2 * sigcheck.c - routines to check OpenPGP signatures
4 * Copyright 2012 Jonathan McDowell <noodles@earth.li>
6 * This program is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the Free
8 * Software Foundation; version 2 of the License.
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
15 * You should have received a copy of the GNU General Public License along with
16 * this program; if not, write to the Free Software Foundation, Inc., 51
17 * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 #include "decodekey.h"
25 #include "keystructs.h"
31 #include <nettle/md5.h>
32 #include <nettle/ripemd160.h>
33 #include <nettle/sha.h>
40 int check_packet_sighash(struct openpgp_publickey *key,
41 struct openpgp_packet *packet,
42 struct openpgp_packet *sig)
46 size_t siglen, unhashedlen;
47 struct sha1_ctx sha1_context;
48 struct sha1x_ctx sha1x_context;
49 struct md5_ctx md5_context;
50 #ifdef NETTLE_WITH_RIPEMD160
51 struct ripemd160_ctx ripemd160_context;
53 #ifdef NETTLE_WITH_SHA224
54 struct sha224_ctx sha224_context;
56 #ifdef NETTLE_WITH_SHA256
57 struct sha256_ctx sha256_context;
59 #ifdef NETTLE_WITH_SHA384
60 struct sha384_ctx sha384_context;
62 #ifdef NETTLE_WITH_SHA512
63 struct sha512_ctx sha512_context;
66 uint8_t packetheader[5];
75 keyheader[1] = key->publickey->length >> 8;
76 keyheader[2] = key->publickey->length & 0xFF;
77 hashdata[0] = keyheader;
79 hashdata[1] = key->publickey->data;
80 hashlen[1] = key->publickey->length;
83 switch (sig->data[0]) {
86 hashtype = sig->data[16];
89 if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
90 packetheader[0] = 0x99;
91 packetheader[1] = packet->length >> 8;
92 packetheader[2] = packet->length & 0xFF;
93 hashdata[chunks] = packetheader;
98 // TODO: Things other than UIDS/subkeys?
99 hashdata[chunks] = packet->data;
100 hashlen[chunks] = packet->length;
104 hashdata[chunks] = &sig->data[2];
107 sighash = &sig->data[17];
110 hashtype = sig->data[3];
112 /* Check to see if this is an X509 based signature */
113 if (sig->data[2] == 0 || sig->data[2] == 100) {
117 len = parse_subpackets(&sig->data[4], &keyid, NULL);
119 /* No unhashed data */
120 sig->data[4 + len] == 0 &&
121 sig->data[5 + len] == 0 &&
122 /* Dummy 0 checksum */
123 sig->data[6 + len] == 0 &&
124 sig->data[7 + len] == 0 &&
126 sig->data[8 + len] == 0 &&
127 sig->data[9 + len] == 1 &&
128 sig->data[10 + len] == 1) {
129 get_keyid(key, &keyid);
130 logthing(LOGTHING_DEBUG,
131 "Skipping X509 signature on 0x%016"
138 if (packet != NULL) {
139 if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
140 packetheader[0] = 0x99;
141 packetheader[1] = packet->length >> 8;
142 packetheader[2] = packet->length & 0xFF;
143 hashdata[chunks] = packetheader;
146 } else if (packet->tag == OPENPGP_PACKET_UID ||
147 packet->tag == OPENPGP_PACKET_UAT) {
148 packetheader[0] = (packet->tag ==
149 OPENPGP_PACKET_UID) ? 0xB4 : 0xD1;
150 packetheader[1] = packet->length >> 24;
151 packetheader[2] = (packet->length >> 16) & 0xFF;
152 packetheader[3] = (packet->length >> 8) & 0xFF;
153 packetheader[4] = packet->length & 0xFF;
