LCOV - code coverage report
Current view: top level - g10 - sig-check.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 141 306 46.1 %
Date: 2015-11-05 17:10:59 Functions: 7 10 70.0 %

          Line data    Source code
       1             : /* sig-check.c -  Check a signature
       2             :  * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
       3             :  *               2004, 2006 Free Software Foundation, Inc.
       4             :  * Copyright (C) 2015 g10 Code GmbH
       5             :  *
       6             :  * This file is part of GnuPG.
       7             :  *
       8             :  * GnuPG is free software; you can redistribute it and/or modify
       9             :  * it under the terms of the GNU General Public License as published by
      10             :  * the Free Software Foundation; either version 3 of the License, or
      11             :  * (at your option) any later version.
      12             :  *
      13             :  * GnuPG is distributed in the hope that it will be useful,
      14             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :  * GNU General Public License for more details.
      17             :  *
      18             :  * You should have received a copy of the GNU General Public License
      19             :  * along with this program; if not, see <http://www.gnu.org/licenses/>.
      20             :  */
      21             : 
      22             : #include <config.h>
      23             : #include <stdio.h>
      24             : #include <stdlib.h>
      25             : #include <string.h>
      26             : #include <assert.h>
      27             : 
      28             : #include "gpg.h"
      29             : #include "util.h"
      30             : #include "packet.h"
      31             : #include "keydb.h"
      32             : #include "main.h"
      33             : #include "status.h"
      34             : #include "i18n.h"
      35             : #include "options.h"
      36             : #include "pkglue.h"
      37             : 
      38             : static int check_signature_end (PKT_public_key *pk, PKT_signature *sig,
      39             :                                 gcry_md_hd_t digest,
      40             :                                 int *r_expired, int *r_revoked,
      41             :                                 PKT_public_key *ret_pk);
      42             : 
      43             : /* Check a signature.  This is shorthand for check_signature2 with
      44             :    the unnamed arguments passed as NULL.  */
      45             : int
      46           0 : check_signature (PKT_signature *sig, gcry_md_hd_t digest)
      47             : {
      48           0 :     return check_signature2 (sig, digest, NULL, NULL, NULL, NULL);
      49             : }
      50             : 
      51             : /* Check a signature.
      52             : 
      53             :    Looks up the public key that created the signature (SIG->KEYID)
      54             :    from the key db.  Makes sure that the signature is valid (it was
      55             :    not created prior to the key, the public key was created in the
      56             :    past, and the signature does not include any unsupported critical
      57             :    features), finishes computing the hash of the signature data, and
      58             :    checks that the signature verifies the digest.  If the key that
      59             :    generated the signature is a subkey, this function also verifies
      60             :    that there is a valid backsig from the subkey to the primary key.
      61             :    Finally, if status fd is enabled and the signature class is 0x00 or
      62             :    0x01, then a STATUS_SIG_ID is emitted on the status fd.
      63             : 
      64             :    SIG is the signature to check.
      65             : 
      66             :    DIGEST contains a valid hash context that already includes the
      67             :    signed data.  This function adds the relevant meta-data from the
      68             :    signature packet to compute the final hash.  (See Section 5.2 of
      69             :    RFC 4880: "The concatenation of the data being signed and the
      70             :    signature data from the version number through the hashed subpacket
      71             :    data (inclusive) is hashed.")
      72             : 
      73             :    If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's
      74             :    expiry.
      75             : 
      76             :    If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
      77             :    (0 otherwise).  Note: PK being expired does not cause this function
      78             :    to fail.
      79             : 
      80             :    If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
      81             :    revoked (0 otherwise).  Note: PK being revoked does not cause this
      82             :    function to fail.
      83             : 
      84             :    If PK is not NULL, the public key is saved in *PK on success.
