Line data Source code
1 : /* sig-check.c - Check a signature
2 : * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 : * 2004, 2006 Free Software Foundation, Inc.
4 : * Copyright (C) 2015 g10 Code GmbH
5 : *
6 : * This file is part of GnuPG.
7 : *
8 : * GnuPG is free software; you can redistribute it and/or modify
9 : * it under the terms of the GNU General Public License as published by
10 : * the Free Software Foundation; either version 3 of the License, or
11 : * (at your option) any later version.
12 : *
13 : * GnuPG is distributed in the hope that it will be useful,
14 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : * GNU General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU General Public License
19 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include <config.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <assert.h>
27 :
28 : #include "gpg.h"
29 : #include "util.h"
30 : #include "packet.h"
31 : #include "keydb.h"
32 : #include "main.h"
33 : #include "status.h"
34 : #include "i18n.h"
35 : #include "options.h"
36 : #include "pkglue.h"
37 :
38 : static int check_signature_end (PKT_public_key *pk, PKT_signature *sig,
39 : gcry_md_hd_t digest,
40 : int *r_expired, int *r_revoked,
41 : PKT_public_key *ret_pk);
42 :
43 : /* Check a signature. This is shorthand for check_signature2 with
44 : the unnamed arguments passed as NULL. */
45 : int
46 0 : check_signature (PKT_signature *sig, gcry_md_hd_t digest)
47 : {
48 0 : return check_signature2 (sig, digest, NULL, NULL, NULL, NULL);
49 : }
50 :
51 : /* Check a signature.
52 :
53 : Looks up the public key that created the signature (SIG->KEYID)
54 : from the key db. Makes sure that the signature is valid (it was
55 : not created prior to the key, the public key was created in the
56 : past, and the signature does not include any unsupported critical
57 : features), finishes computing the hash of the signature data, and
58 : checks that the signature verifies the digest. If the key that
59 : generated the signature is a subkey, this function also verifies
60 : that there is a valid backsig from the subkey to the primary key.
61 : Finally, if status fd is enabled and the signature class is 0x00 or
62 : 0x01, then a STATUS_SIG_ID is emitted on the status fd.
63 :
64 : SIG is the signature to check.
65 :
66 : DIGEST contains a valid hash context that already includes the
67 : signed data. This function adds the relevant meta-data from the
68 : signature packet to compute the final hash. (See Section 5.2 of
69 : RFC 4880: "The concatenation of the data being signed and the
70 : signature data from the version number through the hashed subpacket
71 : data (inclusive) is hashed.")
72 :
73 : If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's
74 : expiry.
75 :
76 : If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
77 : (0 otherwise). Note: PK being expired does not cause this function
78 : to fail.
79 :
80 : If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
81 : revoked (0 otherwise). Note: PK being revoked does not cause this
82 : function to fail.
83 :
84 : If PK is not NULL, the public key is saved in *PK on success.
