diff options
Diffstat (limited to 'g10/sig-check.c')
-rw-r--r-- | g10/sig-check.c | 1229 |
1 files changed, 1229 insertions, 0 deletions
diff --git a/g10/sig-check.c b/g10/sig-check.c new file mode 100644 index 0000000..eeaf6f0 --- /dev/null +++ b/g10/sig-check.c @@ -0,0 +1,1229 @@ +/* sig-check.c - Check a signature + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, + * 2004, 2006 Free Software Foundation, Inc. + * Copyright (C) 2015, 2016 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +#include <config.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "gpg.h" +#include "../common/util.h" +#include "packet.h" +#include "keydb.h" +#include "main.h" +#include "../common/status.h" +#include "../common/i18n.h" +#include "options.h" +#include "pkglue.h" +#include "../common/compliance.h" + +static int check_signature_end (PKT_public_key *pk, PKT_signature *sig, + gcry_md_hd_t digest, + int *r_expired, int *r_revoked, + PKT_public_key *ret_pk); + +static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, + gcry_md_hd_t digest); + + +/* Statistics for signature verification. */ +struct +{ + unsigned int total; /* Total number of verifications. */ + unsigned int cached; /* Number of seen cache entries. */ + unsigned int goodsig;/* Number of good verifications from the cache. */ + unsigned int badsig; /* Number of bad verifications from the cache. */ +} cache_stats; + + +/* Dump verification stats. */ +void +sig_check_dump_stats (void) +{ + log_info ("sig_cache: total=%u cached=%u good=%u bad=%u\n", + cache_stats.total, cache_stats.cached, + cache_stats.goodsig, cache_stats.badsig); +} + + +static gpg_error_t +check_key_verify_compliance (PKT_public_key *pk) +{ + gpg_error_t err = 0; + + if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, + pk->pubkey_algo, 0, pk->pkey, + nbits_from_pk (pk), + NULL)) + { + /* Compliance failure. */ + log_info (_("key %s may not be used for signing in %s mode\n"), + keystr_from_pk (pk), + gnupg_compliance_option_string (opt.compliance)); + if (opt.flags.override_compliance_check) + log_info (_("continuing verification anyway due to option %s\n"), + "--override-compliance-failure"); + else + { + log_inc_errorcount (); /* We used log info above. */ + err = gpg_error (GPG_ERR_PUBKEY_ALGO); + } + } + + return err; +} + + + +/* Check a signature. This is shorthand for check_signature2 with + the unnamed arguments passed as NULL. */ +int +check_signature (ctrl_t ctrl, PKT_signature *sig, gcry_md_hd_t digest) +{ + return check_signature2 (ctrl, sig, digest, NULL, NULL, NULL, NULL, NULL); +} + + +/* Check a signature. + * + * Looks up the public key that created the signature (SIG->KEYID) + * from the key db. Makes sure that the signature is valid (it was + * not created prior to the key, the public key was created in the + * past, and the signature does not include any unsupported critical + * features), finishes computing the hash of the signature data, and + * checks that the signature verifies the digest. If the key that + * generated the signature is a subkey, this function also verifies + * that there is a valid backsig from the subkey to the primary key. + * Finally, if status fd is enabled and the signature class is 0x00 or + * 0x01, then a STATUS_SIG_ID is emitted on the status fd. + * + * SIG is the signature to check. + * + * DIGEST contains a valid hash context that already includes the + * signed data. This function adds the relevant meta-data from the + * signature packet to compute the final hash. (See Section 5.2 of + * RFC 4880: "The concatenation of the data being signed and the + * signature data from the version number through the hashed subpacket + * data (inclusive) is hashed.") + * + * If FORCED_PK is not NULL this public key is used to verify the + * signature and no other public key is looked up. + * + * If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's + * expiry. + * + * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired + * (0 otherwise). Note: PK being expired does not cause this function + * to fail. + * + * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been + * revoked (0 otherwise). Note: PK being revoked does not cause this + * function to fail. + * + * If R_PK is not NULL, the public key is stored at that address if it + * was found; other wise NULL is stored. + * + * Returns 0 on success. An error code otherwise. */ +gpg_error_t +check_signature2 (ctrl_t ctrl, + PKT_signature *sig, gcry_md_hd_t