      85             : 
      86             :    Returns 0 on success.  An error code otherwise.  */
      87             : int
      88         147 : check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
      89             :                   int *r_expired, int *r_revoked, PKT_public_key *pk )
      90             : {
      91         147 :     int rc=0;
      92             :     int pk_internal;
      93             : 
      94         147 :     if (pk)
      95           0 :       pk_internal = 0;
      96             :     else
      97             :       {
      98         147 :         pk_internal = 1;
      99         147 :         pk = xmalloc_clear( sizeof *pk );
     100             :       }
     101             : 
     102         147 :     if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
     103             :       ; /* We don't have this digest. */
     104         147 :     else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
     105             :       ; /* We don't have this pubkey algo. */
     106         147 :     else if (!gcry_md_is_enabled (digest,sig->digest_algo))
     107             :       {
     108             :         /* Sanity check that the md has a context for the hash that the
     109             :            sig is expecting.  This can happen if a onepass sig header does
     110             :            not match the actual sig, and also if the clearsign "Hash:"
     111             :            header is missing or does not match the actual sig. */
     112             : 
     113           0 :         log_info(_("WARNING: signature digest conflict in message\n"));
     114           0 :         rc = GPG_ERR_GENERAL;
     115             :       }
     116         147 :     else if( get_pubkey( pk, sig->keyid ) )
     117           0 :         rc = GPG_ERR_NO_PUBKEY;
     118         147 :     else if(!pk->flags.valid && !pk->flags.primary)
     119             :       {
     120             :         /* You cannot have a good sig from an invalid subkey.  */
     121           0 :         rc = GPG_ERR_BAD_PUBKEY;
     122             :       }
     123             :     else
     124             :       {
     125         147 :         if(r_expiredate)
     126           0 :           *r_expiredate = pk->expiredate;
     127             : 
     128         147 :         rc = check_signature_end (pk, sig, digest, r_expired, r_revoked, NULL);
     129             : 
     130             :         /* Check the backsig.  This is a 0x19 signature from the
     131             :            subkey on the primary key.  The idea here is that it should
     132             :            not be possible for someone to "steal" subkeys and claim
     133             :            them as their own.  The attacker couldn't actually use the
     134             :            subkey, but they could try and claim ownership of any
     135             :            signatures issued by it. */
     136         147 :         if(rc==0 && !pk->flags.primary && pk->flags.backsig < 2)
     137             :           {
     138           0 :             if (!pk->flags.backsig)
     139             :               {
     140           0 :                 log_info(_("WARNING: signing subkey %s is not"
     141             :                            " cross-certified\n"),keystr_from_pk(pk));
     142           0 :                 log_info(_("please see %s for more information\n"),
     143             :                          "https://gnupg.org/faq/subkey-cross-certify.html");
     144             :                 /* --require-cross-certification makes this warning an
     145             :                      error.  TODO: change the default to require this
     146             :                      after more keys have backsigs. */
     147           0 :                 if(opt.flags.require_cross_cert)
     148           0 :                   rc = GPG_ERR_GENERAL;
     149             :               }
     150           0 :             else if(pk->flags.backsig == 1)
     151             :               {
     152           0 :                 log_info(_("WARNING: signing subkey %s has an invalid"
     153             :                            " cross-certification\n"),keystr_from_pk(pk));
     154           0 :                 rc = GPG_ERR_GENERAL;
     155             :               }
     156             :           }
     157             :       }
     158             : 
     159         147 :     if (pk_internal || rc)
     160             :       {
     161         147 :         release_public_key_parts (pk);
     162         147 :         if (pk_internal)
     163         147 :           xfree (pk);
     164             :         else
     165             :           /* Be very sure that the caller doesn't try to use *PK.  */
     166           0 :           memset (pk, 0, sizeof (*pk));
     167             :       }
     168             : 
     169         147 :     if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
     170             :         /* This signature id works best with DLP algorithms because
     171             :          * they use a random parameter for every signature.  Instead of
     172             :          * this sig-id we could have also used the hash of the document
     173             :          * and the timestamp, but the drawback of this is, that it is
     174             :          * not possible to sign more than one identical document within
     175             :          * one second.  Some remote batch processing applications might
     176             :          * like this feature here.