85 :
86 : Returns 0 on success. An error code otherwise. */
87 : int
88 147 : check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
89 : int *r_expired, int *r_revoked, PKT_public_key *pk )
90 : {
91 147 : int rc=0;
92 : int pk_internal;
93 :
94 147 : if (pk)
95 0 : pk_internal = 0;
96 : else
97 : {
98 147 : pk_internal = 1;
99 147 : pk = xmalloc_clear( sizeof *pk );
100 : }
101 :
102 147 : if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
103 : ; /* We don't have this digest. */
104 147 : else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
105 : ; /* We don't have this pubkey algo. */
106 147 : else if (!gcry_md_is_enabled (digest,sig->digest_algo))
107 : {
108 : /* Sanity check that the md has a context for the hash that the
109 : sig is expecting. This can happen if a onepass sig header does
110 : not match the actual sig, and also if the clearsign "Hash:"
111 : header is missing or does not match the actual sig. */
112 :
113 0 : log_info(_("WARNING: signature digest conflict in message\n"));
114 0 : rc = GPG_ERR_GENERAL;
115 : }
116 147 : else if( get_pubkey( pk, sig->keyid ) )
117 0 : rc = GPG_ERR_NO_PUBKEY;
118 147 : else if(!pk->flags.valid && !pk->flags.primary)
119 : {
120 : /* You cannot have a good sig from an invalid subkey. */
121 0 : rc = GPG_ERR_BAD_PUBKEY;
122 : }
123 : else
124 : {
125 147 : if(r_expiredate)
126 0 : *r_expiredate = pk->expiredate;
127 :
128 147 : rc = check_signature_end (pk, sig, digest, r_expired, r_revoked, NULL);
129 :
130 : /* Check the backsig. This is a 0x19 signature from the
131 : subkey on the primary key. The idea here is that it should
132 : not be possible for someone to "steal" subkeys and claim
133 : them as their own. The attacker couldn't actually use the
134 : subkey, but they could try and claim ownership of any
135 : signatures issued by it. */
136 147 : if(rc==0 && !pk->flags.primary && pk->flags.backsig < 2)
137 : {
138 0 : if (!pk->flags.backsig)
139 : {
140 0 : log_info(_("WARNING: signing subkey %s is not"
141 : " cross-certified\n"),keystr_from_pk(pk));
142 0 : log_info(_("please see %s for more information\n"),
143 : "https://gnupg.org/faq/subkey-cross-certify.html");
144 : /* --require-cross-certification makes this warning an
145 : error. TODO: change the default to require this
146 : after more keys have backsigs. */
147 0 : if(opt.flags.require_cross_cert)
148 0 : rc = GPG_ERR_GENERAL;
149 : }
150 0 : else if(pk->flags.backsig == 1)
151 : {
152 0 : log_info(_("WARNING: signing subkey %s has an invalid"
153 : " cross-certification\n"),keystr_from_pk(pk));
154 0 : rc = GPG_ERR_GENERAL;
155 : }
156 : }
157 : }
158 :
159 147 : if (pk_internal || rc)
160 : {
161 147 : release_public_key_parts (pk);
162 147 : if (pk_internal)
163 147 : xfree (pk);
164 : else
165 : /* Be very sure that the caller doesn't try to use *PK. */
166 0 : memset (pk, 0, sizeof (*pk));
167 : }
168 :
169 147 : if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
170 : /* This signature id works best with DLP algorithms because
171 : * they use a random parameter for every signature. Instead of
172 : * this sig-id we could have also used the hash of the document
173 : * and the timestamp, but the drawback of this is, that it is
174 : * not possible to sign more than one identical document within
175 : * one second. Some remote batch processing applications might
176 : * like this feature here.
177 : *
178 : * Note that before 2.0.10, we used RIPE-MD160 for the hash
179 : * and accidently didn't include the timestamp and algorithm
180 : * information in the hash. Given that this feature is not
181 : * commonly used and that a replay attacks detection should
182 : * not solely be based on this feature (because it does not
183 : * work with RSA), we take the freedom and switch to SHA-1
184 : * with 2.0.10 to take advantage of hardware supported SHA-1
185 : * implementations. We also include the missing information
186 : * in the hash. Note also the SIG_ID as computed by gpg 1.x
187 : * and gpg 2.x didn't matched either because 2.x used to print
188 : * MPIs not in PGP format. */
189 0 : u32 a = sig->timestamp;
190 0 : int nsig = pubkey_get_nsig( sig->pubkey_algo );
191 : unsigned char *p, *buffer;
192 : size_t n, nbytes;
193 : int i;
194 : char hashbuf[20];
195 :
196 0 : nbytes = 6;
197 0 : for (i=0; i < nsig; i++ )
198 : {
199 0 : if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i]))
200 0 : BUG();
201 0 : nbytes += n;
202 : }
203 :
204 : /* Make buffer large enough to be later used as output buffer. */
205 0 : if (nbytes < 100)
206 0 : nbytes = 100;
207 0 : nbytes += 10; /* Safety margin. */
208 :
209 : /* Fill and hash buffer. */
210 0 : buffer = p = xmalloc (nbytes);
211 0 : *p++ = sig->pubkey_algo;
212 0 : *p++ = sig->digest_algo;
213 0 : *p++ = (a >> 24) & 0xff;
214 0 : *p++ = (a >> 16) & 0xff;
215 0 : *p++ = (a >> 8) & 0xff;
216 0 : *p++ = a & 0xff;
217 0 : nbytes -= 6;
218 0 : for (i=0; i < nsig; i++ )
219 : {
220 0 : if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i]))
221 0 : BUG();
222 0 : p += n;
223 0 : nbytes -= n;
224 : }
225 0 : gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer);
226 :
227 0 : p = make_radix64_string (hashbuf, 20);
228 0 : sprintf (buffer, "%s %s %lu",
229 0 : p, strtimestamp (sig->timestamp), (ulong)sig->timestamp);
230 0 : xfree (p);
231 0 : write_status_text (STATUS_SIG_ID, buffer);
232 0 : xfree (buffer);
233 : }
234 :
235 147 : return rc;
236 : }
237 :
238 :
239 : /* The signature SIG was generated with the public key PK. Check
240 : whether the signature is valid in the following sense:
241 :
242 : - Make sure the public key was created before the signature was
243 : generated.
