/src/gnupg/g10/sig-check.c
Line | Count | Source |
1 | | /* sig-check.c - Check a signature |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, |
3 | | * 2004, 2006 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2015, 2016 g10 Code GmbH |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <config.h> |
23 | | #include <stdio.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | |
27 | | #include "gpg.h" |
28 | | #include "../common/util.h" |
29 | | #include "packet.h" |
30 | | #include "keydb.h" |
31 | | #include "main.h" |
32 | | #include "../common/status.h" |
33 | | #include "../common/i18n.h" |
34 | | #include "options.h" |
35 | | #include "pkglue.h" |
36 | | #include "../common/compliance.h" |
37 | | |
38 | | static int check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
39 | | gcry_md_hd_t digest, |
40 | | const void *extrahash, size_t extrahashlen, |
41 | | int *r_expired, int *r_revoked, |
42 | | PKT_public_key *ret_pk); |
43 | | |
44 | | static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
45 | | gcry_md_hd_t digest, |
46 | | const void *extrahash, |
47 | | size_t extrahashlen); |
48 | | |
49 | | |
50 | | /* Statistics for signature verification. */ |
51 | | struct |
52 | | { |
53 | | unsigned int total; /* Total number of verifications. */ |
54 | | unsigned int cached; /* Number of seen cache entries. */ |
55 | | unsigned int goodsig;/* Number of good verifications from the cache. */ |
56 | | unsigned int badsig; /* Number of bad verifications from the cache. */ |
57 | | } cache_stats; |
58 | | |
59 | | |
60 | | /* Dump verification stats. */ |
61 | | void |
62 | | sig_check_dump_stats (void) |
63 | 0 | { |
64 | 0 | log_info ("sig_cache: total=%u cached=%u good=%u bad=%u\n", |
65 | 0 | cache_stats.total, cache_stats.cached, |
66 | 0 | cache_stats.goodsig, cache_stats.badsig); |
67 | 0 | } |
68 | | |
69 | | |
70 | | static gpg_error_t |
71 | | check_key_verify_compliance (PKT_public_key *pk) |
72 | 0 | { |
73 | 0 | gpg_error_t err = 0; |
74 | |
|
75 | 0 | if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, |
76 | 0 | pk->pubkey_algo, 0, pk->pkey, |
77 | 0 | nbits_from_pk (pk), |
78 | 0 | NULL)) |
79 | 0 | { |
80 | | /* Compliance failure. */ |
81 | 0 | log_error (_("key %s may not be used for signing in %s mode\n"), |
82 | 0 | keystr_from_pk (pk), |
83 | 0 | gnupg_compliance_option_string (opt.compliance)); |
84 | 0 | err = gpg_error (GPG_ERR_PUBKEY_ALGO); |
85 | 0 | } |
86 | |
|
87 | 0 | return err; |
88 | 0 | } |
89 | | |
90 | | |
91 | | /* Check a signature. |
92 | | * |
93 | | * Looks up the public key that created the signature (SIG->KEYID) |
94 | | * from the key db. Makes sure that the signature is valid (it was |
95 | | * not created prior to the key, the public key was created in the |
96 | | * past, and the signature does not include any unsupported critical |
97 | | * features), finishes computing the hash of the signature data, and |
98 | | * checks that the signature verifies the digest. If the key that |
99 | | * generated the signature is a subkey, this function also verifies |
100 | | * that there is a valid backsig from the subkey to the primary key. |
101 | | * Finally, if status fd is enabled and the signature class is 0x00 or |
102 | | * 0x01, then a STATUS_SIG_ID is emitted on the status fd. |
103 | | * |
104 | | * SIG is the signature to check. |
105 | | * |
106 | | * DIGEST contains a valid hash context that already includes the |
107 | | * signed data. This function adds the relevant meta-data from the |
108 | | * signature packet to compute the final hash. (See Section 5.2 of |
109 | | * RFC 4880: "The concatenation of the data being signed and the |
110 | | * signature data from the version number through the hashed subpacket |
111 | | * data (inclusive) is hashed.") |
112 | | * |
113 | | * EXTRAHASH and EXTRAHASHLEN is additional data which is hashed with |
114 | | * v5 signatures. They may be NULL to use the default. |
115 | | * |
116 | | * If FORCED_PK is not NULL this public key is used to verify the |
117 | | * signature and no other public key is looked up. This is used to |
118 | | * verify against a key included in the signature. |
119 | | * |
120 | | * If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's |
121 | | * expiry. |
122 | | * |
123 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
124 | | * (0 otherwise). Note: PK being expired does not cause this function |
125 | | * to fail. |
126 | | * |
127 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
128 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
129 | | * function to fail. |
130 | | * |
131 | | * If R_PK is not NULL, the public key is stored at that address if it |
132 | | * was found; other wise NULL is stored. |
133 | | * |
134 | | * If R_KEYBLOCK is not NULL, the entire keyblock used to verify the |
135 | | * signature is stored at that address. If no key was found or on |
136 | | * some other errors NULL is stored there. The callers needs to |
137 | | * release the keyblock using release_kbnode (kb). |
138 | | * |
139 | | * Returns 0 on success. An error code otherwise. */ |
140 | | gpg_error_t |
141 | | check_signature (ctrl_t ctrl, |
142 | | PKT_signature *sig, gcry_md_hd_t digest, |
143 | | const void *extrahash, size_t extrahashlen, |
144 | | PKT_public_key *forced_pk, |
145 | | u32 *r_expiredate, int *r_expired, int *r_revoked, |
146 | | PKT_public_key **r_pk, kbnode_t *r_keyblock) |
147 | 9.26k | { |
148 | 9.26k | int rc=0; |
149 | 9.26k | PKT_public_key *pk; |
150 | | |
151 | 9.26k | if (r_expiredate) |
152 | 0 | *r_expiredate = 0; |
153 | 9.26k | if (r_expired) |
154 | 9.26k | *r_expired = 0; |
155 | 9.26k | if (r_revoked) |
156 | 9.26k | *r_revoked = 0; |
157 | 9.26k | if (r_pk) |
158 | 9.26k | *r_pk = NULL; |
159 | 9.26k | if (r_keyblock) |
160 | 9.26k | *r_keyblock = NULL; |
161 | | |
162 | 9.26k | pk = xtrycalloc (1, sizeof *pk); |
163 | 9.26k | if (!pk) |
164 | 0 | return gpg_error_from_syserror (); |
165 | | |
166 | 9.26k | if ((rc=openpgp_md_test_algo(sig->digest_algo))) |
167 | 0 | { |
168 | | /* We don't have this digest. */ |
169 | 0 | } |
