search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix for bug 797.
[gnupg.git] / g10 / sig-check.c
blobac9d0da7df8985c525e5914e8370c6a40332dba7
1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA.
21 */
22
23 #include <config.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <assert.h>
28
29 #include "gpg.h"
30 #include "util.h"
31 #include "packet.h"
32 #include "keydb.h"
33 #include "cipher.h"
34 #include "main.h"
35 #include "status.h"
36 #include "i18n.h"
37 #include "options.h"
38 #include "pkglue.h"
39
40 /* Context used by the compare function. */
41 struct cmp_help_context_s
42 {
43 PKT_signature *sig;
44 gcry_md_hd_t md;
45 };
46
47
48
49 static int do_check( PKT_public_key *pk, PKT_signature *sig,
50 gcry_md_hd_t digest,
51 int *r_expired, int *r_revoked, PKT_public_key *ret_pk);
52
53 /****************
54 * Check the signature which is contained in SIG.
55 * The MD_HANDLE should be currently open, so that this function
56 * is able to append some data, before finalizing the digest.
57 */
58 int
59 signature_check (PKT_signature *sig, gcry_md_hd_t digest)
60 {
61 return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
62 }
63
64 int
65 signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
66 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
67 {
68 PKT_public_key *pk = xmalloc_clear( sizeof *pk );
69 int rc=0;
70
71 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
72 ; /* We don't have this digest. */
73 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
74 ; /* We don't have this pubkey algo. */
75 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
76 {
77 /* Sanity check that the md has a context for the hash that the
78 sig is expecting. This can happen if a onepass sig header does
79 not match the actual sig, and also if the clearsign "Hash:"
80 header is missing or does not match the actual sig. */
81
82 log_info(_("WARNING: signature digest conflict in message\n"));
83 rc=G10ERR_GENERAL;
84 }
85 else if( get_pubkey( pk, sig->keyid ) )
86 rc = G10ERR_NO_PUBKEY;
87 else if(!pk->is_valid && !pk->is_primary)
88 rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
89 invalid subkey */
90 else
91 {
92 if(r_expiredate)
93 *r_expiredate = pk->expiredate;
94
95 rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
96
97 /* Check the backsig. This is a 0x19 signature from the
98 subkey on the primary key. The idea here is that it should
99 not be possible for someone to "steal" subkeys and claim
100 them as their own. The attacker couldn't actually use the
101 subkey, but they could try and claim ownership of any
102 signaures issued by it. */
103 if(rc==0 && !pk->is_primary && pk->backsig<2)
104 {
105 if(pk->backsig==0)
106 {
107 log_info(_("WARNING: signing subkey %s is not"
108 " cross-certified\n"),keystr_from_pk(pk));
109 log_info(_("please see %s for more information\n"),
110 "http://www.gnupg.org/faq/subkey-cross-certify.html");
111 /* --require-cross-certification makes this warning an
112 error. TODO: change the default to require this
113 after more keys have backsigs. */
114 if(opt.flags.require_cross_cert)
115 rc=G10ERR_GENERAL;
116 }
117 else if(pk->backsig==1)
118 {
119 log_info(_("WARNING: signing subkey %s has an invalid"
120 " cross-certification\n"),keystr_from_pk(pk));
121 rc=G10ERR_GENERAL;
122 }
123 }
124 }
125
126 free_public_key( pk );
127
128 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
129 /* This signature id works best with DLP algorithms because
130 * they use a random parameter for every signature. Instead of
131 * this sig-id we could have also used the hash of the document
132 * and the timestamp, but the drawback of this is, that it is
133 * not possible to sign more than one identical document within
134 * one second. Some remote batch processing applications might
135 * like this feature here */
136 gcry_md_hd_t md;
137
138 u32 a = sig->timestamp;
139 int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
140 byte *p, *buffer;
141
142 if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
143 BUG ();
144
145 /* FIXME: Why the hell are we updating DIGEST here??? */
146 gcry_md_putc( digest, sig->pubkey_algo );
147 gcry_md_putc( digest, sig->digest_algo );
148 gcry_md_putc( digest, (a >> 24) & 0xff );
149 gcry_md_putc( digest, (a >> 16) & 0xff );
150 gcry_md_putc( digest, (a >> 8) & 0xff );
151 gcry_md_putc( digest, a & 0xff );
152 for(i=0; i < nsig; i++ ) {
153 size_t n;
154 unsigned char *tmp;
155
156 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
157 BUG();
