search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2007-07-05 Marcus Brinkmann <marcus@g10code.de>
[gnupg.git] / g10 / sig-check.c
blob55afde02778bdb30ffe829688a8b102a8cb4c981
1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26
27 #include "gpg.h"
28 #include "util.h"
29 #include "packet.h"
30 #include "keydb.h"
31 #include "cipher.h"
32 #include "main.h"
33 #include "status.h"
34 #include "i18n.h"
35 #include "options.h"
36 #include "pkglue.h"
37
38 /* Context used by the compare function. */
39 struct cmp_help_context_s
40 {
41 PKT_signature *sig;
42 gcry_md_hd_t md;
43 };
44
45
46
47 static int do_check( PKT_public_key *pk, PKT_signature *sig,
48 gcry_md_hd_t digest,
49 int *r_expired, int *r_revoked, PKT_public_key *ret_pk);
50
51 /****************
52 * Check the signature which is contained in SIG.
53 * The MD_HANDLE should be currently open, so that this function
54 * is able to append some data, before finalizing the digest.
55 */
56 int
57 signature_check (PKT_signature *sig, gcry_md_hd_t digest)
58 {
59 return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
60 }
61
62 int
63 signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
64 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
65 {
66 PKT_public_key *pk = xmalloc_clear( sizeof *pk );
67 int rc=0;
68
69 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
70 ; /* We don't have this digest. */
71 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
72 ; /* We don't have this pubkey algo. */
73 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
74 {
75 /* Sanity check that the md has a context for the hash that the
76 sig is expecting. This can happen if a onepass sig header does
77 not match the actual sig, and also if the clearsign "Hash:"
78 header is missing or does not match the actual sig. */
79
80 log_info(_("WARNING: signature digest conflict in message\n"));
81 rc=G10ERR_GENERAL;
82 }
83 else if( get_pubkey( pk, sig->keyid ) )
84 rc = G10ERR_NO_PUBKEY;
85 else if(!pk->is_valid && !pk->is_primary)
86 rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
87 invalid subkey */
88 else
89 {
90 if(r_expiredate)
91 *r_expiredate = pk->expiredate;
92
93 rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
94
95 /* Check the backsig. This is a 0x19 signature from the
96 subkey on the primary key. The idea here is that it should
97 not be possible for someone to "steal" subkeys and claim
98 them as their own. The attacker couldn't actually use the
99 subkey, but they could try and claim ownership of any
100 signaures issued by it. */
101 if(rc==0 && !pk->is_primary && pk->backsig<2)
102 {
103 if(pk->backsig==0)
104 {
105 log_info(_("WARNING: signing subkey %s is not"
106 " cross-certified\n"),keystr_from_pk(pk));
107 log_info(_("please see %s for more information\n"),
108 "http://www.gnupg.org/faq/subkey-cross-certify.html");
109 /* --require-cross-certification makes this warning an
110 error. TODO: change the default to require this
111 after more keys have backsigs. */
112 if(opt.flags.require_cross_cert)
113 rc=G10ERR_GENERAL;
114 }
115 else if(pk->backsig==1)
116 {
117 log_info(_("WARNING: signing subkey %s has an invalid"
118 " cross-certification\n"),keystr_from_pk(pk));
119 rc=G10ERR_GENERAL;
120 }
121 }
122 }
123
124 free_public_key( pk );
125
126 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
127 /* This signature id works best with DLP algorithms because
128 * they use a random parameter for every signature. Instead of
129 * this sig-id we could have also used the hash of the document
130 * and the timestamp, but the drawback of this is, that it is
131 * not possible to sign more than one identical document within
132 * one second. Some remote batch processing applications might
133 * like this feature here */
134 gcry_md_hd_t md;
135
136 u32 a = sig->timestamp;
137 int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
138 byte *p, *buffer;
139
140 if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
141 BUG ();
142
143 /* FIXME: Why the hell are we updating DIGEST here??? */
144 gcry_md_putc( digest, sig->pubkey_algo );
145 gcry_md_putc( digest, sig->digest_algo );
146 gcry_md_putc( digest, (a >> 24) & 0xff );
147 gcry_md_putc( digest, (a >> 16) & 0xff );
148 gcry_md_putc( digest, (a >> 8) & 0xff );
149 gcry_md_putc( digest, a & 0xff );
150 for(i=0; i < nsig; i++ ) {
151 size_t n;
152 unsigned char *tmp;
153
154 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
155 BUG();
156 gcry_md_write (md, tmp, n);
157 xfree (tmp);
158 }