244 :
245 : - Make sure the public key was created in the past
246 :
247 : - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0
248 : otherwise)
249 :
250 : - Check whether PK has been revoked (set *R_REVOKED to 1 if so
251 : and 0 otherwise).
252 :
253 : If either of the first two tests fail, returns an error code.
254 : Otherwise returns 0. (Thus, this function doesn't fail if the
255 : public key is expired or revoked.) */
256 : static int
257 5326 : check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig,
258 : int *r_expired, int *r_revoked)
259 : {
260 : u32 cur_time;
261 :
262 5326 : if(r_expired)
263 147 : *r_expired = 0;
264 5326 : if(r_revoked)
265 147 : *r_revoked = 0;
266 :
267 5326 : if( pk->timestamp > sig->timestamp )
268 : {
269 0 : ulong d = pk->timestamp - sig->timestamp;
270 0 : log_info(d==1
271 : ?_("public key %s is %lu second newer than the signature\n")
272 : :_("public key %s is %lu seconds newer than the signature\n"),
273 : keystr_from_pk(pk),d );
274 0 : if( !opt.ignore_time_conflict )
275 0 : return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */
276 : }
277 :
278 5326 : cur_time = make_timestamp();
279 5326 : if( pk->timestamp > cur_time )
280 : {
281 0 : ulong d = pk->timestamp - cur_time;
282 0 : log_info( d==1
283 : ? _("key %s was created %lu second"
284 : " in the future (time warp or clock problem)\n")
285 : : _("key %s was created %lu seconds"
286 : " in the future (time warp or clock problem)\n"),
287 : keystr_from_pk(pk),d );
288 0 : if( !opt.ignore_time_conflict )
289 0 : return GPG_ERR_TIME_CONFLICT;
290 : }
291 :
292 : /* Check whether the key has expired. We check the has_expired
293 : flag which is set after a full evaluation of the key (getkey.c)
294 : as well as a simple compare to the current time in case the
295 : merge has for whatever reasons not been done. */
296 5326 : if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
297 : char buf[11];
298 6 : if (opt.verbose)
299 0 : log_info(_("Note: signature key %s expired %s\n"),
300 : keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
301 6 : sprintf(buf,"%lu",(ulong)pk->expiredate);
302 6 : write_status_text(STATUS_KEYEXPIRED,buf);
303 6 : if(r_expired)
304 0 : *r_expired = 1;
305 : }
306 :
307 5326 : if (pk->flags.revoked)
308 : {
309 0 : if (opt.verbose)
310 0 : log_info (_("Note: signature key %s has been revoked\n"),
311 : keystr_from_pk(pk));
312 0 : if (r_revoked)
313 0 : *r_revoked=1;
314 : }
315 :
316 5326 : return 0;
317 : }
318 :
319 :
320 : /* Finish generating a signature and check it. Concretely: make sure
321 : that the signature is valid (it was not created prior to the key,
322 : the public key was created in the past, and the signature does not
323 : include any unsupported critical features), finish computing the
324 : digest by adding the relevant data from the signature packet, and
325 : check that the signature verifies the digest.