170 | 9.26k | else if (!gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) |
171 | 0 | { |
172 | | /* Compliance failure. */ |
173 | 0 | log_info (_("digest algorithm '%s' may not be used in %s mode\n"), |
174 | 0 | gcry_md_algo_name (sig->digest_algo), |
175 | 0 | gnupg_compliance_option_string (opt.compliance)); |
176 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
177 | 0 | } |
178 | 9.26k | else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo))) |
179 | 591 | { |
180 | | /* We don't have this pubkey algo. */ |
181 | 591 | } |
182 | 8.67k | else if (!gcry_md_is_enabled (digest,sig->digest_algo)) |
183 | 228 | { |
184 | | /* Sanity check that the md has a context for the hash that the |
185 | | * sig is expecting. This can happen if a onepass sig header |
186 | | * does not match the actual sig, and also if the clearsign |
187 | | * "Hash:" header is missing or does not match the actual sig. */ |
188 | 228 | log_info(_("WARNING: signature digest conflict in message\n")); |
189 | 228 | rc = gpg_error (GPG_ERR_GENERAL); |
190 | 228 | } |
191 | 8.44k | else if (get_pubkey_for_sig (ctrl, pk, sig, forced_pk, r_keyblock)) |
192 | 8.44k | rc = gpg_error (GPG_ERR_NO_PUBKEY); |
193 | 0 | else if ((rc = check_key_verify_compliance (pk))) |
194 | 0 | ;/* Compliance failure. */ |
195 | 0 | else if (!pk->flags.valid) |
196 | 0 | { |
197 | | /* You cannot have a good sig from an invalid key. */ |
198 | 0 | rc = gpg_error (GPG_ERR_BAD_PUBKEY); |
199 | 0 | } |
200 | 0 | else |
201 | 0 | { |
202 | 0 | if (r_expiredate) |
203 | 0 | *r_expiredate = pk->expiredate; |
204 | |
|
205 | 0 | rc = check_signature_end (pk, sig, digest, extrahash, extrahashlen, |
206 | 0 | r_expired, r_revoked, NULL); |
207 | | |
208 | | /* Check the backsig. This is a back signature (0x19) from |
209 | | * the subkey on the primary key. The idea here is that it |
210 | | * should not be possible for someone to "steal" subkeys and |
211 | | * claim them as their own. The attacker couldn't actually |
212 | | * use the subkey, but they could try and claim ownership of |
213 | | * any signatures issued by it. */ |
214 | 0 | if (!rc && !pk->flags.primary && pk->flags.backsig < 2) |
215 | 0 | { |
216 | 0 | if (!pk->flags.backsig) |
217 | 0 | { |
218 | 0 | log_info (_("WARNING: signing subkey %s is not" |
219 | 0 | " cross-certified\n"),keystr_from_pk(pk)); |
220 | 0 | log_info (_("please see %s for more information\n"), |
221 | 0 | "https://gnupg.org/faq/subkey-cross-certify.html"); |
222 | | /* The default option --require-cross-certification |
223 | | * makes this warning an error. */ |
224 | 0 | if (opt.flags.require_cross_cert) |
225 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
226 | 0 | } |
227 | 0 | else if(pk->flags.backsig == 1) |
228 | 0 | { |
229 | 0 | log_info (_("WARNING: signing subkey %s has an invalid" |
230 | 0 | " cross-certification\n"), keystr_from_pk(pk)); |
231 | 0 | rc = gpg_error (GPG_ERR_GENERAL); |
232 | 0 | } |
233 | 0 | } |
234 | |
|
235 | 0 | } |
236 | | |
237 | 9.26k | if( !rc && sig->sig_class < 2 && is_status_enabled() ) { |
238 | | /* This signature id works best with DLP algorithms because |
239 | | * they use a random parameter for every signature. Instead of |
240 | | * this sig-id we could have also used the hash of the document |
241 | | * and the timestamp, but the drawback of this is, that it is |
242 | | * not possible to sign more than one identical document within |
243 | | * one second. Some remote batch processing applications might |
244 | | * like this feature here. |
245 | | * |
246 | | * Note that before 2.0.10, we used RIPE-MD160 for the hash |
247 | | * and accidentally didn't include the timestamp and algorithm |
248 | | * information in the hash. Given that this feature is not |
249 | | * commonly used and that a replay attacks detection should |
250 | | * not solely be based on this feature (because it does not |
251 | | * work with RSA), we take the freedom and switch to SHA-1 |
252 | | * with 2.0.10 to take advantage of hardware supported SHA-1 |
253 | | * implementations. We also include the missing information |
254 | | * in the hash. Note also the SIG_ID as computed by gpg 1.x |
255 | | * and gpg 2.x didn't matched either because 2.x used to print |
256 | | * MPIs not in PGP format. */ |
257 | 0 | u32 a = sig->timestamp; |
258 | 0 | int nsig = pubkey_get_nsig( sig->pubkey_algo ); |
259 | 0 | unsigned char *p, *buffer; |
260 | 0 | size_t n, nbytes; |
261 | 0 | int i; |
262 | 0 | char hashbuf[20]; /* We use SHA-1 here. */ |
263 | |
|
264 | 0 | nbytes = 6; |
265 | 0 | for (i=0; i < nsig; i++ ) |
266 | 0 | { |
267 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
268 | 0 | { |
269 | 0 | unsigned int nbits; |
270 | |
|
271 | 0 | gcry_mpi_get_opaque (sig->data[i], &nbits); |
272 | 0 | n = (nbits+7)/8 + 2; |
273 | 0 | } |
274 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, NULL, 0, &n, sig->data[i])) |
275 | 0 | BUG(); |
276 | 0 | nbytes += n; |
277 | 0 | } |
278 | | |
279 | | /* Make buffer large enough to be later used as output buffer. */ |
280 | 0 | if (nbytes < 100) |
281 | 0 | nbytes = 100; |
282 | 0 | nbytes += 10; /* Safety margin. */ |
283 | | |
284 | | /* Fill and hash buffer. */ |
285 | 0 | buffer = p = xmalloc (nbytes); |
286 | 0 | *p++ = sig->pubkey_algo; |
287 | 0 | *p++ = sig->digest_algo; |
288 | 0 | *p++ = (a >> 24) & 0xff; |
289 | 0 | *p++ = (a >> 16) & 0xff; |
290 | 0 | *p++ = (a >> 8) & 0xff; |
291 | 0 | *p++ = a & 0xff; |
292 | 0 | nbytes -= 6; |
293 | 0 | for (i=0; i < nsig; i++ ) |
294 | 0 | { |
295 | 0 | if (gcry_mpi_get_flag (sig->data[i], GCRYMPI_FLAG_OPAQUE)) |
296 | 0 | { |
297 | 0 | const byte *sigdata; |
298 | 0 | unsigned int nbits; |
299 | |
|
300 | 0 | sigdata = gcry_mpi_get_opaque (sig->data[i], &nbits); |
301 | 0 | n = (nbits+7)/8; |
302 | 0 | p[0] = nbits >> 8; |
303 | 0 | p[1] = (nbits & 0xff); |
304 | 0 | memcpy (p+2, sigdata, n); |
305 | 0 | n += 2; |
306 | 0 | } |
307 | 0 | else if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i])) |
308 | 0 | BUG(); |
309 | 0 | p += n; |
310 | 0 | nbytes -= n; |
311 | 0 | } |
312 | 0 | gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer); |
313 | |
|