     177             :          *
     178             :          * Note that before 2.0.10, we used RIPE-MD160 for the hash
     179             :          * and accidently didn't include the timestamp and algorithm
     180             :          * information in the hash.  Given that this feature is not
     181             :          * commonly used and that a replay attacks detection should
     182             :          * not solely be based on this feature (because it does not
     183             :          * work with RSA), we take the freedom and switch to SHA-1
     184             :          * with 2.0.10 to take advantage of hardware supported SHA-1
     185             :          * implementations.  We also include the missing information
     186             :          * in the hash.  Note also the SIG_ID as computed by gpg 1.x
     187             :          * and gpg 2.x didn't matched either because 2.x used to print
     188             :          * MPIs not in PGP format.  */
     189           0 :         u32 a = sig->timestamp;
     190           0 :         int nsig = pubkey_get_nsig( sig->pubkey_algo );
     191             :         unsigned char *p, *buffer;
     192             :         size_t n, nbytes;
     193             :         int i;
     194             :         char hashbuf[20];
     195             : 
     196           0 :         nbytes = 6;
     197           0 :         for (i=0; i < nsig; i++ )
     198             :           {
     199           0 :             if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i]))
     200           0 :               BUG();
     201           0 :             nbytes += n;
     202             :           }
     203             : 
     204             :         /* Make buffer large enough to be later used as output buffer.  */
     205           0 :         if (nbytes < 100)
     206           0 :           nbytes = 100;
     207           0 :         nbytes += 10;  /* Safety margin.  */
     208             : 
     209             :         /* Fill and hash buffer.  */
     210           0 :         buffer = p = xmalloc (nbytes);
     211           0 :         *p++ = sig->pubkey_algo;
     212           0 :         *p++ = sig->digest_algo;
     213           0 :         *p++ = (a >> 24) & 0xff;
     214           0 :         *p++ = (a >> 16) & 0xff;
     215           0 :         *p++ = (a >>  8) & 0xff;
     216           0 :         *p++ =  a & 0xff;
     217           0 :         nbytes -= 6;
     218           0 :         for (i=0; i < nsig; i++ )
     219             :           {
     220           0 :             if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i]))
     221           0 :               BUG();
     222           0 :             p += n;
     223           0 :             nbytes -= n;
     224             :           }
     225           0 :         gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer);
     226             : 
     227           0 :         p = make_radix64_string (hashbuf, 20);
     228           0 :         sprintf (buffer, "%s %s %lu",
     229           0 :                  p, strtimestamp (sig->timestamp), (ulong)sig->timestamp);
     230           0 :         xfree (p);
     231           0 :         write_status_text (STATUS_SIG_ID, buffer);
     232           0 :         xfree (buffer);
     233             :     }
     234             : 
     235         147 :     return rc;
     236             : }
     237             : 
     238             : 
     239             : /* The signature SIG was generated with the public key PK.  Check
     240             :    whether the signature is valid in the following sense:
     241             : 
     242             :      - Make sure the public key was created before the signature was
     243             :        generated.
     244             : 
     245             :      - Make sure the public key was created in the past
     246             : 
     247             :      - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0
     248             :        otherwise)
     249             : 
     250             :      - Check whether PK has been revoked (set *R_REVOKED to 1 if so
     251             :        and 0 otherwise).
     252             : 
     253             :    If either of the first two tests fail, returns an error code.
     254             :    Otherwise returns 0.  (Thus, this function doesn't fail if the
     255             :    public key is expired or revoked.)  */
     256             : static int
     257        5326 : check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig,
     258             :                                    int *r_expired, int *r_revoked)
     259             : {
     260             :     u32 cur_time;
     261             : 
     262        5326 :     if(r_expired)
     263         147 :       *r_expired = 0;
     264        5326 :     if(r_revoked)
     265         147 :       *r_revoked = 0;
     266             : 
     267        5326 :     if( pk->timestamp > sig->timestamp )
     268             :       {
     269           0 :         ulong d = pk->timestamp - sig->timestamp;
     270           0 :         log_info(d==1
     271             :                  ?_("public key %s is %lu second newer than the signature\n")
     272             :                  :_("public key %s is %lu seconds newer than the signature\n"),
     273             :                  keystr_from_pk(pk),d );
     274           0 :         if( !opt.ignore_time_conflict )
     275           0 :           return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature.  */
     276             :       }
     277             : 
     278        5326 :     cur_time = make_timestamp();
     279        5326 :     if( pk->timestamp > cur_time )
     280             :       {
     281           0 :         ulong d = pk->timestamp - cur_time;
     282           0 :         log_info( d==1
     283             :                   ? _("key %s was created %lu second"
     284             :                       " in the future (time warp or clock problem)\n")
     285             :                   : _("key %s was created %lu seconds"
     286             :                       " in the future (time warp or clock problem)\n"),
     287             :                   keystr_from_pk(pk),d );
     288           0 :         if( !opt.ignore_time_conflict )
     289           0 :           return GPG_ERR_TIME_CONFLICT;
     290             :       }
     291             : 
     292             :     /* Check whether the key has expired.  We check the has_expired
     293             :        flag which is set after a full evaluation of the key (getkey.c)
     294             :        as well as a simple compare to the current time in case the
     295             :        merge has for whatever reasons not been done.  */
     296        5326 :     if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
     297             :         char buf[11];
     298           6 :         if (opt.verbose)
     299           0 :           log_info(_("Note: signature key %s expired %s\n"),
     300             :                    keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
     301           6 :         sprintf(buf,"%lu",(ulong)pk->expiredate);
     302           6 :         write_status_text(STATUS_KEYEXPIRED,buf);
     303           6 :         if(r_expired)
     304           0 :           *r_expired = 1;
     305             :     }
     306             : 
     307        5326 :     if (pk->flags.revoked)
     308             :       {
     309           0 :         if (opt.verbose)
     310           0 :           log_info (_("Note: signature key %s has been revoked\n"),
     311             :                     keystr_from_pk(pk));
     312           0 :         if (r_revoked)
     313           0 :           *r_revoked=1;
     314             :       }
     315             : 
     316        5326 :     return 0;
     317             : }
     318             : 
     319             : 
     320             : /* Finish generating a signature and check it.  Concretely: make sure
     321             :    that the signature is valid (it was not created prior to the key,
     322             :    the public key was created in the past, and the signature does not
     323             :    include any unsupported critical features), finish computing the
     324             :    digest by adding the relevant data from the signature packet, and
     325             :    check that the signature verifies the digest.
