashlen); |
48 | | |
49 | | |
50 | | /* Statistics for signature verification. */ |
51 | | struct |
52 | | { |
53 | | unsigned int total; /* Total number of verifications. */ |
54 | | unsigned int cached; /* Number of seen cache entries. */ |
55 | | unsigned int goodsig;/* Number of good verifications from the cache. */ |
56 | | unsigned int badsig; /* Number of bad verifications from the cache. */ |
57 | | } cache_stats; |
58 | | |
59 | | |
60 | | /* Dump verification stats. */ |
61 | | void |
62 | | sig_check_dump_stats (void) |
63 | 0 | { |
64 | 0 | log_info ("sig_cache: total=%u cached=%u good=%u bad=%u\n", |
65 | 0 | cache_stats.total, cache_stats.cached, |
66 | 0 | cache_stats.goodsig, cache_stats.badsig); |
67 | 0 | } |
68 | | |
69 | | |
70 | | static gpg_error_t |
71 | | check_key_verify_compliance (PKT_public_key *pk) |
72 | 0 | { |
73 | 0 | gpg_error_t err = 0; |
74 | |
|
75 | 0 | if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, |
76 | 0 | pk->pubkey_algo, 0, pk->pkey, |
77 | 0 | nbits_from_pk (pk), |
78 | 0 | NULL)) |
79 | 0 | { |
80 | | /* Compliance failure. */ |
81 | 0 | log_error (_("key %s may not be used for signing in %s mode\n"), |
82 | 0 | keystr_from_pk (pk), |
83 | 0 | gnupg_compliance_option_string (opt.compliance)); |
84 | 0 | err = gpg_error (GPG_ERR_PUBKEY_ALGO); |
85 | 0 | } |
86 | |
|
87 | 0 | return err; |
88 | 0 | } |
89 | | |
90 | | |
91 | | /* Check a signature. |
92 | | * |
93 | | * Looks up the public key that created the signature (SIG->KEYID) |
94 | | * from the key db. Makes sure that the signature is valid (it was |
95 | | * not created prior to the key, the public key was created in the |
96 | | * past, and the signature does not include any unsupported critical |
97 | | * features), finishes computing the hash of the signature data, and |
98 | | * checks that the signature verifies the digest. If the key that |
99 | | * generated the signature is a subkey, this function also verifies |
100 | | * that there is a valid backsig from the subkey to the primary key. |
101 | | * Finally, if status fd is enabled and the signature class is 0x00 or |
102 | | * 0x01, then a STATUS_SIG_ID is emitted on the status fd. |
103 | | * |
104 | | * SIG is the signature to check. |
105 | | * |
106 | | * DIGEST contains a valid hash context that already includes the |
107 | | * signed data. This function adds the relevant meta-data from the |
108 | | * signature packet to compute the final hash. (See Section 5.2 of |
109 | | * RFC 4880: "The concatenation of the data being signed and the |
110 | | * signature data from the version number through the hashed subpacket |
111 | | * data (inclusive) is hashed.") |
112 | | * |
113 | | * EXTRAHASH and EXTRAHASHLEN is additional data which is hashed with |
114 | | * v5 signatures. They may be NULL to use the default. |
115 | | * |
116 | | * If FORCED_PK is not NULL this public key is used to verify the |
117 | | * signature and no other public key is looked up. This is used to |
118 | | * verify against a key included in the signature. |
119 | | * |
120 | | * If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's |
121 | | * expiry. |
122 | | * |
123 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
124 | | * (0 otherwise). Note: PK being expired does not cause this function |
125 | | * to fail. |
126 | | * |
127 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
128 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
129 | | * function to fail. |
130 | | * |
131 | | * If R_PK is not NULL, the public key is stored at that address if it |
132 | | * was found; other wise NULL is stored. |
133 | | * |
134 | | * If R_KEYBLOCK is not NULL, the entire keyblock used to verify the |
135 | | * signature is stored at that address. If no key was found or on |
136 | | * some other errors NULL is stored there. The callers needs to |
137 | | * release the keyblock using release_kbnode (kb). |
138 | | * |
139 | | * Returns 0 on success. An error code otherwise. */ |
140 | | gpg_error_t |
141 | | check_signature (ctrl_t ctrl, |
142 | | PKT_signature *sig, gcry_md_hd_t digest, |
143 | | const void *extrahash, size_t extrahashlen, |
144 | | PKT_public_key *forced_pk, |
145 | | u32 *r_expiredate, int *r_expired, int *r_revoked, |
146 | | PKT_public_key **r_pk, kbnode_t *r_keyblock) |
147 | 529 | { |
148 | 529 | int rc=0; |
149 | 529 | PKT_public_key *pk; |
150 | | |
151 | 529 | if (r_expiredate) |
152 | 0 | *r_expiredate = 0; |
153 | 529 | if (r_expired) |
154 | 529 | *r_expired = 0; |
155 | 529 | if (r_revoked) |
156 | 529 | *r_revoked = 0; |
157 | 529 | if (r_pk) |
158 | 529 | *r_pk = NULL; |
159 | 529 | if (r_keyblock) |
160 | 529 | *r_keyblock = NULL; |
161 | | |
162 | 529 | pk = xtrycalloc (1, sizeof *pk); |
163 | 529 | if (!pk) |
164 | 0 | return gpg_error_from_syserror (); |
165 | | |
166 | 529 | if ((rc=openpgp_md_test_algo(sig->digest_algo))) |
167 | 0 | { |
168 | | /* We don't have this digest. */ |
169 | 0 | } |
170 | 529 | else if (!gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) |
171 | 0 | { |
172 | | /* Compliance failure. */ |
173 | 0 | log_info (_("digest algorithm '%s' may not be used in %s mode\n"), |
174 | 0 | gcry_md_algo_name (sig->digest_algo), |
175 | 0 | gnupg_compliance_option_string (opt.compliance)); |
176 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
177 | 0 | } |
178 | 529 | else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo))) |
179 | 0 | { |
180 | | /* We don't have this pubkey algo. */ |
181 | 0 | } |
182 | 529 | else if (!gcry_md_is_enabled (digest,sig->digest_algo)) |
183 | 0 | { |
184 | | /* Sanity check that the md has a context for the hash that the |
185 | | * sig is expecting. This can happen if a onepass sig header |
186 | | * does not match the actual sig, and also if the clearsign |
187 | | * "Hash:" header is missing or does not match the actual sig. */ |
188 | 0 | log_info(_("WARNING: signature digest conflict in message\n")); |
189 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
190 | 0 | } |
191 | 529 | else if (get_pubkey_for_sig (ctrl, pk, sig, forced_pk, r_keyblock)) |
