search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
* gpg.texi (GPG Configuration Options): Make http_proxy option
[gnupg.git] / g10 / sig-check.c
blob5a3cb886fdf479a243cab80df4595ab15979ab8a
1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA.
21 */
22
23 #include <config.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <assert.h>
28
29 #include "gpg.h"
30 #include "util.h"
31 #include "packet.h"
32 #include "keydb.h"
33 #include "cipher.h"
34 #include "main.h"
35 #include "status.h"
36 #include "i18n.h"
37 #include "options.h"
38 #include "pkglue.h"
39
40 /* Context used by the compare function. */
41 struct cmp_help_context_s
42 {
43 PKT_signature *sig;
44 gcry_md_hd_t md;
45 };
46
47
48
49 static int do_check( PKT_public_key *pk, PKT_signature *sig,
50 gcry_md_hd_t digest,
51 int *r_expired, int *r_revoked, PKT_public_key *ret_pk);
52
53 /****************
54 * Check the signature which is contained in SIG.
55 * The MD_HANDLE should be currently open, so that this function
56 * is able to append some data, before finalizing the digest.
57 */
58 int
59 signature_check (PKT_signature *sig, gcry_md_hd_t digest)
60 {
61 return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
62 }
63
64 int
65 signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
66 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
67 {
68 PKT_public_key *pk = xmalloc_clear( sizeof *pk );
69 int rc=0;
70
71 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
72 ; /* We don't have this digest. */
73 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
74 ; /* We don't have this pubkey algo. */
75 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
76 {
77 /* Sanity check that the md has a context for the hash that the
78 sig is expecting. This can happen if a onepass sig header does
79 not match the actual sig, and also if the clearsign "Hash:"
80 header is missing or does not match the actual sig. */
81
82 log_info(_("WARNING: signature digest conflict in message\n"));
83 rc=G10ERR_GENERAL;
84 }
85 else if( get_pubkey( pk, sig->keyid ) )
86 rc = G10ERR_NO_PUBKEY;
87 else if(!pk->is_valid && !pk->is_primary)
88 rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
89 invalid subkey */
90 else
91 {
92 if(r_expiredate)
93 *r_expiredate = pk->expiredate;
94
95 rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
96
97 /* Check the backsig. This is a 0x19 signature from the
98 subkey on the primary key. The idea here is that it should
99 not be possible for someone to "steal" subkeys and claim
100 them as their own. The attacker couldn't actually use the
101 subkey, but they could try and claim ownership of any
102 signaures issued by it. */
103 if(rc==0 && !pk->is_primary && pk->backsig<2)
104 {
105 if(pk->backsig==0)
106 {
107 log_info(_("WARNING: signing subkey %s is not"
108 " cross-certified\n"),keystr_from_pk(pk));
109 log_info(_("please see %s for more information\n"),
110 "http://www.gnupg.org/faq/subkey-cross-certify.html");
111 /* --require-cross-certification makes this warning an
112 error. TODO: change the default to require this
113 after more keys have backsigs. */
114 if(opt.flags.require_cross_cert)
115 rc=G10ERR_GENERAL;
116 }
117 else if(pk->backsig==1)
118 {
119 log_info(_("WARNING: signing subkey %s has an invalid"
120 " cross-certification\n"),keystr_from_pk(pk));
121 rc=G10ERR_GENERAL;
122 }
123 }
124 }
125
126 free_public_key( pk );
127
128 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
129 /* This signature id works best with DLP algorithms because
130 * they use a random parameter for every signature. Instead of
131 * this sig-id we could have also used the hash of the document
132 * and the timestamp, but the drawback of this is, that it is
133 * not possible to sign more than one identical document within
134 * one second. Some remote batch processing applications might
135 * like this feature here */
136 gcry_md_hd_t md;
137
138 u32 a = sig->timestamp;
139 int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
140 byte *p, *buffer;
141
142 if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
143 BUG ();
144
145 /* FIXME: Why the hell are we updating DIGEST here??? */
146 gcry_md_putc( digest, sig->pubkey_algo );
147 gcry_md_putc( digest, sig->digest_algo );
148 gcry_md_putc( digest, (a >> 24) & 0xff );
149 gcry_md_putc( digest, (a >> 16) & 0xff );
150 gcry_md_putc( digest, (a >> 8) & 0xff );
151 gcry_md_putc( digest, a & 0xff );
152 for(i=0; i < nsig; i++ ) {
153 size_t n;
154 unsigned char *tmp;