     326             : 
     327             :    DIGEST contains a hash context, which has already hashed the signed
     328             :    data.  This function adds the relevant meta-data from the signature
     329             :    packet to compute the final hash.  (See Section 5.2 of RFC 4880:
     330             :    "The concatenation of the data being signed and the signature data
     331             :    from the version number through the hashed subpacket data
     332             :    (inclusive) is hashed.")
     333             : 
     334             :    SIG is the signature to check.
     335             : 
     336             :    PK is the public key used to generate the signature.
     337             : 
     338             :    If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
     339             :    (0 otherwise).  Note: PK being expired does not cause this function
     340             :    to fail.
     341             : 
     342             :    If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
     343             :    revoked (0 otherwise).  Note: PK being revoked does not cause this
     344             :    function to fail.
     345             : 
     346             :    If RET_PK is not NULL, PK is copied into RET_PK on success.
     347             : 
     348             :    Returns 0 on success.  An error code other.  */
     349             : static int
     350         367 : check_signature_end (PKT_public_key *pk, PKT_signature *sig,
     351             :                      gcry_md_hd_t digest,
     352             :                      int *r_expired, int *r_revoked, PKT_public_key *ret_pk)
     353             : {
     354         367 :     gcry_mpi_t result = NULL;
     355         367 :     int rc = 0;
     356             :     const struct weakhash *weak;
     357             : 
     358         367 :     if ((rc = check_signature_metadata_validity (pk, sig,
     359             :                                                  r_expired, r_revoked)))
     360           0 :         return rc;
     361             : 
     362         367 :     if (!opt.flags.allow_weak_digest_algos)
     363           0 :       for (weak = opt.weak_digests; weak; weak = weak->next)
     364           0 :         if (sig->digest_algo == weak->algo)
     365             :           {
     366           0 :             print_digest_rejected_note(sig->digest_algo);
     367           0 :             return GPG_ERR_DIGEST_ALGO;
     368             :           }
     369             : 
     370             :     /* Make sure the digest algo is enabled (in case of a detached
     371             :        signature).  */
     372         367 :     gcry_md_enable (digest, sig->digest_algo);
     373             : 
     374             :     /* Complete the digest. */
     375         367 :     if( sig->version >= 4 )
     376         342 :         gcry_md_putc( digest, sig->version );
     377         367 :     gcry_md_putc( digest, sig->sig_class );
     378         367 :     if( sig->version < 4 ) {
     379          25 :         u32 a = sig->timestamp;
     380          25 :         gcry_md_putc( digest, (a >> 24) & 0xff );
     381          25 :         gcry_md_putc( digest, (a >> 16) & 0xff );
     382          25 :         gcry_md_putc( digest, (a >>       8) & 0xff );
     383          25 :         gcry_md_putc( digest,  a           & 0xff );
     384             :     }
     385             :     else {
     386             :         byte buf[6];
     387             :         size_t n;
     388         342 :         gcry_md_putc( digest, sig->pubkey_algo );
     389         342 :         gcry_md_putc( digest, sig->digest_algo );
     390         342 :         if( sig->hashed ) {
     391         342 :             n = sig->hashed->len;
     392         342 :             gcry_md_putc (digest, (n >> 8) );
     393         342 :             gcry_md_putc (digest,  n       );
     394         342 :             gcry_md_write (digest, sig->hashed->data, n);
     395         342 :             n += 6;
     396             :         }
     397             :         else {
     398             :           /* Two octets for the (empty) length of the hashed
     399             :              section. */
     400           0 :           gcry_md_putc (digest, 0);
     401           0 :           gcry_md_putc (digest, 0);
     402           0 :           n = 6;
     403             :         }
     404             :         /* add some magic per Section 5.2.4 of RFC 4880.  */
     405         342 :         buf[0] = sig->version;
     406         342 :         buf[1] = 0xff;
     407         342 :         buf[2] = n >> 24;
     408         342 :         buf[3] = n >> 16;
     409         342 :         buf[4] = n >>  8;
     410         342 :         buf[5] = n;
     411         342 :         gcry_md_write( digest, buf, 6 );
     412             :     }
     413         367 :     gcry_md_final( digest );
     414             : 
     415             :     /* Convert the digest to an MPI.  */
     416         367 :     result = encode_md_value (pk, digest, sig->digest_algo );
     417         367 :     if (!result)
     418           0 :         return GPG_ERR_GENERAL;
     419             : 
     420             :     /* Verify the signature.  */
     421         367 :     rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
     422         367 :     gcry_mpi_release (result);
     423             : 
     424         367 :     if( !rc && sig->flags.unknown_critical )
     425             :       {
     426           0 :         log_info(_("assuming bad signature from key %s"
     427             :                    " due to an unknown critical bit\n"),keystr_from_pk(pk));
