1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
38 #include "keyserver-internal.h"
40 #include "mbox-util.h"
41 #include "call-dirmngr.h"
43 /* Put an upper limit on nested packets. The 32 is an arbitrary
44 value, a much lower should actually be sufficient. */
45 #define MAX_NESTING_DEPTH 32
48 /* An object to build a list of keyid related info. */
51 struct kidlist_item *next;
59 * Object to hold the processing context.
61 typedef struct mainproc_context *CTX;
62 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_user_id *last_user_id;
68 md_filter_context_t mfx;
69 int sigs_only; /* Process only signatures and reject all other stuff. */
70 int encrypt_only; /* Process only encryption messages. */
72 /* Name of the file with the complete signature or the file with the
73 detached signature. This is currently only used to deduce the
74 file name of the data file if that has not been given. */
75 const char *sigfilename;
77 /* A structure to describe the signed data in case of a detached
81 /* A file descriptor of the the signed data. Only used if not -1. */
83 /* A list of filenames with the data files or NULL. This is only
84 used if DATA_FD is -1. */
86 /* Flag to indicated that either one of the next previous fields
87 is used. This is only needed for better readability. */
92 int last_was_session_key;
93 kbnode_t list; /* The current list of packets. */
94 iobuf_t iobuf; /* Used to get the filename etc. */
95 int trustletter; /* Temporary usage in list_node. */
97 struct kidlist_item *pkenc_list; /* List of encryption packets. */
99 unsigned int sig_seen:1; /* Set to true if a signature packet
101 unsigned int data:1; /* Any data packet seen */
102 unsigned int uncompress_failed:1;
107 /*** Local prototypes. ***/
108 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
109 static void list_node (CTX c, kbnode_t node);
110 static void proc_tree (CTX c, kbnode_t node);
111 static int literals_seen;
118 reset_literals_seen(void)
125 release_list( CTX c )
127 proc_tree (c, c->list);
128 release_kbnode (c->list);
129 while (c->pkenc_list)
131 struct kidlist_item *tmp = c->pkenc_list->next;
132 xfree (c->pkenc_list);
135 c->pkenc_list = NULL;
138 c->any.uncompress_failed = 0;
139 c->last_was_session_key = 0;
146 add_onepass_sig (CTX c, PACKET *pkt)
150 if (c->list) /* Add another packet. */
151 add_kbnode (c->list, new_kbnode (pkt));
152 else /* Insert the first one. */
153 c->list = node = new_kbnode (pkt);
160 add_gpg_control (CTX c, PACKET *pkt)
162 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
164 /* New clear text signature.
165 * Process the last one and reset everything */
169 if (c->list) /* Add another packet. */
170 add_kbnode (c->list, new_kbnode (pkt));
171 else /* Insert the first one. */
172 c->list = new_kbnode (pkt);
179 add_user_id (CTX c, PACKET *pkt)
183 log_error ("orphaned user ID\n");
186 add_kbnode (c->list, new_kbnode (pkt));
192 add_subkey (CTX c, PACKET *pkt)
196 log_error ("subkey w/o mainkey\n");
199 add_kbnode (c->list, new_kbnode (pkt));
205 add_ring_trust (CTX c, PACKET *pkt)
209 log_error ("ring trust w/o key\n");
212 add_kbnode (c->list, new_kbnode (pkt));
218 add_signature (CTX c, PACKET *pkt)
223 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
225 /* This is the first signature for the following datafile.
226 * GPG does not write such packets; instead it always uses
227 * onepass-sig packets. The drawback of PGP's method
228 * of prepending the signature to the data is
229 * that it is not possible to make a signature from data read
230 * from stdin. (GPG is able to read PGP stuff anyway.) */
231 node = new_kbnode (pkt);
236 return 0; /* oops (invalid packet sequence)*/
237 else if (!c->list->pkt)
238 BUG(); /* so nicht */
240 /* Add a new signature node item at the end. */
241 node = new_kbnode (pkt);
242 add_kbnode (c->list, node);
248 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
252 if(slen < 17 || slen > 33)
254 log_error ( _("weird size for an encrypted session key (%d)\n"),
256 return GPG_ERR_BAD_KEY;
259 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
261 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
263 gcry_cipher_setiv ( hd, NULL, 0 );
264 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
265 gcry_cipher_close ( hd );
267 /* Now we replace the dek components with the real session key to
268 decrypt the contents of the sequencing packet. */
273 if(dek->keylen > DIM(dek->key))
276 memcpy(dek->key, seskey + 1, dek->keylen);
278 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
285 proc_symkey_enc (CTX c, PACKET *pkt)
289 enc = pkt->pkt.symkey_enc;
291 log_error ("invalid symkey encrypted packet\n");
294 int algo = enc->cipher_algo;
295 const char *s = openpgp_cipher_algo_name (algo);
297 if (!openpgp_cipher_test_algo (algo))
302 log_info (_("%s encrypted session key\n"), s );
304 log_info (_("%s encrypted data\n"), s );
308 log_error (_("encrypted with unknown algorithm %d\n"), algo);
310 if (openpgp_md_test_algo (enc->s2k.hash_algo))
312 log_error(_("passphrase generated with unknown digest"
313 " algorithm %d\n"),enc->s2k.hash_algo);
317 c->last_was_session_key = 2;
318 if (!s || opt.list_only)
321 if (opt.override_session_key)
323 c->dek = xmalloc_clear (sizeof *c->dek);