digest, + PKT_public_key *forced_pk, + u32 *r_expiredate, + int *r_expired, int *r_revoked, PKT_public_key **r_pk) +{ + int rc=0; + PKT_public_key *pk; + + if (r_expiredate) + *r_expiredate = 0; + if (r_expired) + *r_expired = 0; + if (r_revoked) + *r_revoked = 0; + if (r_pk) + *r_pk = NULL; + + pk = xtrycalloc (1, sizeof *pk); + if (!pk) + return gpg_error_from_syserror (); + + if ((rc=openpgp_md_test_algo(sig->digest_algo))) + { + /* We don't have this digest. */ + } + else if (!gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) + { + /* Compliance failure. */ + log_info (_("digest algorithm '%s' may not be used in %s mode\n"), + gcry_md_algo_name (sig->digest_algo), + gnupg_compliance_option_string (opt.compliance)); + rc = gpg_error (GPG_ERR_DIGEST_ALGO); + } + else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo))) + { + /* We don't have this pubkey algo. */ + } + else if (!gcry_md_is_enabled (digest,sig->digest_algo)) + { + /* Sanity check that the md has a context for the hash that the + * sig is expecting. This can happen if a onepass sig header + * does not match the actual sig, and also if the clearsign + * "Hash:" header is missing or does not match the actual sig. */ + log_info(_("WARNING: signature digest conflict in message\n")); + rc = gpg_error (GPG_ERR_GENERAL); + } + else if (get_pubkey_for_sig (ctrl, pk, sig, forced_pk)) + rc = gpg_error (GPG_ERR_NO_PUBKEY); + else if ((rc = check_key_verify_compliance (pk))) + ;/* Compliance failure. */ + else if (!pk->flags.valid) + { + /* You cannot have a good sig from an invalid key. */ + rc = gpg_error (GPG_ERR_BAD_PUBKEY); + } + else + { + if (r_expiredate) + *r_expiredate = pk->expiredate; + + rc = check_signature_end (pk, sig, digest, r_expired, r_revoked, NULL); + + /* Check the backsig. This is a back signature (0x19) from + * the subkey on the primary key. The idea here is that it + * should not be possible for someone to "steal" subkeys and + * claim them as their own. The attacker couldn't actually + * use the subkey, but they could try and claim ownership of + * any signatures issued by it. */ + if (!rc && !pk->flags.primary && pk->flags.backsig < 2) + { + if (!pk->flags.backsig) + { + log_info (_("WARNING: signing subkey %s is not" + " cross-certified\n"),keystr_from_pk(pk)); + log_info (_("please see %s for more information\n"), + "https://gnupg.org/faq/subkey-cross-certify.html"); + /* The default option --require-cross-certification + * makes this warning an error. */ + if (opt.flags.require_cross_cert) + rc = gpg_error (GPG_ERR_GENERAL); + } + else if(pk->flags.backsig == 1) + { + log_info (_("WARNING: signing subkey %s has an invalid" + " cross-certification\n"), keystr_from_pk(pk)); + rc = gpg_error (GPG_ERR_GENERAL); + } + } + + } + + if (!rc && sig->sig_class < 2 && is_status_enabled ()) + { + /* This signature id works best with DLP algorithms because + * they use a random parameter for every signature. Instead of + * this sig-id we could have also used the hash of the document + * and the timestamp, but the drawback of this is, that it is + * not possible to sign more than one identical document within + * one second. Some remote batch processing applications might + * like this feature here. + * + * Note that before 2.0.10, we used RIPE-MD160 for the hash + * and accidentally didn't include the timestamp and algorithm + * information in the hash. Given that this feature is not + * commonly used and that a replay attacks detection should + * not solely be based on this feature (because it does not + * work with RSA), we take the freedom and switch to SHA-1 + * with 2.0.10 to take advantage of hardware supported SHA-1 + * implementations. We also include the missing information + * in the hash. Note also the SIG_ID as computed by gpg 1.x + * and gpg 2.x didn't matched either because 2.x used to print + * MPIs not in PGP format. */ + u32 a = sig->timestamp; + int nsig = pubkey_get_nsig (sig->pubkey_algo); + unsigned char *p, *buffer; + size_t n, nbytes; + int i; + char hashbuf[20]; + + nbytes = 6; + for (i=0; i < nsig; i++ ) + { + if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i])) + BUG(); + nbytes += n; + } + + /* Make buffer large enough to be later used as output buffer. */ + if (nbytes < 100) + nbytes = 100; + nbytes += 10; /* Safety margin. */ + + /* Fill and hash buffer. */ + buffer = p = xmalloc (nbytes); + *p++ = sig->pubkey_algo; + *p++ = sig->digest_algo; + *p++ = (a >> 24) & 