314 | 0 | p = make_radix64_string (hashbuf, 20); |
315 | 0 | sprintf (buffer, "%s %s %lu", |
316 | 0 | p, strtimestamp (sig->timestamp), (ulong)sig->timestamp); |
317 | 0 | xfree (p); |
318 | 0 | write_status_text (STATUS_SIG_ID, buffer); |
319 | 0 | xfree (buffer); |
320 | 0 | } |
321 | | |
322 | 9.26k | if (r_pk) |
323 | 9.26k | *r_pk = pk; |
324 | 0 | else |
325 | 0 | { |
326 | 0 | release_public_key_parts (pk); |
327 | 0 | xfree (pk); |
328 | 0 | } |
329 | | |
330 | 9.26k | return rc; |
331 | 9.26k | } |
332 | | |
333 | | |
334 | | /* The signature SIG was generated with the public key PK. Check |
335 | | * whether the signature is valid in the following sense: |
336 | | * |
337 | | * - Make sure the public key was created before the signature was |
338 | | * generated. |
339 | | * |
340 | | * - Make sure the public key was created in the past |
341 | | * |
342 | | * - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0 |
343 | | * otherwise) |
344 | | * |
345 | | * - Check whether PK has been revoked (set *R_REVOKED to 1 if so |
346 | | * and 0 otherwise). |
347 | | * |
348 | | * If either of the first two tests fail, returns an error code. |
349 | | * Otherwise returns 0. (Thus, this function doesn't fail if the |
350 | | * public key is expired or revoked.) */ |
351 | | static int |
352 | | check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig, |
353 | | int *r_expired, int *r_revoked) |
354 | 0 | { |
355 | 0 | u32 cur_time; |
356 | |
|
357 | 0 | if (r_expired) |
358 | 0 | *r_expired = 0; |
359 | 0 | if (r_revoked) |
360 | 0 | *r_revoked = 0; |
361 | |
|
362 | 0 | if (pk->timestamp > sig->timestamp |
363 | 0 | && !(parse_key_usage (sig) & PUBKEY_USAGE_RENC)) |
364 | 0 | { |
365 | 0 | ulong d = pk->timestamp - sig->timestamp; |
366 | 0 | if ( d < 86400 ) |
367 | 0 | { |
368 | 0 | log_info (ngettext |
369 | 0 | ("public key %s is %lu second newer than the signature\n", |
370 | 0 | "public key %s is %lu seconds newer than the signature\n", |
371 | 0 | d), keystr_from_pk (pk), d); |
372 | 0 | } |
373 | 0 | else |
374 | 0 | { |
375 | 0 | d /= 86400; |
376 | 0 | log_info (ngettext |
377 | 0 | ("public key %s is %lu day newer than the signature\n", |
378 | 0 | "public key %s is %lu days newer than the signature\n", |
379 | 0 | d), keystr_from_pk (pk), d); |
380 | 0 | } |
381 | 0 | if (!opt.ignore_time_conflict) |
382 | 0 | return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */ |
383 | 0 | } |
384 | | |
385 | 0 | cur_time = make_timestamp (); |
386 | 0 | if (pk->timestamp > cur_time) |
387 | 0 | { |
388 | 0 | ulong d = pk->timestamp - cur_time; |
389 | 0 | if (d < 86400) |
390 | 0 | { |
391 | 0 | log_info (ngettext("key %s was created %lu second" |
392 | 0 | " in the future (time warp or clock problem)\n", |
393 | 0 | "key %s was created %lu seconds" |
394 | 0 | " in the future (time warp or clock problem)\n", |
395 | 0 | d), keystr_from_pk (pk), d); |
396 | 0 | } |
397 | 0 | else |
398 | 0 | { |
399 | 0 | d /= 86400; |
400 | 0 | log_info (ngettext("key %s was created %lu day" |
401 | 0 | " in the future (time warp or clock problem)\n", |
402 | 0 | "key %s was created %lu days" |
403 | 0 | " in the future (time warp or clock problem)\n", |
404 | 0 | d), keystr_from_pk (pk), d); |
405 | 0 | } |
406 | 0 | if (!opt.ignore_time_conflict) |
407 | 0 | return GPG_ERR_TIME_CONFLICT; |
408 | 0 | } |
409 | | |
410 | | /* Check whether the key has expired. We check the has_expired |
411 | | * flag which is set after a full evaluation of the key (getkey.c) |
412 | | * as well as a simple compare to the current time in case the |
413 | | * merge has for whatever reasons not been done. */ |
414 | 0 | if (pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) |
415 | 0 | { |
416 | 0 | char buf[11]; |
417 | 0 | if (opt.verbose) |
418 | 0 | log_info (_("Note: signature key %s expired %s\n"), |
419 | 0 | keystr_from_pk(pk), isotimestamp( pk->expiredate ) ); |
420 | 0 | snprintf (buf, sizeof buf, "%lu",(ulong)pk->expiredate); |
421 | 0 | write_status_text (STATUS_KEYEXPIRED, buf); |
422 | 0 | if (r_expired) |
423 | 0 | *r_expired = 1; |
424 | 0 | } |
425 | |
|
426 | 0 | if (pk->flags.revoked) |
427 | 0 | { |
428 | 0 | if (opt.verbose) |
429 | 0 | log_info (_("Note: signature key %s has been revoked\n"), |
430 | 0 | keystr_from_pk(pk)); |
431 | 0 | if (r_revoked) |
432 | 0 | *r_revoked=1; |
433 | 0 | } |
434 | |
|
435 | 0 | return 0; |
436 | 0 | } |
437 | | |
438 | | |
439 | | /* Finish generating a signature and check it. Concretely: make sure |
440 | | * that the signature is valid (it was not created prior to the key, |
441 | | * the public key was created in the past, and the signature does not |
442 | | * include any unsupported critical features), finish computing the |
443 | | * digest by adding the relevant data from the signature packet, and |
444 | | * check that the signature verifies the digest. |
445 | | * |
446 | | * DIGEST contains a hash context, which has already hashed the signed |
447 | | * data. This function adds the relevant meta-data from the signature |
448 | | * packet to compute the final hash. (See Section 5.2 of RFC 4880: |
449 | | * "The concatenation of the data being signed and the signature data |
450 | | * from the version number through the hashed subpacket data |
451 | | * (inclusive) is hashed.") |
452 | | * |
453 | | * SIG is the signature to check. |
454 | | * |
455 | | * PK is the public key used to generate the signature. |
456 | | * |
457 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired |
458 | | * (0 otherwise). Note: PK being expired does not cause this function |
459 | | * to fail. |
460 | | * |
461 | | * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been |
462 | | * revoked (0 otherwise). Note: PK being revoked does not cause this |
463 | | * function to fail. |
464 | | * |
465 | | * If RET_PK is not NULL, PK is copied into RET_PK on success. |
466 | | * |
467 | | * Returns 0 on success. An error code other. */ |
468 | | static int |
469 | | check_signature_end (PKT_public_key *pk, PKT_signature *sig, |
470 | | gcry_md_hd_t digest, |
471 | | const void *extrahash, size_t extrahashlen, |