     428           0 :         rc = GPG_ERR_BAD_SIGNATURE;
     429             :       }
     430             : 
     431         367 :     if(!rc && ret_pk)
     432           0 :       copy_public_key(ret_pk,pk);
     433             : 
     434         367 :     return rc;
     435             : }
     436             : 
     437             : 
     438             : /* Add a uid node to a hash context.  See section 5.2.4, paragraph 4
     439             :    of RFC 4880.  */
     440             : static void
     441         136 : hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
     442             : {
     443         136 :     PKT_user_id *uid = unode->pkt->pkt.user_id;
     444             : 
     445         136 :     assert( unode->pkt->pkttype == PKT_USER_ID );
     446         136 :     if( uid->attrib_data ) {
     447           0 :         if( sig->version >=4 ) {
     448             :             byte buf[5];
     449           0 :             buf[0] = 0xd1;                   /* packet of type 17 */
     450           0 :             buf[1] = uid->attrib_len >> 24;  /* always use 4 length bytes */
     451           0 :             buf[2] = uid->attrib_len >> 16;
     452           0 :             buf[3] = uid->attrib_len >>  8;
     453           0 :             buf[4] = uid->attrib_len;
     454           0 :             gcry_md_write( md, buf, 5 );
     455             :         }
     456           0 :         gcry_md_write( md, uid->attrib_data, uid->attrib_len );
     457             :     }
     458             :     else {
     459         136 :         if( sig->version >=4 ) {
     460             :             byte buf[5];
     461         136 :             buf[0] = 0xb4;            /* indicates a userid packet */
     462         136 :             buf[1] = uid->len >> 24;  /* always use 4 length bytes */
     463         136 :             buf[2] = uid->len >> 16;
     464         136 :             buf[3] = uid->len >>  8;
     465         136 :             buf[4] = uid->len;
     466         136 :             gcry_md_write( md, buf, 5 );
     467             :         }
     468         136 :         gcry_md_write( md, uid->name, uid->len );
     469             :     }
     470         136 : }
     471             : 
     472             : static void
     473         220 : cache_sig_result ( PKT_signature *sig, int result )
     474             : {
     475         220 :     if ( !result ) {
     476         219 :         sig->flags.checked = 1;
     477         219 :         sig->flags.valid = 1;
     478             :     }
     479           1 :     else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
     480           1 :         sig->flags.checked = 1;
     481           1 :         sig->flags.valid = 0;
     482             :     }
     483             :     else {
     484           0 :         sig->flags.checked = 0;
     485           0 :         sig->flags.valid = 0;
     486             :     }
     487         220 : }
     488             : 
     489             : /* SIG is a key revocation signature.  Check if this signature was
     490             :    generated by any of the public key PK's designated revokers.
     491             : 
     492             :      PK is the public key that SIG allegedly revokes.
     493             : 
     494             :      SIG is the revocation signature to check.
     495             : 
     496             :    This function avoids infinite recursion, which can happen if two
     497             :    keys are designed revokers for each other and they revoke each
     498             :    other.  This is done by observing that if a key A is revoked by key
     499             :    B we still consider the revocation to be valid even if B is
     500             :    revoked.  Thus, we don't need to determine whether B is revoked to
     501             :    determine whether A has been revoked by B, we just need to check
     502             :    the signature.
     503             : 
     504             :    Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
     505             :    revoked.  We are careful to make sure that GPG_ERR_NO_PUBKEY is
     506             :    only returned when a revocation signature is from a valid
     507             :    revocation key designated in a revkey subpacket, but the revocation
     508             :    key itself isn't present.  */
     509             : 
     510             : /* XXX: This code will need to be modified if gpg ever becomes
     511             :    multi-threaded.  Note that this guarantees that a designated
     512             :    revocation sig will never be considered valid unless it is actually
     513             :    valid, as well as being issued by a revocation key in a valid
     514             :    direct signature.  Note also that this is written so that a revoked
     515             :    revoker can still issue revocations: i.e. If A revokes B, but A is
     516             :    revoked, B is still revoked.  I'm not completely convinced this is
     517             :    the proper behavior, but it matches how PGP does it. -dms */
     518             : int
     519           0 : check_revocation_keys (PKT_public_key *pk, PKT_signature *sig)
     520             : {
     521             :   static int busy=0;
     522             :   int i;
     523           0 :   int rc = GPG_ERR_GENERAL;
     524             : 
     525           0 :   assert(IS_KEY_REV(sig));
     526           0 :   assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
     527             : 
     528             :   /* Avoid infinite recursion.  Consider the following:
     529             : 
     530             :        - We want to check if A is revoked.