326 :
327 : DIGEST contains a hash context, which has already hashed the signed
328 : data. This function adds the relevant meta-data from the signature
329 : packet to compute the final hash. (See Section 5.2 of RFC 4880:
330 : "The concatenation of the data being signed and the signature data
331 : from the version number through the hashed subpacket data
332 : (inclusive) is hashed.")
333 :
334 : SIG is the signature to check.
335 :
336 : PK is the public key used to generate the signature.
337 :
338 : If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
339 : (0 otherwise). Note: PK being expired does not cause this function
340 : to fail.
341 :
342 : If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
343 : revoked (0 otherwise). Note: PK being revoked does not cause this
344 : function to fail.
345 :
346 : If RET_PK is not NULL, PK is copied into RET_PK on success.
347 :
348 : Returns 0 on success. An error code other. */
349 : static int
350 367 : check_signature_end (PKT_public_key *pk, PKT_signature *sig,
351 : gcry_md_hd_t digest,
352 : int *r_expired, int *r_revoked, PKT_public_key *ret_pk)
353 : {
354 367 : gcry_mpi_t result = NULL;
355 367 : int rc = 0;
356 : const struct weakhash *weak;
357 :
358 367 : if ((rc = check_signature_metadata_validity (pk, sig,
359 : r_expired, r_revoked)))
360 0 : return rc;
361 :
362 367 : if (!opt.flags.allow_weak_digest_algos)
363 0 : for (weak = opt.weak_digests; weak; weak = weak->next)
364 0 : if (sig->digest_algo == weak->algo)
365 : {
366 0 : print_digest_rejected_note(sig->digest_algo);
367 0 : return GPG_ERR_DIGEST_ALGO;
368 : }
369 :
370 : /* Make sure the digest algo is enabled (in case of a detached
371 : signature). */
372 367 : gcry_md_enable (digest, sig->digest_algo);
373 :
374 : /* Complete the digest. */
375 367 : if( sig->version >= 4 )
376 342 : gcry_md_putc( digest, sig->version );
377 367 : gcry_md_putc( digest, sig->sig_class );
378 367 : if( sig->version < 4 ) {
379 25 : u32 a = sig->timestamp;
380 25 : gcry_md_putc( digest, (a >> 24) & 0xff );
381 25 : gcry_md_putc( digest, (a >> 16) & 0xff );
382 25 : gcry_md_putc( digest, (a >> 8) & 0xff );
383 25 : gcry_md_putc( digest, a & 0xff );
384 : }
385 : else {
386 : byte buf[6];
387 : size_t n;
388 342 : gcry_md_putc( digest, sig->pubkey_algo );
389 342 : gcry_md_putc( digest, sig->digest_algo );
390 342 : if( sig->hashed ) {
391 342 : n = sig->hashed->len;
392 342 : gcry_md_putc (digest, (n >> 8) );
393 342 : gcry_md_putc (digest, n );
394 342 : gcry_md_write (digest, sig->hashed->data, n);
395 342 : n += 6;
396 : }
397 : else {
398 : /* Two octets for the (empty) length of the hashed
399 : section. */
400 0 : gcry_md_putc (digest, 0);
401 0 : gcry_md_putc (digest, 0);
402 0 : n = 6;
403 : }
404 : /* add some magic per Section 5.2.4 of RFC 4880. */
405 342 : buf[0] = sig->version;
406 342 : buf[1] = 0xff;
407 342 : buf[2] = n >> 24;
408 342 : buf[3] = n >> 16;
409 342 : buf[4] = n >> 8;
410 342 : buf[5] = n;
411 342 : gcry_md_write( digest, buf, 6 );
412 : }
413 367 : gcry_md_final( digest );
414 :
415 : /* Convert the digest to an MPI. */
416 367 : result = encode_md_value (pk, digest, sig->digest_algo );
417 367 : if (!result)
418 0 : return GPG_ERR_GENERAL;
419 :
420 : /* Verify the signature. */
421 367 : rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
422 367 : gcry_mpi_release (result);
423 :
424 367 : if( !rc && sig->flags.unknown_critical )
425 : {
426 0 : log_info(_("assuming bad signature from key %s"
427 : " due to an unknown critical bit\n"),keystr_from_pk(pk));
428 0 : rc = GPG_ERR_BAD_SIGNATURE;
429 : }
430 :
