search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2009-05-15 Marcus Brinkmann <marcus@g10code.de>
[gnupg.git] / g10 / sig-check.c
blobc415703f7394904186bf1efd0be1f47544b6ce82
1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26
27 #include "gpg.h"
28 #include "util.h"
29 #include "packet.h"
30 #include "keydb.h"
31 #include "cipher.h"
32 #include "main.h"
33 #include "status.h"
34 #include "i18n.h"
35 #include "options.h"
36 #include "pkglue.h"
37
38 /* Context used by the compare function. */
39 struct cmp_help_context_s
40 {
41 PKT_signature *sig;
42 gcry_md_hd_t md;
43 };
44
45
46
47 static int do_check( PKT_public_key *pk, PKT_signature *sig,
48 gcry_md_hd_t digest,
49 int *r_expired, int *r_revoked, PKT_public_key *ret_pk);
50
51 /****************
52 * Check the signature which is contained in SIG.
53 * The MD_HANDLE should be currently open, so that this function
54 * is able to append some data, before finalizing the digest.
55 */
56 int
57 signature_check (PKT_signature *sig, gcry_md_hd_t digest)
58 {
59 return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
60 }
61
62 int
63 signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
64 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
65 {
66 PKT_public_key *pk = xmalloc_clear( sizeof *pk );
67 int rc=0;
68
69 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
70 ; /* We don't have this digest. */
71 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
72 ; /* We don't have this pubkey algo. */
73 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
74 {
75 /* Sanity check that the md has a context for the hash that the
76 sig is expecting. This can happen if a onepass sig header does
77 not match the actual sig, and also if the clearsign "Hash:"
78 header is missing or does not match the actual sig. */
79
80 log_info(_("WARNING: signature digest conflict in message\n"));
81 rc=G10ERR_GENERAL;
82 }
83 else if( get_pubkey( pk, sig->keyid ) )
84 rc = G10ERR_NO_PUBKEY;
85 else if(!pk->is_valid && !pk->is_primary)
86 rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
87 invalid subkey */
88 else
89 {
90 if(r_expiredate)
91 *r_expiredate = pk->expiredate;
92
93 rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
94
95 /* Check the backsig. This is a 0x19 signature from the
96 subkey on the primary key. The idea here is that it should
97 not be possible for someone to "steal" subkeys and claim
98 them as their own. The attacker couldn't actually use the
99 subkey, but they could try and claim ownership of any
100 signaures issued by it. */
101 if(rc==0 && !pk->is_primary && pk->backsig<2)
102 {
103 if(pk->backsig==0)
104 {
105 log_info(_("WARNING: signing subkey %s is not"
106 " cross-certified\n"),keystr_from_pk(pk));
107 log_info(_("please see %s for more information\n"),
108 "http://www.gnupg.org/faq/subkey-cross-certify.html");
109 /* --require-cross-certification makes this warning an
110 error. TODO: change the default to require this
111 after more keys have backsigs. */
112 if(opt.flags.require_cross_cert)
113 rc=G10ERR_GENERAL;
114 }
115 else if(pk->backsig==1)
116 {
117 log_info(_("WARNING: signing subkey %s has an invalid"
118 " cross-certification\n"),keystr_from_pk(pk));
119 rc=G10ERR_GENERAL;
120 }
121 }
122 }
123
124 free_public_key( pk );
125
126 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
127 /* This signature id works best with DLP algorithms because
128 * they use a random parameter for every signature. Instead of
129 * this sig-id we could have also used the hash of the document
130 * and the timestamp, but the drawback of this is, that it is
131 * not possible to sign more than one identical document within
132 * one second. Some remote batch processing applications might
133 * like this feature here.