192 | 529 | rc = gpg_error (GPG_ERR_NO_PUBKEY); |
193 | 0 | else if ((rc = check_key_verify_compliance (pk))) |
194 | 0 | ;/* Compliance failure. */ |
195 | 0 | else if (!pk->flags.valid) |
196 | 0 | { |
197 | | /* You cannot have a good sig from an invalid key. */ |
198 | 0 | rc = gpg_error (GPG_ERR_BAD_PUBKEY); |
199 | 0 | } |
200 | 0 | else |
201 | 0 | { |
202 | 0 | if (r_expiredate) |
203 | 0 | *r_expiredate = pk->expiredate; |
204 | |
|
205 | 0 | rc = check_signature_end (pk, sig, digest, extrahash, extrahashlen, |
206 | 0 | r_expired, r_revoked, NULL); |
207 | | |
208 | | /* Check the backsig. This is a back signature (0x19) from |
209 | | * the subkey on the primary key. The idea here is that it |
210 | | * should not be possible for someone to "steal" subkeys and |
211 | | * claim them as their own. The attacker couldn't actually |
212 | | * use the subkey, but they could try and claim ownership of |
213 | | * any signatures issued by it. */ |
214 | 0 | if (!rc && !pk->flags.primary && pk->flags.backsig < 2) |
215 | 0 | { |
216 | 0 | if (!pk->flags.backsig) |
217 | 0 | { |
218 | 0 | log_info (_("WARNING: signing subkey %s is not" |
219 | 0 | " cross-certified\n"),keystr_from_pk(pk)); |
220 | 0 | log_info (_("please see %s for more information\n"), |
221 | 0 | "https://gnupg.org/faq/subkey-cross-certify.html"); |
222 | | /* The default option --require-cross-certification |
223 | | * makes this warning an error. */ |
224 | 0 | if (opt.flags.require_cross_cert) |
225 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
226 | 0 | } |
227 | 0 | else if(pk->flags.backsig == 1) |
228 | 0 | { |
229 | 0 | log_info (_("WARNING: signing subkey %s has an invalid" |
230 | 0 | " cross-certification\n"), keystr_from_pk(pk)); |
231 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
232 | 0 | } |
233 | 0 | } |
234 | |
|
235 | 0 | } |
236 | | |
237 | 529 | if( !rc && sig->sig_class < 2 && is_status_enabled() ) { |
238 | | /* This signature id works best with DLP algorithms because |
239 | | * they use a random parameter for every signature. Instead of |
240 | | * this sig-id we could have also used the hash of the document |
241 | | * and the timestamp, but the drawback of this is, that it is |
242 | | * not possible to sign more than one identical document within |
243 | | * one second. Some remote batch processing applications might |
244 | | * like this feature here. |
245 | | * |
246 | | * Note that before 2.0.10, we used RIPE-MD160 for the hash |
247 | | * and accidentally didn't include the timestamp and algorithm |
248 | | * information in the hash. Given that this feature is not |
249 | | * commonly used and that a replay attacks detection should |
250 | | * not solely be based on this feature (because it does not |
251 | | * work with RSA), we take the freedom and switch to SHA-1 |
252 | | * with 2.0.10 to take advantage of hardware supported SHA-1 |
253 | | * implementations. We also include the missing information |
254 | | * in the hash. Note also the SIG_ID as computed by gpg 1.x |
255 | | * and gpg 2.x didn't matched either because 2.x used to print |
256 | | * MPIs not in PGP format. */ |
257 | 0 | u32 a = sig->timestamp; |
258 | 0 | int nsig = pubkey_get_nsig( sig->pubkey_algo ); |
259 | 0 | unsigned char *p, *buffer; |
260 | 0 | size_t n, nbytes; |
261 | 0 | int i; |
262 | 0 | char hashbuf[20]; /* We use SHA-1 here. */ |
263 | |
|
264 | 0 | nbytes = 6; |
265 | 0 | for (i=0; i < nsig; i++ ) |
266 | 0 | { |
267 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
268 | 0 | { |
269 | 0 | unsigned int nbits; |
270 | |
|
271 | 0 | gcry_mpi_get_opaque (sig->data[i], &nbits); |
272 | 0 | n = (nbits+7)/8 + 2; |
273 | 0 | } |
274 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, NULL, 0, &n, sig->data[i])) |
275 | 0 | BUG(); |
276 | 0 | nbytes += n; |
277 | 0 | } |
278 | | |
279 | | /* Make buffer large enough to be later used as output buffer. */ |
280 | 0 | if (nbytes < 100) |
281 | 0 | nbytes = 100; |
282 | 0 | nbytes += 10; /* Safety margin. */ |
283 | | |
284 | | /* Fill and hash buffer. */ |
285 | 0 | buffer = p = xmalloc (nbytes); |
286 | 0 | *p++ = sig->pubkey_algo; |
287 | 0 | *p++ = sig->digest_algo; |
288 | 0 | *p++ = (a >> 24) & 0xff; |
289 | 0 | *p++ = (a >> 16) & 0xff; |
290 | 0 | *p++ = (a >> 8) & 0xff; |
291 | 0 | *p++ = a & 0xff; |
292 | 0 | nbytes -= 6; |
293 | 0 | for (i=0; i < nsig; i++ ) |
294 | 0 | { |
295 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
296 | 0 | { |
297 | 0 | const byte *sigdata; |
298 | 0 | unsigned int nbits; |
299 | |
|
300 | 0 | sigdata = gcry_mpi_get_opaque (sig->data[i], &nbits); |
301 | 0 | n = (nbits+7)/8; |
302 | 0 | p[0] = nbits >> 8; |
303 | 0 | p[1] = (nbits & 0xff); |
304 | 0 | memcpy (p+2, sigdata, n); |
305 | 0 | n += 2; |
306 | 0 | } |
307 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i])) |
308 | 0 | BUG(); |
309 | 0 | p += n; |
310 | 0 | nbytes -= n; |
311 | 0 | } |
312 | 0 | gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer); |
313 | |
|
314 | 0 | p = make_radix64_string (hashbuf, 20); |
315 | 0 | sprintf (buffer, "%s %s %lu", |
316 | 0 | p, strtimestamp (sig->timestamp), (ulong)sig->timestamp); |
317 | 0 | xfree (p); |
318 | 0 | write_status_text (STATUS_SIG_ID, buffer); |
319 | 0 | xfree (buffer); |
320 | 0 | } |
321 | | |
322 | 529 | if (r_pk) |
323 | 529 | *r_pk = pk; |
324 | 0 | else |
325 | 0 | { |
326 | 0 | release_public_key_parts (pk); |
327 | 0 | xfree (pk); |
328 | 0 | } |
329 | | |
330 | 529 | return rc; |
331 | 529 | } |
332 | | |
333 | | |
334 | | /* The signature SIG was generated with the public key PK. Check |
335 | | * whether the signature is valid in the following sense: |
336 | | * |
337 | | * - Make sure the public key was created before the signature was |
338 | | * generated. |
339 | | * |
340 | | * - Make sure the public key was created in the past |
341 | | * |
342 | | * - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0 |
343 | | * otherwise) |
344 | | * |
345 | | * - Check whether PK has been revoked (set *R_REVOKED to 1 if so |
346 | | * and 0 otherwise). |