324 if (get_override_session_key (c->dek, opt.override_session_key))
332 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
335 c->dek->symmetric = 1;
337 /* FIXME: This doesn't work perfectly if a symmetric key
338 comes before a public key in the message - if the
339 user doesn't know the passphrase, then there is a
340 chance that the "decrypted" algorithm will happen to
341 be a valid one, which will make the returned dek
342 appear valid, so we won't try any public keys that
346 if (symkey_decrypt_seskey (c->dek,
347 enc->seskey, enc->seskeylen))
354 c->dek->algo_info_printed = 1;
366 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
371 /* Check whether the secret key is available and store in this case. */
372 c->last_was_session_key = 1;
373 enc = pkt->pkt.pubkey_enc;
374 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
375 /* Hmmm: why do I have this algo check here - anyway there is
376 * function to check it. */
378 log_info (_("public key is %s\n"), keystr (enc->keyid));
380 if (is_status_enabled())
383 /* FIXME: For ECC support we need to map the OpenPGP algo number
384 to the Libgcrypt defined one. This is due a chicken-egg
385 problem: We need to have code in Libgcrypt for a new
386 algorithm so to implement a proposed new algorithm before the
387 IANA will finally assign an OpenPGP identifier. */
388 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
389 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
390 write_status_text (STATUS_ENC_TO, buf);
393 if (!opt.list_only && opt.override_session_key)
395 /* It does not make much sense to store the session key in
396 * secure memory because it has already been passed on the
397 * command line and the GCHQ knows about it. */
398 c->dek = xmalloc_clear (sizeof *c->dek);
399 result = get_override_session_key (c->dek, opt.override_session_key);
406 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
407 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
408 || enc->pubkey_algo == PUBKEY_ALGO_RSA
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
412 /* Note that we also allow type 20 Elgamal keys for decryption.
413 There are still a couple of those keys in active use as a
416 /* FIXME: Store this all in a list and process it later so that
417 we can prioritize what key to use. This gives a better user
418 experience if wildcard keyids are used. */
419 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
420 || opt.try_all_secrets
421 || have_secret_key_with_kid (enc->keyid)))
427 c->dek = xmalloc_secure_clear (sizeof *c->dek);
428 if ((result = get_session_key (ctrl, enc, c->dek)))
430 /* Error: Delete the DEK. */
437 result = GPG_ERR_NO_SECKEY;
440 result = GPG_ERR_PUBKEY_ALGO;
446 /* Store it for later display. */
447 struct kidlist_item *x = xmalloc (sizeof *x);
448 x->kid[0] = enc->keyid[0];
449 x->kid[1] = enc->keyid[1];
450 x->pubkey_algo = enc->pubkey_algo;
452 x->next = c->pkenc_list;
455 if (!result && opt.verbose > 1)
456 log_info (_("public key encrypted data: good DEK\n"));
464 * Print the list of public key encrypted packets which we could
468 print_pkenc_list (struct kidlist_item *list, int failed)
470 for (; list; list = list->next)
475 if (failed && !list->reason)
477 if (!failed && list->reason)
480 algstr = openpgp_pk_algo_name (list->pubkey_algo);
481 pk = xmalloc_clear (sizeof *pk);
485 pk->pubkey_algo = list->pubkey_algo;
486 if (!get_pubkey (pk, list->kid))
489 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
490 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
491 strtimestamp (pk->timestamp));
492 p = get_user_id_native (list->kid);
493 log_printf (_(" \"%s\"\n"), p);
497 log_info (_("encrypted with %s key, ID %s\n"),
498 algstr, keystr(list->kid));
500 free_public_key (pk);
502 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
504 if (is_status_enabled())
507 snprintf (buf, sizeof buf, "%08lX%08lX",
508 (ulong)list->kid[0], (ulong)list->kid[1]);
509 write_status_text (STATUS_NO_SECKEY, buf);
512 else if (list->reason)
514 log_info (_("public key decryption failed: %s\n"),
515 gpg_strerror (list->reason));
516 write_status_error ("pkdecrypt_failed", list->reason);
523 proc_encrypted (CTX c, PACKET *pkt)
530 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
531 else if (c->symkeys == 1)
532 log_info (_("encrypted with 1 passphrase\n"));
533 print_pkenc_list ( c->pkenc_list, 1 );
534 print_pkenc_list ( c->pkenc_list, 0 );
537 /* FIXME: Figure out the session key by looking at all pkenc packets. */
539 write_status (STATUS_BEGIN_DECRYPTION);
541 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
544 else if (!c->dek && !c->last_was_session_key)
548 STRING2KEY *s2k = NULL;
551 if (opt.override_session_key)
553 c->dek = xmalloc_clear (sizeof *c->dek);
554 result = get_override_session_key (c->dek, opt.override_session_key);
563 /* Assume this is old style conventional encrypted data. */
564 algo = opt.def_cipher_algo;
566 log_info (_("assuming %s encrypted data\n"),
567 openpgp_cipher_algo_name (algo));
568 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
570 algo = opt.def_cipher_algo;
572 algo = opt.s2k_cipher_algo;
573 log_info (_("IDEA cipher unavailable, "
574 "optimistically attempting to use %s instead\n"),
575 openpgp_cipher_algo_name (algo));
579 algo = CIPHER_ALGO_IDEA;
