search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
typo fixes.
[gnupg.git] / g10 / sig-check.c
blob995821c5e769c4c8bf085cf3739f93e36e5c5a6c
1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26
27 #include "gpg.h"
28 #include "util.h"
29 #include "packet.h"
30 #include "keydb.h"
31 #include "cipher.h"
32 #include "main.h"
33 #include "status.h"
34 #include "i18n.h"
35 #include "options.h"
36 #include "pkglue.h"
37
38 /* Context used by the compare function. */
39 struct cmp_help_context_s
40 {
41 PKT_signature *sig;
42 gcry_md_hd_t md;
43 };
44
45
46
47 static int do_check( PKT_public_key *pk, PKT_signature *sig,
48 gcry_md_hd_t digest,
49 int *r_expired, int *r_revoked, PKT_public_key *ret_pk);
50
51 /****************
52 * Check the signature which is contained in SIG.
53 * The MD_HANDLE should be currently open, so that this function
54 * is able to append some data, before finalizing the digest.
55 */
56 int
57 signature_check (PKT_signature *sig, gcry_md_hd_t digest)
58 {
59 return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
60 }
61
62 int
63 signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
64 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
65 {
66 PKT_public_key *pk = xmalloc_clear( sizeof *pk );
67 int rc=0;
68
69 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
70 ; /* We don't have this digest. */
71 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
72 ; /* We don't have this pubkey algo. */
73 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
74 {
75 /* Sanity check that the md has a context for the hash that the
76 sig is expecting. This can happen if a onepass sig header does
77 not match the actual sig, and also if the clearsign "Hash:"
78 header is missing or does not match the actual sig. */
79
80 log_info(_("WARNING: signature digest conflict in message\n"));
81 rc=G10ERR_GENERAL;
82 }
83 else if( get_pubkey( pk, sig->keyid ) )
84 rc = G10ERR_NO_PUBKEY;
85 else if(!pk->is_valid && !pk->is_primary)
86 rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
87 invalid subkey */
88 else
89 {
90 if(r_expiredate)
91 *r_expiredate = pk->expiredate;
92
93 rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
94
95 /* Check the backsig. This is a 0x19 signature from the
96 subkey on the primary key. The idea here is that it should
97 not be possible for someone to "steal" subkeys and claim
98 them as their own. The attacker couldn't actually use the
99 subkey, but they could try and claim ownership of any
100 signaures issued by it. */
101 if(rc==0 && !pk->is_primary && pk->backsig<2)
102 {
103 if(pk->backsig==0)
104 {
105 log_info(_("WARNING: signing subkey %s is not"
106 " cross-certified\n"),keystr_from_pk(pk));
107 log_info(_("please see %s for more information\n"),
108 "http://www.gnupg.org/faq/subkey-cross-certify.html");
109 /* --require-cross-certification makes this warning an
110 error. TODO: change the default to require this
111 after more keys have backsigs. */
112 if(opt.flags.require_cross_cert)
113 rc=G10ERR_GENERAL;
114 }
115 else if(pk->backsig==1)
116 {
117 log_info(_("WARNING: signing subkey %s has an invalid"
118 " cross-certification\n"),keystr_from_pk(pk));
119 rc=G10ERR_GENERAL;
120 }
121 }
122 }
123
124 free_public_key( pk );
125
126 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
127 /* This signature id works best with DLP algorithms because
128 * they use a random parameter for every signature. Instead of
