sigcheck.c

   1 /*
   2  * sigcheck.c - routines to check OpenPGP signatures
   3  *
   4  * Copyright 2012 Jonathan McDowell <noodles@earth.li>
   5  *
   6  * This program is free software: you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by the Free
   8  * Software Foundation; version 2 of the License.
   9  *
  10  * This program is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  13  * more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along with
  16  * this program; if not, write to the Free Software Foundation, Inc., 51
  17  * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  */
  19
  20 #include <stdint.h>
  21
  22 #include "config.h"
  23 #include "decodekey.h"
  24 #include "keyid.h"
  25 #include "keystructs.h"
  26 #include "log.h"
  27 #include "openpgp.h"
  28 #include "sigcheck.h"
  29
  30 #ifdef HAVE_NETTLE
  31 #include <nettle/md5.h>
  32 #include <nettle/ripemd160.h>
  33 #include <nettle/sha.h>
  34 #else
  35 #include "md5.h"
  36 #include "sha1.h"
  37 #endif
  38 #include "sha1x.h"
  39
  40 int check_packet_sighash(struct openpgp_publickey *key,
  41                         struct openpgp_packet *packet,
  42                         struct openpgp_packet *sig)
  43 {
  44         uint8_t hashtype;
  45         uint8_t *sighash;
  46         size_t siglen, unhashedlen;
  47         struct sha1_ctx sha1_context;
  48         struct sha1x_ctx sha1x_context;
  49         struct md5_ctx md5_context;
  50 #ifdef NETTLE_WITH_RIPEMD160
  51         struct ripemd160_ctx ripemd160_context;
  52 #endif
  53 #ifdef NETTLE_WITH_SHA224
  54         struct sha224_ctx sha224_context;
  55 #endif
  56 #ifdef NETTLE_WITH_SHA256
  57         struct sha256_ctx sha256_context;
  58 #endif
  59 #ifdef NETTLE_WITH_SHA384
  60         struct sha384_ctx sha384_context;
  61 #endif
  62 #ifdef NETTLE_WITH_SHA512
  63         struct sha512_ctx sha512_context;
  64 #endif
  65         uint8_t keyheader[3];
  66         uint8_t packetheader[5];
  67         uint8_t v4trailer[6];
  68         uint8_t hash[64];
  69         uint8_t *hashdata[8];
  70         size_t hashlen[8];
  71         int chunks, i;
  72         uint64_t keyid;
  73         onak_status_t res;
  74
  75         keyheader[0] = 0x99;
  76         keyheader[1] = key->publickey->length >> 8;
  77         keyheader[2] = key->publickey->length & 0xFF;
  78         hashdata[0] = keyheader;
  79         hashlen[0] = 3;
  80         hashdata[1] = key->publickey->data;
  81         hashlen[1] = key->publickey->length;
  82         chunks = 2;
  83
  84         switch (sig->data[0]) {
  85         case 2:
  86         case 3:
  87                 hashtype = sig->data[16];
  88
  89                 if (packet != NULL) {
  90                         if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
  91                                 packetheader[0] = 0x99;
  92                                 packetheader[1] = packet->length >> 8;
  93                                 packetheader[2] = packet->length & 0xFF;
  94                                 hashdata[chunks] = packetheader;
  95                                 hashlen[chunks] = 3;
  96                                 chunks++;
  97                         }
  98
  99                         // TODO: Things other than UIDS/subkeys?