     531             : 
     532             :        - C is a designated revoker for B and has revoked B.
     533             : 
     534             :        - B is a designated revoker for A and has revoked A.
     535             : 
     536             :      When checking if A is revoked (in merge_selfsigs_main), we
     537             :      observe that A has a designed revoker.  As such, we call this
     538             :      function.  This function sees that there is a valid revocation
     539             :      signature, which is signed by B.  It then calls check_signature()
     540             :      to verify that the signature is good.  To check the sig, we need
     541             :      to lookup B.  Looking up B means calling merge_selfsigs_main,
     542             :      which checks whether B is revoked, which calls this function to
     543             :      see if B was revoked by some key.
     544             : 
     545             :      In this case, the added level of indirection doesn't hurt.  It
     546             :      just means a bit more work.  However, if C == A, then we'd end up
     547             :      in a loop.  But, it doesn't make sense to look up C anyways: even
     548             :      if B is revoked, we conservatively consider a valid revocation
     549             :      signed by B to revoke A.  Since this is the only place where this
     550             :      type of recursion can occur, we simply cause this function to
     551             :      fail if it is entered recursively.  */
     552           0 :   if (busy)
     553             :     {
     554             :       /* Return an error (i.e. not revoked), but mark the pk as
     555             :          uncacheable as we don't really know its revocation status
     556             :          until it is checked directly.  */
     557           0 :       pk->flags.dont_cache = 1;
     558           0 :       return rc;
     559             :     }
     560             : 
     561           0 :   busy=1;
     562             : 
     563             :   /*  es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
     564             :       (ulong)sig->keyid[1]); */
     565             : 
     566             :   /* is the issuer of the sig one of our revokers? */
     567           0 :   if( !pk->revkey && pk->numrevkeys )
     568           0 :      BUG();
     569             :   else
     570           0 :       for(i=0;i<pk->numrevkeys;i++)
     571             :         {
     572             :           /* The revoker's keyid.  */
     573             :           u32 keyid[2];
     574             : 
     575           0 :           keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
     576             : 
     577           0 :           if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
     578             :             /* The signature was generated by a designated revoker.
     579             :                Verify the signature.  */
     580             :             {
     581             :               gcry_md_hd_t md;
     582             : 
     583           0 :               if (gcry_md_open (&md, sig->digest_algo, 0))
     584           0 :                 BUG ();
     585           0 :               hash_public_key(md,pk);
     586             :               /* Note: check_signature only checks that the signature
     587             :                  is good.  It does not fail if the key is revoked.  */
     588           0 :               rc=check_signature(sig,md);
     589           0 :               cache_sig_result(sig,rc);
     590           0 :               gcry_md_close (md);
     591           0 :               break;
     592             :             }
     593             :         }
     594             : 
     595           0 :   busy=0;
     596             : 
     597           0 :   return rc;
     598             : }
     599             : 
     600             : /* Check that the backsig BACKSIG from the subkey SUB_PK to its
     601             :    primary key MAIN_PK is valid.
     602             : 
     603             :    Backsigs (0x19) have the same format as binding sigs (0x18), but
     604             :    this function is simpler than check_key_signature in a few ways.