580 if (!opt.s2k_digest_algo)
582 /* If no digest is given we assume SHA-1. */
584 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
587 log_info (_("assuming %s encrypted data\n"), "IDEA");
590 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
592 c->dek->algo_info_printed = 1;
594 result = gpg_error (GPG_ERR_CANCELED);
596 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
600 result = GPG_ERR_NO_SECKEY;
603 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
608 && !opt.ignore_mdc_error
609 && !pkt->pkt.encrypted->mdc_method
610 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
611 && c->dek->algo != CIPHER_ALGO_TWOFISH)
613 /* The message has been decrypted but has no MDC despite that a
614 modern cipher (blocklength != 64 bit, except for Twofish) is
615 used and the option to ignore MDC errors is not used: To
616 avoid attacks changing an MDC message to a non-MDC message,
618 log_error (_("WARNING: message was not integrity protected\n"));
620 log_info ("decryption forced to fail\n");
621 write_status (STATUS_DECRYPTION_FAILED);
623 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
624 && opt.ignore_mdc_error))
626 write_status (STATUS_DECRYPTION_OKAY);
628 log_info(_("decryption okay\n"));
629 if (pkt->pkt.encrypted->mdc_method && !result)
630 write_status (STATUS_GOODMDC);
631 else if (!opt.no_mdc_warn)
632 log_info (_("WARNING: message was not integrity protected\n"));
634 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
636 glo_ctrl.lasterr = result;
637 log_error (_("WARNING: encrypted message has been manipulated!\n"));
638 write_status (STATUS_BADMDC);
639 write_status (STATUS_DECRYPTION_FAILED);
643 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
644 && *c->dek->s2k_cacheid != '\0')
647 log_debug ("cleared passphrase cached with ID: %s\n",
648 c->dek->s2k_cacheid);
649 passphrase_clear_cache (c->dek->s2k_cacheid);
651 glo_ctrl.lasterr = result;
652 write_status (STATUS_DECRYPTION_FAILED);
653 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
654 /* Hmmm: does this work when we have encrypted using multiple
655 * ways to specify the session key (symmmetric and PK). */
661 c->last_was_session_key = 0;
662 write_status (STATUS_END_DECRYPTION);
667 proc_plaintext( CTX c, PACKET *pkt )
669 PKT_plaintext *pt = pkt->pkt.plaintext;
670 int any, clearsig, rc;
675 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
676 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
677 else if (opt.verbose)
678 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
680 free_md_filter_context (&c->mfx);
681 if (gcry_md_open (&c->mfx.md, 0, 0))
683 /* fixme: we may need to push the textfilter if we have sigclass 1
684 * and no armoring - Not yet tested
685 * Hmmm, why don't we need it at all if we have sigclass 1
686 * Should we assume that plaintext in mode 't' has always sigclass 1??
687 * See: Russ Allbery's mail 1999-02-09
690 for (n=c->list; n; n = n->next )
692 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
694 /* The onepass signature case. */
695 if (n->pkt->pkt.onepass_sig->digest_algo)
697 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
701 else if (n->pkt->pkttype == PKT_GPG_CONTROL
702 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
704 /* The clearsigned message case. */
705 size_t datalen = n->pkt->pkt.gpg_control->datalen;
706 const byte *data = n->pkt->pkt.gpg_control->data;
708 /* Check that we have at least the sigclass and one hash. */
710 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
711 /* Note that we don't set the clearsig flag for not-dash-escaped
713 clearsig = (*data == 0x01);
714 for (data++, datalen--; datalen; datalen--, data++)
715 gcry_md_enable (c->mfx.md, *data);
717 break; /* Stop here as one-pass signature packets are not
720 else if (n->pkt->pkttype == PKT_SIGNATURE)
722 /* The SIG+LITERAL case that PGP used to use. */
723 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
728 if (!any && !opt.skip_verify)
730 /* This is for the old GPG LITERAL+SIG case. It's not legal
731 according to 2440, so hopefully it won't come up that often.
732 There is no good way to specify what algorithms to use in
733 that case, so these there are the historical answer. */
734 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
735 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
739 gcry_md_debug (c->mfx.md, "verify");
741 gcry_md_debug (c->mfx.md2, "verify2");
746 if (literals_seen > 1)
748 log_info (_("WARNING: multiple plaintexts seen\n"));
750 if (!opt.flags.allow_multiple_messages)
752 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
753 log_inc_errorcount ();
754 rc = gpg_error (GPG_ERR_UNEXPECTED);
760 /* It we are in --verify mode, we do not want to output the
761 * signed text. However, if --output is also used we do what
762 * has been requested and write out the signed data. */
763 rc = handle_plaintext (pt, &c->mfx,
764 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
766 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
768 /* Can't write output but we hash it anyway to check the
770 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
775 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
778 c->last_was_session_key = 0;
780 /* We add a marker control packet instead of the plaintext packet.