 100                         hashdata[chunks] = packet->data;
 101                         hashlen[chunks] = packet->length;
 102                         chunks++;
 103                 }
 104
 105                 hashdata[chunks] = &sig->data[2];
 106                 hashlen[chunks] = 5;
 107                 chunks++;
 108                 sighash = &sig->data[17];
 109                 break;
 110         case 4:
 111                 hashtype = sig->data[3];
 112
 113                 /* Check to see if this is an X509 based signature */
 114                 if (sig->data[2] == 0 || sig->data[2] == 100) {
 115                         size_t len;
 116
 117                         keyid = 0;
 118                         res = parse_subpackets(&sig->data[4],
 119                                                 sig->length - 4, &len,
 120                                                 &keyid, NULL);
 121                         if (res != ONAK_E_OK) {
 122                                 /* If it parses badly, reject it */
 123                                 return 0;
 124                         }
 125                         if (keyid == 0 &&
 126                                         /* No unhashed data */
 127                                         sig->data[4 + len] == 0 &&
 128                                         sig->data[5 + len] == 0 &&
 129                                         /* Dummy 0 checksum */
 130                                         sig->data[6 + len] == 0 &&
 131                                         sig->data[7 + len] == 0 &&
 132                                         /* Dummy MPI of 1 */
 133                                         sig->data[8 + len] == 0 &&
 134                                         sig->data[9 + len] == 1 &&
 135                                         sig->data[10 + len] == 1) {
 136                                 get_keyid(key, &keyid);
 137                                 logthing(LOGTHING_DEBUG,
 138                                         "Skipping X509 signature on 0x%016"
 139                                         PRIX64,
 140                                         keyid);
 141                                 return -1;
 142                         }
 143                 }
 144
 145                 if (packet != NULL) {
 146                         if (packet->tag == OPENPGP_PACKET_PUBLICSUBKEY) {
 147                                 packetheader[0] = 0x99;
 148                                 packetheader[1] = packet->length >> 8;
 149                                 packetheader[2] = packet->length & 0xFF;
 150                                 hashdata[chunks] = packetheader;
 151                                 hashlen[chunks] = 3;
 152                                 chunks++;
 153                         } else if (packet->tag == OPENPGP_PACKET_UID ||
 154                                         packet->tag == OPENPGP_PACKET_UAT) {
 155                                 packetheader[0] = (packet->tag ==
 156                                         OPENPGP_PACKET_UID) ?  0xB4 : 0xD1;
 157                                 packetheader[1] = packet->length >> 24;
 158                                 packetheader[2] = (packet->length >> 16) & 0xFF;
 159                                 packetheader[3] = (packet->length >> 8) & 0xFF;
 160                                 packetheader[4] = packet->length & 0xFF;
 161                                 hashdata[chunks] = packetheader;
 162                                 hashlen[chunks] = 5;
 163                                 chunks++;
 164                         }
 165                         hashdata[chunks] = packet->data;
 166                         hashlen[chunks] = packet->length;
 167                         chunks++;
 168                 }
 169
 170                 hashdata[chunks] = sig->data;
 171                 hashlen[chunks] = siglen = (sig->data[4] << 8) +
 172                         sig->data[5] + 6;;
 173                 if (siglen > sig->length) {
 174                         /* Signature data exceed packet length, bogus */
 175                         return 0;
 176                 }
 177                 chunks++;
 178
 179                 v4trailer[0] = 4;
 180                 v4trailer[1] = 0xFF;
 181                 v4trailer[2] = siglen >> 24;
 182                 v4trailer[3] = (siglen >> 16) & 0xFF;
 183                 v4trailer[4] = (siglen >> 8) & 0xFF;
 184                 v4trailer[5] = siglen & 0xFF;
 185                 hashdata[chunks] = v4trailer;
 186                 hashlen[chunks] = 6;
 187                 chunks++;
 188
 189                 unhashedlen = (sig->data[siglen] << 8) +
 190                         sig->data[siglen + 1];
 191                 sighash = &sig->data[siglen + unhashedlen + 2];