347 | | * |
348 | | * If either of the first two tests fail, returns an error code. |
349 | | * Otherwise returns 0. (Thus, this function doesn't fail if the |
350 | | * public key is expired or revoked.) */ |
351 | | static int |
352 | | check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig, |
353 | | int *r_expired, int *r_revoked) |
354 | 1.68k | { |
355 | 1.68k | u32 cur_time; |
356 | | |
357 | 1.68k | if (r_expired) |
358 | 0 | *r_expired = 0; |
359 | 1.68k | if (r_revoked) |
360 | 0 | *r_revoked = 0; |
361 | | |
362 | 1.68k | if (pk->timestamp > sig->timestamp |
363 | 76 | && !(parse_key_usage (sig) & PUBKEY_USAGE_RENC)) |
364 | 76 | { |
365 | 76 | ulong d = pk->timestamp - sig->timestamp; |
366 | 76 | if ( d < 86400 ) |
367 | 0 | { |
368 | 0 | log_info (ngettext |
369 | 0 | ("public key %s is %lu second newer than the signature\n", |
370 | 0 | "public key %s is %lu seconds newer than the signature\n", |
371 | 0 | d), keystr_from_pk (pk), d); |
372 | 0 | } |
373 | 76 | else |
374 | 76 | { |
375 | 76 | d /= 86400; |
376 | 76 | log_info (ngettext |
377 | 76 | ("public key %s is %lu day newer than the signature\n", |
378 | 76 | "public key %s is %lu days newer than the signature\n", |
379 | 76 | d), keystr_from_pk (pk), d); |
380 | 76 | } |
381 | 76 | if (!opt.ignore_time_conflict) |
382 | 76 | return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */ |
383 | 76 | } |
384 | | |
385 | 1.61k | cur_time = make_timestamp (); |
386 | 1.61k | if (pk->timestamp > cur_time) |
387 | 0 | { |
388 | 0 | ulong d = pk->timestamp - cur_time; |
389 | 0 | if (d < 86400) |
390 | 0 | { |
391 | 0 | log_info (ngettext("key %s was created %lu second" |
392 | 0 | " in the future (time warp or clock problem)\n", |
393 | 0 | "key %s was created %lu seconds" |
394 | 0 | " in the future (time warp or clock problem)\n", |
395 | 0 | d), keystr_from_pk (pk), d); |
396 | 0 | } |
397 | 0 | else |
398 | 0 | { |
399 | 0 | d /= 86400; |
400 | 0 | log_info (ngettext("key %s was created %lu day" |
401 | 0 | " in the future (time warp or clock problem)\n", |
402 | 0 | "key %s was created %lu days" |
403 | 0 | " in the future (time warp or clock problem)\n", |
404 | 0 | d), keystr_from_pk (pk), d); |
405 | 0 | } |
406 | 0 | if (!opt.ignore_time_conflict) |
407 | 0 | return GPG_ERR_TIME_CONFLICT; |
408 | 0 | } |
409 | | |
410 | | /* Check whether the key has expired. We check the has_expired |
411 | | * flag which is set after a full evaluation of the key (getkey.c) |
412 | | * as well as a simple compare to the current time in case the |
413 | | * merge has for whatever reasons not been done. */ |
414 | 1.61k | if (pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) |
415 | 28 | { |
416 | 28 | char buf[11]; |
417 | 28 | if (opt.verbose) |
418 | 28 | log_info (_("Note: signature key %s expired %s\n"), |
419 | 0 | keystr_from_pk(pk), isotimestamp( pk->expiredate ) ); |
420 | 28 | snprintf (buf, sizeof buf, "%lu",(ulong)pk->expiredate); |
421 | 28 | write_status_text (STATUS_KEYEXPIRED, buf); |
422 | 28 | if (r_expired) |
423 | 0 | *r_expired = 1; |
424 | 28 | } |
425 | | |
426 | 1.61k | if (pk->flags.revoked) |
427 | 0 | { |
428 | 0 | if (opt.verbose) |
429 | 0 | log_info (_("Note: signature key %s has been revoked\n"), |
430 | 0 | keystr_from_pk(pk)); |
431 | 0 | if (r_revoked) |
432 | 0 | *r_revoked=1; |
433 | 0 | } |
434 | | |
435 | 1.61k | return 0; |
436 | 1.61k | } |
437 | | |
438 | | |
439 | | /* Finish generating a signature and check it. Concretely: make sure |
440 | | * that the signature is valid (it was not created prior to the key, |
441 | | * the public key was created in the past, and the signature does not |
442 | | * include any unsupported critical features), finish computing the |
443 | | * digest by adding the relevant data from the signature packet, and |
444 | | * check that the signature verifies the digest. |
445 | | * |
446 | | * DIGEST contains a hash context, which has already hashed the signed |
447 | | * data. This function adds the relevant meta-data from the signature |
448 | | * packet to compute the final hash. (See Section 5.2 of RFC 4880: |
449 | | * "The concatenation of the data being signed and the signature data |
450 | | * from the version number through the hashed subpacket data |
451 | | * (inclusive) is hashed.") |
452 | | * |
453 | | * SIG is the signature to check. |
454 | | * |
455 | | * PK is the public key used to generate the signature. |
456 | | * |
457 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
458 | | * (0 otherwise). Note: PK being expired does not cause this function |
459 | | * to fail. |
460 | | * |
461 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
462 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
463 | | * function to fail. |
464 | | * |
465 | | * If RET_PK is not NULL, PK is copied into RET_PK on success. |
466 | | * |
467 | | * Returns 0 on success. An error code other. */ |
468 | | static int |
469 | | check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
470 | | gcry_md_hd_t digest, |
471 | | const void *extrahash, size_t extrahashlen, |
472 | | int *r_expired, int *r_revoked, PKT_public_key *ret_pk) |
473 | 33 | { |
474 | 33 | int rc = 0; |
475 | | |
476 | 33 | if ((rc = check_signature_metadata_validity (pk, sig, |
477 | 33 | r_expired, r_revoked))) |
478 | 1 | return rc; |
479 | | |
480 | 32 | if ((rc = check_signature_end_simple (pk, sig, digest, |
481 | 32 | extrahash, extrahashlen))) |
482 | 2 | return rc; |
483 | | |
484 | 30 | if (!rc && ret_pk) |
485 | 0 | copy_public_key(ret_pk,pk); |
486 | | |
487 | 30 | return rc; |
488 | 32 | } |
489 | | |
490 | | |
491 | | /* This function is similar to check_signature_end, but it only checks |
492 | | * whether the signature was generated by PK. It does not check |
493 | | * expiration, revocation, etc. */ |
494 | | static int |
495 | | check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
496 | | gcry_md_hd_t digest, |
497 | | const void *extrahash, size_t extrahashlen) |
498 | 1.61k | { |
499 | 1.61k | gcry_mpi_t result = NULL; |
500 | 1.61k | int rc = 0; |
501 | | |