781 * This is so that we can later detect invalid packet sequences. */
782 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
784 add_kbnode (c->list, n);
791 proc_compressed_cb (iobuf_t a, void *info)
793 if ( ((CTX)info)->signed_data.used
794 && ((CTX)info)->signed_data.data_fd != -1)
795 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
796 ((CTX)info)->signed_data.data_fd);
798 return proc_signature_packets (((CTX)info)->ctrl, info, a,
799 ((CTX)info)->signed_data.data_names,
800 ((CTX)info)->sigfilename );
805 proc_encrypt_cb (iobuf_t a, void *info )
808 return proc_encryption_packets (c->ctrl, info, a );
813 proc_compressed (CTX c, PACKET *pkt)
815 PKT_compressed *zd = pkt->pkt.compressed;
818 /*printf("zip: compressed data packet\n");*/
820 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
821 else if( c->encrypt_only )
822 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
824 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
826 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
828 if (!c->any.uncompress_failed)
832 for (cc=c; cc; cc = cc->anchor)
833 cc->any.uncompress_failed = 1;
834 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
838 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
841 c->last_was_session_key = 0;
847 * Check the signature. If R_PK is not NULL a copy of the public key
848 * used to verify the signature will be stored tehre, or NULL if not
849 * found. Returns: 0 = valid signature or an error code
852 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
853 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
856 gcry_md_hd_t md = NULL;
857 gcry_md_hd_t md2 = NULL;
858 gcry_md_hd_t md_good = NULL;
864 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
867 sig = node->pkt->pkt.signature;
869 algo = sig->digest_algo;
870 rc = openpgp_md_test_algo (algo);
874 if (sig->sig_class == 0x00)
878 if (gcry_md_copy (&md, c->mfx.md ))
881 else /* detached signature */
883 /* check_signature() will enable the md. */
884 if (gcry_md_open (&md, 0, 0 ))
888 else if (sig->sig_class == 0x01)
890 /* How do we know that we have to hash the (already hashed) text
891 in canonical mode ??? (calculating both modes???) */
894 if (gcry_md_copy (&md, c->mfx.md ))
896 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
899 else /* detached signature */
901 log_debug ("Do we really need this here?");
902 /* check_signature() will enable the md*/
903 if (gcry_md_open (&md, 0, 0 ))
905 if (gcry_md_open (&md2, 0, 0 ))
909 else if ((sig->sig_class&~3) == 0x10
910 || sig->sig_class == 0x18
911 || sig->sig_class == 0x1f
912 || sig->sig_class == 0x20
913 || sig->sig_class == 0x28
914 || sig->sig_class == 0x30)
916 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
917 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
919 return check_key_signature( c->list, node, is_selfsig );
921 else if (sig->sig_class == 0x20)
923 log_error (_("standalone revocation - "
924 "use \"gpg --import\" to apply\n"));
925 return GPG_ERR_NOT_PROCESSED;
929 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
930 return GPG_ERR_SIG_CLASS;
934 return GPG_ERR_SIG_CLASS;
936 /* We only get here if we are checking the signature of a binary
937 (0x00) or text document (0x01). */
938 rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, r_pk);
941 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
945 rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey,
952 free_public_key (*r_pk);
960 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
961 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
962 memcpy (sig->digest, buffer, sig->digest_len);
973 print_userid (PACKET *pkt)
978 if (pkt->pkttype != PKT_USER_ID)
980 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
985 if (pkt->pkt.user_id->attrib_data)
987 pkt->pkt.user_id->numattribs,
988 pkt->pkt.user_id->attrib_len);
990 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
991 pkt->pkt.user_id->len, ":", NULL);
994 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
995 pkt->pkt.user_id->len );
1000 * List the keyblock in a user friendly way
1003 list_node (CTX c, kbnode_t node)
1007 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1008 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1010 PKT_public_key *pk = node->pkt->pkt.public_key;
1012 if (opt.with_colons)
1016 keyid_from_pk( pk, keyid );
1017 if (pk->flags.primary)
1018 c->trustletter = (opt.fast_list_mode?
1019 0 : get_validity_info (c->ctrl, pk, NULL));
1020 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1022 es_putc (c->trustletter, es_stdout);
1023 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1024 nbits_from_pk( pk ),
1026 (ulong)keyid[0],(ulong)keyid[1],
1027 colon_datestr_from_pk( pk ),
1028 colon_strtime (pk->expiredate) );
1029 if (pk->flags.primary && !opt.fast_list_mode)
1030 es_putc (get_ownertrust_info (pk), es_stdout);
1031 es_putc (':', es_stdout);
1032 es_putc ('\n', es_stdout);
1036 print_key_line (es_stdout, pk, 0);
1039 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1040 ; /* Already printed. */
1041 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1042 print_fingerprint (NULL, pk, 0);
1044 if (opt.with_colons)
1046 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1047 es_printf ("rtv:1:%u:\n",
1048 node->next->pkt->pkt.ring_trust->trustval);
1051 if (pk->flags.primary)
1053 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1055 /* Now list all userids with their signatures. */
1056 for (node = node->next; node; node = node->next)
1058 if (node->pkt->pkttype == PKT_SIGNATURE)
1060 list_node (c, node );
1062 else if (node->pkt->pkttype == PKT_USER_ID)
1064 if (opt.with_colons)
1065 es_printf ("%s:::::::::",
1066 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1068 es_printf ("uid%*s",
1069 kl + (opt.legacy_list_mode? 9:11),
1071 print_userid (node->pkt);
1072 if (opt.with_colons)
1073 es_putc (':', es_stdout);
1074 es_putc ('\n', es_stdout);
1077 && node->next->pkt->pkttype == PKT_RING_TRUST)
1079 es_printf ("rtv:2:%u:\n",
1080 node->next->pkt->pkt.ring_trust?