154 hashdata[chunks] = packetheader;
158 hashdata[chunks] = packet->data;
159 hashlen[chunks] = packet->length;
163 hashdata[chunks] = sig->data;
164 hashlen[chunks] = siglen = (sig->data[4] << 8) +
170 v4trailer[2] = siglen >> 24;
171 v4trailer[3] = (siglen >> 16) & 0xFF;
172 v4trailer[4] = (siglen >> 8) & 0xFF;
173 v4trailer[5] = siglen & 0xFF;
174 hashdata[chunks] = v4trailer;
178 unhashedlen = (sig->data[siglen] << 8) +
179 sig->data[siglen + 1];
180 sighash = &sig->data[siglen + unhashedlen + 2];
183 get_keyid(key, &keyid);
184 logthing(LOGTHING_ERROR,
185 "Unknown signature version %d on 0x%016" PRIX64,
186 sig->data[0], keyid);
191 case OPENPGP_HASH_MD5:
192 md5_init(&md5_context);
193 for (i = 0; i < chunks; i++) {
194 md5_update(&md5_context, hashlen[i], hashdata[i]);
196 md5_digest(&md5_context, 16, hash);
198 case OPENPGP_HASH_SHA1:
199 sha1_init(&sha1_context);
200 for (i = 0; i < chunks; i++) {
201 sha1_update(&sha1_context, hashlen[i], hashdata[i]);
203 sha1_digest(&sha1_context, 20, hash);
205 case OPENPGP_HASH_RIPEMD160:
206 #ifdef NETTLE_WITH_RIPEMD160
207 ripemd160_init(&ripemd160_context);
208 for (i = 0; i < chunks; i++) {
209 ripemd160_update(&ripemd160_context, hashlen[i],
212 ripemd160_digest(&ripemd160_context, RIPEMD160_DIGEST_SIZE,
216 logthing(LOGTHING_INFO, "RIPEMD160 support not available.");
219 case OPENPGP_HASH_SHA1X:
220 sha1x_init(&sha1x_context);
221 for (i = 0; i < chunks; i++) {
222 sha1x_update(&sha1x_context, hashlen[i], hashdata[i]);
224 sha1x_digest(&sha1x_context, 20, hash);
226 case OPENPGP_HASH_SHA224:
227 #ifdef NETTLE_WITH_SHA224
228 sha224_init(&sha224_context);
229 for (i = 0; i < chunks; i++) {
230 sha224_update(&sha224_context, hashlen[i],
233 sha224_digest(&sha224_context, SHA224_DIGEST_SIZE, hash);
236 logthing(LOGTHING_INFO, "SHA224 support not available.");
239 case OPENPGP_HASH_SHA256:
240 #ifdef NETTLE_WITH_SHA256
241 sha256_init(&sha256_context);
242 for (i = 0; i < chunks; i++) {
243 sha256_update(&sha256_context, hashlen[i],
246 sha256_digest(&sha256_context, SHA256_DIGEST_SIZE, hash);
249 logthing(LOGTHING_INFO, "SHA256 support not available.");
252 case OPENPGP_HASH_SHA384:
253 #ifdef NETTLE_WITH_SHA384
254 sha384_init(&sha384_context);
255 for (i = 0; i < chunks; i++) {
256 sha384_update(&sha384_context, hashlen[i],
259 sha384_digest(&sha384_context, SHA384_DIGEST_SIZE, hash);
262 logthing(LOGTHING_INFO, "SHA384 support not available.");
265 case OPENPGP_HASH_SHA512:
266 #ifdef NETTLE_WITH_SHA512
267 sha512_init(&sha512_context);
268 for (i = 0; i < chunks; i++) {
269 sha512_update(&sha512_context, hashlen[i],
272 sha512_digest(&sha512_context, SHA512_DIGEST_SIZE, hash);
275 logthing(LOGTHING_INFO, "SHA512 support not available.");
279 get_keyid(key, &keyid);
280 logthing(LOGTHING_ERROR,
281 "Unsupported signature hash type %d on 0x%016" PRIX64,
287 logthing(LOGTHING_DEBUG, "Hash type: %d, %d chunks, "
288 "calculated: %02X%02X / actual: %02X%02X",
290 hash[0], hash[1], sighash[0], sighash[1]);
292 return (hash[0] == sighash[0] && hash[1] == sighash[1]);