155
156 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
157 BUG();
158 gcry_md_write (md, tmp, n);
159 xfree (tmp);
160 }
161 gcry_md_final (md);
162 p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
163 buffer = xmalloc( strlen(p) + 60 );
164 sprintf( buffer, "%s %s %lu",
165 p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
166 write_status_text( STATUS_SIG_ID, buffer );
167 xfree(buffer);
168 xfree(p);
169 gcry_md_close(md);
170 }
171
172 return rc;
173 }
174
175
176 static int
177 do_check_messages( PKT_public_key *pk, PKT_signature *sig,
178 int *r_expired, int *r_revoked )
179 {
180 u32 cur_time;
181
182 if(r_expired)
183 *r_expired = 0;
184 if(r_revoked)
185 *r_revoked = 0;
186
187 if( pk->timestamp > sig->timestamp )
188 {
189 ulong d = pk->timestamp - sig->timestamp;
190 log_info(d==1
191 ?_("public key %s is %lu second newer than the signature\n")
192 :_("public key %s is %lu seconds newer than the signature\n"),
193 keystr_from_pk(pk),d );
194 if( !opt.ignore_time_conflict )
195 return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
196 }
197
198 cur_time = make_timestamp();
199 if( pk->timestamp > cur_time )
200 {
201 ulong d = pk->timestamp - cur_time;
202 log_info( d==1
203 ? _("key %s was created %lu second"
204 " in the future (time warp or clock problem)\n")
205 : _("key %s was created %lu seconds"
206 " in the future (time warp or clock problem)\n"),
207 keystr_from_pk(pk),d );
208 if( !opt.ignore_time_conflict )
209 return G10ERR_TIME_CONFLICT;
210 }
211
212 if( pk->expiredate && pk->expiredate < cur_time ) {
213 char buf[11];
214 if (opt.verbose)
215 log_info(_("NOTE: signature key %s expired %s\n"),
216 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
217 /* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
218 sprintf(buf,"%lu",(ulong)pk->expiredate);
219 write_status_text(STATUS_KEYEXPIRED,buf);
220 write_status(STATUS_SIGEXPIRED);
221 if(r_expired)
222 *r_expired = 1;
223 }
224
225 if(pk->is_revoked && r_revoked)
226 *r_revoked=1;
227
228 return 0;
229 }
230
231
232 static int
233 do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
234 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
235 {
236 gcry_mpi_t result = NULL;
237 int rc = 0;
238 struct cmp_help_context_s ctx;
239
240 if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
241 return rc;
242
243 /* Make sure the digest algo is enabled (in case of a detached
244 signature). */
245 gcry_md_enable (digest, sig->digest_algo);
246
247 /* Complete the digest. */
248 if( sig->version >= 4 )
249 gcry_md_putc( digest, sig->version );
250 gcry_md_putc( digest, sig->sig_class );
251 if( sig->version < 4 ) {
252 u32 a = sig->timestamp;
253 gcry_md_putc( digest, (a >> 24) & 0xff );
254 gcry_md_putc( digest, (a >> 16) & 0xff );
255 gcry_md_putc( digest, (a >> 8) & 0xff );
256 gcry_md_putc( digest, a & 0xff );
257 }
258 else {
259 byte buf[6];
260 size_t n;
261 gcry_md_putc( digest, sig->pubkey_algo );
262 gcry_md_putc( digest, sig->digest_algo );
263 if( sig->hashed ) {
264 n = sig->hashed->len;
265 gcry_md_putc (digest, (n >> 8) );
266 gcry_md_putc (digest, n );
267 gcry_md_write (digest, sig->hashed->data, n);
268 n += 6;
269 }
270 else {
271 /* Two octets for the (empty) length of the hashed
272 section. */
273 gcry_md_putc (digest, 0);
274 gcry_md_putc (digest, 0);
275 n = 6;
276 }
277 /* add some magic */
278 buf[0] = sig->version;
279 buf[1] = 0xff;
280 buf[2] = n >> 24;
281 buf[3] = n >> 16;
282 buf[4] = n >> 8;
283 buf[5] = n;
284 gcry_md_write( digest, buf, 6 );
285 }
286 gcry_md_final( digest );
287
288 result = encode_md_value( pk, NULL, digest, sig->digest_algo );
289 if (!result)
290 return G10ERR_GENERAL;
291 ctx.sig = sig;
292 ctx.md = digest;
293 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
294 gcry_mpi_release (result);
295
296 if( !rc && sig->flags.unknown_critical )
297 {
298 log_info(_("assuming bad signature from key %s"
299 " due to an unknown critical bit\n"),keystr_from_pk(pk));
300 rc = G10ERR_BAD_SIGN;
301 }
302
303 if(!rc && ret_pk)
304 copy_public_key(ret_pk,pk);
305
306 return rc;
307 }
308
309
310
311 static void
312 hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
313 {
314 PKT_user_id *uid = unode->pkt->pkt.user_id;
315
316 assert( unode->pkt->pkttype == PKT_USER_ID );
317 if( uid->attrib_data ) {
318 if( sig->version >=4 ) {
319 byte buf[5];
320 buf[0] = 0xd1; /* packet of type 17 */
321 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
322 buf[2] = uid->attrib_len >> 16;