502 | 1.61k | if (!opt.flags.allow_weak_digest_algos) |
503 | 1.61k | { |
504 | 1.61k | if (is_weak_digest (sig->digest_algo)) |
505 | 0 | { |
506 | 0 | print_digest_rejected_note (sig->digest_algo); |
507 | 0 | return GPG_ERR_DIGEST_ALGO; |
508 | 0 | } |
509 | 1.61k | } |
510 | | |
511 | | /* For key signatures check that the key has a cert usage. We may |
512 | | * do this only for subkeys because the primary may always issue key |
513 | | * signature. The latter may not be reflected in the pubkey_usage |
514 | | * field because we need to check the key signatures to extract the |
515 | | * key usage. */ |
516 | 1.61k | if (!pk->flags.primary |
517 | 32 | && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT)) |
518 | 0 | { |
519 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
520 | 0 | if (!opt.quiet) |
521 | 0 | log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"), |
522 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
523 | 0 | sig->sig_class, pk->pubkey_usage); |
524 | 0 | return rc; |
525 | 0 | } |
526 | | |
527 | | /* For data signatures check that the key has sign usage. */ |
528 | 1.61k | if (!IS_BACK_SIG (sig) && IS_SIG (sig) |
529 | 0 | && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) |
530 | 0 | { |
531 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
532 | 0 | if (!opt.quiet) |
533 | 0 | log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), |
534 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
535 | 0 | sig->sig_class, pk->pubkey_usage); |
536 | 0 | return rc; |
537 | 0 | } |
538 | | |
539 | | /* Make sure the digest algo is enabled (in case of a detached |
540 | | * signature). */ |
541 | 1.61k | gcry_md_enable (digest, sig->digest_algo); |
542 | | |
543 | | /* Complete the digest. */ |
544 | 1.61k | if (sig->version >= 4) |
545 | 1.61k | gcry_md_putc (digest, sig->version); |
546 | | |
547 | 1.61k | gcry_md_putc( digest, sig->sig_class ); |
548 | 1.61k | if (sig->version < 4) |
549 | 1 | { |
550 | 1 | u32 a = sig->timestamp; |
551 | 1 | gcry_md_putc (digest, ((a >> 24) & 0xff)); |
552 | 1 | gcry_md_putc (digest, ((a >> 16) & 0xff)); |
553 | 1 | gcry_md_putc (digest, ((a >> 8) & 0xff)); |
554 | 1 | gcry_md_putc (digest, ( a & 0xff)); |
555 | 1 | } |
556 | 1.61k | else |
557 | 1.61k | { |
558 | 1.61k | byte buf[10]; |
559 | 1.61k | int i; |
560 | 1.61k | size_t n; |
561 | | |
562 | 1.61k | gcry_md_putc (digest, sig->pubkey_algo); |
563 | 1.61k | gcry_md_putc (digest, sig->digest_algo); |
564 | 1.61k | if (sig->hashed) |
565 | 1.61k | { |
566 | 1.61k | n = sig->hashed->len; |
567 | 1.61k | gcry_md_putc (digest, (n >> 8) ); |
568 | 1.61k | gcry_md_putc (digest, n ); |
569 | 1.61k | gcry_md_write (digest, sig->hashed->data, n); |
570 | 1.61k | n += 6; |
571 | 1.61k | } |
572 | 0 | else |
573 | 0 | { |
574 | | /* Two octets for the (empty) length of the hashed |
575 | | * section. */ |
576 | 0 | gcry_md_putc (digest, 0); |
577 | 0 | gcry_md_putc (digest, 0); |
578 | 0 | n = 6; |
579 | 0 | } |
580 | | /* Hash data from the literal data packet. */ |
581 | 1.61k | if (sig->version >= 5 |
582 | 0 | && (sig->sig_class == 0x00 || sig->sig_class == 0x01)) |
583 | 0 | { |
584 | | /* - One octet content format |
585 | | * - File name (one octet length followed by the name) |
586 | | * - Four octet timestamp */ |
587 | 0 | if (extrahash && extrahashlen) |
588 | 0 | gcry_md_write (digest, extrahash, extrahashlen); |
589 | 0 | else /* Detached signature. */ |
590 | 0 | { |
591 | 0 | memset (buf, 0, 6); |
592 | 0 | gcry_md_write (digest, buf, 6); |
593 | 0 | } |
594 | 0 | } |
595 | | /* Add some magic per Section 5.2.4 of RFC 4880. */ |
596 | 1.61k | i = 0; |
597 | 1.61k | buf[i++] = sig->version; |
598 | 1.61k | buf[i++] = 0xff; |
599 | 1.61k | if (sig->version >= 5) |
600 | 0 | { |
601 | 0 | #if SIZEOF_SIZE_T > 4 |
602 | 0 | buf[i++] = n >> 56; |
603 | 0 | buf[i++] = n >> 48; |
604 | 0 | buf[i++] = n >> 40; |
605 | 0 | buf[i++] = n >> 32; |
606 | | #else |
607 | | buf[i++] = 0; |
608 | | buf[i++] = 0; |
609 | | buf[i++] = 0; |
610 | | buf[i++] = 0; |
611 | | #endif |
612 | 0 | } |
613 | 1.61k | buf[i++] = n >> 24; |
614 | 1.61k | buf[i++] = n >> 16; |
615 | 1.61k | buf[i++] = n >> 8; |
616 | 1.61k | buf[i++] = n; |
617 | 1.61k | gcry_md_write (digest, buf, i); |
618 | 1.61k | } |
619 | 1.61k | gcry_md_final( digest ); |
620 | | |
621 | | /* Convert the digest to an MPI. */ |
622 | 1.61k | result = encode_md_value (pk, digest, sig->digest_algo ); |
623 | 1.61k | if (!result) |
624 | 0 | return GPG_ERR_GENERAL; |
625 | | |
626 | | /* Verify the signature. */ |
627 | 1.61k | if (DBG_CLOCK && sig->sig_class <= 0x01) |
628 | 1.61k | log_clock ("enter pk_verify"); |
629 | 1.61k | rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey ); |
630 | 1.61k | if (DBG_CLOCK && sig->sig_class <= 0x01) |
631 | 1.61k | log_clock ("leave pk_verify"); |
632 | 1.61k | gcry_mpi_release (result); |
633 | | |
634 | 1.61k | if (!rc && sig->flags.unknown_critical) |
635 | 0 | { |
636 | 0 | log_info(_("assuming bad signature from key %s" |
637 | 0 | " due to an unknown critical bit\n"),keystr_from_pk(pk)); |
638 | 0 | rc = GPG_ERR_BAD_SIGNATURE; |
639 | 0 | } |
640 | | |
641 | 1.61k | return rc; |
642 | 1.61k | } |
643 | | |
644 | | |
645 | | /* Add a uid node to a hash context. See section 5.2.4, paragraph 4 |
646 | | * of RFC 4880. */ |
647 | | static void |
648 | | hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig ) |
649 | 1.05k | { |
650 | 1.05k | if (uid->attrib_data) |
651 | 0 | { |
652 | 0 | if (sig->version >= 4) |
653 | 0 | { |
654 | 0 | byte buf[5]; |
655 | 0 | buf[0] = 0xd1; /* packet of type 17 */ |
656 | 0 | buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ |
657 | 0 | buf[2] = uid->attrib_len >> 16; |
658 | 0 | buf[3] = uid->attrib_len >> 8; |
659 | 0 | buf[4] = uid->attrib_len; |
660 | 0 | gcry_md_write( md, buf, 5 ); |
661 | 0 | } |
662 | 0 | gcry_md_write( md, uid->attrib_data, uid->attrib_len ); |
663 | 0 | } |
664 | 1.05k | else |
665 | 1.05k | { |
666 | 1.05k | if (sig->version >= 4) |
667 | 1.05k | { |
668 | 1.05k | byte buf[5]; |