 192                 break;
 193         default:
 194                 get_keyid(key, &keyid);
 195                 logthing(LOGTHING_ERROR,
 196                         "Unknown signature version %d on 0x%016" PRIX64,
 197                         sig->data[0], keyid);
 198                 return -1;
 199         }
 200
 201         switch (hashtype) {
 202         case OPENPGP_HASH_MD5:
 203                 md5_init(&md5_context);
 204                 for (i = 0; i < chunks; i++) {
 205                         md5_update(&md5_context, hashlen[i], hashdata[i]);
 206                 }
 207                 md5_digest(&md5_context, 16, hash);
 208                 break;
 209         case OPENPGP_HASH_SHA1:
 210                 sha1_init(&sha1_context);
 211                 for (i = 0; i < chunks; i++) {
 212                         sha1_update(&sha1_context, hashlen[i], hashdata[i]);
 213                 }
 214                 sha1_digest(&sha1_context, 20, hash);
 215                 break;
 216         case OPENPGP_HASH_RIPEMD160:
 217 #ifdef NETTLE_WITH_RIPEMD160
 218                 ripemd160_init(&ripemd160_context);
 219                 for (i = 0; i < chunks; i++) {
 220                         ripemd160_update(&ripemd160_context, hashlen[i],
 221                                 hashdata[i]);
 222                 }
 223                 ripemd160_digest(&ripemd160_context, RIPEMD160_DIGEST_SIZE,
 224                         hash);
 225                 break;
 226 #else
 227                 logthing(LOGTHING_INFO, "RIPEMD160 support not available.");
 228                 return -1;
 229 #endif
 230         case OPENPGP_HASH_SHA1X:
 231                 sha1x_init(&sha1x_context);
 232                 for (i = 0; i < chunks; i++) {
 233                         sha1x_update(&sha1x_context, hashlen[i], hashdata[i]);
 234                 }
 235                 sha1x_digest(&sha1x_context, 20, hash);
 236                 break;
 237         case OPENPGP_HASH_SHA224:
 238 #ifdef NETTLE_WITH_SHA224
 239                 sha224_init(&sha224_context);
 240                 for (i = 0; i < chunks; i++) {
 241                         sha224_update(&sha224_context, hashlen[i],
 242                                 hashdata[i]);
 243                 }
 244                 sha224_digest(&sha224_context, SHA224_DIGEST_SIZE, hash);
 245                 break;
 246 #else
 247                 logthing(LOGTHING_INFO, "SHA224 support not available.");
 248                 return -1;
 249 #endif
 250         case OPENPGP_HASH_SHA256:
 251 #ifdef NETTLE_WITH_SHA256
 252                 sha256_init(&sha256_context);
 253                 for (i = 0; i < chunks; i++) {
 254                         sha256_update(&sha256_context, hashlen[i],
 255                                 hashdata[i]);
 256                 }
 257                 sha256_digest(&sha256_context, SHA256_DIGEST_SIZE, hash);
 258                 break;
 259 #else
 260                 logthing(LOGTHING_INFO, "SHA256 support not available.");
 261                 return -1;
 262 #endif
 263         case OPENPGP_HASH_SHA384:
 264 #ifdef NETTLE_WITH_SHA384
 265                 sha384_init(&sha384_context);
 266                 for (i = 0; i < chunks; i++) {
 267                         sha384_update(&sha384_context, hashlen[i],
 268                                 hashdata[i]);
 269                 }
 270                 sha384_digest(&sha384_context, SHA384_DIGEST_SIZE, hash);
 271                 break;
 272 #else
 273                 logthing(LOGTHING_INFO, "SHA384 support not available.");
 274                 return -1;
 275 #endif
 276         case OPENPGP_HASH_SHA512:
 277 #ifdef NETTLE_WITH_SHA512
 278                 sha512_init(&sha512_context);
 279                 for (i = 0; i < chunks; i++) {
 280                         sha512_update(&sha512_context, hashlen[i],
 281                                 hashdata[i]);
 282                 }
 283                 sha512_digest(&sha512_context, SHA512_DIGEST_SIZE, hash);
 284                 break;
 285 #else
 286                 logthing(LOGTHING_INFO, "SHA512 support not available.");
 287                 return -1;
 288 #endif
 289         default:
 290                 get_keyid(key, &keyid);
 291                 logthing(LOGTHING_ERROR,
 292                         "Unsupported signature hash type %d on 0x%016" PRIX64,
 293                         hashtype,
 294                         keyid);
 295                 return -1;
 296         }
 297
 298         logthing(LOGTHING_DEBUG, "Hash type: %d, %d chunks, "
 299                 "calculated: %02X%02X / actual: %02X%02X",
 300                 hashtype, chunks,
 301                 hash[0], hash[1], sighash[0], sighash[1]);
 302
 303         return (hash[0] == sighash[0] && hash[1] == sighash[1]);
 304 }