472 | | int *r_expired, int *r_revoked, PKT_public_key *ret_pk) |
473 | 0 | { |
474 | 0 | int rc = 0; |
475 | |
|
476 | 0 | if ((rc = check_signature_metadata_validity (pk, sig, |
477 | 0 | r_expired, r_revoked))) |
478 | 0 | return rc; |
479 | | |
480 | 0 | if ((rc = check_signature_end_simple (pk, sig, digest, |
481 | 0 | extrahash, extrahashlen))) |
482 | 0 | return rc; |
483 | | |
484 | 0 | if (!rc && ret_pk) |
485 | 0 | copy_public_key(ret_pk,pk); |
486 | |
|
487 | 0 | return rc; |
488 | 0 | } |
489 | | |
490 | | |
491 | | /* This function is similar to check_signature_end, but it only checks |
492 | | * whether the signature was generated by PK. It does not check |
493 | | * expiration, revocation, etc. */ |
494 | | static int |
495 | | check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, |
496 | | gcry_md_hd_t digest, |
497 | | const void *extrahash, size_t extrahashlen) |
498 | 0 | { |
499 | 0 | gcry_mpi_t result = NULL; |
500 | 0 | int rc = 0; |
501 | |
|
502 | 0 | if (!opt.flags.allow_weak_digest_algos) |
503 | 0 | { |
504 | 0 | if (is_weak_digest (sig->digest_algo)) |
505 | 0 | { |
506 | 0 | print_digest_rejected_note (sig->digest_algo); |
507 | 0 | return GPG_ERR_DIGEST_ALGO; |
508 | 0 | } |
509 | 0 | } |
510 | | |
511 | | /* For key signatures check that the key has a cert usage. We may |
512 | | * do this only for subkeys because the primary may always issue key |
513 | | * signature. The latter may not be reflected in the pubkey_usage |
514 | | * field because we need to check the key signatures to extract the |
515 | | * key usage. */ |
516 | 0 | if (!pk->flags.primary |
517 | 0 | && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT)) |
518 | 0 | { |
519 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
520 | 0 | if (!opt.quiet) |
521 | 0 | log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"), |
522 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
523 | 0 | sig->sig_class, pk->pubkey_usage); |
524 | 0 | return rc; |
525 | 0 | } |
526 | | |
527 | | /* For data signatures check that the key has sign usage. */ |
528 | 0 | if (!IS_BACK_SIG (sig) && IS_SIG (sig) |
529 | 0 | && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) |
530 | 0 | { |
531 | 0 | rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); |
532 | 0 | if (!opt.quiet) |
533 | 0 | log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), |
534 | 0 | keystr_from_pk (pk), gpg_strerror (rc), |
535 | 0 | sig->sig_class, pk->pubkey_usage); |
536 | 0 | return rc; |
537 | 0 | } |
538 | | |
539 | | /* Make sure the digest algo is enabled (in case of a detached |
540 | | * signature). */ |
541 | 0 | gcry_md_enable (digest, sig->digest_algo); |
542 | | |
543 | | /* Complete the digest. */ |
544 | 0 | if (sig->version >= 4) |
545 | 0 | gcry_md_putc (digest, sig->version); |
546 | |
|
547 | 0 | gcry_md_putc( digest, sig->sig_class ); |
548 | 0 | if (sig->version < 4) |
549 | 0 | { |
550 | 0 | u32 a = sig->timestamp; |
551 | 0 | gcry_md_putc (digest, ((a >> 24) & 0xff)); |
552 | 0 | gcry_md_putc (digest, ((a >> 16) & 0xff)); |
553 | 0 | gcry_md_putc (digest, ((a >> 8) & 0xff)); |
554 | 0 | gcry_md_putc (digest, ( a & 0xff)); |
555 | 0 | } |
556 | 0 | else |
557 | 0 | { |
558 | 0 | byte buf[10]; |
559 | 0 | int i; |
560 | 0 | size_t n; |
561 | |
|
562 | 0 | gcry_md_putc (digest, sig->pubkey_algo); |
563 | 0 | gcry_md_putc (digest, sig->digest_algo); |
564 | 0 | if (sig->hashed) |
565 | 0 | { |
566 | 0 | n = sig->hashed->len; |
567 | 0 | gcry_md_putc (digest, (n >> 8) ); |
568 | 0 | gcry_md_putc (digest, n ); |
569 | 0 | gcry_md_write (digest, sig->hashed->data, n); |
570 | 0 | n += 6; |
571 | 0 | } |
572 | 0 | else |
573 | 0 | { |
574 | | /* Two octets for the (empty) length of the hashed |
575 | | * section. */ |
576 | 0 | gcry_md_putc (digest, 0); |
577 | 0 | gcry_md_putc (digest, 0); |
578 | 0 | n = 6; |
579 | 0 | } |
580 | | /* Hash data from the literal data packet. */ |
581 | 0 | if (sig->version >= 5 |
582 | 0 | && (sig->sig_class == 0x00 || sig->sig_class == 0x01)) |
583 | 0 | { |
584 | | /* - One octet content format |
585 | | * - File name (one octet length followed by the name) |
586 | | * - Four octet timestamp */ |
587 | 0 | if (extrahash && extrahashlen) |
588 | 0 | gcry_md_write (digest, extrahash, extrahashlen); |
589 | 0 | else /* Detached signature. */ |
590 | 0 | { |
591 | 0 | memset (buf, 0, 6); |
592 | 0 | gcry_md_write (digest, buf, 6); |
593 | 0 | } |
594 | 0 | } |
595 | | /* Add some magic per Section 5.2.4 of RFC 4880. */ |
596 | 0 | i = 0; |
597 | 0 | buf[i++] = sig->version; |
598 | 0 | buf[i++] = 0xff; |
599 | 0 | if (sig->version >= 5) |
600 | 0 | { |
601 | 0 | #if SIZEOF_SIZE_T > 4 |
602 | 0 | buf[i++] = n >> 56; |
603 | 0 | buf[i++] = n >> 48; |
604 | 0 | buf[i++] = n >> 40; |
605 | 0 | buf[i++] = n >> 32; |
606 | | #else |
607 | | buf[i++] = 0; |
608 | | buf[i++] = 0; |
609 | | buf[i++] = 0; |
610 | | buf[i++] = 0; |
611 | | #endif |
612 | 0 | } |
613 | 0 | buf[i++] = n >> 24; |
614 | 0 | buf[i++] = n >> 16; |
615 | 0 | buf[i++] = n >> 8; |
616 | 0 | buf[i++] = n; |
617 | 0 | gcry_md_write (digest, buf, i); |
618 | 0 | } |
619 | 0 | gcry_md_final( digest ); |
620 | | |
621 | | /* Convert the digest to an MPI. */ |
622 | 0 | result = encode_md_value (pk, digest, sig->digest_algo ); |
623 | 0 | if (!result) |
624 | 0 | return GPG_ERR_GENERAL; |
625 | | |
626 | | /* Verify the signature. */ |
627 | 0 | if (DBG_CLOCK && sig->sig_class <= 0x01) |
628 | 0 | log_clock ("enter pk_verify"); |
629 | 0 | rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey ); |
630 | 0 | if (DBG_CLOCK && sig->sig_class <= 0x01) |
631 | 0 | log_clock ("leave pk_verify"); |
632 | 0 | gcry_mpi_release (result); |
633 | |
|
634 | 0 | if (!rc && sig->flags.unknown_critical) |
635 | 0 | { |
636 | 0 | log_info(_("assuming bad signature from key %s" |
637 | 0 | " due to an unknown critical bit\n"),keystr_from_pk(pk)); |
638 | 0 | rc = GPG_ERR_BAD_SIGNATURE; |
639 | 0 | } |
640 | |
|
641 | 0 | return rc; |
642 | 0 | } |
643 | | |
644 | | |
645 | | /* Add a uid node to a hash context. See section 5.2.4, paragraph 4 |
646 | | * of RFC 4880. */ |
647 | | static void |