669 | 1.05k | buf[0] = 0xb4; /* indicates a userid packet */ |
670 | 1.05k | buf[1] = uid->len >> 24; /* always use 4 length bytes */ |
671 | 1.05k | buf[2] = uid->len >> 16; |
672 | 1.05k | buf[3] = uid->len >> 8; |
673 | 1.05k | buf[4] = uid->len; |
674 | 1.05k | gcry_md_write( md, buf, 5 ); |
675 | 1.05k | } |
676 | 1.05k | gcry_md_write( md, uid->name, uid->len ); |
677 | 1.05k | } |
678 | 1.05k | } |
679 | | |
680 | | static void |
681 | | cache_sig_result ( PKT_signature *sig, int result ) |
682 | 1.77k | { |
683 | 1.77k | if (!result) |
684 | 1.29k | { |
685 | 1.29k | sig->flags.checked = 1; |
686 | 1.29k | sig->flags.valid = 1; |
687 | 1.29k | } |
688 | 485 | else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE) |
689 | 320 | { |
690 | 320 | sig->flags.checked = 1; |
691 | 320 | sig->flags.valid = 0; |
692 | 320 | } |
693 | 165 | else |
694 | 165 | { |
695 | 165 | sig->flags.checked = 0; |
696 | 165 | sig->flags.valid = 0; |
697 | 165 | } |
698 | 1.77k | } |
699 | | |
700 | | |
701 | | /* SIG is a key revocation signature. Check if this signature was |
702 | | * generated by any of the public key PK's designated revokers. |
703 | | * |
704 | | * PK is the public key that SIG allegedly revokes. |
705 | | * |
706 | | * SIG is the revocation signature to check. |
707 | | * |
708 | | * This function avoids infinite recursion, which can happen if two |
709 | | * keys are designed revokers for each other and they revoke each |
710 | | * other. This is done by observing that if a key A is revoked by key |
711 | | * B we still consider the revocation to be valid even if B is |
712 | | * revoked. Thus, we don't need to determine whether B is revoked to |
713 | | * determine whether A has been revoked by B, we just need to check |
714 | | * the signature. |
715 | | * |
716 | | * Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not |
717 | | * revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is |
718 | | * only returned when a revocation signature is from a valid |
719 | | * revocation key designated in a revkey subpacket, but the revocation |
720 | | * key itself isn't present. |
721 | | * |
722 | | * XXX: This code will need to be modified if gpg ever becomes |
723 | | * multi-threaded. Note that this guarantees that a designated |
724 | | * revocation sig will never be considered valid unless it is actually |
725 | | * valid, as well as being issued by a revocation key in a valid |
726 | | * direct signature. Note also that this is written so that a revoked |
727 | | * revoker can still issue revocations: i.e. If A revokes B, but A is |
728 | | * revoked, B is still revoked. I'm not completely convinced this is |
729 | | * the proper behavior, but it matches how PGP does it. -dms */ |
730 | | int |
731 | | check_revocation_keys (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig) |
732 | 0 | { |
733 | 0 | static int busy=0; |
734 | 0 | int i; |
735 | 0 | int rc = GPG_ERR_GENERAL; |
736 | |
|
737 | 0 | log_assert (IS_KEY_REV(sig)); |
738 | 0 | log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1])); |
739 | | |
740 | | /* Avoid infinite recursion. Consider the following: |
741 | | * |
742 | | * - We want to check if A is revoked. |
743 | | * |
744 | | * - C is a designated revoker for B and has revoked B. |
745 | | * |
746 | | * - B is a designated revoker for A and has revoked A. |
747 | | * |
748 | | * When checking if A is revoked (in merge_selfsigs_main), we |
749 | | * observe that A has a designed revoker. As such, we call this |
750 | | * function. This function sees that there is a valid revocation |
751 | | * signature, which is signed by B. It then calls check_signature() |
752 | | * to verify that the signature is good. To check the sig, we need |
753 | | * to lookup B. Looking up B means calling merge_selfsigs_main, |
754 | | * which checks whether B is revoked, which calls this function to |
755 | | * see if B was revoked by some key. |
756 | | * |
757 | | * In this case, the added level of indirection doesn't hurt. It |
758 | | * just means a bit more work. However, if C == A, then we'd end up |
759 | | * in a loop. But, it doesn't make sense to look up C anyways: even |
760 | | * if B is revoked, we conservatively consider a valid revocation |
761 | | * signed by B to revoke A. Since this is the only place where this |
762 | | * type of recursion can occur, we simply cause this function to |
763 | | * fail if it is entered recursively. */ |
764 | 0 | if (busy) |
765 | 0 | { |
766 | | /* Return an error (i.e. not revoked), but mark the pk as |
767 | | uncacheable as we don't really know its revocation status |
768 | | until it is checked directly. */ |
769 | 0 | pk->flags.dont_cache = 1; |
770 | 0 | return rc; |
771 | 0 | } |
772 | | |
773 | 0 | busy=1; |
774 | | |
775 | | /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1], |
776 | | (ulong)sig->keyid[1]); */ |
777 | | |
778 | | /* is the issuer of the sig one of our revokers? */ |
779 | 0 | if( !pk->revkey && pk->numrevkeys ) |
780 | 0 | BUG(); |
781 | 0 | else |
782 | 0 | for(i=0;i<pk->numrevkeys;i++) |
783 | 0 | { |
784 | | /* The revoker's keyid. */ |
785 | 0 | u32 keyid[2]; |
786 | |
|
787 | 0 | keyid_from_fingerprint (ctrl, pk->revkey[i].fpr, pk->revkey[i].fprlen, |
788 | 0 | keyid); |
789 | | |
790 | | /* If the signature was generated by a designated revoker |
791 | | * verify the signature. */ |
792 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
793 | 0 | { |
794 | 0 | gcry_md_hd_t md; |
795 | |
|
796 | 0 | if (gcry_md_open (&md, sig->digest_algo, 0)) |
797 | 0 | BUG (); |
798 | 0 | hash_public_key(md,pk); |
799 | | /* Note: check_signature only checks that the signature |
800 | | * is good. It does not fail if the key is revoked. */ |
801 | 0 | rc = check_signature (ctrl, sig, md, NULL, 0, NULL, |
802 | 0 | NULL, NULL, NULL, NULL, NULL); |
803 | 0 | cache_sig_result(sig,rc); |
804 | 0 | gcry_md_close (md); |
805 | 0 | break; |
806 | 0 | } |
807 | 0 | } |
808 | | |
809 | 0 | busy=0; |
810 | |
|
811 | 0 | return rc; |
812 | 0 | } |
813 | | |
814 | | /* Check that the backsig BACKSIG from the subkey SUB_PK to its |