129 * this sig-id we could have also used the hash of the document
130 * and the timestamp, but the drawback of this is, that it is
131 * not possible to sign more than one identical document within
132 * one second. Some remote batch processing applications might
133 * like this feature here */
134 gcry_md_hd_t md;
135
136 u32 a = sig->timestamp;
137 int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
138 byte *p, *buffer;
139
140 if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
141 BUG ();
142
143 /* FIXME: Why the hell are we updating DIGEST here??? */
144 gcry_md_putc( digest, sig->pubkey_algo );
145 gcry_md_putc( digest, sig->digest_algo );
146 gcry_md_putc( digest, (a >> 24) & 0xff );
147 gcry_md_putc( digest, (a >> 16) & 0xff );
148 gcry_md_putc( digest, (a >> 8) & 0xff );
149 gcry_md_putc( digest, a & 0xff );
150 for(i=0; i < nsig; i++ ) {
151 size_t n;
152 unsigned char *tmp;
153
154 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
155 BUG();
156 gcry_md_write (md, tmp, n);
157 xfree (tmp);
158 }
159 gcry_md_final (md);
160 p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
161 buffer = xmalloc( strlen(p) + 60 );
162 sprintf( buffer, "%s %s %lu",
163 p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
164 write_status_text( STATUS_SIG_ID, buffer );
165 xfree(buffer);
166 xfree(p);
167 gcry_md_close(md);
168 }
169
170 return rc;
171 }
172
173
174 static int
175 do_check_messages( PKT_public_key *pk, PKT_signature *sig,
176 int *r_expired, int *r_revoked )
177 {
178 u32 cur_time;
179
180 if(r_expired)
181 *r_expired = 0;
182 if(r_revoked)
183 *r_revoked = 0;
184
185 if( pk->timestamp > sig->timestamp )
186 {
187 ulong d = pk->timestamp - sig->timestamp;
188 log_info(d==1
189 ?_("public key %s is %lu second newer than the signature\n")
190 :_("public key %s is %lu seconds newer than the signature\n"),
191 keystr_from_pk(pk),d );
192 if( !opt.ignore_time_conflict )
193 return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
194 }
195
196 cur_time = make_timestamp();
197 if( pk->timestamp > cur_time )
198 {
199 ulong d = pk->timestamp - cur_time;
200 log_info( d==1
201 ? _("key %s was created %lu second"
202 " in the future (time warp or clock problem)\n")
203 : _("key %s was created %lu seconds"
204 " in the future (time warp or clock problem)\n"),
205 keystr_from_pk(pk),d );
206 if( !opt.ignore_time_conflict )
207 return G10ERR_TIME_CONFLICT;
208 }
209
210 if( pk->expiredate && pk->expiredate < cur_time ) {
211 char buf[11];
212 if (opt.verbose)
213 log_info(_("NOTE: signature key %s expired %s\n"),
214 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
215 /* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
216 sprintf(buf,"%lu",(ulong)pk->expiredate);
217 write_status_text(STATUS_KEYEXPIRED,buf);
218 write_status(STATUS_SIGEXPIRED);
219 if(r_expired)
220 *r_expired = 1;
221 }
222
223 if (pk->is_revoked)
224 {
225 if (opt.verbose)
226 log_info (_("NOTE: signature key %s has been revoked\n"),
227 keystr_from_pk(pk));
228 if (r_revoked)
229 *r_revoked=1;
230 }
231
232 return 0;
233 }
234
235
236 static int
237 do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
238 int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
239 {
240 gcry_mpi_t result = NULL;
241 int rc = 0;
242 struct cmp_help_context_s ctx;
243
244 if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
245 return rc;
246