431 367 : if(!rc && ret_pk)
432 0 : copy_public_key(ret_pk,pk);
433 :
434 367 : return rc;
435 : }
436 :
437 :
438 : /* Add a uid node to a hash context. See section 5.2.4, paragraph 4
439 : of RFC 4880. */
440 : static void
441 136 : hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
442 : {
443 136 : PKT_user_id *uid = unode->pkt->pkt.user_id;
444 :
445 136 : assert( unode->pkt->pkttype == PKT_USER_ID );
446 136 : if( uid->attrib_data ) {
447 0 : if( sig->version >=4 ) {
448 : byte buf[5];
449 0 : buf[0] = 0xd1; /* packet of type 17 */
450 0 : buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
451 0 : buf[2] = uid->attrib_len >> 16;
452 0 : buf[3] = uid->attrib_len >> 8;
453 0 : buf[4] = uid->attrib_len;
454 0 : gcry_md_write( md, buf, 5 );
455 : }
456 0 : gcry_md_write( md, uid->attrib_data, uid->attrib_len );
457 : }
458 : else {
459 136 : if( sig->version >=4 ) {
460 : byte buf[5];
461 136 : buf[0] = 0xb4; /* indicates a userid packet */
462 136 : buf[1] = uid->len >> 24; /* always use 4 length bytes */
463 136 : buf[2] = uid->len >> 16;
464 136 : buf[3] = uid->len >> 8;
465 136 : buf[4] = uid->len;
466 136 : gcry_md_write( md, buf, 5 );
467 : }
468 136 : gcry_md_write( md, uid->name, uid->len );
469 : }
470 136 : }
471 :
472 : static void
473 220 : cache_sig_result ( PKT_signature *sig, int result )
474 : {
475 220 : if ( !result ) {
476 219 : sig->flags.checked = 1;
477 219 : sig->flags.valid = 1;
478 : }
479 1 : else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
480 1 : sig->flags.checked = 1;
481 1 : sig->flags.valid = 0;
482 : }
483 : else {
484 0 : sig->flags.checked = 0;
485 0 : sig->flags.valid = 0;
486 : }
487 220 : }
488 :
489 : /* SIG is a key revocation signature. Check if this signature was
490 : generated by any of the public key PK's designated revokers.
491 :
492 : PK is the public key that SIG allegedly revokes.
493 :
494 : SIG is the revocation signature to check.
495 :
496 : This function avoids infinite recursion, which can happen if two
497 : keys are designed revokers for each other and they revoke each
498 : other. This is done by observing that if a key A is revoked by key
499 : B we still consider the revocation to be valid even if B is
500 : revoked. Thus, we don't need to determine whether B is revoked to
501 : determine whether A has been revoked by B, we just need to check
502 : the signature.
503 :
504 : Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
505 : revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is
506 : only returned when a revocation signature is from a valid
507 : revocation key designated in a revkey subpacket, but the revocation
508 : key itself isn't present. */
509 :
510 : /* XXX: This code will need to be modified if gpg ever becomes
511 : multi-threaded. Note that this guarantees that a designated
512 : revocation sig will never be considered valid unless it is actually
513 : valid, as well as being issued by a revocation key in a valid
514 : direct signature. Note also that this is written so that a revoked
515 : revoker can still issue revocations: i.e. If A revokes B, but A is
516 : revoked, B is still revoked. I'm not completely convinced this is
517 : the proper behavior, but it matches how PGP does it. -dms */
518 : int
519 0 : check_revocation_keys (PKT_public_key *pk, PKT_signature *sig)
520 : {
521 : static int busy=0;
522 : int i;
523 0 : int rc = GPG_ERR_GENERAL;
524 :
525 0 : assert(IS_KEY_REV(sig));
526 0 : assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
527 :
528 : /* Avoid infinite recursion. Consider the following:
529 :
530 : - We want to check if A is revoked.