158 gcry_md_write (md, tmp, n);
159 xfree (tmp);
160 }
161 gcry_md_final (md);
162 p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
163 buffer = xmalloc( strlen(p) + 60 );
164 sprintf( buffer, "%s %s %lu",
165 p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
166 write_status_text( STATUS_SIG_ID, buffer );
167 xfree(buffer);
168 xfree(p);
169 gcry_md_close(md);
170 }
171
172 return rc;
173 }
174
175
176 static int
177 do_check_messages( PKT_public_key *pk, PKT_signature *sig,
178 int *r_expired, int *r_revoked )
179 {
180 u32 cur_time;
181
182 if(r_expired)
183 *r_expired = 0;
184 if(r_revoked)
185 *r_revoked = 0;
186
187 if( pk->timestamp > sig->timestamp )
188 {
189 ulong d = pk->timestamp - sig->timestamp;
190 log_info(d==1
191 ?_("public key %s is %lu second newer than the signature\n")
192 :_("public key %s is %lu seconds newer than the signature\n"),
193 keystr_from_pk(pk),d );
194 if( !opt.ignore_time_conflict )
195 return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
196 }
197
198 cur_time = make_timestamp();
199 if( pk->timestamp > cur_time )
200 {
201 ulong d = pk->timestamp - cur_time;
202 log_info( d==1
203 ? _("key %s was created %lu second"
204 " in the future (time warp or clock problem)\n")
205 : _("key %s was created %lu seconds"
206 " in the future (time warp or clock problem)\n"),
207 keystr_from_pk(pk),d );
208 if( !opt.ignore_time_conflict )
209 return G10ERR_TIME_CONFLICT;
210 }
211
212 if( pk->expiredate && pk->expiredate < cur_time ) {
213 char buf[11];
214 if (opt.verbose)
215 log_info(_("NOTE: signature key %s expired %s\n"),
216 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
217 /* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
218 sprintf(buf,"%lu",(ulong)pk->expiredate);
219 write_status_text(STATUS_KEYEXPIRED,buf);
220 write_status(STATUS_SIGEXPIRED);
221 if(r_expired)
222 *r_expired = 1;
223 }
224
225 if(pk->is_revoked && r_revoked)
226 *r_revoked=1;
227
228 return 0;
229 }
230
231
232 static int
233 do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
234 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
235 {
236 gcry_mpi_t result = NULL;
237 int rc = 0;
238 struct cmp_help_context_s ctx;
239
240 if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
241 return rc;
242
243 /* Make sure the digest algo is enabled (in case of a detached
244 signature). */
245 gcry_md_enable (digest, sig->digest_algo);
246
247 /* Complete the digest. */
248 if( sig->version >= 4 )
249 gcry_md_putc( digest, sig->version );
250 gcry_md_putc( digest, sig->sig_class );
251 if( sig->version < 4 ) {
252 u32 a = sig->timestamp;
253 gcry_md_putc( digest, (a >> 24) & 0xff );
254 gcry_md_putc( digest, (a >> 16) & 0xff );
255 gcry_md_putc( digest, (a >> 8) & 0xff );
256 gcry_md_putc( digest, a & 0xff );
257 }
258 else {
259 byte buf[6];
260 size_t n;
261 gcry_md_putc( digest, sig->pubkey_algo );
262 gcry_md_putc( digest, sig->digest_algo );
263 if( sig->hashed ) {
264 n = sig->hashed->len;
265 gcry_md_putc (digest, (n >> 8) );
266 gcry_md_putc (digest, n );
267 gcry_md_write (digest, sig->hashed->data, n);
268 n += 6;
269 }
270 else {
271 /* Two octets for the (empty) length of the hashed
272 section. */
273 gcry_md_putc (digest, 0);
274 gcry_md_putc (digest, 0);
275 n = 6;
276 }
277 /* add some magic */
278 buf[0] = sig->version;
279 buf[1] = 0xff;
280 buf[2] = n >> 24;
281 buf[3] = n >> 16;
282 buf[4] = n >> 8;
283 buf[5] = n;
284 gcry_md_write( digest, buf, 6 );
285 }
286 gcry_md_final( digest );
287
288 result = encode_md_value( pk, NULL, digest, sig->digest_algo );
289 if (!result)
290 return G10ERR_GENERAL;
291 ctx.sig = sig;
292 ctx.md = digest;
293 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
294 gcry_mpi_release (result);
295
296 if( !rc && sig->flags.unknown_critical )
297 {
298 log_info(_("assuming bad signature from key %s"
299 " due to an unknown critical bit\n"),keystr_from_pk(pk));
300 rc = G10ERR_BAD_SIGN;
301 }
302
303 if(!rc && ret_pk)
304 copy_public_key(ret_pk,pk);
305
306 return rc;
307 }
308
309
310
311 static void
312 hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
313 {
314 PKT_user_id *uid = unode->pkt->pkt.user_id;
315
316 assert( unode->pkt->pkttype == PKT_USER_ID );
317 if( uid->attrib_data ) {
318 if( sig->version >=4 ) {
319 byte buf[5];
320 buf[0] = 0xd1; /* packet of type 17 */
321 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
322 buf[2] = uid->attrib_len >> 16;
323 buf[3] = uid->attrib_len >> 8;
324 buf[4] = uid->attrib_len;
325 gcry_md_write( md, buf, 5 );
326 }