134 *
135 * Note that before 2.0.10, we used RIPE-MD160 for the hash
136 * and accidently didn't include the timestamp and algorithm
137 * information in the hash. Given that this feature is not
138 * commonly used and that a replay attacks detection should
139 * not solely be based on this feature (because it does not
140 * work with RSA), we take the freedom and switch to SHA-1
141 * with 2.0.10 to take advantage of hardware supported SHA-1
142 * implementations. We also include the missing information
143 * in the hash. Note also the SIG_ID as computed by gpg 1.x
144 * and gpg 2.x didn't matched either because 2.x used to print
145 * MPIs not in PGP format. */
146 u32 a = sig->timestamp;
147 int nsig = pubkey_get_nsig( sig->pubkey_algo );
148 unsigned char *p, *buffer;
149 size_t n, nbytes;
150 int i;
151 char hashbuf[20];
152
153 nbytes = 6;
154 for (i=0; i < nsig; i++ )
155 {
156 if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i]))
157 BUG();
158 nbytes += n;
159 }
160
161 /* Make buffer large enough to be later used as output buffer. */
162 if (nbytes < 100)
163 nbytes = 100;
164 nbytes += 10; /* Safety margin. */
165
166 /* Fill and hash buffer. */
167 buffer = p = xmalloc (nbytes);
168 *p++ = sig->pubkey_algo;
169 *p++ = sig->digest_algo;
170 *p++ = (a >> 24) & 0xff;
171 *p++ = (a >> 16) & 0xff;
172 *p++ = (a >> 8) & 0xff;
173 *p++ = a & 0xff;
174 nbytes -= 6;
175 for (i=0; i < nsig; i++ )
176 {
177 if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i]))
178 BUG();
179 p += n;
180 nbytes -= n;
181 }
182 gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer);
183
184 p = make_radix64_string (hashbuf, 20);
185 sprintf (buffer, "%s %s %lu",
186 p, strtimestamp (sig->timestamp), (ulong)sig->timestamp);
187 xfree (p);
188 write_status_text (STATUS_SIG_ID, buffer);
189 xfree (buffer);
190 }
191
192 return rc;
193 }
194
195
196 static int
197 do_check_messages( PKT_public_key *pk, PKT_signature *sig,
198 int *r_expired, int *r_revoked )
199 {
200 u32 cur_time;
201
202 if(r_expired)
203 *r_expired = 0;
204 if(r_revoked)
205 *r_revoked = 0;
206
207 if( pk->timestamp > sig->timestamp )
208 {
209 ulong d = pk->timestamp - sig->timestamp;
210 log_info(d==1
211 ?_("public key %s is %lu second newer than the signature\n")
212 :_("public key %s is %lu seconds newer than the signature\n"),
213 keystr_from_pk(pk),d );
214 if( !opt.ignore_time_conflict )
215 return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
216 }
217
218 cur_time = make_timestamp();
219 if( pk->timestamp > cur_time )
220 {
221 ulong d = pk->timestamp - cur_time;
222 log_info( d==1
223 ? _("key %s was created %lu second"
224 " in the future (time warp or clock problem)\n")
225 : _("key %s was created %lu seconds"
226 " in the future (time warp or clock problem)\n"),
227 keystr_from_pk(pk),d );
228 if( !opt.ignore_time_conflict )
229 return G10ERR_TIME_CONFLICT;
230 }
231
232 if( pk->expiredate && pk->expiredate < cur_time ) {
233 char buf[11];
234 if (opt.verbose)
235 log_info(_("NOTE: signature key %s expired %s\n"),
236 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
237 /* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
238 sprintf(buf,"%lu",(ulong)pk->expiredate);
239 write_status_text(STATUS_KEYEXPIRED,buf);
240 write_status(STATUS_SIGEXPIRED);
241 if(r_expired)
242 *r_expired = 1;
243 }
244
245 if (pk->is_revoked)
246 {
247 if (opt.verbose)
248 log_info (_("NOTE: signature key %s has been revoked\n"),
249 keystr_from_pk(pk));
250 if (r_revoked)
251 *r_revoked=1;
252 }
253
254 return 0;
255 }
256
257
258 static int