531 :
532 : - C is a designated revoker for B and has revoked B.
533 :
534 : - B is a designated revoker for A and has revoked A.
535 :
536 : When checking if A is revoked (in merge_selfsigs_main), we
537 : observe that A has a designed revoker. As such, we call this
538 : function. This function sees that there is a valid revocation
539 : signature, which is signed by B. It then calls check_signature()
540 : to verify that the signature is good. To check the sig, we need
541 : to lookup B. Looking up B means calling merge_selfsigs_main,
542 : which checks whether B is revoked, which calls this function to
543 : see if B was revoked by some key.
544 :
545 : In this case, the added level of indirection doesn't hurt. It
546 : just means a bit more work. However, if C == A, then we'd end up
547 : in a loop. But, it doesn't make sense to look up C anyways: even
548 : if B is revoked, we conservatively consider a valid revocation
549 : signed by B to revoke A. Since this is the only place where this
550 : type of recursion can occur, we simply cause this function to
551 : fail if it is entered recursively. */
552 0 : if (busy)
553 : {
554 : /* Return an error (i.e. not revoked), but mark the pk as
555 : uncacheable as we don't really know its revocation status
556 : until it is checked directly. */
557 0 : pk->flags.dont_cache = 1;
558 0 : return rc;
559 : }
560 :
561 0 : busy=1;
562 :
563 : /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
564 : (ulong)sig->keyid[1]); */
565 :
566 : /* is the issuer of the sig one of our revokers? */
567 0 : if( !pk->revkey && pk->numrevkeys )
568 0 : BUG();
569 : else
570 0 : for(i=0;i<pk->numrevkeys;i++)
571 : {
572 : /* The revoker's keyid. */
573 : u32 keyid[2];
574 :
575 0 : keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
576 :
577 0 : if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
578 : /* The signature was generated by a designated revoker.
579 : Verify the signature. */
580 : {
581 : gcry_md_hd_t md;
582 :
583 0 : if (gcry_md_open (&md, sig->digest_algo, 0))
584 0 : BUG ();
585 0 : hash_public_key(md,pk);
586 : /* Note: check_signature only checks that the signature
587 : is good. It does not fail if the key is revoked. */
588 0 : rc=check_signature(sig,md);
589 0 : cache_sig_result(sig,rc);
590 0 : gcry_md_close (md);
591 0 : break;
592 : }
593 : }
594 :
595 0 : busy=0;
596 :
597 0 : return rc;
598 : }
599 :
600 : /* Check that the backsig BACKSIG from the subkey SUB_PK to its
601 : primary key MAIN_PK is valid.
602 :
603 : Backsigs (0x19) have the same format as binding sigs (0x18), but
604 : this function is simpler than check_key_signature in a few ways.