327 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
328 }
329 else {
330 if( sig->version >=4 ) {
331 byte buf[5];
332 buf[0] = 0xb4; /* indicates a userid packet */
333 buf[1] = uid->len >> 24; /* always use 4 length bytes */
334 buf[2] = uid->len >> 16;
335 buf[3] = uid->len >> 8;
336 buf[4] = uid->len;
337 gcry_md_write( md, buf, 5 );
338 }
339 gcry_md_write( md, uid->name, uid->len );
340 }
341 }
342
343 static void
344 cache_sig_result ( PKT_signature *sig, int result )
345 {
346 if ( !result ) {
347 sig->flags.checked = 1;
348 sig->flags.valid = 1;
349 }
350 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
351 sig->flags.checked = 1;
352 sig->flags.valid = 0;
353 }
354 else {
355 sig->flags.checked = 0;
356 sig->flags.valid = 0;
357 }
358 }
359
360 /* Check the revocation keys to see if any of them have revoked our
361 pk. sig is the revocation sig. pk is the key it is on. This code
362 will need to be modified if gpg ever becomes multi-threaded. Note
363 that this guarantees that a designated revocation sig will never be
364 considered valid unless it is actually valid, as well as being
365 issued by a revocation key in a valid direct signature. Note also
366 that this is written so that a revoked revoker can still issue
367 revocations: i.e. If A revokes B, but A is revoked, B is still
368 revoked. I'm not completely convinced this is the proper behavior,
369 but it matches how PGP does it. -dms */
370
371 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
372 revoked. It is important that G10ERR_NO_PUBKEY is only returned
373 when a revocation signature is from a valid revocation key
374 designated in a revkey subpacket, but the revocation key itself
375 isn't present. */
376 int
377 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
378 {
379 static int busy=0;
380 int i,rc=G10ERR_GENERAL;
381
382 assert(IS_KEY_REV(sig));
383 assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
384
385 if(busy)
386 {
387 /* return an error (i.e. not revoked), but mark the pk as
388 uncacheable as we don't really know its revocation status
389 until it is checked directly. */
390
391 pk->dont_cache=1;
392 return rc;
393 }
394
395 busy=1;
396
397 /* printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
398 (ulong)sig->keyid[1]); */
399
400 /* is the issuer of the sig one of our revokers? */
401 if( !pk->revkey && pk->numrevkeys )
402 BUG();
403 else
404 for(i=0;i<pk->numrevkeys;i++)
405 {
406 u32 keyid[2];
407
408 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
409
410 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
411 {
412 gcry_md_hd_t md;
413
414 if (gcry_md_open (&md, sig->digest_algo, 0))
415 BUG ();
416 hash_public_key(md,pk);
417 rc=signature_check(sig,md);
418 cache_sig_result(sig,rc);
419 break;
420 }
421 }
422
423 busy=0;
424
425 return rc;
426 }
427
428 /* Backsigs (0x19) have the same format as binding sigs (0x18), but
429 this function is simpler than check_key_signature in a few ways.
430 For example, there is no support for expiring backsigs since it is
431 questionable what such a thing actually means. Note also that the
432 sig cache check here, unlike other sig caches in GnuPG, is not
433 persistent. */
434 int
435 check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
436 PKT_signature *backsig)
437 {
438 gcry_md_hd_t md;
439 int rc;
440
441 /* Always check whether the algorithm is available. Although
442 gcry_md_open woyuld throw an error, some libgcrypt versions will
443 print a debug message in that case too. */
444 if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
445 return rc;
446
447 if(!opt.no_sig_cache && backsig->flags.checked)
448 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
449
450 rc = gcry_md_open (&md, backsig->digest_algo,0);
451 if (!rc)
452 {
453 hash_public_key(md,main_pk);
454 hash_public_key(md,sub_pk);
455 rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
456 cache_sig_result(backsig,rc);
457 gcry_md_close(md);
458 }
459
460 return rc;
461 }
462
463
464 /****************
465 * check the signature pointed to by NODE. This is a key signature.
466 * If the function detects a self-signature, it uses the PK from
467 * ROOT and does not read any public key.
468 */
469 int
470 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
471 {
472 return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
473 }
474
475 /* If check_pk is set, then use it to check the signature in node
476 rather than getting it from root or the keydb. If ret_pk is set,
477 fill in the public key that was used to verify the signature.