159 gcry_md_final (md);
160 p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
161 buffer = xmalloc( strlen(p) + 60 );
162 sprintf( buffer, "%s %s %lu",
163 p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
164 write_status_text( STATUS_SIG_ID, buffer );
165 xfree(buffer);
166 xfree(p);
167 gcry_md_close(md);
168 }
169
170 return rc;
171 }
172
173
174 static int
175 do_check_messages( PKT_public_key *pk, PKT_signature *sig,
176 int *r_expired, int *r_revoked )
177 {
178 u32 cur_time;
179
180 if(r_expired)
181 *r_expired = 0;
182 if(r_revoked)
183 *r_revoked = 0;
184
185 if( pk->timestamp > sig->timestamp )
186 {
187 ulong d = pk->timestamp - sig->timestamp;
188 log_info(d==1
189 ?_("public key %s is %lu second newer than the signature\n")
190 :_("public key %s is %lu seconds newer than the signature\n"),
191 keystr_from_pk(pk),d );
192 if( !opt.ignore_time_conflict )
193 return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
194 }
195
196 cur_time = make_timestamp();
197 if( pk->timestamp > cur_time )
198 {
199 ulong d = pk->timestamp - cur_time;
200 log_info( d==1
201 ? _("key %s was created %lu second"
202 " in the future (time warp or clock problem)\n")
203 : _("key %s was created %lu seconds"
204 " in the future (time warp or clock problem)\n"),
205 keystr_from_pk(pk),d );
206 if( !opt.ignore_time_conflict )
207 return G10ERR_TIME_CONFLICT;
208 }
209
210 if( pk->expiredate && pk->expiredate < cur_time ) {
211 char buf[11];
212 if (opt.verbose)
213 log_info(_("NOTE: signature key %s expired %s\n"),
214 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
215 /* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
216 sprintf(buf,"%lu",(ulong)pk->expiredate);
217 write_status_text(STATUS_KEYEXPIRED,buf);
218 write_status(STATUS_SIGEXPIRED);
219 if(r_expired)
220 *r_expired = 1;
221 }
222
223 if(pk->is_revoked && r_revoked)
224 *r_revoked=1;
225
226 return 0;
227 }
228
229
230 static int
231 do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
232 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
233 {
234 gcry_mpi_t result = NULL;
235 int rc = 0;
236 struct cmp_help_context_s ctx;
237
238 if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
239 return rc;
240
241 /* Make sure the digest algo is enabled (in case of a detached
242 signature). */
243 gcry_md_enable (digest, sig->digest_algo);
244
245 /* Complete the digest. */
246 if( sig->version >= 4 )
247 gcry_md_putc( digest, sig->version );
248 gcry_md_putc( digest, sig->sig_class );
249 if( sig->version < 4 ) {
250 u32 a = sig->timestamp;
251 gcry_md_putc( digest, (a >> 24) & 0xff );
252 gcry_md_putc( digest, (a >> 16) & 0xff );
253 gcry_md_putc( digest, (a >> 8) & 0xff );
254 gcry_md_putc( digest, a & 0xff );
255 }
256 else {
257 byte buf[6];
258 size_t n;
259 gcry_md_putc( digest, sig->pubkey_algo );
260 gcry_md_putc( digest, sig->digest_algo );
261 if( sig->hashed ) {
262 n = sig->hashed->len;
263 gcry_md_putc (digest, (n >> 8) );
264 gcry_md_putc (digest, n );
265 gcry_md_write (digest, sig->hashed->data, n);
266 n += 6;
267 }
268 else {
269 /* Two octets for the (empty) length of the hashed
270 section. */
271 gcry_md_putc (digest, 0);
272 gcry_md_putc (digest, 0);
273 n = 6;
274 }
275 /* add some magic */
276 buf[0] = sig->version;
277 buf[1] = 0xff;
278 buf[2] = n >> 24;
279 buf[3] = n >> 16;
280 buf[4] = n >> 8;
281 buf[5] = n;
282 gcry_md_write( digest, buf, 6 );
283 }
284 gcry_md_final( digest );
285
286 result = encode_md_value( pk, NULL, digest, sig->digest_algo );
287 if (!result)
288 return G10ERR_GENERAL;
289 ctx.sig = sig;
290 ctx.md = digest;
291 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
292 gcry_mpi_release (result);
293
294 if( !rc && sig->flags.unknown_critical )
295 {
296 log_info(_("assuming bad signature from key %s"
297 " due to an unknown critical bit\n"),keystr_from_pk(pk));
298 rc = G10ERR_BAD_SIGN;
299 }
300
301 if(!rc && ret_pk)
302 copy_public_key(ret_pk,pk);
303
304 return rc;
305 }
306
307
308
309 static void
310 hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
311 {
312 PKT_user_id *uid = unode->pkt->pkt.user_id;
313
314 assert( unode->pkt->pkttype == PKT_USER_ID );
315 if( uid->attrib_data ) {
316 if( sig->version >=4 ) {
317 byte buf[5];
318 buf[0] = 0xd1; /* packet of type 17 */
319 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
320 buf[2] = uid->attrib_len >> 16;
321 buf[3] = uid->attrib_len >> 8;
322 buf[4] = uid->attrib_len;
323 gcry_md_write( md, buf, 5 );
324 }
325 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