605 : For example, there is no support for expiring backsigs since it is
606 : questionable what such a thing actually means. Note also that the
607 : sig cache check here, unlike other sig caches in GnuPG, is not
608 : persistent. */
609 : int
610 0 : check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk,
611 : PKT_signature *backsig)
612 : {
613 : gcry_md_hd_t md;
614 : int rc;
615 :
616 : /* Always check whether the algorithm is available. Although
617 : gcry_md_open would throw an error, some libgcrypt versions will
618 : print a debug message in that case too. */
619 0 : if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
620 0 : return rc;
621 :
622 0 : if(!opt.no_sig_cache && backsig->flags.checked)
623 0 : return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
624 :
625 0 : rc = gcry_md_open (&md, backsig->digest_algo,0);
626 0 : if (!rc)
627 : {
628 0 : hash_public_key(md,main_pk);
629 0 : hash_public_key(md,sub_pk);
630 0 : rc = check_signature_end (sub_pk, backsig, md, NULL, NULL, NULL);
631 0 : cache_sig_result(backsig,rc);
632 0 : gcry_md_close(md);
633 : }
634 :
635 0 : return rc;
636 : }
637 :
638 :
639 : /* Check that a signature over a key is valid. This is a
640 : specialization of check_key_signature2 with the unnamed parameters
641 : passed as NULL. See the documentation for that function for more
642 : details. */
643 : int
644 5179 : check_key_signature (KBNODE root, KBNODE node, int *is_selfsig)
645 : {
646 5179 : return check_key_signature2 (root, node, NULL, NULL, is_selfsig, NULL, NULL);
647 : }
648 :
649 : /* Check that a signature over a key (e.g., a key revocation, key
650 : binding, user id certification, etc.) is valid. If the function
651 : detects a self-signature, it uses the public key from the specified
652 : key block and does not bother looking up the key specified in the
653 : signature packet.
654 :
655 : ROOT is a keyblock.
656 :
657 : NODE references a signature packet that appears in the keyblock
658 : that should be verified.
659 :
660 : If CHECK_PK is set, the specified key is sometimes preferred for
661 : verifying signatures. See the implementation for details.
662 :
663 : If RET_PK is not NULL, the public key that successfully verified
664 : the signature is copied into *RET_PK.
665 :
666 : If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a
667 : self-signature.
668 :
669 : If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry
670 : date.
671 :
672 : If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been
673 : expired (0 otherwise). Note: PK being revoked does not cause this
674 : function to fail.
675 :
676 :
677 : If OPT.NO_SIG_CACHE is not set, this function will first check if
678 : the result of a previous verification is already cached in the
679 : signature packet's data structure. */
680 : /* TODO: add r_revoked here as well. It has the same problems as
681 : r_expiredate and r_expired and the cache. */
682 : int
683 5179 : check_key_signature2(KBNODE root, KBNODE node, PKT_public_key *check_pk,
684 : PKT_public_key *ret_pk, int *is_selfsig,
685 : u32 *r_expiredate, int *r_expired )
686 : {
687 : gcry_md_hd_t md;
688 : PKT_public_key *pk;
689 : PKT_signature *sig;
690 : int algo;
691 : int rc;
692 :
693 5179 : if( is_selfsig )
694 0 : *is_selfsig = 0;
695 5179 : if( r_expiredate )
696 0 : *r_expiredate = 0;
697 5179 : if( r_expired )
698 0 : *r_expired = 0;
699 5179 : assert( node->pkt->pkttype == PKT_SIGNATURE );
700 5179 : assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
701 :
702 5179 : pk = root->pkt->pkt.public_key;
703 5179 : sig = node->pkt->pkt.signature;
704 5179 : algo = sig->digest_algo;
705 :
706 : /* Check whether we have cached the result of a previous signature
707 : check. Note that we may no longer have the pubkey or hash
708 : needed to verify a sig, but can still use the cached value. A
709 : cache refresh detects and clears these cases. */
710 5179 : if ( !opt.no_sig_cache ) {
711 5179 : if (sig->flags.checked) { /*cached status available*/
712 4959 : if( is_selfsig ) {
713 : u32 keyid[2];
714 :
715 0 : keyid_from_pk( pk, keyid );
716 0 : if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