     605             :    For example, there is no support for expiring backsigs since it is
     606             :    questionable what such a thing actually means.  Note also that the
     607             :    sig cache check here, unlike other sig caches in GnuPG, is not
     608             :    persistent. */
     609             : int
     610           0 : check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk,
     611             :                PKT_signature *backsig)
     612             : {
     613             :   gcry_md_hd_t md;
     614             :   int rc;
     615             : 
     616             :   /* Always check whether the algorithm is available.  Although
     617             :      gcry_md_open would throw an error, some libgcrypt versions will
     618             :      print a debug message in that case too. */
     619           0 :   if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
     620           0 :     return rc;
     621             : 
     622           0 :   if(!opt.no_sig_cache && backsig->flags.checked)
     623           0 :     return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
     624             : 
     625           0 :   rc = gcry_md_open (&md, backsig->digest_algo,0);
     626           0 :   if (!rc)
     627             :     {
     628           0 :       hash_public_key(md,main_pk);
     629           0 :       hash_public_key(md,sub_pk);
     630           0 :       rc = check_signature_end (sub_pk, backsig, md, NULL, NULL, NULL);
     631           0 :       cache_sig_result(backsig,rc);
     632           0 :       gcry_md_close(md);
     633             :     }
     634             : 
     635           0 :   return rc;
     636             : }
     637             : 
     638             : 
     639             : /* Check that a signature over a key is valid.  This is a
     640             :    specialization of check_key_signature2 with the unnamed parameters
     641             :    passed as NULL.  See the documentation for that function for more
     642             :    details.  */
     643             : int
     644        5179 : check_key_signature (KBNODE root, KBNODE node, int *is_selfsig)
     645             : {
     646        5179 :   return check_key_signature2 (root, node, NULL, NULL, is_selfsig, NULL, NULL);
     647             : }
     648             : 
     649             : /* Check that a signature over a key (e.g., a key revocation, key
     650             :    binding, user id certification, etc.) is valid.  If the function
     651             :    detects a self-signature, it uses the public key from the specified
     652             :    key block and does not bother looking up the key specified in the
     653             :    signature packet.
     654             : 
     655             :    ROOT is a keyblock.
     656             : 
     657             :    NODE references a signature packet that appears in the keyblock
     658             :    that should be verified.
     659             : 
     660             :    If CHECK_PK is set, the specified key is sometimes preferred for
     661             :    verifying signatures.  See the implementation for details.
     662             : 
     663             :    If RET_PK is not NULL, the public key that successfully verified
     664             :    the signature is copied into *RET_PK.
     665             : 
     666             :    If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a
     667             :    self-signature.
     668             : 
     669             :    If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry
     670             :    date.
     671             : 
     672             :    If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been
     673             :    expired (0 otherwise).  Note: PK being revoked does not cause this
     674             :    function to fail.
     675             : 
     676             : 
     677             :    If OPT.NO_SIG_CACHE is not set, this function will first check if
     678             :    the result of a previous verification is already cached in the
     679             :    signature packet's data structure.  */
     680             : /* TODO: add r_revoked here as well.  It has the same problems as
     681             :    r_expiredate and r_expired and the cache. */
     682             : int
     683        5179 : check_key_signature2(KBNODE root, KBNODE node, PKT_public_key *check_pk,
     684             :                      PKT_public_key *ret_pk, int *is_selfsig,
     685             :                      u32 *r_expiredate, int *r_expired )
     686             : {
     687             :     gcry_md_hd_t md;
     688             :     PKT_public_key *pk;
     689             :     PKT_signature *sig;
     690             :     int algo;
     691             :     int rc;
     692             : 
     693        5179 :     if( is_selfsig )
     694           0 :         *is_selfsig = 0;
     695        5179 :     if( r_expiredate )
     696           0 :         *r_expiredate = 0;
     697        5179 :     if( r_expired )
     698           0 :         *r_expired = 0;
     699        5179 :     assert( node->pkt->pkttype == PKT_SIGNATURE );
     700        5179 :     assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
     701             : 
     702        5179 :     pk = root->pkt->pkt.public_key;
     703        5179 :     sig = node->pkt->pkt.signature;
     704        5179 :     algo = sig->digest_algo;
     705             : 
     706             :     /* Check whether we have cached the result of a previous signature
     707             :        check.  Note that we may no longer have the pubkey or hash
     708             :        needed to verify a sig, but can still use the cached value.  A
     709             :        cache refresh detects and clears these cases. */
     710        5179 :     if ( !opt.no_sig_cache ) {
     711        5179 :         if (sig->flags.checked) { /*cached status available*/
     712        4959 :             if( is_selfsig ) {
     713             :                 u32 keyid[2];
     714             : 
     715           0 :                 keyid_from_pk( pk, keyid );
     716           0 :                 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
     717           0 :                     *is_selfsig = 1;
     718             :             }
     719             :             /* BUG: This is wrong for non-self-sigs.. needs to be the
     720             :                actual pk */
     721        4959 :             if((rc = check_signature_metadata_validity (pk, sig,
     722             :                                                         r_expired, NULL)))
     723           0 :               return rc;
     724        4959 :             return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
     725             :         }