1081 node->next->pkt->pkt.ring_trust->trustval : 0);
1084 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1086 list_node(c, node );
1091 else if (node->pkt->pkttype == PKT_SECRET_KEY
1092 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1095 log_debug ("FIXME: No way to print secret key packets here\n");
1096 /* fixme: We may use a function to turn a secret key packet into
1097 a public key one and use that here. */
1099 else if (node->pkt->pkttype == PKT_SIGNATURE)
1101 PKT_signature *sig = node->pkt->pkt.signature;
1111 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1112 es_fputs ("rev", es_stdout);
1114 es_fputs ("sig", es_stdout);
1118 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
1119 switch (gpg_err_code (rc2))
1121 case 0: sigrc = '!'; break;
1122 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1123 case GPG_ERR_NO_PUBKEY:
1124 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1125 default: sigrc = '%'; break;
1128 else /* Check whether this is a self signature. */
1132 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1133 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1135 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1137 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1142 if (opt.with_colons)
1144 es_putc (':', es_stdout);
1146 es_putc (sigrc, es_stdout);
1147 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1148 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1149 colon_datestr_from_sig (sig),
1150 colon_expirestr_from_sig (sig));
1152 if (sig->trust_depth || sig->trust_value)
1153 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1154 es_putc (':', es_stdout);
1156 if (sig->trust_regexp)
1157 es_write_sanitized (es_stdout, sig->trust_regexp,
1158 strlen (sig->trust_regexp), ":", NULL);
1159 es_putc (':', es_stdout);
1162 es_printf ("%c %s %s ",
1163 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1165 es_printf ("[%s] ", gpg_strerror (rc2) );
1166 else if (sigrc == '?')
1168 else if (is_selfsig)
1170 if (opt.with_colons)
1171 es_putc (':', es_stdout);
1172 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1173 if (opt.with_colons)
1174 es_putc (':', es_stdout);
1176 else if (!opt.fast_list_mode)
1178 p = get_user_id (sig->keyid, &n);
1179 es_write_sanitized (es_stdout, p, n,
1180 opt.with_colons?":":NULL, NULL );
1183 if (opt.with_colons)
1184 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1185 es_putc ('\n', es_stdout);
1188 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1193 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1196 CTX c = xmalloc_clear (sizeof *c);
1200 rc = do_proc_packets (ctrl, c, a);
1208 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1209 strlist_t signedfiles, const char *sigfilename )
1211 CTX c = xmalloc_clear (sizeof *c);
1218 c->signed_data.data_fd = -1;
1219 c->signed_data.data_names = signedfiles;
1220 c->signed_data.used = !!signedfiles;
1222 c->sigfilename = sigfilename;
1223 rc = do_proc_packets (ctrl, c, a);
1225 /* If we have not encountered any signature we print an error
1226 messages, send a NODATA status back and return an error code.
1227 Using log_error is required because verify_files does not check
1228 error codes for each file but we want to terminate the process
1230 if (!rc && !c->any.sig_seen)
1232 write_status_text (STATUS_NODATA, "4");
1233 log_error (_("no signature found\n"));
1234 rc = GPG_ERR_NO_DATA;
1237 /* Propagate the signature seen flag upward. Do this only on success
1238 so that we won't issue the nodata status several times. */
1239 if (!rc && c->anchor && c->any.sig_seen)
1240 c->anchor->any.sig_seen = 1;
1248 proc_signature_packets_by_fd (ctrl_t ctrl,
1249 void *anchor, iobuf_t a, int signed_data_fd )
1254 c = xtrycalloc (1, sizeof *c);
1256 return gpg_error_from_syserror ();
1262 c->signed_data.data_fd = signed_data_fd;
1263 c->signed_data.data_names = NULL;
1264 c->signed_data.used = (signed_data_fd != -1);
1266 rc = do_proc_packets (ctrl, c, a);
1268 /* If we have not encountered any signature we print an error
1269 messages, send a NODATA status back and return an error code.
1270 Using log_error is required because verify_files does not check
1271 error codes for each file but we want to terminate the process
1273 if (!rc && !c->any.sig_seen)
1275 write_status_text (STATUS_NODATA, "4");
1276 log_error (_("no signature found\n"));
1277 rc = gpg_error (GPG_ERR_NO_DATA);
1280 /* Propagate the signature seen flag upward. Do this only on success
1281 so that we won't issue the nodata status several times. */
1282 if (!rc && c->anchor && c->any.sig_seen)
1283 c->anchor->any.sig_seen = 1;
1291 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1293 CTX c = xmalloc_clear (sizeof *c);
1298 c->encrypt_only = 1;
1299 rc = do_proc_packets (ctrl, c, a);
1306 check_nesting (CTX c)
1310 for (level=0; c; c = c->anchor)
1313 if (level > MAX_NESTING_DEPTH)
1315 log_error ("input data with too deeply nested packets\n");
1316 write_status_text (STATUS_UNEXPECTED, "1");
1317 return GPG_ERR_BAD_DATA;
1325 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1332 rc = check_nesting (c);
1336 pkt = xmalloc( sizeof *pkt );
1339 while ((rc=parse_packet(a, pkt)) != -1)
1345 /* Stop processing when an invalid packet has been encountered
1346 * but don't do so when we are doing a --list-packets. */
1347 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1348 && opt.list_packets == 0)
1353 if (opt.list_packets)
1355 switch (pkt->pkttype)
1357 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1358 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1360 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1361 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1362 default: newpkt = 0; break;
1365 else if (c->sigs_only)
1367 switch (pkt->pkttype)
1369 case PKT_PUBLIC_KEY:
1370 case PKT_SECRET_KEY:
1372 case PKT_SYMKEY_ENC:
1373 case PKT_PUBKEY_ENC:
1375 case PKT_ENCRYPTED_MDC:
1376 write_status_text( STATUS_UNEXPECTED, "0" );
1377 rc = GPG_ERR_UNEXPECTED;
1380 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1381 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1382 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1383 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1384 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1385 default: newpkt = 0; break;
1388 else if (c->encrypt_only)
1390 switch (pkt->pkttype)
1392 case PKT_PUBLIC_KEY:
1393 case PKT_SECRET_KEY:
1395 write_status_text (STATUS_UNEXPECTED, "0");
1396 rc = GPG_ERR_UNEXPECTED;
1399 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1400 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1401 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1403 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1404 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1405 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1406 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1407 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1408 default: newpkt = 0; break;
1413 switch (pkt->pkttype)
1415 case PKT_PUBLIC_KEY:
1416 case PKT_SECRET_KEY:
1418 c->list = new_kbnode (pkt);
1421 case PKT_PUBLIC_SUBKEY:
1422 case PKT_SECRET_SUBKEY:
1423 newpkt = add_subkey (c, pkt);
1425 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1426 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1427 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1428 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1430 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1431 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1432 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1433 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1434 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1435 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1436 default: newpkt = 0; break;
1443 /* This is a very ugly construct and frankly, I don't remember why
1444 * I used it. Adding the MDC check here is a hack.