648 | | hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig ) |
649 | 0 | { |
650 | 0 | if (uid->attrib_data) |
651 | 0 | { |
652 | 0 | if (sig->version >= 4) |
653 | 0 | { |
654 | 0 | byte buf[5]; |
655 | 0 | buf[0] = 0xd1; /* packet of type 17 */ |
656 | 0 | buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ |
657 | 0 | buf[2] = uid->attrib_len >> 16; |
658 | 0 | buf[3] = uid->attrib_len >> 8; |
659 | 0 | buf[4] = uid->attrib_len; |
660 | 0 | gcry_md_write( md, buf, 5 ); |
661 | 0 | } |
662 | 0 | gcry_md_write( md, uid->attrib_data, uid->attrib_len ); |
663 | 0 | } |
664 | 0 | else |
665 | 0 | { |
666 | 0 | if (sig->version >= 4) |
667 | 0 | { |
668 | 0 | byte buf[5]; |
669 | 0 | buf[0] = 0xb4; /* indicates a userid packet */ |
670 | 0 | buf[1] = uid->len >> 24; /* always use 4 length bytes */ |
671 | 0 | buf[2] = uid->len >> 16; |
672 | 0 | buf[3] = uid->len >> 8; |
673 | 0 | buf[4] = uid->len; |
674 | 0 | gcry_md_write( md, buf, 5 ); |
675 | 0 | } |
676 | 0 | gcry_md_write( md, uid->name, uid->len ); |
677 | 0 | } |
678 | 0 | } |
679 | | |
680 | | static void |
681 | | cache_sig_result ( PKT_signature *sig, int result ) |
682 | 0 | { |
683 | 0 | if (!result) |
684 | 0 | { |
685 | 0 | sig->flags.checked = 1; |
686 | 0 | sig->flags.valid = 1; |
687 | 0 | } |
688 | 0 | else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE) |
689 | 0 | { |
690 | 0 | sig->flags.checked = 1; |
691 | 0 | sig->flags.valid = 0; |
692 | 0 | } |
693 | 0 | else |
694 | 0 | { |
695 | 0 | sig->flags.checked = 0; |
696 | 0 | sig->flags.valid = 0; |
697 | 0 | } |
698 | 0 | } |
699 | | |
700 | | |
701 | | /* SIG is a key revocation signature. Check if this signature was |
702 | | * generated by any of the public key PK's designated revokers. |
703 | | * |
704 | | * PK is the public key that SIG allegedly revokes. |
705 | | * |
706 | | * SIG is the revocation signature to check. |
707 | | * |
708 | | * This function avoids infinite recursion, which can happen if two |
709 | | * keys are designed revokers for each other and they revoke each |
710 | | * other. This is done by observing that if a key A is revoked by key |
711 | | * B we still consider the revocation to be valid even if B is |
712 | | * revoked. Thus, we don't need to determine whether B is revoked to |
713 | | * determine whether A has been revoked by B, we just need to check |
714 | | * the signature. |
715 | | * |
716 | | * Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not |
717 | | * revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is |
718 | | * only returned when a revocation signature is from a valid |
719 | | * revocation key designated in a revkey subpacket, but the revocation |
720 | | * key itself isn't present. |
721 | | * |
722 | | * Note that this guarantees that a designated revocation sig will |
723 | | * never be considered valid unless it is actually valid, as well as |
724 | | * being issued by a revocation key in a valid direct signature. Note |
725 | | * also that this is written so that a revoked revoker can still issue |
726 | | * revocations: i.e. If A revokes B, but A is revoked, B is still |
727 | | * revoked. I'm not completely convinced this is the proper behavior, |
728 | | * but it matches how PGP does it. -dms |
729 | | */ |
730 | | gpg_error_t |
731 | | check_revocation_keys (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig) |
732 | 0 | { |
733 | 0 | int i; |
734 | 0 | gpg_error_t err = gpg_error (GPG_ERR_GENERAL); |
735 | |
|
736 | 0 | log_assert (IS_KEY_REV(sig)); |
737 | 0 | log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[1]!=pk->keyid[1])); |
738 | | |
739 | | /* Avoid infinite recursion. Consider the following: |
740 | | * |
741 | | * - We want to check if A is revoked. |
742 | | * |
743 | | * - C is a designated revoker for B and has revoked B. |
744 | | * |
745 | | * - B is a designated revoker for A and has revoked A. |
746 | | * |
747 | | * When checking if A is revoked (in merge_selfsigs_main), we |
748 | | * observe that A has a designed revoker. As such, we call this |
749 | | * function. This function sees that there is a valid revocation |
750 | | * signature, which is signed by B. It then calls check_signature() |
751 | | * to verify that the signature is good. To check the sig, we need |
752 | | * to lookup B. Looking up B means calling merge_selfsigs_main, |
753 | | * which checks whether B is revoked, which calls this function to |
754 | | * see if B was revoked by some key. |
755 | | * |
756 | | * In this case, the added level of indirection doesn't hurt. It |
757 | | * just means a bit more work. However, if C == A, then we'd end up |
758 | | * in a loop. But, it doesn't make sense to look up C anyways: even |
759 | | * if B is revoked, we conservatively consider a valid revocation |
760 | | * signed by B to revoke A. Since this is the only place where this |
761 | | * type of recursion can occur, we simply cause this function to |
762 | | * fail if it is entered recursively. */ |
763 | 0 | if (ctrl->in_check_revocation_keys) |
764 | 0 | { |
765 | | /* Return an error (i.e. not revoked), but mark the pk as |
766 | | uncacheable as we don't really know its revocation status |
767 | | until it is checked directly. */ |
768 | 0 | pk->flags.dont_cache = 1; |
769 | 0 | return err; |
770 | 0 | } |
771 | | |
772 | 0 | ctrl->in_check_revocation_keys = 1; |
773 | | |
774 | | /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1], |
775 | | (ulong)sig->keyid[1]); */ |
776 | | |
777 | | /* Is the issuer of the sig one of our revokers? */ |
778 | 0 | if (!pk->revkey && pk->numrevkeys) |
779 | 0 | BUG(); |
780 | | |
781 | 0 | for (i=0; i < pk->numrevkeys; i++) |
782 | 0 | { |
783 | 0 | u32 keyid[2]; /* Receives the revoker's keyid. */ |
784 | |
|
785 | 0 | keyid_from_fingerprint (ctrl, pk->revkey[i].fpr, pk->revkey[i].fprlen, |
786 | 0 | keyid); |
787 | | |
788 | | /* If the signature was generated by a designated revoker |
789 | | * verify the signature. */ |
790 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
791 | 0 | { |
792 | 0 | gcry_md_hd_t md; |
793 | |
|
794 | 0 | if (gcry_md_open (&md, sig->digest_algo, 0)) |
795 | 0 | BUG (); |