     726             :     }
     727             : 
     728         220 :     if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
     729           0 :         return rc;
     730         220 :     if( (rc=openpgp_md_test_algo(algo)) )
     731           0 :         return rc;
     732             : 
     733         220 :     if( sig->sig_class == 0x20 ) { /* key revocation */
     734             :         u32 keyid[2];
     735           0 :         keyid_from_pk( pk, keyid );
     736             : 
     737             :         /* is it a designated revoker? */
     738           0 :         if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
     739           0 :           rc=check_revocation_keys(pk,sig);
     740             :         else
     741             :           {
     742           0 :             if (gcry_md_open (&md, algo, 0 ))
     743           0 :               BUG ();
     744           0 :             hash_public_key( md, pk );
     745           0 :             rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
     746           0 :             cache_sig_result ( sig, rc );
     747           0 :             gcry_md_close(md);
     748             :           }
     749             :     }
     750         220 :     else if( sig->sig_class == 0x28 ) { /* subkey revocation */
     751           0 :         KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
     752             : 
     753           0 :         if( snode ) {
     754           0 :             if (gcry_md_open (&md, algo, 0))
     755           0 :               BUG ();
     756           0 :             hash_public_key( md, pk );
     757           0 :             hash_public_key( md, snode->pkt->pkt.public_key );
     758           0 :             rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
     759           0 :             cache_sig_result ( sig, rc );
     760           0 :             gcry_md_close(md);
     761             :         }
     762             :         else
     763             :           {
     764           0 :             if (opt.verbose)
     765           0 :               log_info (_("key %s: no subkey for subkey"
     766             :                           " revocation signature\n"),keystr_from_pk(pk));
     767           0 :             rc = GPG_ERR_SIG_CLASS;
     768             :           }
     769             :     }
     770         220 :     else if( sig->sig_class == 0x18 ) { /* key binding */
     771          80 :         KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
     772             : 
     773          80 :         if( snode ) {
     774          80 :             if( is_selfsig ) {  /* does this make sense????? */
     775             :                 u32 keyid[2];   /* it should always be a selfsig */
     776             : 
     777           0 :                 keyid_from_pk( pk, keyid );
     778           0 :                 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
     779           0 :                     *is_selfsig = 1;
     780             :             }
     781          80 :             if (gcry_md_open (&md, algo, 0))
     782           0 :               BUG ();
     783          80 :             hash_public_key( md, pk );
     784          80 :             hash_public_key( md, snode->pkt->pkt.public_key );
     785          80 :             rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
     786          80 :             cache_sig_result ( sig, rc );
     787          80 :             gcry_md_close(md);
     788             :         }
     789             :         else
     790             :           {
     791           0 :             if (opt.verbose)
     792           0 :               log_info(_("key %s: no subkey for subkey"
     793             :                          " binding signature\n"),keystr_from_pk(pk));
     794           0 :             rc = GPG_ERR_SIG_CLASS;
     795             :           }
     796             :     }
     797         140 :     else if( sig->sig_class == 0x1f ) { /* direct key signature */
     798           4 :         if (gcry_md_open (&md, algo, 0 ))
     799           0 :           BUG ();
     800           4 :         hash_public_key( md, pk );
     801           4 :         rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
     802           4 :         cache_sig_result ( sig, rc );
     803           4 :         gcry_md_close(md);
     804             :     }
     805             :     else { /* all other classes */
     806         136 :         KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
     807             : 
     808         136 :         if( unode ) {
     809             :             u32 keyid[2];
     810             : 
     811         136 :             keyid_from_pk( pk, keyid );
     812         136 :             if (gcry_md_open (&md, algo, 0 ))
     813           0 :               BUG ();
     814         136 :             hash_public_key( md, pk );
     815         136 :             hash_uid_node( unode, md, sig );
     816         136 :             if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
     817             :               /* The primary key is the signing key.  */
     818             :               {
     819         136 :                 if( is_selfsig )
     820           0 :                   *is_selfsig = 1;
     821         136 :                 rc = check_signature_end (pk, sig, md, r_expired, NULL, ret_pk);
     822             :               }
     823           0 :             else if (check_pk)
     824             :               /* The caller specified a key.  Try that.  */
     825           0 :               rc = check_signature_end (check_pk, sig, md,
     826             :                                         r_expired, NULL, ret_pk);
     827             :             else
     828             :               /* Look up the key.  XXX: Could it be that the key is
     829             :                  not is not in this keyblock?  */
     830           0 :               rc = check_signature2 (sig, md, r_expiredate, r_expired,
     831             :                                      NULL, ret_pk);
     832             : 
     833         136 :             cache_sig_result ( sig, rc );
     834         136 :             gcry_md_close(md);
     835             :         }
     836             :         else
     837             :           {
     838           0 :             if (!opt.quiet)
     839           0 :               log_info ("key %s: no user ID for key signature packet"
     840           0 :                         " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
     841           0 :             rc = GPG_ERR_SIG_CLASS;
     842             :           }
     843             :     }
     844             : 
     845         220 :     return rc;
     846             : }

Generated by: LCOV version 1.11