259 do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
260 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
261 {
262 gcry_mpi_t result = NULL;
263 int rc = 0;
264 struct cmp_help_context_s ctx;
265
266 if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
267 return rc;
268
269 /* Make sure the digest algo is enabled (in case of a detached
270 signature). */
271 gcry_md_enable (digest, sig->digest_algo);
272
273 /* Complete the digest. */
274 if( sig->version >= 4 )
275 gcry_md_putc( digest, sig->version );
276 gcry_md_putc( digest, sig->sig_class );
277 if( sig->version < 4 ) {
278 u32 a = sig->timestamp;
279 gcry_md_putc( digest, (a >> 24) & 0xff );
280 gcry_md_putc( digest, (a >> 16) & 0xff );
281 gcry_md_putc( digest, (a >> 8) & 0xff );
282 gcry_md_putc( digest, a & 0xff );
283 }
284 else {
285 byte buf[6];
286 size_t n;
287 gcry_md_putc( digest, sig->pubkey_algo );
288 gcry_md_putc( digest, sig->digest_algo );
289 if( sig->hashed ) {
290 n = sig->hashed->len;
291 gcry_md_putc (digest, (n >> 8) );
292 gcry_md_putc (digest, n );
293 gcry_md_write (digest, sig->hashed->data, n);
294 n += 6;
295 }
296 else {
297 /* Two octets for the (empty) length of the hashed
298 section. */
299 gcry_md_putc (digest, 0);
300 gcry_md_putc (digest, 0);
301 n = 6;
302 }
303 /* add some magic */
304 buf[0] = sig->version;
305 buf[1] = 0xff;
306 buf[2] = n >> 24;
307 buf[3] = n >> 16;
308 buf[4] = n >> 8;
309 buf[5] = n;
310 gcry_md_write( digest, buf, 6 );
311 }
312 gcry_md_final( digest );
313
314 result = encode_md_value( pk, NULL, digest, sig->digest_algo );
315 if (!result)
316 return G10ERR_GENERAL;
317 ctx.sig = sig;
318 ctx.md = digest;
319 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
320 gcry_mpi_release (result);
321
322 if( !rc && sig->flags.unknown_critical )
323 {
324 log_info(_("assuming bad signature from key %s"
325 " due to an unknown critical bit\n"),keystr_from_pk(pk));
326 rc = G10ERR_BAD_SIGN;
327 }
328
329 if(!rc && ret_pk)
330 copy_public_key(ret_pk,pk);
331
332 return rc;
333 }
334
335
336
337 static void
338 hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
339 {
340 PKT_user_id *uid = unode->pkt->pkt.user_id;
341
342 assert( unode->pkt->pkttype == PKT_USER_ID );
343 if( uid->attrib_data ) {
344 if( sig->version >=4 ) {
345 byte buf[5];
346 buf[0] = 0xd1; /* packet of type 17 */
347 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
348 buf[2] = uid->attrib_len >> 16;
349 buf[3] = uid->attrib_len >> 8;
350 buf[4] = uid->attrib_len;
351 gcry_md_write( md, buf, 5 );
352 }
353 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
354 }
355 else {
356 if( sig->version >=4 ) {
357 byte buf[5];
358 buf[0] = 0xb4; /* indicates a userid packet */
359 buf[1] = uid->len >> 24; /* always use 4 length bytes */
360 buf[2] = uid->len >> 16;
361 buf[3] = uid->len >> 8;
362 buf[4] = uid->len;
363 gcry_md_write( md, buf, 5 );
364 }
365 gcry_md_write( md, uid->name, uid->len );
366 }
367 }
368
369 static void
370 cache_sig_result ( PKT_signature *sig, int result )
371 {
372 if ( !result ) {
373 sig->flags.checked = 1;
374 sig->flags.valid = 1;
375 }
376 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
377 sig->flags.checked = 1;
378 sig->flags.valid = 0;
379 }
380 else {
381 sig->flags.checked = 0;
382 sig->flags.valid = 0;
383 }
384 }
385
386 /* Check the revocation keys to see if any of them have revoked our
387 pk. sig is the revocation sig. pk is the key it is on. This code
388 will need to be modified if gpg ever becomes multi-threaded. Note
389 that this guarantees that a designated revocation sig will never be