1445 * The right solution is to initiate another context for encrypted
1446 * packet and not to reuse the current one ... It works right
1447 * when there is a compression packet between which adds just
1449 * Hmmm: Rewrite this whole module here??
1451 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1452 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1458 pkt = xmalloc (sizeof *pkt);
1465 if (rc == GPG_ERR_INV_PACKET)
1466 write_status_text (STATUS_NODATA, "3");
1471 write_status_text (STATUS_NODATA, "2");
1479 free_md_filter_context (&c->mfx);
1484 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1485 of the notation data. */
1487 get_pka_address (PKT_signature *sig)
1489 pka_info_t *pka = NULL;
1490 struct notation *nd,*notation;
1492 notation=sig_to_notation(sig);
1494 for(nd=notation;nd;nd=nd->next)
1496 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1497 continue; /* Not the notation we want. */
1499 /* For now we only use the first valid PKA notation. In future
1500 we might want to keep additional PKA notations in a linked
1502 if (is_valid_mailbox (nd->value))
1504 pka = xmalloc (sizeof *pka + strlen(nd->value));
1508 strcpy (pka->email, nd->value);
1513 free_notation(notation);
1519 /* Return the URI from a DNS PKA record. If this record has already
1520 be retrieved for the signature we merely return it; if not we go
1521 out and try to get that DNS record. */
1523 pka_uri_from_sig (CTX c, PKT_signature *sig)
1525 if (!sig->flags.pka_tried)
1527 log_assert (!sig->pka_info);
1528 sig->flags.pka_tried = 1;
1529 sig->pka_info = get_pka_address (sig);
1536 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1537 &fpr, &fprlen, &url))
1539 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1541 memcpy (sig->pka_info->fpr, fpr, fprlen);
1544 sig->pka_info->valid = 1;
1548 sig->pka_info->uri = url;
1557 return sig->pka_info? sig->pka_info->uri : NULL;
1561 /* Return true if the AKL has the WKD method specified. */
1563 akl_has_wkd_method (void)
1567 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1568 if (akl->type == AKL_WKD)
1574 /* Return the ISSUER fingerprint string in human readbale format if
1575 * available. Caller must release the string. */
1577 issuer_fpr_string (PKT_signature *sig)
1582 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1583 if (p && n == 21 && p[0] == 4)
1584 return bin2hex (p+1, n-1, NULL);
1590 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1591 PKT_signature *sig, int rc)
1595 write_status_text_and_buffer (statno, keyid_str,
1596 un? un->pkt->pkt.user_id->name:"[?]",
1597 un? un->pkt->pkt.user_id->len:3,
1601 p = utf8_to_native (un->pkt->pkt.user_id->name,
1602 un->pkt->pkt.user_id->len, 0);
1604 p = xstrdup ("[?]");
1607 log_info (_("BAD signature from \"%s\""), p);
1608 else if (sig->flags.expired)
1609 log_info (_("Expired signature from \"%s\""), p);
1611 log_info (_("Good signature from \"%s\""), p);
1618 check_sig_and_print (CTX c, kbnode_t node)
1620 PKT_signature *sig = node->pkt->pkt.signature;
1626 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1628 if (opt.skip_verify)
1630 log_info(_("signature verification suppressed\n"));
1634 /* Check that the message composition is valid.
1636 * Per RFC-2440bis (-15) allowed:
1638 * S{1,n} -- detached signature.
1639 * S{1,n} P -- old style PGP2 signature
1640 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1641 * C P S{1,n} -- cleartext signature.
1644 * O = One-Pass Signature packet.
1645 * S = Signature packet.
1646 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1647 * (Note that the current rfc2440bis draft also allows
1648 * for a signed message but that does not work as it
1649 * introduces ambiguities.)
1650 * We keep track of these packages using the marker packet
1651 * CTRLPKT_PLAINTEXT_MARK.
1652 * C = Marker packet for cleartext signatures.