0xff; + *p++ = (a >> 16) & 0xff; + *p++ = (a >> 8) & 0xff; + *p++ = a & 0xff; + nbytes -= 6; + for (i=0; i < nsig; i++ ) + { + if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i])) + BUG(); + p += n; + nbytes -= n; + } + gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer); + + p = make_radix64_string (hashbuf, 20); + sprintf (buffer, "%s %s %lu", + p, strtimestamp (sig->timestamp), (ulong)sig->timestamp); + xfree (p); + write_status_text (STATUS_SIG_ID, buffer); + xfree (buffer); + } + + if (r_pk) + *r_pk = pk; + else + { + release_public_key_parts (pk); + xfree (pk); + } + + return rc; +} + + +/* The signature SIG was generated with the public key PK. Check + * whether the signature is valid in the following sense: + * + * - Make sure the public key was created before the signature was + * generated. + * + * - Make sure the public key was created in the past + * + * - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0 + * otherwise) + * + * - Check whether PK has been revoked (set *R_REVOKED to 1 if so + * and 0 otherwise). + * + * If either of the first two tests fail, returns an error code. + * Otherwise returns 0. (Thus, this function doesn't fail if the + * public key is expired or revoked.) */ +static int +check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig, + int *r_expired, int *r_revoked) +{ + u32 cur_time; + + if (r_expired) + *r_expired = 0; + if (r_revoked) + *r_revoked = 0; + + if (pk->timestamp > sig->timestamp ) + { + ulong d = pk->timestamp - sig->timestamp; + if ( d < 86400 ) + { + log_info (ngettext + ("public key %s is %lu second newer than the signature\n", + "public key %s is %lu seconds newer than the signature\n", + d), keystr_from_pk (pk), d); + } + else + { + d /= 86400; + log_info (ngettext + ("public key %s is %lu day newer than the signature\n", + "public key %s is %lu days newer than the signature\n", + d), keystr_from_pk (pk), d); + } + if (!opt.ignore_time_conflict) + return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */ + } + + cur_time = make_timestamp (); + if (pk->timestamp > cur_time) + { + ulong d = pk->timestamp - cur_time; + if (d < 86400) + { + log_info (ngettext("key %s was created %lu second" + " in the future (time warp or clock problem)\n", + "key %s was created %lu seconds" + " in the future (time warp or clock problem)\n", + d), keystr_from_pk (pk), d); + } + else + { + d /= 86400; + log_info (ngettext("key %s was created %lu day" + " in the future (time warp or clock problem)\n", + "key %s was created %lu days" + " in the future (time warp or clock problem)\n", + d), keystr_from_pk (pk), d); + } + if (!opt.ignore_time_conflict) + return GPG_ERR_TIME_CONFLICT; + } + + /* Check whether the key has expired. We check the has_expired + * flag which is set after a full evaluation of the key (getkey.c) + * as well as a simple compare to the current time in case the + * merge has for whatever reasons not been done. */ + if (pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) + { + char buf[11]; + if (opt.verbose) + log_info (_("Note: signature key %s expired %s\n"), + keystr_from_pk(pk), asctimestamp( pk->expiredate ) ); + snprintf (buf, sizeof buf, "%lu",(ulong)pk->expiredate); + write_status_text (STATUS_KEYEXPIRED, buf); + if (r_expired) + *r_expired = 1; + } + + if (pk->flags.revoked) + { + if (opt.verbose) + log_info (_("Note: signature key %s has been revoked\n"), + keystr_from_pk(pk)); + if (r_revoked) + *r_revoked=1; + } + + return 0; +} + + +/* Finish generating a signature and check it. Concretely: make sure + * that the signature is valid (it was not created prior to the key, + * the public key was created in the past, and the signature does not + * include any unsupported critical features), finish computing the + * digest by adding the relevant data from the signature packet, and + * check that the signature verifies the digest. + * + * DIGEST contains a hash context, which has already hashed the signed + * data. This function adds the relevant meta-data from the signature + * packet to compute the final hash. (See Section 5.2 of RFC 4880: + * "The concatenation of the data being signed and the signature data + * from the version number through the hashed subpacket data + * (inclusive) is hashed.") + * + * SIG is the signature to check. + * + * PK is the public key used to generate the signature. + * + * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired + * (0 otherwise). Note: PK being expired does