390 considered valid unless it is actually valid, as well as being
391 issued by a revocation key in a valid direct signature. Note also
392 that this is written so that a revoked revoker can still issue
393 revocations: i.e. If A revokes B, but A is revoked, B is still
394 revoked. I'm not completely convinced this is the proper behavior,
395 but it matches how PGP does it. -dms */
396
397 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
398 revoked. It is important that G10ERR_NO_PUBKEY is only returned
399 when a revocation signature is from a valid revocation key
400 designated in a revkey subpacket, but the revocation key itself
401 isn't present. */
402 int
403 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
404 {
405 static int busy=0;
406 int i,rc=G10ERR_GENERAL;
407
408 assert(IS_KEY_REV(sig));
409 assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
410
411 if(busy)
412 {
413 /* return an error (i.e. not revoked), but mark the pk as
414 uncacheable as we don't really know its revocation status
415 until it is checked directly. */
416
417 pk->dont_cache=1;
418 return rc;
419 }
420
421 busy=1;
422
423 /* printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
424 (ulong)sig->keyid[1]); */
425
426 /* is the issuer of the sig one of our revokers? */
427 if( !pk->revkey && pk->numrevkeys )
428 BUG();
429 else
430 for(i=0;i<pk->numrevkeys;i++)
431 {
432 u32 keyid[2];
433
434 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
435
436 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
437 {
438 gcry_md_hd_t md;
439
440 if (gcry_md_open (&md, sig->digest_algo, 0))
441 BUG ();
442 hash_public_key(md,pk);
443 rc=signature_check(sig,md);
444 cache_sig_result(sig,rc);
445 gcry_md_close (md);
446 break;
447 }
448 }
449
450 busy=0;
451
452 return rc;
453 }
454
455 /* Backsigs (0x19) have the same format as binding sigs (0x18), but
456 this function is simpler than check_key_signature in a few ways.
457 For example, there is no support for expiring backsigs since it is
458 questionable what such a thing actually means. Note also that the
459 sig cache check here, unlike other sig caches in GnuPG, is not
460 persistent. */
461 int
462 check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
463 PKT_signature *backsig)
464 {
465 gcry_md_hd_t md;
466 int rc;
467
468 /* Always check whether the algorithm is available. Although
469 gcry_md_open woyuld throw an error, some libgcrypt versions will
470 print a debug message in that case too. */
471 if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
472 return rc;
473
474 if(!opt.no_sig_cache && backsig->flags.checked)
475 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
476
477 rc = gcry_md_open (&md, backsig->digest_algo,0);
478 if (!rc)
479 {
480 hash_public_key(md,main_pk);
481 hash_public_key(md,sub_pk);
482 rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
483 cache_sig_result(backsig,rc);
484 gcry_md_close(md);
485 }
486
487 return rc;
488 }
489
490
491 /****************
492 * check the signature pointed to by NODE. This is a key signature.
493 * If the function detects a self-signature, it uses the PK from
494 * ROOT and does not read any public key.
495 */
496 int
497 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
498 {
499 return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
500 }
501
502 /* If check_pk is set, then use it to check the signature in node
503 rather than getting it from root or the keydb. If ret_pk is set,
504 fill in the public key that was used to verify the signature.