247 /* Make sure the digest algo is enabled (in case of a detached
248 signature). */
249 gcry_md_enable (digest, sig->digest_algo);
250
251 /* Complete the digest. */
252 if( sig->version >= 4 )
253 gcry_md_putc( digest, sig->version );
254 gcry_md_putc( digest, sig->sig_class );
255 if( sig->version < 4 ) {
256 u32 a = sig->timestamp;
257 gcry_md_putc( digest, (a >> 24) & 0xff );
258 gcry_md_putc( digest, (a >> 16) & 0xff );
259 gcry_md_putc( digest, (a >> 8) & 0xff );
260 gcry_md_putc( digest, a & 0xff );
261 }
262 else {
263 byte buf[6];
264 size_t n;
265 gcry_md_putc( digest, sig->pubkey_algo );
266 gcry_md_putc( digest, sig->digest_algo );
267 if( sig->hashed ) {
268 n = sig->hashed->len;
269 gcry_md_putc (digest, (n >> 8) );
270 gcry_md_putc (digest, n );
271 gcry_md_write (digest, sig->hashed->data, n);
272 n += 6;
273 }
274 else {
275 /* Two octets for the (empty) length of the hashed
276 section. */
277 gcry_md_putc (digest, 0);
278 gcry_md_putc (digest, 0);
279 n = 6;
280 }
281 /* add some magic */
282 buf[0] = sig->version;
283 buf[1] = 0xff;
284 buf[2] = n >> 24;
285 buf[3] = n >> 16;
286 buf[4] = n >> 8;
287 buf[5] = n;
288 gcry_md_write( digest, buf, 6 );
289 }
290 gcry_md_final( digest );
291
292 result = encode_md_value( pk, NULL, digest, sig->digest_algo );
293 if (!result)
294 return G10ERR_GENERAL;
295 ctx.sig = sig;
296 ctx.md = digest;
297 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
298 gcry_mpi_release (result);
299
300 if( !rc && sig->flags.unknown_critical )
301 {
302 log_info(_("assuming bad signature from key %s"
303 " due to an unknown critical bit\n"),keystr_from_pk(pk));
304 rc = G10ERR_BAD_SIGN;
305 }
306
307 if(!rc && ret_pk)
308 copy_public_key(ret_pk,pk);
309
310 return rc;
311 }
312
313
314
315 static void
316 hash_uid_node( KBNODE unode, gcry_md_hd_t md, PKT_signature *sig )
317 {
318 PKT_user_id *uid = unode->pkt->pkt.user_id;
319
320 assert( unode->pkt->pkttype == PKT_USER_ID );
321 if( uid->attrib_data ) {
322 if( sig->version >=4 ) {
323 byte buf[5];
324 buf[0] = 0xd1; /* packet of type 17 */
325 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
326 buf[2] = uid->attrib_len >> 16;
327 buf[3] = uid->attrib_len >> 8;
328 buf[4] = uid->attrib_len;
329 gcry_md_write( md, buf, 5 );
330 }
331 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
332 }
333 else {
334 if( sig->version >=4 ) {
335 byte buf[5];
336 buf[0] = 0xb4; /* indicates a userid packet */
337 buf[1] = uid->len >> 24; /* always use 4 length bytes */
338 buf[2] = uid->len >> 16;
339 buf[3] = uid->len >> 8;
340 buf[4] = uid->len;
341 gcry_md_write( md, buf, 5 );
342 }
343 gcry_md_write( md, uid->name, uid->len );
344 }
345 }
346
347 static void
348 cache_sig_result ( PKT_signature *sig, int result )
349 {
350 if ( !result ) {
351 sig->flags.checked = 1;
352 sig->flags.valid = 1;
353 }
354 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
355 sig->flags.checked = 1;
356 sig->flags.valid = 0;
357 }
358 else {
359 sig->flags.checked = 0;
360 sig->flags.valid = 0;
361 }
362 }
363
364 /* Check the revocation keys to see if any of them have revoked our
365 pk. sig is the revocation sig. pk is the key it is on. This code
366 will need to be modified if gpg ever becomes multi-threaded. Note
367 that this guarantees that a designated revocation sig will never be
368 considered valid unless it is actually valid, as well as being