1654 * We reject all other messages.
1656 * Actually we are calling this too often, i.e. for verification of
1657 * each message but better have some duplicate work than to silently
1658 * introduce a bug here.
1662 int n_onepass, n_sig;
1664 /* log_debug ("checking signature packet composition\n"); */
1665 /* dump_kbnode (c->list); */
1669 if ( n->pkt->pkttype == PKT_SIGNATURE )
1671 /* This is either "S{1,n}" case (detached signature) or
1672 "S{1,n} P" (old style PGP2 signature). */
1673 for (n = n->next; n; n = n->next)
1674 if (n->pkt->pkttype != PKT_SIGNATURE)
1677 ; /* Okay, this is a detached signature. */
1678 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1679 && (n->pkt->pkt.gpg_control->control
1680 == CTRLPKT_PLAINTEXT_MARK) )
1683 goto ambiguous; /* We only allow one P packet. */
1688 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1690 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1691 for (n_onepass=1, n = n->next;
1692 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1694 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1695 && (n->pkt->pkt.gpg_control->control
1696 == CTRLPKT_PLAINTEXT_MARK)))
1698 for (n_sig=0, n = n->next;
1699 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1704 /* If we wanted to disallow multiple sig verification, we'd do
1705 something like this:
1707 if (n && !opt.allow_multisig_verification)
1710 However, now that we have --allow-multiple-messages, this
1711 can stay allowable as we can't get here unless multiple
1712 messages (i.e. multiple literals) are allowed. */
1714 if (n_onepass != n_sig)
1716 log_info ("number of one-pass packets does not match "
1717 "number of signature packets\n");
1721 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1722 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1724 /* This is the "C P S{1,n}" case (clear text signature). */
1726 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1727 && (n->pkt->pkt.gpg_control->control
1728 == CTRLPKT_PLAINTEXT_MARK)))
1730 for (n_sig=0, n = n->next;
1731 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1739 log_error(_("can't handle this ambiguous signature data\n"));
1744 if (sig->signers_uid)
1745 write_status_buffer (STATUS_NEWSIG,
1746 sig->signers_uid, strlen (sig->signers_uid), 0);
1748 write_status_text (STATUS_NEWSIG, NULL);
1750 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1751 if ((issuer_fpr = issuer_fpr_string (sig)))
1753 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1754 log_info (_(" using %s key %s\n"),
1755 astr? astr: "?", issuer_fpr);
1759 else if (!keystrlen () || keystrlen () > 8)
1761 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1762 log_info (_(" using %s key %s\n"),
1763 astr? astr: "?", keystr(sig->keyid));
1765 else /* Legacy format. */
1766 log_info (_("Signature made %s using %s key ID %s\n"),
1767 asctimestamp(sig->timestamp), astr? astr: "?",
1768 keystr(sig->keyid));
1770 /* In verbose mode print the signers UID. */
1771 if (sig->signers_uid)
1772 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1774 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1776 /* If the key isn't found, check for a preferred keyserver. */
1777 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1783 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1785 /* According to my favorite copy editor, in English grammar,
1786 you say "at" if the key is located on a web page, but
1787 "from" if it is located on a keyserver. I'm not going to
1788 even try to make two strings here :) */
1789 log_info(_("Key available at: ") );
1790 print_utf8_buffer (log_get_stream(), p, n);
1793 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1794 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1796 struct keyserver_spec *spec;
1798 spec = parse_preferred_keyserver (sig);
1803 free_public_key (pk);
1805 glo_ctrl.in_auto_key_retrieve++;
1806 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
1807 glo_ctrl.in_auto_key_retrieve--;
1809 rc = do_check_sig (c, node, NULL,
1810 &is_expkey, &is_revkey, &pk);
1811 free_keyserver_spec (spec);
1820 /* If the avove methods didn't work, our next try is to use the URI
1821 * from a DNS PKA record. */
1822 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1823 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1824 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1826 const char *uri = pka_uri_from_sig (c, sig);
1830 /* FIXME: We might want to locate the key using the
1831 fingerprint instead of the keyid. */
1833 struct keyserver_spec *spec;
1835 spec = parse_keyserver_uri (uri, 1);
1838 free_public_key (pk);
1840 glo_ctrl.in_auto_key_retrieve++;
1841 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
1842 glo_ctrl.in_auto_key_retrieve--;
1843 free_keyserver_spec (spec);
1845 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1850 /* If the above methods didn't work, our next try is to locate
1851 * the key via its fingerprint from a keyserver. This requires
1852 * that the signers fingerprint is encoded in the signature. We
1853 * favor this over the WKD method (to be tried next), because an
1854 * arbitrary keyserver is less subject to web bug like monitoring. */
1855 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1856 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1857 && keyserver_any_configured (c->ctrl))
1863 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1864 if (p && n == 21 && p[0] == 4)
1866 /* v4 packet with a SHA-1 fingerprint. */
1867 free_public_key (pk);
1869 glo_ctrl.in_auto_key_retrieve++;
1870 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
1871 glo_ctrl.in_auto_key_retrieve--;
1873 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1877 /* If the above methods didn't work, our next try is to retrieve the
1878 * key from the WKD. */
1879 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1880 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1881 && !opt.flags.disable_signer_uid