796 | 0 | hash_public_key (md, pk); |
797 | | /* Note: check_signature only checks that the signature |
798 | | * is good. It does not fail if the key is revoked. */ |
799 | 0 | err = check_signature (ctrl, sig, md, NULL, 0, NULL, |
800 | 0 | NULL, NULL, NULL, NULL, NULL); |
801 | 0 | cache_sig_result (sig, err); |
802 | 0 | gcry_md_close (md); |
803 | 0 | break; /* Fixme: We did not check RC. */ |
804 | 0 | } |
805 | 0 | } |
806 | | |
807 | 0 | ctrl->in_check_revocation_keys = 0; |
808 | |
|
809 | 0 | return err; |
810 | 0 | } |
811 | | |
812 | | |
813 | | /* Check that the backsig BACKSIG from the subkey SUB_PK to its |
814 | | * primary key MAIN_PK is valid. |
815 | | * |
816 | | * Backsigs (0x19) have the same format as binding sigs (0x18), but |
817 | | * this function is simpler than check_key_signature in a few ways. |
818 | | * For example, there is no support for expiring backsigs since it is |
819 | | * questionable what such a thing actually means. Note also that the |
820 | | * sig cache check here, unlike other sig caches in GnuPG, is not |
821 | | * persistent. */ |
822 | | int |
823 | | check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk, |
824 | | PKT_signature *backsig) |
825 | 0 | { |
826 | 0 | gcry_md_hd_t md; |
827 | 0 | int rc; |
828 | | |
829 | | /* Always check whether the algorithm is available. Although |
830 | | gcry_md_open would throw an error, some libgcrypt versions will |
831 | | print a debug message in that case too. */ |
832 | 0 | if ((rc=openpgp_md_test_algo (backsig->digest_algo))) |
833 | 0 | return rc; |
834 | | |
835 | 0 | if(!opt.no_sig_cache && backsig->flags.checked) |
836 | 0 | return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE); |
837 | | |
838 | 0 | rc = gcry_md_open (&md, backsig->digest_algo,0); |
839 | 0 | if (!rc) |
840 | 0 | { |
841 | 0 | hash_public_key(md,main_pk); |
842 | 0 | hash_public_key(md,sub_pk); |
843 | 0 | rc = check_signature_end (sub_pk, backsig, md, NULL, 0, NULL, NULL, NULL); |
844 | 0 | cache_sig_result(backsig,rc); |
845 | 0 | gcry_md_close(md); |
846 | 0 | } |
847 | |
|
848 | 0 | return rc; |
849 | 0 | } |
850 | | |
851 | | |
852 | | /* Check that a signature over a key is valid. This is a |
853 | | * specialization of check_key_signature2 with the unnamed parameters |
854 | | * passed as NULL. See the documentation for that function for more |
855 | | * details. */ |
856 | | int |
857 | | check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node, |
858 | | int *is_selfsig) |
859 | 0 | { |
860 | 0 | return check_key_signature2 (ctrl, root, node, NULL, NULL, |
861 | 0 | is_selfsig, NULL, NULL); |
862 | 0 | } |
863 | | |
864 | | |
865 | | /* Returns whether SIGNER generated the signature SIG over the packet |
866 | | * PACKET, which is a key, subkey or uid, and comes from the key block |
867 | | * KB. (KB is PACKET's corresponding keyblock; we don't assume that |
868 | | * SIG has been added to the keyblock.) |
869 | | * |
870 | | * If SIGNER is set, then checks whether SIGNER generated the |
871 | | * signature. Otherwise, uses SIG->KEYID to find the alleged signer. |
872 | | * This parameter can be used to effectively override the alleged |
873 | | * signer that is stored in SIG. |
874 | | * |
875 | | * KB may be NULL if SIGNER is set. |
876 | | * |
877 | | * Unlike check_key_signature, this function ignores any cached |
878 | | * results! That is, it does not consider SIG->FLAGS.CHECKED and |
879 | | * SIG->FLAGS.VALID nor does it set them. |
880 | | * |
881 | | * This doesn't check the signature's semantic mean. Concretely, it |
882 | | * doesn't check whether a non-self signed revocation signature was |
883 | | * created by a designated revoker. In fact, it doesn't return an |
884 | | * error for a binding generated by a completely different key! |
885 | | * |
886 | | * Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if |
887 | | * this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if |
888 | | * the key that generated the signature (according to SIG) could not |
889 | | * be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad. |
890 | | * Other errors codes may be returned if something else goes wrong. |
891 | | * |
892 | | * If IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a |
893 | | * self-signature (by the key's primary key) or 0 if not. |
894 | | * |
895 | | * If RET_PK is not NULL, returns a copy of the public key that |
896 | | * generated the signature (i.e., the signer) on success. This must |
897 | | * be released by the caller using release_public_key_parts (). */ |
898 | | gpg_error_t |
899 | | check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, |
900 | | PKT_signature *sig, KBNODE kb, PACKET *packet, |
901 | | int *is_selfsig, PKT_public_key *ret_pk) |
902 | 0 | { |
903 | 0 | int rc; |
904 | 0 | PKT_public_key *pripk = kb->pkt->pkt.public_key; |
905 | 0 | gcry_md_hd_t md; |
906 | 0 | int signer_alloced = 0; |
907 | 0 | int stub_is_selfsig; |
908 | |
|
909 | 0 | if (!is_selfsig) |
910 | 0 | is_selfsig = &stub_is_selfsig; |
911 | |
|
912 | 0 | *is_selfsig = 0; /* Init early to comply with function description. */ |
913 | |
|
914 | 0 | rc = openpgp_pk_test_algo (sig->pubkey_algo); |
915 | 0 | if (rc) |
916 | 0 | return rc; |
917 | 0 | rc = openpgp_md_test_algo (sig->digest_algo); |
918 | 0 | if (rc) |
919 | 0 | return rc; |
920 | | |
921 | | /* A signature's class indicates the type of packet that it |
922 | | signs. */ |
923 | 0 | if (IS_BACK_SIG (sig) || IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
924 | 0 | { |
925 | | /* Key revocations can only be over primary keys. */ |
926 | 0 | if (packet->pkttype != PKT_PUBLIC_KEY) |
927 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
928 | 0 | } |
929 | 0 | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
930 | 0 | { |
931 | 0 | if (packet->pkttype != PKT_PUBLIC_SUBKEY) |
932 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
933 | 0 | } |
934 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
935 | 0 | { |
936 | 0 | if (packet->pkttype != PKT_USER_ID) |
937 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
938 | 0 | } |
939 | 0 | else |