369 issued by a revocation key in a valid direct signature. Note also
370 that this is written so that a revoked revoker can still issue
371 revocations: i.e. If A revokes B, but A is revoked, B is still
372 revoked. I'm not completely convinced this is the proper behavior,
373 but it matches how PGP does it. -dms */
374
375 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
376 revoked. It is important that G10ERR_NO_PUBKEY is only returned
377 when a revocation signature is from a valid revocation key
378 designated in a revkey subpacket, but the revocation key itself
379 isn't present. */
380 int
381 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
382 {
383 static int busy=0;
384 int i,rc=G10ERR_GENERAL;
385
386 assert(IS_KEY_REV(sig));
387 assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
388
389 if(busy)
390 {
391 /* return an error (i.e. not revoked), but mark the pk as
392 uncacheable as we don't really know its revocation status
393 until it is checked directly. */
394
395 pk->dont_cache=1;
396 return rc;
397 }
398
399 busy=1;
400
401 /* printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
402 (ulong)sig->keyid[1]); */
403
404 /* is the issuer of the sig one of our revokers? */
405 if( !pk->revkey && pk->numrevkeys )
406 BUG();
407 else
408 for(i=0;i<pk->numrevkeys;i++)
409 {
410 u32 keyid[2];
411
412 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
413
414 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
415 {
416 gcry_md_hd_t md;
417
418 if (gcry_md_open (&md, sig->digest_algo, 0))
419 BUG ();
420 hash_public_key(md,pk);
421 rc=signature_check(sig,md);
422 cache_sig_result(sig,rc);
423 break;
424 }
425 }
426
427 busy=0;
428
429 return rc;
430 }
431
432 /* Backsigs (0x19) have the same format as binding sigs (0x18), but
433 this function is simpler than check_key_signature in a few ways.
434 For example, there is no support for expiring backsigs since it is
435 questionable what such a thing actually means. Note also that the
436 sig cache check here, unlike other sig caches in GnuPG, is not
437 persistent. */
438 int
439 check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
440 PKT_signature *backsig)
441 {
442 gcry_md_hd_t md;
443 int rc;
444
445 /* Always check whether the algorithm is available. Although
446 gcry_md_open woyuld throw an error, some libgcrypt versions will
447 print a debug message in that case too. */
448 if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
449 return rc;
450
451 if(!opt.no_sig_cache && backsig->flags.checked)
452 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
453
454 rc = gcry_md_open (&md, backsig->digest_algo,0);
455 if (!rc)
456 {
457 hash_public_key(md,main_pk);
458 hash_public_key(md,sub_pk);
459 rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
460 cache_sig_result(backsig,rc);
461 gcry_md_close(md);
462 }
463
464 return rc;
465 }
466
467
468 /****************
469 * check the signature pointed to by NODE. This is a key signature.
470 * If the function detects a self-signature, it uses the PK from
471 * ROOT and does not read any public key.
472 */
473 int
474 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
475 {
476 return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
477 }
478
479 /* If check_pk is set, then use it to check the signature in node
480 rather than getting it from root or the keydb. If ret_pk is set,
481 fill in the public key that was used to verify the signature.