323 buf[3] = uid->attrib_len >> 8;
324 buf[4] = uid->attrib_len;
325 gcry_md_write( md, buf, 5 );
326 }
327 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
328 }
329 else {
330 if( sig->version >=4 ) {
331 byte buf[5];
332 buf[0] = 0xb4; /* indicates a userid packet */
333 buf[1] = uid->len >> 24; /* always use 4 length bytes */
334 buf[2] = uid->len >> 16;
335 buf[3] = uid->len >> 8;
336 buf[4] = uid->len;
337 gcry_md_write( md, buf, 5 );
338 }
339 gcry_md_write( md, uid->name, uid->len );
340 }
341 }
342
343 static void
344 cache_sig_result ( PKT_signature *sig, int result )
345 {
346 if ( !result ) {
347 sig->flags.checked = 1;
348 sig->flags.valid = 1;
349 }
350 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
351 sig->flags.checked = 1;
352 sig->flags.valid = 0;
353 }
354 else {
355 sig->flags.checked = 0;
356 sig->flags.valid = 0;
357 }
358 }
359
360 /* Check the revocation keys to see if any of them have revoked our
361 pk. sig is the revocation sig. pk is the key it is on. This code
362 will need to be modified if gpg ever becomes multi-threaded. Note
363 that this guarantees that a designated revocation sig will never be
364 considered valid unless it is actually valid, as well as being
365 issued by a revocation key in a valid direct signature. Note also
366 that this is written so that a revoked revoker can still issue
367 revocations: i.e. If A revokes B, but A is revoked, B is still
368 revoked. I'm not completely convinced this is the proper behavior,
369 but it matches how PGP does it. -dms */
370
371 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
372 revoked. It is important that G10ERR_NO_PUBKEY is only returned
373 when a revocation signature is from a valid revocation key
374 designated in a revkey subpacket, but the revocation key itself
375 isn't present. */
376 int
377 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
378 {
379 static int busy=0;
380 int i,rc=G10ERR_GENERAL;
381
382 assert(IS_KEY_REV(sig));
383 assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
384
385 if(busy)
386 {
387 /* return an error (i.e. not revoked), but mark the pk as
388 uncacheable as we don't really know its revocation status
389 until it is checked directly. */
390
391 pk->dont_cache=1;
392 return rc;
393 }
394
395 busy=1;
396
397 /* printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
398 (ulong)sig->keyid[1]); */
399
400 /* is the issuer of the sig one of our revokers? */
401 if( !pk->revkey && pk->numrevkeys )
402 BUG();
403 else
404 for(i=0;i<pk->numrevkeys;i++)
405 {
406 u32 keyid[2];
407
408 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
409
410 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
411 {
412 gcry_md_hd_t md;
413
414 if (gcry_md_open (&md, sig->digest_algo, 0))
415 BUG ();
416 hash_public_key(md,pk);
417 rc=signature_check(sig,md);
418 cache_sig_result(sig,rc);
419 break;
420 }
421 }
422
423 busy=0;
424
425 return rc;
426 }
427
428 /* Backsigs (0x19) have the same format as binding sigs (0x18), but
429 this function is simpler than check_key_signature in a few ways.
430 For example, there is no support for expiring backsigs since it is
431 questionable what such a thing actually means. Note also that the
432 sig cache check here, unlike other sig caches in GnuPG, is not
433 persistent. */
434 int
435 check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
436 PKT_signature *backsig)
437 {
438 gcry_md_hd_t md;
439 int rc;
440
441 if(!opt.no_sig_cache && backsig->flags.checked)
442 {
443 if((rc=openpgp_md_test_algo (backsig->digest_algo)))
444 return rc;
445
446 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
447 }
448
449 if (gcry_md_open (&md, backsig->digest_algo,0))
450 BUG ();
451 hash_public_key(md,main_pk);
452 hash_public_key(md,sub_pk);
453 rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
454 cache_sig_result(backsig,rc);
455 gcry_md_close(md);
456
457 return rc;
458 }
459
460
461 /****************
462 * check the signature pointed to by NODE. This is a key signature.
463 * If the function detects a self-signature, it uses the PK from
464 * ROOT and does not read any public key.
465 */
466 int
467 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
468 {
469 return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
470 }
471
472 /* If check_pk is set, then use it to check the signature in node
473 rather than getting it from root or the keydb. If ret_pk is set,
474 fill in the public key that was used to verify the signature.