717 0 : *is_selfsig = 1;
718 : }
719 : /* BUG: This is wrong for non-self-sigs.. needs to be the
720 : actual pk */
721 4959 : if((rc = check_signature_metadata_validity (pk, sig,
722 : r_expired, NULL)))
723 0 : return rc;
724 4959 : return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
725 : }
726 : }
727 :
728 220 : if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
729 0 : return rc;
730 220 : if( (rc=openpgp_md_test_algo(algo)) )
731 0 : return rc;
732 :
733 220 : if( sig->sig_class == 0x20 ) { /* key revocation */
734 : u32 keyid[2];
735 0 : keyid_from_pk( pk, keyid );
736 :
737 : /* is it a designated revoker? */
738 0 : if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
739 0 : rc=check_revocation_keys(pk,sig);
740 : else
741 : {
742 0 : if (gcry_md_open (&md, algo, 0 ))
743 0 : BUG ();
744 0 : hash_public_key( md, pk );
745 0 : rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
746 0 : cache_sig_result ( sig, rc );
747 0 : gcry_md_close(md);
748 : }
749 : }
750 220 : else if( sig->sig_class == 0x28 ) { /* subkey revocation */
751 0 : KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
752 :
753 0 : if( snode ) {
754 0 : if (gcry_md_open (&md, algo, 0))
755 0 : BUG ();
756 0 : hash_public_key( md, pk );
757 0 : hash_public_key( md, snode->pkt->pkt.public_key );
758 0 : rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
759 0 : cache_sig_result ( sig, rc );
760 0 : gcry_md_close(md);
761 : }
762 : else
763 : {
764 0 : if (opt.verbose)
765 0 : log_info (_("key %s: no subkey for subkey"
766 : " revocation signature\n"),keystr_from_pk(pk));
767 0 : rc = GPG_ERR_SIG_CLASS;
768 : }
769 : }
770 220 : else if( sig->sig_class == 0x18 ) { /* key binding */
771 80 : KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
772 :
773 80 : if( snode ) {
774 80 : if( is_selfsig ) { /* does this make sense????? */
775 : u32 keyid[2]; /* it should always be a selfsig */
776 :
777 0 : keyid_from_pk( pk, keyid );
778 0 : if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
779 0 : *is_selfsig = 1;
780 : }
781 80 : if (gcry_md_open (&md, algo, 0))
782 0 : BUG ();
783 80 : hash_public_key( md, pk );
784 80 : hash_public_key( md, snode->pkt->pkt.public_key );
785 80 : rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
786 80 : cache_sig_result ( sig, rc );
787 80 : gcry_md_close(md);
788 : }
789 : else
790 : {
791 0 : if (opt.verbose)
792 0 : log_info(_("key %s: no subkey for subkey"
793 : " binding signature\n"),keystr_from_pk(pk));
794 0 : rc = GPG_ERR_SIG_CLASS;
795 : }
796 : }
797 140 : else if( sig->sig_class == 0x1f ) { /* direct key signature */
798 4 : if (gcry_md_open (&md, algo, 0 ))
799 0 : BUG ();
800 4 : hash_public_key( md, pk );
801 4 : rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
802 4 : cache_sig_result ( sig, rc );
803 4 : gcry_md_close(md);
804 : }
805 : else { /* all other classes */
806 136 : KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
807 :
808 136 : if( unode ) {
809 : u32 keyid[2];
810 :
811 136 : keyid_from_pk( pk, keyid );
812 136 : if (gcry_md_open (&md, algo, 0 ))
813 0 : BUG ();
814 136 : hash_public_key( md, pk );
815 136 : hash_uid_node( unode, md, sig );
816 136 : if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
817 : /* The primary key is the signing key. */
818 : {
819 136 : if( is_selfsig )
820 0 : *is_selfsig = 1;
821 136 : rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
822 : }
823 0 : else if (check_pk)
824 : /* The caller specified a key. Try that. */
825 0 : rc = check_signature_end (check_pk, sig, md,
826 : r_expired, NULL, ret_pk);
827 : else
828 : /* Look up the key. XXX: Could it be that the key is
829 : not is not in this keyblock? */
830 0 : rc = check_signature2 (sig, md, r_expiredate, r_expired,
831 : NULL, ret_pk);
832 :
833 136 : cache_sig_result ( sig, rc );
834 136 : gcry_md_close(md);
835 : }
836 : else
837 : {
838 0 : if (!opt.quiet)
839 0 : log_info ("key %s: no user ID for key signature packet"
840 0 : " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
841 0 : rc = GPG_ERR_SIG_CLASS;
842 : }
843 : }
844 :
845 220 : return rc;
846 : }
|