not cause this function + * to fail. + * + * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been + * revoked (0 otherwise). Note: PK being revoked does not cause this + * function to fail. + * + * If RET_PK is not NULL, PK is copied into RET_PK on success. + * + * Returns 0 on success. An error code other. */ +static int +check_signature_end (PKT_public_key *pk, PKT_signature *sig, + gcry_md_hd_t digest, + int *r_expired, int *r_revoked, PKT_public_key *ret_pk) +{ + int rc = 0; + + if ((rc = check_signature_metadata_validity (pk, sig, + r_expired, r_revoked))) + return rc; + + if ((rc = check_signature_end_simple (pk, sig, digest))) + return rc; + + if (!rc && ret_pk) + copy_public_key(ret_pk,pk); + + return rc; +} + + +/* This function is similar to check_signature_end, but it only checks + * whether the signature was generated by PK. It does not check + * expiration, revocation, etc. */ +static int +check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, + gcry_md_hd_t digest) +{ + gcry_mpi_t result = NULL; + int rc = 0; + + if (!opt.flags.allow_weak_digest_algos) + { + if (is_weak_digest (sig->digest_algo)) + { + print_digest_rejected_note (sig->digest_algo); + return GPG_ERR_DIGEST_ALGO; + } + } + + /* For key signatures check that the key has a cert usage. We may + * do this only for subkeys because the primary may always issue key + * signature. The latter may not be reflected in the pubkey_usage + * field because we need to check the key signatures to extract the + * key usage. */ + if (!pk->flags.primary + && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT)) + { + rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); + if (!opt.quiet) + log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"), + keystr_from_pk (pk), gpg_strerror (rc), + sig->sig_class, pk->pubkey_usage); + return rc; + } + + /* For data signatures check that the key has sign usage. */ + if (!IS_BACK_SIG (sig) && IS_SIG (sig) + && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) + { + rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); + if (!opt.quiet) + log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), + keystr_from_pk (pk), gpg_strerror (rc), + sig->sig_class, pk->pubkey_usage); + return rc; + } + + /* Make sure the digest algo is enabled (in case of a detached + * signature). */ + gcry_md_enable (digest, sig->digest_algo); + + /* Complete the digest. */ + if (sig->version >= 4) + gcry_md_putc (digest, sig->version); + + gcry_md_putc( digest, sig->sig_class ); + if (sig->version < 4) + { + u32 a = sig->timestamp; + gcry_md_putc (digest, ((a >> 24) & 0xff)); + gcry_md_putc (digest, ((a >> 16) & 0xff)); + gcry_md_putc (digest, ((a >> 8) & 0xff)); + gcry_md_putc (digest, ( a & 0xff)); + } + else + { + byte buf[6]; + size_t n; + gcry_md_putc (digest, sig->pubkey_algo); + gcry_md_putc (digest, sig->digest_algo); + if (sig->hashed) + { + n = sig->hashed->len; + gcry_md_putc (digest, (n >> 8) ); + gcry_md_putc (digest, n ); + gcry_md_write (digest, sig->hashed->data, n); + n += 6; + } + else + { + /* Two octets for the (empty) length of the hashed + * section. */ + gcry_md_putc (digest, 0); + gcry_md_putc (digest, 0); + n = 6; + } + /* Add some magic per Section 5.2.4 of RFC 4880. */ + buf[0] = sig->version; + buf[1] = 0xff; + buf[2] = n >> 24; + buf[3] = n >> 16; + buf[4] = n >> 8; + buf[5] = n; + gcry_md_write( digest, buf, 6 ); + } + gcry_md_final( digest ); + + /* Convert the digest to an MPI. */ + result = encode_md_value (pk, digest, sig->digest_algo ); + if (!result) + return GPG_ERR_GENERAL; + + /* Verify the signature. */ + rc = pk_verify (pk->pubkey_algo, result, sig->data, pk->pkey); + gcry_mpi_release (result); + + if (!rc && sig->flags.unknown_critical) + { + log_info(_("assuming bad signature from key %s" + " due to an unknown critical bit\n"),keystr_from_pk(pk)); + rc = GPG_ERR_BAD_SIGNATURE; + } + + return rc; +} + + +/* Add a uid node to a hash context. See section 5.2.4, paragraph 4 + * of RFC 4880. */ +static void +hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig ) +{ + if (uid->attrib_data) + { + if (sig->version >=4) + { + byte buf[5]; + buf[0] = 0xd1; /* packet of type 17 */ + buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ + buf[2] = uid->attrib_len >> 16; + buf[3] = uid->attrib_len >> 8; + buf[4] = uid->attrib_len; + gcry_md_write( md, buf, 5 ); + } + gcry_md_write( md, uid->attrib_data, uid->attrib_len ); + } + else + { + if (sig->version >=4) + { + byte buf[5]; + buf[0] = 0xb4; /* indicates a userid packet */ + buf[1] = uid->len >> 24; /* always use 4 length bytes */ + buf[2] = uid->len >> 16; + buf[3] = uid->len >> 8; + buf[4] = uid->len; + gcry_md_write( md, buf, 5 ); + } + gcry_md_write( md, uid->name, uid->len ); + } +} + +static void +cache_sig_result ( PKT_signature *sig, int result ) +{ + if (!result) + { + sig->flags.checked = 1; + sig->flags.valid = 1; + } + else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE) + { + sig->flags.checked = 1; + sig->flags.valid = 0; + } + else + { + sig->flags.checked = 0; + sig->flags.valid = 0; + } +} + + +/* SIG is a key revocation signature. Check if this signature was + * generated by any of the public key PK's designated revokers. + * + * PK is the public key that SIG allegedly revokes. + * + * SIG is the revocation signature to check. + * + * This function avoids infinite recursion, which can happen if two + * keys are designed revokers for each other and they revoke each + * other. This is done by observing that if a key A is revoked by key + * B we still consider the revocation to be valid even if B is + * revoked. Thus, we don't need to determine whether B is revoked to + * determine whether A has been revoked by B, we just need to check + * the signature. + * + * Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not + * revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is + * only returned when a revocation signature is from a valid + * revocation key designated in a revkey subpacket, but the revocation + * key itself isn't present. + * + * XXX: This code will need to be modified if gpg ever becomes + * multi-threaded. Note that this guarantees that a designated + * revocation sig will never be considered valid unless it is actually + * valid, as well as being issued by a revocation key in a valid + * direct signature. Note also that this is written so that a revoked + * revoker can still issue revocations: i.e. If A revokes B, but A is + * revoked, B is still revoked. I'm not completely convinced this is + * the proper behavior, but it matches how PGP does it. -dms */ +int +check_revocation_keys (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig) +{ + static int busy=0; + int i; + int rc = GPG_ERR_GENERAL; + + log_assert (IS_KEY_REV(sig)); + log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1])); + + /* Avoid infinite recursion. Consider the following: + * + * - We want to check if A is revoked. + * + * - C is a designated revoker for B and has revoked B. + * + * - B is a designated revoker for A and has revoked A. + * + * When checking if A is revoked (in merge_selfsigs_main), we + * observe that A has a designed revoker. As such, we call this + * function. This function sees that there is a valid revocation + * signature, which is signed by B. It then calls check_signature() + * to verify that the signature is good. To check the sig, we need + * to lookup B. Looking up B means calling merge_selfsigs_main, + * which checks whether B is revoked, which calls this function to + * see if B was revoked by some key. + * + * In this case, the added level of indirection doesn't hurt. It + * just means a bit more work. However, if C == A, then we'd end up + * in a loop. But, it doesn't make sense to look up C anyways: even + * if B is revoked, we conservatively consider a valid revocation + * signed by B to revoke A. Since this is the only place where this + * type of recursion can occur, we simply cause this function to + * fail if it is entered recursively. */ + if (busy) + { + /* Return an error (i.e. not revoked), but mark the pk as + uncacheable as we don't really know its revocation status + until it is checked directly. */ + pk->flags.dont_cache = 1; + return rc; + } + + busy=1; + + /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1], + (ulong)sig->keyid[1]); */ + + /* is the issuer of the sig one of our revokers? */ + if( !pk->revkey && pk->numrevkeys ) + BUG(); + else + for(i=0;i<pk->numrevkeys;i++) + { + /* The revoker's keyid. */ + u32 keyid[2]; + + keyid_from_fingerprint (ctrl, pk->revkey[i].fpr, + MAX_FINGERPRINT_LEN, keyid); + + if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1]) + /* The signature was generated by a designated revoker. + Verify the signature. */ + { + gcry_md_hd_t md; + + if (gcry_md_open (&md, sig->digest_algo, 0)) + BUG (); + hash_public_key(md,pk); + /* Note: check_signature only checks that the signature + is good. It does not fail if the key is revoked. */ + rc = check_signature (ctrl, sig, md); + cache_sig_result(sig,rc); + gcry_md_close (md); + break; + } + } + + busy=0; + + return rc; +} + +/* Check that the backsig BACKSIG from the subkey SUB_PK to its + * primary key MAIN_PK is valid. + * + * Backsigs (0x19) have the same format as binding sigs (0x18), but + * this function is simpler than check_key_signature in a few ways. + * For example, there is no support for expiring backsigs since it is + * questionable what such a thing actually means. Note also that the + * sig cache check here, unlike other sig caches in GnuPG, is not + * persistent. */ +int +check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk, + PKT_signature *backsig) +{ + gcry_md_hd_t md; + int rc; + + /* Always check whether the algorithm is available. Although + gcry_md_open would throw an error, some libgcrypt versions will + print a debug message in that case too. */ + if ((rc=openpgp_md_test_algo (backsig->digest_algo))) + return rc; + + if(!opt.no_sig_cache && backsig->flags.checked) + return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE); + + rc = gcry_md_open (&md, backsig->digest_algo,0); + if (!rc) + { + hash_public_key(md,main_pk); + hash_public_key(md,sub_pk); + rc = check_signature_end (sub_pk, backsig, md, NULL, NULL, NULL); + cache_sig_result(backsig,rc); + gcry_md_close(md); + } + + return rc; +} + + +/* Check that a signature over a key is valid. This is a + * specialization of check_key_signature2 with the unnamed parameters + * passed as NULL. See the documentation for that function for more + * details. */ +int +check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node, + int *is_selfsig) +{ + return check_key_signature2 (ctrl, root, node, NULL, NULL, + is_selfsig, NULL, NULL); +} + + +/* Returns whether SIGNER generated the signature SIG over the packet + * PACKET, which is a key, subkey or uid, and comes from the key block + * KB. (KB is PACKET's corresponding keyblock; we don't assume that + * SIG has been added to the keyblock.) + * + * If SIGNER is set, then checks whether SIGNER generated the + * signature. Otherwise, uses SIG->KEYID to find the alleged signer. + * This parameter can be used to effectively override the alleged + * signer that is stored in SIG. + * + * KB may be NULL if SIGNER is set. + * + * Unlike check_key_signature, this function ignores any cached + * results! That is, it does not consider SIG->FLAGS.CHECKED and + * SIG->FLAGS.VALID nor does it set them. + * + * This doesn't check the signature's semantic mean. Concretely, it + * doesn't check whether a non-self signed revocation signature was + * created by a designated revoker. In fact, it doesn't return an + * error for a binding generated by a completely different key! + * + * Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if + * this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if + * the key that generated the signature (according to SIG) could not + * be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad. + * Other errors codes may be returned if something else goes wrong. + * + * IF IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a + * self-signature (by the key's primary key) or 0 if not. + * + * If RET_PK is not NULL, returns a copy of the public key that + * generated the signature (i.e., the signer) on success. This must + * be released by the caller using release_public_key_parts (). */ +gpg_error_t +check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, + PKT_signature *sig, KBNODE kb, PACKET *packet, + int *is_selfsig, PKT_public_key *ret_pk) +{ + int rc; + PKT_public_key *pripk = kb->pkt->pkt.public_key; + gcry_md_hd_t md; + int signer_alloced = 0; + int stub_is_selfsig; + + if (!is_selfsig) + is_selfsig = &stub_is_selfsig; + + rc = openpgp_pk_test_algo (sig->pubkey_algo); + if (rc) + return rc; + rc = openpgp_md_test_algo (sig->digest_algo); + if (rc) + return rc; + + /* A signature's class indicates the type of packet that it + signs. */ + if (IS_BACK_SIG (sig) || IS_KEY_SIG (sig) || IS_KEY_REV (sig)) + { + /* Key revocations can only be over primary keys. */ + if (packet->pkttype != PKT_PUBLIC_KEY) + return gpg_error (GPG_ERR_SIG_CLASS); + } + else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) + { + if (packet->pkttype != PKT_PUBLIC_SUBKEY) + return gpg_error (GPG_ERR_SIG_CLASS); + } + else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) + { + if (packet->pkttype != PKT_USER_ID) + return gpg_error (GPG_ERR_SIG_CLASS); + } + else + return gpg_error (GPG_ERR_SIG_CLASS); + + /* PACKET is the right type for SIG. */ + + if (signer) + { + if (signer->keyid[0] == pripk->keyid[0] + && signer->keyid[1] == pripk->keyid[1]) + *is_selfsig = 1; + else + *is_selfsig = 0; + } + else + { + /* Get the signer. If possible, avoid a look up. */ + if (sig->keyid[0] == pripk->keyid[0] + && sig->keyid[1] == pripk->keyid[1]) + { + /* Issued by the primary key. */ + signer = pripk; + *is_selfsig = 1; + } + else + { + /* See if one of the subkeys was the signer (although this + * is extremely unlikely). */ + kbnode_t ctx = NULL; + kbnode_t n; + + while ((n = walk_kbnode (kb, &ctx, 0))) + { + PKT_public_key *subk; + + if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY) + continue; + + subk = n->pkt->pkt.public_key; + if (sig->keyid[0] == subk->keyid[0] + && sig->keyid[1] == subk->keyid[1]) + { + /* Issued by a subkey. */ + signer = subk; + break; + } + } + + if (! signer) + { + /* Signer by some other key. */ + *is_selfsig = 0; + if (ret_pk) + { + signer = ret_pk; + /* FIXME: Using memset here is probematic because it + * assumes that there are no allocated fields in + * SIGNER. */ + memset (signer, 0, sizeof (*signer)); + signer_alloced = 1; + } + else + { + signer = xmalloc_clear (sizeof (*signer)); + signer_alloced = 2; + } + + if (IS_CERT (sig)) + signer->req_usage = PUBKEY_USAGE_CERT; + + rc = get_pubkey_for_sig (ctrl, signer, sig, NULL); + if (rc) + { + xfree (signer); + signer = NULL; + signer_alloced = 0; + goto leave; + } + } + } + } + + /* We checked above that we supported this algo, so an error here is + * a bug. */ + if (gcry_md_open (&md, sig->digest_algo, 0)) + BUG (); + + /* Hash the relevant data. */ + + if (IS_KEY_SIG (sig) || IS_KEY_REV (sig)) + { + log_assert (packet->pkttype == PKT_PUBLIC_KEY); + hash_public_key (md, packet->pkt.public_key); + rc = check_signature_end_simple (signer, sig, md); + } + else if (IS_BACK_SIG (sig)) + { + log_assert (packet->pkttype == PKT_PUBLIC_KEY); + hash_public_key (md, packet->pkt.public_key); + hash_public_key (md, signer); + rc = check_signature_end_simple (signer, sig, md); + } + else if (IS_SUBKEY_SIG (sig) || IS_SUBKEY_REV (sig)) + { + log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY); + hash_public_key (md, pripk); + hash_public_key (md, packet->pkt.public_key); + rc = check_signature_end_simple (signer, sig, md); + } + else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) + { + log_assert (packet->pkttype == PKT_USER_ID); + if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig + && sig->timestamp > 1547856000 + && !opt.flags.allow_weak_key_signatures) + { + /* If the signature was created using SHA-1 we consider this + * signature invalid because it makes it possible to mount a + * chosen-prefix collision. We don't do this for + * self-signatures or for signatures created before the + * somewhat arbitrary cut-off date 2019-01-19. */ + print_sha1_keysig_rejected_note (); + rc = gpg_error (GPG_ERR_DIGEST_ALGO); + } + else + { + hash_public_key (md, pripk); + hash_uid_packet (packet->pkt.user_id, md, sig); + rc = check_signature_end_simple (signer, sig, md); + } + } + else + { + /* We should never get here. (The first if above should have + * already caught this error.) */ + BUG (); + } + + gcry_md_close (md); + + leave: + if (! rc && ret_pk && ret_pk != signer) + copy_public_key (ret_pk, signer); + + if (signer_alloced) + { + /* We looked up SIGNER; it is not a pointer into KB. */ + release_public_key_parts (signer); + /* Free if we also allocated the memory. */ + if (signer_alloced == 2) + xfree (signer); + } + + return rc; +} + + +/* Check that a signature over a key (e.g., a key revocation, key + * binding, user id certification, etc.) is valid. If the function + * detects a self-signature, it uses the public key from the specified + * key block and does not bother looking up the key specified in the + * signature packet. + * + * ROOT is a keyblock. + * + * NODE references a signature packet that appears in the keyblock + * that should be verified. + * + * If CHECK_PK is set, the specified key is sometimes preferred for + * verifying signatures. See the implementation for details. + * + * If RET_PK is not NULL, the public key that successfully verified + * the signature is copied into *RET_PK. + * + * If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a + * self-signature. + * + * If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry + * date. + * + * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been + * expired (0 otherwise). Note: PK being revoked does not cause this + * function to fail. + * + * + * If OPT.NO_SIG_CACHE is not set, this function will first check if + * the result of a previous verification is already cached in the + * signature packet's data structure. + * + * TODO: add r_revoked here as well. It has the same problems as + * r_expiredate and r_expired and the cache. */ +int +check_key_signature2 (ctrl_t ctrl, + kbnode_t root, kbnode_t node, PKT_public_key *check_pk, + PKT_public_key *ret_pk, int *is_selfsig, + u32 *r_expiredate, int *r_expired ) +{ + PKT_public_key *pk; + PKT_signature *sig; + int algo; + int rc; + + if (is_selfsig) + *is_selfsig = 0; + if (r_expiredate) + *r_expiredate = 0; + if (r_expired) + *r_expired = 0; + log_assert (node->pkt->pkttype == PKT_SIGNATURE); + log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY); + + pk = root->pkt->pkt.public_key; + sig = node->pkt->pkt.signature; + algo = sig->digest_algo; + + /* Check whether we have cached the result of a previous signature + * check. Note that we may no longer have the pubkey or hash + * needed to verify a sig, but can still use the cached value. A + * cache refresh detects and clears these cases. */ + if ( !opt.no_sig_cache ) + { + cache_stats.total++; + if (sig->flags.checked) /* Cached status available. */ + { + cache_stats.cached++; + if (is_selfsig) + { + u32 keyid[2]; + + keyid_from_pk (pk, keyid); + if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) + *is_selfsig = 1; + } + /* BUG: This is wrong for non-self-sigs... needs to be the + * actual pk. */ + rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); + if (rc) + return rc; + if (sig->flags.valid) + { + cache_stats.goodsig++; + return 0; + } + cache_stats.badsig++; + return gpg_error (GPG_ERR_BAD_SIGNATURE); + } + } + + rc = openpgp_pk_test_algo(sig->pubkey_algo); + if (rc) + return rc; + rc = openpgp_md_test_algo(algo); + if (rc) + return rc; + + if (IS_KEY_REV (sig)) + { + u32 keyid[2]; + keyid_from_pk( pk, keyid ); + + /* Is it a designated revoker? */ + if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1]) + rc = check_revocation_keys (ctrl, pk, sig); + else + { + rc = check_signature_metadata_validity (pk, sig, + r_expired, NULL); + if (! rc) + rc = check_signature_over_key_or_uid (ctrl, pk, sig, + root, root->pkt, + is_selfsig, ret_pk); + } + } + else if (IS_SUBKEY_REV (sig) || IS_SUBKEY_SIG (sig)) + { + kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY); + + if (snode) + { + rc = check_signature_metadata_validity (pk, sig, + r_expired, NULL); + if (! rc) + { + /* A subkey revocation (0x28) must be a self-sig, but a + * subkey signature (0x18) needn't be. */ + rc = check_signature_over_key_or_uid (ctrl, + IS_SUBKEY_SIG (sig) + ? NULL : pk, + sig, root, snode->pkt, + is_selfsig, ret_pk); + } + } + else + { + if (opt.verbose) + { + if (IS_SUBKEY_REV (sig)) + log_info (_("key %s: no subkey for subkey" + " revocation signature\n"), keystr_from_pk(pk)); + else if (sig->sig_class == 0x18) + log_info(_("key %s: no subkey for subkey" + " binding signature\n"), keystr_from_pk(pk)); + } + rc = GPG_ERR_SIG_CLASS; + } + } + else if (IS_KEY_SIG (sig)) /* direct key signature */ + { + rc = check_signature_metadata_validity (pk, sig, + r_expired, NULL); + if (! rc) + rc = check_signature_over_key_or_uid (ctrl, pk, sig, root, root->pkt, + is_selfsig, ret_pk); + } + else if (IS_UID_SIG (sig) || IS_UID_REV (sig)) + { + kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID); + + if (unode) + { + rc = check_signature_metadata_validity (pk, sig, r_expired, NULL); + if (! rc) + { + /* If this is a self-sig, ignore check_pk. */ + rc = check_signature_over_key_or_uid + (ctrl, + keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk, + sig, root, unode->pkt, NULL, ret_pk); + } + } + else + { + if (!opt.quiet) + log_info ("key %s: no user ID for key signature packet" + " of class %02x\n",keystr_from_pk(pk),sig->sig_class); + rc = GPG_ERR_SIG_CLASS; + } + } + else + { + log_info ("sig issued by %s with class %d (digest: %02x %02x)" + " is not valid over a user id or a key id, ignoring.\n", + keystr (sig->keyid), sig->sig_class, + sig->digest_start[0], sig->digest_start[1]); + rc = gpg_error (GPG_ERR_BAD_SIGNATURE); + } + + cache_sig_result (sig, rc); + + return rc; +} |