815 | | * primary key MAIN_PK is valid. |
816 | | * |
817 | | * Backsigs (0x19) have the same format as binding sigs (0x18), but |
818 | | * this function is simpler than check_key_signature in a few ways. |
819 | | * For example, there is no support for expiring backsigs since it is |
820 | | * questionable what such a thing actually means. Note also that the |
821 | | * sig cache check here, unlike other sig caches in GnuPG, is not |
822 | | * persistent. */ |
823 | | int |
824 | | check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk, |
825 | | PKT_signature *backsig) |
826 | 33 | { |
827 | 33 | gcry_md_hd_t md; |
828 | 33 | int rc; |
829 | | |
830 | | /* Always check whether the algorithm is available. Although |
831 | | gcry_md_open would throw an error, some libgcrypt versions will |
832 | | print a debug message in that case too. */ |
833 | 33 | if ((rc=openpgp_md_test_algo (backsig->digest_algo))) |
834 | 0 | return rc; |
835 | | |
836 | 33 | if(!opt.no_sig_cache && backsig->flags.checked) |
837 | 0 | return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE); |
838 | | |
839 | 33 | rc = gcry_md_open (&md, backsig->digest_algo,0); |
840 | 33 | if (!rc) |
841 | 33 | { |
842 | 33 | hash_public_key(md,main_pk); |
843 | 33 | hash_public_key(md,sub_pk); |
844 | 33 | rc = check_signature_end (sub_pk, backsig, md, NULL, 0, NULL, NULL, NULL); |
845 | 33 | cache_sig_result(backsig,rc); |
846 | 33 | gcry_md_close(md); |
847 | 33 | } |
848 | | |
849 | 33 | return rc; |
850 | 33 | } |
851 | | |
852 | | |
853 | | /* Check that a signature over a key is valid. This is a |
854 | | * specialization of check_key_signature2 with the unnamed parameters |
855 | | * passed as NULL. See the documentation for that function for more |
856 | | * details. */ |
857 | | int |
858 | | check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node, |
859 | | int *is_selfsig) |
860 | 1.74k | { |
861 | 1.74k | return check_key_signature2 (ctrl, root, node, NULL, NULL, |
862 | 1.74k | is_selfsig, NULL, NULL); |
863 | 1.74k | } |
864 | | |
865 | | |
866 | | /* Returns whether SIGNER generated the signature SIG over the packet |
867 | | * PACKET, which is a key, subkey or uid, and comes from the key block |
868 | | * KB. (KB is PACKET's corresponding keyblock; we don't assume that |
869 | | * SIG has been added to the keyblock.) |
870 | | * |
871 | | * If SIGNER is set, then checks whether SIGNER generated the |
872 | | * signature. Otherwise, uses SIG->KEYID to find the alleged signer. |
873 | | * This parameter can be used to effectively override the alleged |
874 | | * signer that is stored in SIG. |
875 | | * |
876 | | * KB may be NULL if SIGNER is set. |
877 | | * |
878 | | * Unlike check_key_signature, this function ignores any cached |
879 | | * results! That is, it does not consider SIG->FLAGS.CHECKED and |
880 | | * SIG->FLAGS.VALID nor does it set them. |
881 | | * |
882 | | * This doesn't check the signature's semantic mean. Concretely, it |
883 | | * doesn't check whether a non-self signed revocation signature was |
884 | | * created by a designated revoker. In fact, it doesn't return an |
885 | | * error for a binding generated by a completely different key! |
886 | | * |
887 | | * Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if |
888 | | * this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if |
889 | | * the key that generated the signature (according to SIG) could not |
890 | | * be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad. |
891 | | * Other errors codes may be returned if something else goes wrong. |
892 | | * |
893 | | * If IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a |
894 | | * self-signature (by the key's primary key) or 0 if not. |
895 | | * |
896 | | * If RET_PK is not NULL, returns a copy of the public key that |
897 | | * generated the signature (i.e., the signer) on success. This must |
898 | | * be released by the caller using release_public_key_parts (). */ |
899 | | gpg_error_t |
900 | | check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, |
901 | | PKT_signature *sig, KBNODE kb, PACKET *packet, |
902 | | int *is_selfsig, PKT_public_key *ret_pk) |
903 | 1.58k | { |
904 | 1.58k | int rc; |
905 | 1.58k | PKT_public_key *pripk = kb->pkt->pkt.public_key; |
906 | 1.58k | gcry_md_hd_t md; |
907 | 1.58k | int signer_alloced = 0; |
908 | 1.58k | int stub_is_selfsig; |
909 | | |
910 | 1.58k | if (!is_selfsig) |
911 | 1.58k | is_selfsig = &stub_is_selfsig; |
912 | | |
913 | 1.58k | *is_selfsig = 0; /* Init early to comply with function description. */ |
914 | | |
915 | 1.58k | rc = openpgp_pk_test_algo (sig->pubkey_algo); |
916 | 1.58k | if (rc) |
917 | 0 | return rc; |
918 | 1.58k | rc = openpgp_md_test_algo (sig->digest_algo); |
919 | 1.58k | if (rc) |
920 | 0 | return rc; |
921 | | |
922 | | /* A signature's class indicates the type of packet that it |
923 | | signs. */ |
924 | 1.58k | if (IS_BACK_SIG (sig) || IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
925 | 0 | { |
926 | | /* Key revocations can only be over primary keys. */ |
927 | 0 | if (packet->pkttype != PKT_PUBLIC_KEY) |
928 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
929 | 0 | } |
930 | 1.58k | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
931 | 525 | { |
932 | 525 | if (packet->pkttype != PKT_PUBLIC_SUBKEY) |
933 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
934 | 525 | } |
935 | 1.05k | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
936 | 1.05k | { |
937 | 1.05k | if (packet->pkttype != PKT_USER_ID) |
938 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
939 | 1.05k | } |
940 | 0 | else |
941 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
942 | | |
943 | | /* PACKET is the right type for SIG. */ |
944 | | |
945 | 1.58k | if (signer) |
946 | 1.05k | { |
947 | 1.05k | if (signer->keyid[0] == pripk->keyid[0] |
948 | 1.05k | && signer->keyid[1] == pripk->keyid[1]) |
949 | 1.05k | *is_selfsig = 1; |
950 | 0 | else |
951 | 0 | *is_selfsig = 0; |
952 | 1.05k | } |
953 | 525 | else |
954 | 525 | { |
955 | | /* Get the signer. If possible, avoid a look up. */ |