940 | 0 | return gpg_error (GPG_ERR_SIG_CLASS); |
941 | | |
942 | | /* PACKET is the right type for SIG. */ |
943 | | |
944 | 0 | if (signer) |
945 | 0 | { |
946 | 0 | if (signer->keyid[0] == pripk->keyid[0] |
947 | 0 | && signer->keyid[1] == pripk->keyid[1]) |
948 | 0 | *is_selfsig = 1; |
949 | 0 | else |
950 | 0 | *is_selfsig = 0; |
951 | 0 | } |
952 | 0 | else |
953 | 0 | { |
954 | | /* Get the signer. If possible, avoid a look up. */ |
955 | 0 | if (sig->keyid[0] == pripk->keyid[0] |
956 | 0 | && sig->keyid[1] == pripk->keyid[1]) |
957 | 0 | { |
958 | | /* Issued by the primary key. */ |
959 | 0 | signer = pripk; |
960 | 0 | *is_selfsig = 1; |
961 | 0 | } |
962 | 0 | else |
963 | 0 | { |
964 | | /* See if one of the subkeys was the signer (although this |
965 | | * is extremely unlikely). */ |
966 | 0 | kbnode_t ctx = NULL; |
967 | 0 | kbnode_t n; |
968 | |
|
969 | 0 | while ((n = walk_kbnode (kb, &ctx, 0))) |
970 | 0 | { |
971 | 0 | PKT_public_key *subk; |
972 | |
|
973 | 0 | if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY) |
974 | 0 | continue; |
975 | | |
976 | 0 | subk = n->pkt->pkt.public_key; |
977 | 0 | if (sig->keyid[0] == subk->keyid[0] |
978 | 0 | && sig->keyid[1] == subk->keyid[1]) |
979 | 0 | { |
980 | | /* Issued by a subkey. */ |
981 | 0 | signer = subk; |
982 | 0 | break; |
983 | 0 | } |
984 | 0 | } |
985 | |
|
986 | 0 | if (! signer) |
987 | 0 | { |
988 | | /* Signer by some other key. */ |
989 | 0 | *is_selfsig = 0; |
990 | 0 | if (ret_pk) |
991 | 0 | { |
992 | 0 | signer = ret_pk; |
993 | | /* FIXME: Using memset here is problematic because it |
994 | | * assumes that there are no allocated fields in |
995 | | * SIGNER. */ |
996 | 0 | memset (signer, 0, sizeof (*signer)); |
997 | 0 | signer_alloced = 1; |
998 | 0 | } |
999 | 0 | else |
1000 | 0 | { |
1001 | 0 | signer = xmalloc_clear (sizeof (*signer)); |
1002 | 0 | signer_alloced = 2; |
1003 | 0 | } |
1004 | |
|
1005 | 0 | if (IS_CERT (sig)) |
1006 | 0 | signer->req_usage = PUBKEY_USAGE_CERT; |
1007 | |
|
1008 | 0 | rc = get_pubkey_for_sig (ctrl, signer, sig, NULL, NULL); |
1009 | 0 | if (rc) |
1010 | 0 | { |
1011 | 0 | if (signer_alloced != 1) |
1012 | 0 | xfree (signer); |
1013 | 0 | signer = NULL; |
1014 | 0 | signer_alloced = 0; |
1015 | 0 | goto leave; |
1016 | 0 | } |
1017 | 0 | } |
1018 | 0 | } |
1019 | 0 | } |
1020 | | |
1021 | | /* We checked above that we supported this algo, so an error here is |
1022 | | * a bug. */ |
1023 | 0 | if (gcry_md_open (&md, sig->digest_algo, 0)) |
1024 | 0 | BUG (); |
1025 | | |
1026 | | /* Hash the relevant data. */ |
1027 | | |
1028 | 0 | if (IS_KEY_SIG (sig) || IS_KEY_REV (sig)) |
1029 | 0 | { |
1030 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1031 | 0 | hash_public_key (md, packet->pkt.public_key); |
1032 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1033 | 0 | } |
1034 | 0 | else if (IS_BACK_SIG (sig)) |
1035 | 0 | { |
1036 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_KEY); |
1037 | 0 | hash_public_key (md, packet->pkt.public_key); |
1038 | 0 | hash_public_key (md, signer); |
1039 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1040 | 0 | } |
1041 | 0 | else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) |
1042 | 0 | { |
1043 | 0 | log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY); |
1044 | 0 | hash_public_key (md, pripk); |
1045 | 0 | hash_public_key (md, packet->pkt.public_key); |
1046 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1047 | 0 | } |
1048 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1049 | 0 | { |
1050 | 0 | log_assert (packet->pkttype == PKT_USER_ID); |
1051 | 0 | if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig |
1052 | 0 | && !opt.flags.allow_weak_key_signatures) |
1053 | 0 | { |
1054 | | /* If the signature was created using SHA-1 we consider this |
1055 | | * signature invalid because it makes it possible to mount a |
1056 | | * chosen-prefix collision. We don't do this for |
1057 | | * self-signatures, though. */ |
1058 | 0 | print_sha1_keysig_rejected_note (); |
1059 | 0 | rc = gpg_error (GPG_ERR_DIGEST_ALGO); |
1060 | 0 | } |
1061 | 0 | else |
1062 | 0 | { |
1063 | 0 | hash_public_key (md, pripk); |
1064 | 0 | hash_uid_packet (packet->pkt.user_id, md, sig); |
1065 | 0 | rc = check_signature_end_simple (signer, sig, md, NULL, 0); |
1066 | 0 | } |
1067 | 0 | } |
1068 | 0 | else |
1069 | 0 | { |
1070 | | /* We should never get here. (The first if above should have |
1071 | | * already caught this error.) */ |
1072 | 0 | BUG (); |
1073 | 0 | } |
1074 | | |
1075 | 0 | gcry_md_close (md); |
1076 | |
|
1077 | 0 | leave: |
1078 | 0 | if (! rc && ret_pk && ret_pk != signer) |
1079 | 0 | copy_public_key (ret_pk, signer); |
1080 | |
|
1081 | 0 | if (signer_alloced) |
1082 | 0 | { |
1083 | | /* We looked up SIGNER; it is not a pointer into KB. */ |
1084 | 0 | release_public_key_parts (signer); |
1085 | | /* Free if we also allocated the memory. */ |
1086 | 0 | if (signer_alloced == 2) |
1087 | 0 | xfree (signer); |
1088 | 0 | } |
1089 | |
|
1090 | 0 | return rc; |
1091 | 0 | } |
1092 | | |
1093 | | |
1094 | | /* Check that a signature over a key (e.g., a key revocation, key |
1095 | | * binding, user id certification, etc.) is valid. If the function |
1096 | | * detects a self-signature, it uses the public key from the specified |
1097 | | * key block and does not bother looking up the key specified in the |
1098 | | * signature packet. |
1099 | | * |
1100 | | * ROOT is a keyblock. |
1101 | | * |
1102 | | * NODE references a signature packet that appears in the keyblock |
1103 | | * that should be verified. |
1104 | | * |
1105 | | * If CHECK_PK is set, the specified key is sometimes preferred for |
1106 | | * verifying signatures. See the implementation for details. |
1107 | | * |
1108 | | * If RET_PK is not NULL, the public key that successfully verified |
1109 | | * the signature is copied into *RET_PK. |
1110 | | * |
1111 | | * If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a |
1112 | | * self-signature. |
1113 | | * |
1114 | | * If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry |
1115 | | * date. |
1116 | | * |