326 }
327 else {
328 if( sig->version >=4 ) {
329 byte buf[5];
330 buf[0] = 0xb4; /* indicates a userid packet */
331 buf[1] = uid->len >> 24; /* always use 4 length bytes */
332 buf[2] = uid->len >> 16;
333 buf[3] = uid->len >> 8;
334 buf[4] = uid->len;
335 gcry_md_write( md, buf, 5 );
336 }
337 gcry_md_write( md, uid->name, uid->len );
338 }
339 }
340
341 static void
342 cache_sig_result ( PKT_signature *sig, int result )
343 {
344 if ( !result ) {
345 sig->flags.checked = 1;
346 sig->flags.valid = 1;
347 }
348 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
349 sig->flags.checked = 1;
350 sig->flags.valid = 0;
351 }
352 else {
353 sig->flags.checked = 0;
354 sig->flags.valid = 0;
355 }
356 }
357
358 /* Check the revocation keys to see if any of them have revoked our
359 pk. sig is the revocation sig. pk is the key it is on. This code
360 will need to be modified if gpg ever becomes multi-threaded. Note
361 that this guarantees that a designated revocation sig will never be
362 considered valid unless it is actually valid, as well as being
363 issued by a revocation key in a valid direct signature. Note also
364 that this is written so that a revoked revoker can still issue
365 revocations: i.e. If A revokes B, but A is revoked, B is still
366 revoked. I'm not completely convinced this is the proper behavior,
367 but it matches how PGP does it. -dms */
368
369 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
370 revoked. It is important that G10ERR_NO_PUBKEY is only returned
371 when a revocation signature is from a valid revocation key
372 designated in a revkey subpacket, but the revocation key itself
373 isn't present. */
374 int
375 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
376 {
377 static int busy=0;
378 int i,rc=G10ERR_GENERAL;
379
380 assert(IS_KEY_REV(sig));
381 assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
382
383 if(busy)
384 {
385 /* return an error (i.e. not revoked), but mark the pk as
386 uncacheable as we don't really know its revocation status
387 until it is checked directly. */
388
389 pk->dont_cache=1;
390 return rc;
391 }
392
393 busy=1;
394
395 /* printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
396 (ulong)sig->keyid[1]); */
397
398 /* is the issuer of the sig one of our revokers? */
399 if( !pk->revkey && pk->numrevkeys )
400 BUG();
401 else
402 for(i=0;i<pk->numrevkeys;i++)
403 {
404 u32 keyid[2];
405
406 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
407
408 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
409 {
410 gcry_md_hd_t md;
411
412 if (gcry_md_open (&md, sig->digest_algo, 0))
413 BUG ();
414 hash_public_key(md,pk);
415 rc=signature_check(sig,md);
416 cache_sig_result(sig,rc);
417 break;
418 }
419 }
420
421 busy=0;
422
423 return rc;
424 }
425
426 /* Backsigs (0x19) have the same format as binding sigs (0x18), but
427 this function is simpler than check_key_signature in a few ways.
428 For example, there is no support for expiring backsigs since it is
429 questionable what such a thing actually means. Note also that the
430 sig cache check here, unlike other sig caches in GnuPG, is not
431 persistent. */
432 int
433 check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
434 PKT_signature *backsig)
435 {
436 gcry_md_hd_t md;
437 int rc;
438
439 /* Always check whether the algorithm is available. Although
440 gcry_md_open woyuld throw an error, some libgcrypt versions will
441 print a debug message in that case too. */
442 if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
443 return rc;
444
445 if(!opt.no_sig_cache && backsig->flags.checked)
446 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
447
448 rc = gcry_md_open (&md, backsig->digest_algo,0);
449 if (!rc)
450 {
451 hash_public_key(md,main_pk);
452 hash_public_key(md,sub_pk);
453 rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
454 cache_sig_result(backsig,rc);
455 gcry_md_close(md);
456 }
457
458 return rc;
459 }
460
461
462 /****************
463 * check the signature pointed to by NODE. This is a key signature.
464 * If the function detects a self-signature, it uses the PK from
465 * ROOT and does not read any public key.
466 */
467 int
468 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
469 {
470 return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
471 }
472
473 /* If check_pk is set, then use it to check the signature in node
474 rather than getting it from root or the keydb. If ret_pk is set,
475 fill in the public key that was used to verify the signature.