478 ret_pk is only meaningful when the verification was successful. */
479 /* TODO: add r_revoked here as well. It has the same problems as
480 r_expiredate and r_expired and the cache. */
481 int
482 check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
483 PKT_public_key *ret_pk, int *is_selfsig,
484 u32 *r_expiredate, int *r_expired )
485 {
486 gcry_md_hd_t md;
487 PKT_public_key *pk;
488 PKT_signature *sig;
489 int algo;
490 int rc;
491
492 if( is_selfsig )
493 *is_selfsig = 0;
494 if( r_expiredate )
495 *r_expiredate = 0;
496 if( r_expired )
497 *r_expired = 0;
498 assert( node->pkt->pkttype == PKT_SIGNATURE );
499 assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
500
501 pk = root->pkt->pkt.public_key;
502 sig = node->pkt->pkt.signature;
503 algo = sig->digest_algo;
504
505 /* Check whether we have cached the result of a previous signature
506 check. Note that we may no longer have the pubkey or hash
507 needed to verify a sig, but can still use the cached value. A
508 cache refresh detects and clears these cases. */
509 if ( !opt.no_sig_cache ) {
510 if (sig->flags.checked) { /*cached status available*/
511 if( is_selfsig ) {
512 u32 keyid[2];
513
514 keyid_from_pk( pk, keyid );
515 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
516 *is_selfsig = 1;
517 }
518 /* BUG: This is wrong for non-self-sigs.. needs to be the
519 actual pk */
520 if((rc=do_check_messages(pk,sig,r_expired,NULL)))
521 return rc;
522 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
523 }
524 }
525
526 if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
527 return rc;
528 if( (rc=openpgp_md_test_algo(algo)) )
529 return rc;
530
531 if( sig->sig_class == 0x20 ) { /* key revocation */
532 u32 keyid[2];
533 keyid_from_pk( pk, keyid );
534
535 /* is it a designated revoker? */
536 if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
537 rc=check_revocation_keys(pk,sig);
538 else
539 {
540 if (gcry_md_open (&md, algo, 0 ))
541 BUG ();
542 hash_public_key( md, pk );
543 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
544 cache_sig_result ( sig, rc );
545 gcry_md_close(md);
546 }
547 }
548 else if( sig->sig_class == 0x28 ) { /* subkey revocation */
549 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
550
551 if( snode ) {
552 if (gcry_md_open (&md, algo, 0))
553 BUG ();
554 hash_public_key( md, pk );
555 hash_public_key( md, snode->pkt->pkt.public_key );
556 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
557 cache_sig_result ( sig, rc );
558 gcry_md_close(md);
559 }
560 else
561 {
562 if (opt.verbose)
563 log_info (_("key %s: no subkey for subkey"
564 " revocation signature\n"),keystr_from_pk(pk));
565 rc = G10ERR_SIG_CLASS;
566 }
567 }
568 else if( sig->sig_class == 0x18 ) { /* key binding */
569 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
570
571 if( snode ) {
572 if( is_selfsig ) { /* does this make sense????? */
573 u32 keyid[2]; /* it should always be a selfsig */
574
575 keyid_from_pk( pk, keyid );
576 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
577 *is_selfsig = 1;
578 }
579 if (gcry_md_open (&md, algo, 0))
580 BUG ();
581 hash_public_key( md, pk );
582 hash_public_key( md, snode->pkt->pkt.public_key );
583 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
584 cache_sig_result ( sig, rc );
585 gcry_md_close(md);
586 }
587 else
588 {
589 if (opt.verbose)
590 log_info(_("key %s: no subkey for subkey"
591 " binding signature\n"),keystr_from_pk(pk));
592 rc = G10ERR_SIG_CLASS;
593 }
594 }
595 else if( sig->sig_class == 0x1f ) { /* direct key signature */
596 if (gcry_md_open (&md, algo, 0 ))
597 BUG ();
598 hash_public_key( md, pk );
599 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
600 cache_sig_result ( sig, rc );
601 gcry_md_close(md);
602 }
603 else { /* all other classes */
604 KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
605
606 if( unode ) {
607 u32 keyid[2];
608
609 keyid_from_pk( pk, keyid );
610 if (gcry_md_open (&md, algo, 0 ))
611 BUG ();
612 hash_public_key( md, pk );
613 hash_uid_node( unode, md, sig );
614 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
615 {
616 if( is_selfsig )
617 *is_selfsig = 1;
618 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
619 }
620 else if (check_pk)
621 rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
622 else
623 rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
624
625 cache_sig_result ( sig, rc );
626 gcry_md_close(md);
627 }
628 else
629 {
630 if (!opt.quiet)
631 log_info ("key %s: no user ID for key signature packet"
632 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
633 rc = G10ERR_SIG_CLASS;
634 }
635 }
636
637 return rc;
638 }
gnupg svn clone