956 | 525 | if (sig->keyid[0] == pripk->keyid[0] |
957 | 525 | && sig->keyid[1] == pripk->keyid[1]) |
958 | 525 | { |
959 | | /* Issued by the primary key. */ |
960 | 525 | signer = pripk; |
961 | 525 | *is_selfsig = 1; |
962 | 525 | } |
963 | 0 | else |
964 | 0 | { |
965 | | /* See if one of the subkeys was the signer (although this |
966 | | * is extremely unlikely). */ |
967 | 0 | kbnode_t ctx = NULL; |
968 | 0 | kbnode_t n; |
969 | |
|
970 | 0 | while ((n = walk_kbnode (kb, &ctx, 0))) |
971 | 0 | { |
972 | 0 | PKT_public_key *subk; |
973 | |
|
974 | 0 | if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY) |
975 | 0 | continue; |
976 | | |
977 | 0 | subk = n->pkt->pkt.public_key; |
978 | 0 | if (sig->keyid[0] == subk->keyid[0] |
979 | 0 | && sig->keyid[1] == subk->keyid[1]) |
980 | 0 | { |
981 | | /* Issued by a subkey. */ |
982 | 0 | signer = subk; |
983 | 0 | break; |
984 | 0 | } |
985 | 0 | } |
986 | |
|
987 | 0 | if (! signer) |
988 | 0 | { |
989 | | /* Signer by some other key. */ |
990 | 0 | *is_selfsig = 0; |
991 | 0 | if (ret_pk) |
992 | 0 | { |
993 | 0 | signer = ret_pk; |
994 | | /* FIXME: Using memset here is problematic because it |
995 | | * assumes that there are no allocated fields in |
996 | | * SIGNER. */ |
997 | 0 | memset (signer, 0, sizeof (*signer)); |
998 | 0 | signer_alloced = 1; |
999 | 0 | } |
1000 | 0 | else |
1001 | 0 | { |
1002 | 0 | signer = xmalloc_clear (sizeof (*signer)); |
1003 | 0 | signer_alloced = 2; |
1004 | 0 | } |
1005 | |
|
1006 | 0 | if (IS_CERT (sig)) |
1007 | 0 | signer->req_usage = PUBKEY_USAGE_CERT; |
1008 | |
|
1009 | 0 | rc = get_pubkey_for_sig (ctrl, signer, sig, NULL, NULL); |
1010 | 0 | if (rc) |
1011 | 0 | { |
1012 | 0 | if (signer_alloced != 1) |
1013 | 0 | xfree (signer); |
1014 | 0 | signer = NULL; |
1015 | 0 | signer_alloced = 0; |
1016 | 0 | goto leave; |
1017 | 0 | } |
1018 | 0 | } |
1019 | 0 | } |
1020 | 525 | } |
1021 | | |
1022 | | /* We checked above that we supported this algo, so an error here is |
1023 | | * a bug. */ |
1024 | 1.58k | if (gcry_md_open (&md, sig->digest_algo, 0)) |
1025 | 0 | BUG (); |
1026 | | |
1027 | | /* Hash the relevant data. */ |
1028 | | |
1029 | 1.58k | if (IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
1030 | 0 | { |
1031 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1032 | 0 | hash_public_key (md, packet->pkt.public_key); |
1033 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1034 | 0 | } |
1035 | 1.58k | else if (IS_BACK_SIG (sig)) |
1036 | 0 | { |
1037 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1038 | 0 | hash_public_key (md, packet->pkt.public_key); |
1039 | 0 | hash_public_key (md, signer); |
1040 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1041 | 0 | } |
1042 | 1.58k | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
1043 | 525 | { |
1044 | 525 | log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY); |
1045 | 525 | hash_public_key (md, pripk); |
1046 | 525 | hash_public_key (md, packet->pkt.public_key); |
1047 | 525 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1048 | 525 | } |
1049 | 1.05k | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1050 | 1.05k | { |
1051 | 1.05k | log_assert (packet->pkttype == PKT_USER_ID); |
1052 | 1.05k | if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig |
1053 | 0 | && !opt.flags.allow_weak_key_signatures) |
1054 | 0 | { |
1055 | | /* If the signature was created using SHA-1 we consider this |
1056 | | * signature invalid because it makes it possible to mount a |
1057 | | * chosen-prefix collision. We don't do this for |
1058 | | * self-signatures, though. */ |
1059 | 0 | print_sha1_keysig_rejected_note (); |
1060 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
1061 | 0 | } |
1062 | 1.05k | else |
1063 | 1.05k | { |
1064 | 1.05k | hash_public_key (md, pripk); |
1065 | 1.05k | hash_uid_packet (packet->pkt.user_id, md, sig); |
1066 | 1.05k | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1067 | 1.05k | } |
1068 | 1.05k | } |
1069 | 0 | else |
1070 | 0 | { |
1071 | | /* We should never get here. (The first if above should have |
1072 | | * already caught this error.) */ |
1073 | 0 | BUG (); |
1074 | 0 | } |
1075 | | |
1076 | 1.58k | gcry_md_close (md); |
1077 | | |
1078 | 1.58k | leave: |
1079 | 1.58k | if (! rc && ret_pk && ret_pk != signer) |
1080 | 0 | copy_public_key (ret_pk, signer); |
1081 | | |
1082 | 1.58k | if (signer_alloced) |
1083 | 0 | { |
1084 | | /* We looked up SIGNER; it is not a pointer into KB. */ |
1085 | 0 | release_public_key_parts (signer); |
1086 | | /* Free if we also allocated the memory. */ |
1087 | 0 | if (signer_alloced == 2) |
1088 | 0 | xfree (signer); |
1089 | 0 | } |
1090 | | |
1091 | 1.58k | return rc; |
1092 | 1.58k | } |
1093 | | |
1094 | | |
1095 | | /* Check that a signature over a key (e.g., a key revocation, key |
1096 | | * binding, user id certification, etc.) is valid. If the function |
1097 | | * detects a self-signature, it uses the public key from the specified |
1098 | | * key block and does not bother looking up the key specified in the |
1099 | | * signature packet. |
1100 | | * |
1101 | | * ROOT is a keyblock. |
1102 | | * |
1103 | | * NODE references a signature packet that appears in the keyblock |
1104 | | * that should be verified. |
1105 | | * |
1106 | | * If CHECK_PK is set, the specified key is sometimes preferred for |
1107 | | * verifying signatures. See the implementation for details. |
1108 | | * |
1109 | | * If RET_PK is not NULL, the public key that successfully verified |
1110 | | * the signature is copied into *RET_PK. |
1111 | | * |
1112 | | * If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a |
1113 | | * self-signature. |
1114 | | * |
1115 | | * If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry |
1116 | | * date. |
1117 | | * |
1118 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been |
1119 | | * expired (0 otherwise). Note: PK being revoked does not cause this |
1120 | | * function to fail. |
1121 | | * |
1122 | | * |
1123 | | * If OPT.NO_SIG_CACHE is not set, this function will first check if |