476 ret_pk is only meaningful when the verification was successful. */
477 /* TODO: add r_revoked here as well. It has the same problems as
478 r_expiredate and r_expired and the cache. */
479 int
480 check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
481 PKT_public_key *ret_pk, int *is_selfsig,
482 u32 *r_expiredate, int *r_expired )
483 {
484 gcry_md_hd_t md;
485 PKT_public_key *pk;
486 PKT_signature *sig;
487 int algo;
488 int rc;
489
490 if( is_selfsig )
491 *is_selfsig = 0;
492 if( r_expiredate )
493 *r_expiredate = 0;
494 if( r_expired )
495 *r_expired = 0;
496 assert( node->pkt->pkttype == PKT_SIGNATURE );
497 assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
498
499 pk = root->pkt->pkt.public_key;
500 sig = node->pkt->pkt.signature;
501 algo = sig->digest_algo;
502
503 /* Check whether we have cached the result of a previous signature
504 check. Note that we may no longer have the pubkey or hash
505 needed to verify a sig, but can still use the cached value. A
506 cache refresh detects and clears these cases. */
507 if ( !opt.no_sig_cache ) {
508 if (sig->flags.checked) { /*cached status available*/
509 if( is_selfsig ) {
510 u32 keyid[2];
511
512 keyid_from_pk( pk, keyid );
513 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
514 *is_selfsig = 1;
515 }
516 /* BUG: This is wrong for non-self-sigs.. needs to be the
517 actual pk */
518 if((rc=do_check_messages(pk,sig,r_expired,NULL)))
519 return rc;
520 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
521 }
522 }
523
524 if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
525 return rc;
526 if( (rc=openpgp_md_test_algo(algo)) )
527 return rc;
528
529 if( sig->sig_class == 0x20 ) { /* key revocation */
530 u32 keyid[2];
531 keyid_from_pk( pk, keyid );
532
533 /* is it a designated revoker? */
534 if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
535 rc=check_revocation_keys(pk,sig);
536 else
537 {
538 if (gcry_md_open (&md, algo, 0 ))
539 BUG ();
540 hash_public_key( md, pk );
541 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
542 cache_sig_result ( sig, rc );
543 gcry_md_close(md);
544 }
545 }
546 else if( sig->sig_class == 0x28 ) { /* subkey revocation */
547 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
548
549 if( snode ) {
550 if (gcry_md_open (&md, algo, 0))
551 BUG ();
552 hash_public_key( md, pk );
553 hash_public_key( md, snode->pkt->pkt.public_key );
554 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
555 cache_sig_result ( sig, rc );
556 gcry_md_close(md);
557 }
558 else
559 {
560 if (opt.verbose)
561 log_info (_("key %s: no subkey for subkey"
562 " revocation signature\n"),keystr_from_pk(pk));
563 rc = G10ERR_SIG_CLASS;
564 }
565 }
566 else if( sig->sig_class == 0x18 ) { /* key binding */
567 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
568
569 if( snode ) {
570 if( is_selfsig ) { /* does this make sense????? */
571 u32 keyid[2]; /* it should always be a selfsig */
572
573 keyid_from_pk( pk, keyid );
574 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
575 *is_selfsig = 1;
576 }
577 if (gcry_md_open (&md, algo, 0))
578 BUG ();
579 hash_public_key( md, pk );
580 hash_public_key( md, snode->pkt->pkt.public_key );
581 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
582 cache_sig_result ( sig, rc );
583 gcry_md_close(md);
584 }
585 else
586 {
587 if (opt.verbose)
588 log_info(_("key %s: no subkey for subkey"
589 " binding signature\n"),keystr_from_pk(pk));
590 rc = G10ERR_SIG_CLASS;
591 }
592 }
593 else if( sig->sig_class == 0x1f ) { /* direct key signature */
594 if (gcry_md_open (&md, algo, 0 ))
595 BUG ();
596 hash_public_key( md, pk );
597 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
598 cache_sig_result ( sig, rc );
599 gcry_md_close(md);
600 }
601 else { /* all other classes */
602 KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
603
604 if( unode ) {
605 u32 keyid[2];
606
607 keyid_from_pk( pk, keyid );
608 if (gcry_md_open (&md, algo, 0 ))
609 BUG ();
610 hash_public_key( md, pk );
611 hash_uid_node( unode, md, sig );
612 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
613 {
614 if( is_selfsig )
615 *is_selfsig = 1;
616 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
617 }
618 else if (check_pk)
619 rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
620 else
621 rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
622
623 cache_sig_result ( sig, rc );
624 gcry_md_close(md);
625 }
626 else
627 {
628 if (!opt.quiet)
629 log_info ("key %s: no user ID for key signature packet"
630 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
631 rc = G10ERR_SIG_CLASS;
632 }
633 }
634
635 return rc;
636 }
gnupg svn clone