1117 | | * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been |
1118 | | * expired (0 otherwise). Note: PK being revoked does not cause this |
1119 | | * function to fail. |
1120 | | * |
1121 | | * |
1122 | | * If OPT.NO_SIG_CACHE is not set, this function will first check if |
1123 | | * the result of a previous verification is already cached in the |
1124 | | * signature packet's data structure. |
1125 | | * |
1126 | | * TODO: add r_revoked here as well. It has the same problems as |
1127 | | * r_expiredate and r_expired and the cache [nw]. Which problems [wk]? */ |
1128 | | int |
1129 | | check_key_signature2 (ctrl_t ctrl, |
1130 | | kbnode_t root, kbnode_t node, PKT_public_key *check_pk, |
1131 | | PKT_public_key *ret_pk, int *is_selfsig, |
1132 | | u32 *r_expiredate, int *r_expired ) |
1133 | 0 | { |
1134 | 0 | PKT_public_key *pk; |
1135 | 0 | PKT_signature *sig; |
1136 | 0 | int algo; |
1137 | 0 | int rc; |
1138 | |
|
1139 | 0 | if (is_selfsig) |
1140 | 0 | *is_selfsig = 0; |
1141 | 0 | if (r_expiredate) |
1142 | 0 | *r_expiredate = 0; |
1143 | 0 | if (r_expired) |
1144 | 0 | *r_expired = 0; |
1145 | 0 | log_assert (node->pkt->pkttype == PKT_SIGNATURE); |
1146 | 0 | log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY); |
1147 | | |
1148 | 0 | pk = root->pkt->pkt.public_key; |
1149 | 0 | sig = node->pkt->pkt.signature; |
1150 | 0 | algo = sig->digest_algo; |
1151 | | |
1152 | | /* Check whether we have cached the result of a previous signature |
1153 | | * check. Note that we may no longer have the pubkey or hash |
1154 | | * needed to verify a sig, but can still use the cached value. A |
1155 | | * cache refresh detects and clears these cases. */ |
1156 | 0 | if ( !opt.no_sig_cache ) |
1157 | 0 | { |
1158 | 0 | cache_stats.total++; |
1159 | 0 | if (sig->flags.checked) /* Cached status available. */ |
1160 | 0 | { |
1161 | 0 | cache_stats.cached++; |
1162 | 0 | if (is_selfsig) |
1163 | 0 | { |
1164 | 0 | u32 keyid[2]; |
1165 | |
|
1166 | 0 | keyid_from_pk (pk, keyid); |
1167 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
1168 | 0 | *is_selfsig = 1; |
1169 | 0 | } |
1170 | | /* BUG: This is wrong for non-self-sigs... needs to be the |
1171 | | * actual pk. */ |
1172 | 0 | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1173 | 0 | if (rc) |
1174 | 0 | return rc; |
1175 | 0 | if (sig->flags.valid) |
1176 | 0 | { |
1177 | 0 | cache_stats.goodsig++; |
1178 | 0 | return 0; |
1179 | 0 | } |
1180 | 0 | cache_stats.badsig++; |
1181 | 0 | return gpg_error (GPG_ERR_BAD_SIGNATURE); |
1182 | 0 | } |
1183 | 0 | } |
1184 | | |
1185 | 0 | rc = openpgp_pk_test_algo(sig->pubkey_algo); |
1186 | 0 | if (rc) |
1187 | 0 | return rc; |
1188 | 0 | rc = openpgp_md_test_algo(algo); |
1189 | 0 | if (rc) |
1190 | 0 | return rc; |
1191 | | |
1192 | 0 | if (IS_KEY_REV (sig)) |
1193 | 0 | { |
1194 | 0 | u32 keyid[2]; |
1195 | 0 | keyid_from_pk( pk, keyid ); |
1196 | | |
1197 | | /* Is it a designated revoker? */ |
1198 | 0 | if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1]) |
1199 | 0 | rc = check_revocation_keys (ctrl, pk, sig); |
1200 | 0 | else |
1201 | 0 | { |
1202 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1203 | 0 | r_expired, NULL); |
1204 | 0 | if (! rc) |
1205 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, |
1206 | 0 | root, root->pkt, |
1207 | 0 | is_selfsig, ret_pk); |
1208 | 0 | } |
1209 | 0 | } |
1210 | 0 | else if (IS_SUBKEY_REV (sig) || IS_SUBKEY_SIG (sig)) |
1211 | 0 | { |
1212 | 0 | kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY); |
1213 | |
|
1214 | 0 | if (snode) |
1215 | 0 | { |
1216 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1217 | 0 | r_expired, NULL); |
1218 | 0 | if (! rc) |
1219 | 0 | { |
1220 | | /* A subkey revocation (0x28) must be a self-sig, but a |
1221 | | * subkey signature (0x18) needn't be. */ |
1222 | 0 | rc = check_signature_over_key_or_uid (ctrl, |
1223 | 0 | IS_SUBKEY_SIG (sig) |
1224 | 0 | ? NULL : pk, |
1225 | 0 | sig, root, snode->pkt, |
1226 | 0 | is_selfsig, ret_pk); |
1227 | 0 | } |
1228 | 0 | } |
1229 | 0 | else |
1230 | 0 | { |
1231 | 0 | if (opt.verbose) |
1232 | 0 | { |
1233 | 0 | if (IS_SUBKEY_REV (sig)) |
1234 | 0 | log_info (_("key %s: no subkey for subkey" |
1235 | 0 | " revocation signature\n"), keystr_from_pk(pk)); |
1236 | 0 | else if (sig->sig_class == 0x18) |
1237 | 0 | log_info(_("key %s: no subkey for subkey" |
1238 | 0 | " binding signature\n"), keystr_from_pk(pk)); |
1239 | 0 | } |
1240 | 0 | rc = GPG_ERR_SIG_CLASS; |
1241 | 0 | } |
1242 | 0 | } |
1243 | 0 | else if (IS_KEY_SIG (sig)) /* direct key signature */ |
1244 | 0 | { |
1245 | 0 | rc = check_signature_metadata_validity (pk, sig, |
1246 | 0 | r_expired, NULL); |
1247 | 0 | if (! rc) |
1248 | 0 | rc = check_signature_over_key_or_uid (ctrl, pk, sig, root, root->pkt, |
1249 | 0 | is_selfsig, ret_pk); |
1250 | 0 | } |
1251 | 0 | else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) |
1252 | 0 | { |
1253 | 0 | kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID); |
1254 | |
|
1255 | 0 | if (unode) |
1256 | 0 | { |
1257 | 0 | rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); |
1258 | 0 | if (! rc) |
1259 | 0 | { |
1260 | | /* If this is a self-sig, ignore check_pk. */ |
1261 | 0 | rc = check_signature_over_key_or_uid |
1262 | 0 | (ctrl, |
1263 | 0 | keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk, |
1264 | 0 | sig, root, unode->pkt, NULL, ret_pk); |
1265 | 0 | } |
1266 | 0 | } |
1267 | 0 | else |
1268 | 0 | { |
1269 | 0 | if (!opt.quiet) |
1270 | 0 | log_info ("key %s: no user ID for key signature packet" |
1271 | 0 | " of class %02x\n",keystr_from_pk(pk),sig->sig_class); |
1272 | 0 | rc = GPG_ERR_SIG_CLASS; |
1273 | 0 | } |
1274 | 0 | } |
1275 | 0 | else |
1276 | 0 | { |
1277 | 0 | log_info ("sig issued by %s with class %d (digest: %02x %02x)" |
1278 | 0 | " is not valid over a user id or a key id, ignoring.\n", |
1279 | 0 | keystr (sig->keyid), sig->sig_class, |
1280 | 0 | sig->digest_start[0], sig->digest_start[1]); |
1281 | 0 | rc = gpg_error (GPG_ERR_BAD_SIGNATURE); |
1282 | 0 | } |
1283 | |
|
1284 | 0 | cache_sig_result (sig, rc); |
1285 | |
|
1286 | 0 | return rc; |
1287 | 0 | } |