1124 | | * the result of a previous verification is already cached in the |
1125 | | * signature packet's data structure. |
1126 | | * |
1127 | | * TODO: add r_revoked here as well. It has the same problems as |
1128 | | * r_expiredate and r_expired and the cache [nw]. Which problems [wk]? */ |
1129 | | int |
1130 | | check_key_signature2 (ctrl_t ctrl, |
1131 | | kbnode_t root, kbnode_t node, PKT_public_key *check_pk, |
1132 | | PKT_public_key *ret_pk, int *is_selfsig, |
1133 | | u32 *r_expiredate, int *r_expired ) |
1134 | 1.74k | { |
1135 | 1.74k | PKT_public_key *pk; |
1136 | 1.74k | PKT_signature *sig; |
1137 | 1.74k | int algo; |
1138 | 1.74k | int rc; |
1139 | | |
1140 | 1.74k | if (is_selfsig) |
1141 | 0 | *is_selfsig = 0; |
1142 | 1.74k | if (r_expiredate) |
1143 | 0 | *r_expiredate = 0; |
1144 | 1.74k | if (r_expired) |
1145 | 0 | *r_expired = 0; |
1146 | 1.74k | log_assert (node->pkt->pkttype == PKT_SIGNATURE); |
1147 | 1.74k | log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY); |
1148 | | |
1149 | 1.74k | pk = root->pkt->pkt.public_key; |
1150 | 1.74k | sig = node->pkt->pkt.signature; |
1151 | 1.74k | algo = sig->digest_algo; |
1152 | | |
1153 | | /* Check whether we have cached the result of a previous signature |
1154 | | * check. Note that we may no longer have the pubkey or hash |
1155 | | * needed to verify a sig, but can still use the cached value. A |
1156 | | * cache refresh detects and clears these cases. */ |
1157 | 1.74k | if ( !opt.no_sig_cache ) |
1158 | 1.74k | { |
1159 | 1.74k | cache_stats.total++; |
1160 | 1.74k | if (sig->flags.checked) /* Cached status available. */ |
1161 | 0 | { |
1162 | 0 | cache_stats.cached++; |
1163 | 0 | if (is_selfsig) |
1164 | 0 | { |
1165 | 0 | u32 keyid[2]; |
1166 | |
|
1167 | 0 | keyid_from_pk (pk, keyid); |
1168 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
1169 | 0 | *is_selfsig = 1; |
1170 | 0 | } |
1171 | | /* BUG: This is wrong for non-self-sigs... needs to be the |
1172 | | * actual pk. */ |
1173 | 0 | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1174 | 0 | if (rc) |
1175 | 0 | return rc; |
1176 | 0 | if (sig->flags.valid) |
1177 | 0 | { |
1178 | 0 | cache_stats.goodsig++; |
1179 | 0 | return 0; |
1180 | 0 | } |
1181 | 0 | cache_stats.badsig++; |
1182 | 0 | return gpg_error (GPG_ERR_BAD_SIGNATURE); |
1183 | 0 | } |
1184 | 1.74k | } |
1185 | | |
1186 | 1.74k | rc = openpgp_pk_test_algo(sig->pubkey_algo); |
1187 | 1.74k | if (rc) |
1188 | 0 | return rc; |
1189 | 1.74k | rc = openpgp_md_test_algo(algo); |
1190 | 1.74k | if (rc) |
1191 | 1 | return rc; |
1192 | | |
1193 | 1.74k | if (IS_KEY_REV (sig)) |
1194 | 0 | { |
1195 | 0 | u32 keyid[2]; |
1196 | 0 | keyid_from_pk( pk, keyid ); |
1197 | | |
1198 | | /* Is it a designated revoker? */ |
1199 | 0 | if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1]) |
1200 | 0 | rc = check_revocation_keys (ctrl, pk, sig); |
1201 | 0 | else |
1202 | 0 | { |
1203 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1204 | 0 | r_expired, NULL); |
1205 | 0 | if (! rc) |
1206 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, |
1207 | 0 | root, root->pkt, |
1208 | 0 | is_selfsig, ret_pk); |
1209 | 0 | } |
1210 | 0 | } |
1211 | 1.74k | else if (IS_SUBKEY_REV (sig) || IS_SUBKEY_SIG (sig)) |
1212 | 614 | { |
1213 | 614 | kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY); |
1214 | | |
1215 | 614 | if (snode) |
1216 | 525 | { |
1217 | 525 | rc = check_signature_metadata_validity (pk, sig, |
1218 | 525 | r_expired, NULL); |
1219 | 525 | if (! rc) |
1220 | 525 | { |
1221 | | /* A subkey revocation (0x28) must be a self-sig, but a |
1222 | | * subkey signature (0x18) needn't be. */ |
1223 | 525 | rc = check_signature_over_key_or_uid (ctrl, |
1224 | 525 | IS_SUBKEY_SIG (sig) |
1225 | 525 | ? NULL : pk, |
1226 | 525 | sig, root, snode->pkt, |
1227 | 525 | is_selfsig, ret_pk); |
1228 | 525 | } |
1229 | 525 | } |
1230 | 89 | else |
1231 | 89 | { |
1232 | 89 | if (opt.verbose) |
1233 | 0 | { |
1234 | 0 | if (IS_SUBKEY_REV (sig)) |
1235 | 0 | log_info (_("key %s: no subkey for subkey" |
1236 | 0 | " revocation signature\n"), keystr_from_pk(pk)); |
1237 | 0 | else if (sig->sig_class == 0x18) |
1238 | 0 | log_info(_("key %s: no subkey for subkey" |
1239 | 0 | " binding signature\n"), keystr_from_pk(pk)); |
1240 | 0 | } |
1241 | 89 | rc = GPG_ERR_SIG_CLASS; |
1242 | 89 | } |
1243 | 614 | } |
1244 | 1.13k | else if (IS_KEY_SIG (sig)) /* direct key signature */ |
1245 | 0 | { |
1246 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1247 | 0 | r_expired, NULL); |
1248 | 0 | if (! rc) |
1249 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, root, root->pkt, |
1250 | 0 | is_selfsig, ret_pk); |
1251 | 0 | } |
1252 | 1.13k | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1253 | 1.13k | { |
1254 | 1.13k | kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID); |
1255 | | |
1256 | 1.13k | if (unode) |
1257 | 1.13k | { |
1258 | 1.13k | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1259 | 1.13k | if (! rc) |
1260 | 1.05k | { |
1261 | | /* If this is a self-sig, ignore check_pk. */ |
1262 | 1.05k | rc = check_signature_over_key_or_uid |
1263 | 1.05k | (ctrl, |
1264 | 1.05k | keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk, |
1265 | 1.05k | sig, root, unode->pkt, NULL, ret_pk); |
1266 | 1.05k | } |
1267 | 1.13k | } |
1268 | 0 | else |
1269 | 0 | { |
1270 | 0 | if (!opt.quiet) |
1271 | 0 | log_info ("key %s: no user ID for key signature packet" |
1272 | 0 | " of class %02x\n",keystr_from_pk(pk),sig->sig_class); |
1273 | 0 | rc = GPG_ERR_SIG_CLASS; |
1274 | 0 | } |
1275 | 1.13k | } |
1276 | 0 | else |
1277 | 0 | { |
1278 | 0 | log_info ("sig issued by %s with class %d (digest: %02x %02x)" |
1279 | 0 | " is not valid over a user id or a key id, ignoring.\n", |
1280 | 0 | keystr (sig->keyid), sig->sig_class, |
1281 | 0 | sig->digest_start[0], sig->digest_start[1]); |
1282 | 0 | rc = gpg_error (GPG_ERR_BAD_SIGNATURE); |
1283 | 0 | } |
1284 | | |
1285 | 1.74k | cache_sig_result (sig, rc); |
1286 | | |
1287 | 1.74k | return rc; |
1288 | 1.74k | } |