482 ret_pk is only meaningful when the verification was successful. */
483 /* TODO: add r_revoked here as well. It has the same problems as
484 r_expiredate and r_expired and the cache. */
485 int
486 check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
487 PKT_public_key *ret_pk, int *is_selfsig,
488 u32 *r_expiredate, int *r_expired )
489 {
490 gcry_md_hd_t md;
491 PKT_public_key *pk;
492 PKT_signature *sig;
493 int algo;
494 int rc;
495
496 if( is_selfsig )
497 *is_selfsig = 0;
498 if( r_expiredate )
499 *r_expiredate = 0;
500 if( r_expired )
501 *r_expired = 0;
502 assert( node->pkt->pkttype == PKT_SIGNATURE );
503 assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
504
505 pk = root->pkt->pkt.public_key;
506 sig = node->pkt->pkt.signature;
507 algo = sig->digest_algo;
508
509 /* Check whether we have cached the result of a previous signature
510 check. Note that we may no longer have the pubkey or hash
511 needed to verify a sig, but can still use the cached value. A
512 cache refresh detects and clears these cases. */
513 if ( !opt.no_sig_cache ) {
514 if (sig->flags.checked) { /*cached status available*/
515 if( is_selfsig ) {
516 u32 keyid[2];
517
518 keyid_from_pk( pk, keyid );
519 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
520 *is_selfsig = 1;
521 }
522 /* BUG: This is wrong for non-self-sigs.. needs to be the
523 actual pk */
524 if((rc=do_check_messages(pk,sig,r_expired,NULL)))
525 return rc;
526 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
527 }
528 }
529
530 if( (rc=openpgp_pk_test_algo(sig->pubkey_algo)) )
531 return rc;
532 if( (rc=openpgp_md_test_algo(algo)) )
533 return rc;
534
535 if( sig->sig_class == 0x20 ) { /* key revocation */
536 u32 keyid[2];
537 keyid_from_pk( pk, keyid );
538
539 /* is it a designated revoker? */
540 if(keyid[0]!=sig->keyid[0] || keyid[1]!=sig->keyid[1])
541 rc=check_revocation_keys(pk,sig);
542 else
543 {
544 if (gcry_md_open (&md, algo, 0 ))
545 BUG ();
546 hash_public_key( md, pk );
547 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
548 cache_sig_result ( sig, rc );
549 gcry_md_close(md);
550 }
551 }
552 else if( sig->sig_class == 0x28 ) { /* subkey revocation */
553 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
554
555 if( snode ) {
556 if (gcry_md_open (&md, algo, 0))
557 BUG ();
558 hash_public_key( md, pk );
559 hash_public_key( md, snode->pkt->pkt.public_key );
560 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
561 cache_sig_result ( sig, rc );
562 gcry_md_close(md);
563 }
564 else
565 {
566 if (opt.verbose)
567 log_info (_("key %s: no subkey for subkey"
568 " revocation signature\n"),keystr_from_pk(pk));
569 rc = G10ERR_SIG_CLASS;
570 }
571 }
572 else if( sig->sig_class == 0x18 ) { /* key binding */
573 KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
574
575 if( snode ) {
576 if( is_selfsig ) { /* does this make sense????? */
577 u32 keyid[2]; /* it should always be a selfsig */
578
579 keyid_from_pk( pk, keyid );
580 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
581 *is_selfsig = 1;
582 }
583 if (gcry_md_open (&md, algo, 0))
584 BUG ();
585 hash_public_key( md, pk );
586 hash_public_key( md, snode->pkt->pkt.public_key );
587 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
588 cache_sig_result ( sig, rc );
589 gcry_md_close(md);
590 }
591 else
592 {
593 if (opt.verbose)
594 log_info(_("key %s: no subkey for subkey"
595 " binding signature\n"),keystr_from_pk(pk));
596 rc = G10ERR_SIG_CLASS;
597 }
598 }
599 else if( sig->sig_class == 0x1f ) { /* direct key signature */
600 if (gcry_md_open (&md, algo, 0 ))
601 BUG ();
602 hash_public_key( md, pk );
603 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
604 cache_sig_result ( sig, rc );
605 gcry_md_close(md);
606 }
607 else { /* all other classes */
608 KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
609
610 if( unode ) {
611 u32 keyid[2];
612
613 keyid_from_pk( pk, keyid );
614 if (gcry_md_open (&md, algo, 0 ))
615 BUG ();
616 hash_public_key( md, pk );
617 hash_uid_node( unode, md, sig );
618 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
619 {
620 if( is_selfsig )
621 *is_selfsig = 1;
622 rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
623 }
624 else if (check_pk)
625 rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
626 else
627 rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
628
629 cache_sig_result ( sig, rc );
630 gcry_md_close(md);
631 }
632 else
633 {
634 if (!opt.quiet)
635 log_info ("key %s: no user ID for key signature packet"
636 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
637 rc = G10ERR_SIG_CLASS;
638 }
639 }
640
641 return rc;
642 }
gnupg svn clone