475 ret_pk is only meaningful when the verification was successful. */
476 /* TODO: add r_revoked here as well. It has the same problems as
477 r_expiredate and r_expired and the cache. */
478 int
479 check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
480 PKT_public_key *ret_pk, int *is_selfsig,
481 u32 *r_expiredate, int *r_expired )
482 {
483 gcry_md_hd_t md;
484 PKT_public_key *pk;
485 PKT_signature *sig;
486 int algo;
487 int rc;
488
489 if( is_selfsig )
490 *is_selfsig = 0;
491 if( r_expiredate )
492 *r_expiredate = 0;
493 if( r_expired )
494 *r_expired = 0;
495 assert( node->pkt->pkttype == PKT_SIGNATURE );
496 assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
497
498 pk = root->pkt->pkt.public_key;
499 sig = node->pkt->pkt.signature;
500 algo = sig->digest_algo;
501
502 /* Check whether we have cached the result of a previous signature
503 check. Note that we may no longer have the pubkey or hash
504 needed to verify a sig, but can still use the cached value. A
505 cache refresh detects and clears these cases. */
506 if ( !opt.no_sig_cache ) {
507 if (sig->flags.checked) { /*cached status available*/
508 if( is_selfsig ) {
509 u32 keyid[2];
510
511 keyid_from_pk( pk, keyid );
512 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
513 *is_selfsig = 1;
514 }
515 /* BUG: This is wrong for non-self-sigs.. needs to be the
516 actual pk */
517 if((rc=do_check_messages(pk,sig,r_expired,NULL)))
518 return rc;
519 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
520 }
521 }
522
523 if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
524 return rc;
525 if( (rc=openpgp_md_test_algo(algo)) )
526 return rc;
527
528 if( sig->sig_class == 0x20 ) { /* key revocation */
529 u32 keyid[2];
530 keyid_from_pk( pk, keyid );
531
532 /* is it a designated revoker? */
533 if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
534 rc=check_revocation_keys(pk,sig);
535 else
536 {
537 if (gcry_md_open (&md, algo, 0 ))
538 BUG ();
539 hash_public_key( md, pk );
540 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
541 cache_sig_result ( sig, rc );
542 gcry_md_close(md);
543 }
544 }
545 else if( sig->sig_class == 0x28 ) { /* subkey revocation */
546 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
547
548 if( snode ) {
549 if (gcry_md_open (&md, algo, 0))
550 BUG ();
551 hash_public_key( md, pk );
552 hash_public_key( md, snode->pkt->pkt.public_key );
553 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
554 cache_sig_result ( sig, rc );
555 gcry_md_close(md);
556 }
557 else
558 {
559 if (opt.verbose)
560 log_info (_("key %s: no subkey for subkey"
561 " revocation signature\n"),keystr_from_pk(pk));
562 rc = G10ERR_SIG_CLASS;
563 }
564 }
565 else if( sig->sig_class == 0x18 ) { /* key binding */
566 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
567
568 if( snode ) {
569 if( is_selfsig ) { /* does this make sense????? */
570 u32 keyid[2]; /* it should always be a selfsig */
571
572 keyid_from_pk( pk, keyid );
573 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
574 *is_selfsig = 1;
575 }
576 if (gcry_md_open (&md, algo, 0))
577 BUG ();
578 hash_public_key( md, pk );
579 hash_public_key( md, snode->pkt->pkt.public_key );
580 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
581 cache_sig_result ( sig, rc );
582 gcry_md_close(md);
583 }
584 else
585 {
586 if (opt.verbose)
587 log_info(_("key %s: no subkey for subkey"
588 " binding signature\n"),keystr_from_pk(pk));
589 rc = G10ERR_SIG_CLASS;
590 }
591 }
592 else if( sig->sig_class == 0x1f ) { /* direct key signature */
593 if (gcry_md_open (&md, algo, 0 ))
594 BUG ();
595 hash_public_key( md, pk );
596 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
597 cache_sig_result ( sig, rc );
598 gcry_md_close(md);
599 }
600 else { /* all other classes */
601 KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
602
603 if( unode ) {
604 u32 keyid[2];
605
606 keyid_from_pk( pk, keyid );
607 if (gcry_md_open (&md, algo, 0 ))
608 BUG ();
609 hash_public_key( md, pk );
610 hash_uid_node( unode, md, sig );
611 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
612 {
613 if( is_selfsig )
614 *is_selfsig = 1;
615 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
616 }
617 else if (check_pk)
618 rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
619 else
620 rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
621
622 cache_sig_result ( sig, rc );
623 gcry_md_close(md);
624 }
625 else
626 {
627 if (!opt.quiet)
628 log_info ("key %s: no user ID for key signature packet"
629 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
630 rc = G10ERR_SIG_CLASS;
631 }
632 }
633
634 return rc;
635 }
gnupg svn clone