505 ret_pk is only meaningful when the verification was successful. */
506 /* TODO: add r_revoked here as well. It has the same problems as
507 r_expiredate and r_expired and the cache. */
508 int
509 check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
510 PKT_public_key *ret_pk, int *is_selfsig,
511 u32 *r_expiredate, int *r_expired )
512 {
513 gcry_md_hd_t md;
514 PKT_public_key *pk;
515 PKT_signature *sig;
516 int algo;
517 int rc;
518
519 if( is_selfsig )
520 *is_selfsig = 0;
521 if( r_expiredate )
522 *r_expiredate = 0;
523 if( r_expired )
524 *r_expired = 0;
525 assert( node->pkt->pkttype == PKT_SIGNATURE );
526 assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
527
528 pk = root->pkt->pkt.public_key;
529 sig = node->pkt->pkt.signature;
530 algo = sig->digest_algo;
531
532 /* Check whether we have cached the result of a previous signature
533 check. Note that we may no longer have the pubkey or hash
534 needed to verify a sig, but can still use the cached value. A
535 cache refresh detects and clears these cases. */
536 if ( !opt.no_sig_cache ) {
537 if (sig->flags.checked) { /*cached status available*/
538 if( is_selfsig ) {
539 u32 keyid[2];
540
541 keyid_from_pk( pk, keyid );
542 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
543 *is_selfsig = 1;
544 }
545 /* BUG: This is wrong for non-self-sigs.. needs to be the
546 actual pk */
547 if((rc=do_check_messages(pk,sig,r_expired,NULL)))
548 return rc;
549 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
550 }
551 }
552
553 if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
554 return rc;
555 if( (rc=openpgp_md_test_algo(algo)) )
556 return rc;
557
558 if( sig->sig_class == 0x20 ) { /* key revocation */
559 u32 keyid[2];
560 keyid_from_pk( pk, keyid );
561
562 /* is it a designated revoker? */
563 if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
564 rc=check_revocation_keys(pk,sig);
565 else
566 {
567 if (gcry_md_open (&md, algo, 0 ))
568 BUG ();
569 hash_public_key( md, pk );
570 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
571 cache_sig_result ( sig, rc );
572 gcry_md_close(md);
573 }
574 }
575 else if( sig->sig_class == 0x28 ) { /* subkey revocation */
576 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
577
578 if( snode ) {
579 if (gcry_md_open (&md, algo, 0))
580 BUG ();
581 hash_public_key( md, pk );
582 hash_public_key( md, snode->pkt->pkt.public_key );
583 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
584 cache_sig_result ( sig, rc );
585 gcry_md_close(md);
586 }
587 else
588 {
589 if (opt.verbose)
590 log_info (_("key %s: no subkey for subkey"
591 " revocation signature\n"),keystr_from_pk(pk));
592 rc = G10ERR_SIG_CLASS;
593 }
594 }
595 else if( sig->sig_class == 0x18 ) { /* key binding */
596 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
597
598 if( snode ) {
599 if( is_selfsig ) { /* does this make sense????? */
600 u32 keyid[2]; /* it should always be a selfsig */
601
602 keyid_from_pk( pk, keyid );
603 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
604 *is_selfsig = 1;
605 }
606 if (gcry_md_open (&md, algo, 0))
607 BUG ();
608 hash_public_key( md, pk );
609 hash_public_key( md, snode->pkt->pkt.public_key );
610 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
611 cache_sig_result ( sig, rc );
612 gcry_md_close(md);
613 }
614 else
615 {
616 if (opt.verbose)
617 log_info(_("key %s: no subkey for subkey"
618 " binding signature\n"),keystr_from_pk(pk));
619 rc = G10ERR_SIG_CLASS;
620 }
621 }
622 else if( sig->sig_class == 0x1f ) { /* direct key signature */
623 if (gcry_md_open (&md, algo, 0 ))
624 BUG ();
625 hash_public_key( md, pk );
626 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
627 cache_sig_result ( sig, rc );
628 gcry_md_close(md);
629 }
630 else { /* all other classes */
631 KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
632
633 if( unode ) {
634 u32 keyid[2];
635
636 keyid_from_pk( pk, keyid );
637 if (gcry_md_open (&md, algo, 0 ))
638 BUG ();
639 hash_public_key( md, pk );
640 hash_uid_node( unode, md, sig );
641 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
642 {
643 if( is_selfsig )
644 *is_selfsig = 1;
645 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
646 }
647 else if (check_pk)
648 rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
649 else
650 rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
651
652 cache_sig_result ( sig, rc );
653 gcry_md_close(md);
654 }
655 else
656 {
657 if (!opt.quiet)
658 log_info ("key %s: no user ID for key signature packet"
659 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
660 rc = G10ERR_SIG_CLASS;
661 }
662 }
663
664 return rc;
665 }
gnupg svn clone