1882 && akl_has_wkd_method ()
1883 && sig->signers_uid)
1887 free_public_key (pk);
1889 glo_ctrl.in_auto_key_retrieve++;
1890 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
1891 glo_ctrl.in_auto_key_retrieve--;
1892 /* Fixme: If the fingerprint is embedded in the signature,
1893 * compare it to the fingerprint of the returned key. */
1895 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1898 /* If the above methods did't work, our next try is to use a
1900 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1901 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1902 && keyserver_any_configured (c->ctrl))
1906 free_public_key (pk);
1908 glo_ctrl.in_auto_key_retrieve++;
1909 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
1910 glo_ctrl.in_auto_key_retrieve--;
1912 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1915 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1917 kbnode_t un, keyblock;
1921 PKT_public_key *mainpk = NULL;
1924 statno = STATUS_BADSIG;
1925 else if (sig->flags.expired)
1926 statno = STATUS_EXPSIG;
1928 statno = STATUS_EXPKEYSIG;
1930 statno = STATUS_REVKEYSIG;
1932 statno = STATUS_GOODSIG;
1934 /* FIXME: We should have the public key in PK and thus the
1935 * keyboock has already been fetched. Thus we could use the
1936 * fingerprint or PK itself to lookup the entire keyblock. That
1937 * would best be done with a cache. */
1938 keyblock = get_pubkeyblock (sig->keyid);
1940 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1941 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1943 /* Find and print the primary user ID along with the
1944 "Good|Expired|Bad signature" line. */
1945 for (un=keyblock; un; un = un->next)
1949 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1951 mainpk = un->pkt->pkt.public_key;
1954 if (un->pkt->pkttype != PKT_USER_ID)
1956 if (!un->pkt->pkt.user_id->created)
1958 if (un->pkt->pkt.user_id->is_revoked)
1960 if (un->pkt->pkt.user_id->is_expired)
1962 if (!un->pkt->pkt.user_id->is_primary)
1964 /* We want the textual primary user ID here */
1965 if (un->pkt->pkt.user_id->attrib_data)
1968 log_assert (mainpk);
1970 /* Since this is just informational, don't actually ask the
1971 user to update any trust information. (Note: we register
1972 the signature later.) Because print_good_bad_signature
1973 does not print a LF we need to compute the validity
1974 before calling that function. */
1975 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1976 valid = get_validity (c->ctrl, mainpk, un->pkt->pkt.user_id,
1979 valid = 0; /* Not used. */
1981 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1983 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1985 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1986 log_printf (" [%s]\n",trust_value_to_string(valid));
1993 log_assert (mainpk);
1995 /* In case we did not found a valid valid textual userid above
1996 we print the first user id packet or a "[?]" instead along
1997 with the "Good|Expired|Bad signature" line. */
2000 /* Try for an invalid textual userid */
2001 for (un=keyblock; un; un = un->next)
2003 if (un->pkt->pkttype == PKT_USER_ID
2004 && !un->pkt->pkt.user_id->attrib_data)
2008 /* Try for any userid at all */
2011 for (un=keyblock; un; un = un->next)
2013 if (un->pkt->pkttype == PKT_USER_ID)
2018 if (opt.trust_model==TM_ALWAYS || !un)
2019 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2021 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2023 if (opt.trust_model != TM_ALWAYS && un)
2024 log_printf (" %s",_("[uncertain]") );
2028 /* If we have a good signature and already printed
2029 * the primary user ID, print all the other user IDs */
2032 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2035 for( un=keyblock; un; un = un->next)
2037 if (un->pkt->pkttype != PKT_USER_ID)
2039 if ((un->pkt->pkt.user_id->is_revoked
2040 || un->pkt->pkt.user_id->is_expired)
2041 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2043 /* Skip textual primary user ids which we printed above. */
2044 if (un->pkt->pkt.user_id->is_primary
2045 && !un->pkt->pkt.user_id->attrib_data )
2048 /* If this user id has attribute data, print that. */
2049 if (un->pkt->pkt.user_id->attrib_data)
2051 dump_attribs (un->pkt->pkt.user_id, mainpk);
2053 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2054 show_photos (c->ctrl,
2055 un->pkt->pkt.user_id->attribs,
2056 un->pkt->pkt.user_id->numattribs,
2057 mainpk ,un->pkt->pkt.user_id);
2060 p = utf8_to_native (un->pkt->pkt.user_id->name,
2061 un->pkt->pkt.user_id->len, 0);
2062 log_info (_(" aka \"%s\""), p);
2065 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2069 if (un->pkt->pkt.user_id->is_revoked)
2070 valid = _("revoked");
2071 else if (un->pkt->pkt.user_id->is_expired)
2072 valid = _("expired");
2074 /* Since this is just informational, don't
2075 actually ask the user to update any trust
2077 valid = (trust_value_to_string
2078 (get_validity (c->ctrl, mainpk,
2079 un->pkt->pkt.user_id, NULL, 0)));
2080 log_printf (" [%s]\n",valid);
2087 /* For good signatures print notation data. */
2090 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2091 show_policy_url (sig, 0, 1);
2093 show_policy_url (sig, 0, 2);
2095 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2096 show_keyserver_url (sig, 0, 1);
2098 show_keyserver_url (sig, 0, 2);
2100 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2103 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2104 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2106 show_notation (sig, 0, 2, 0);
2109 /* For good signatures print the VALIDSIG status line. */
2110 if (!rc && is_status_enabled () && pk)
2112 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2113 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2115 hexfingerprint (pk, pkhex, sizeof pkhex);
2116 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2118 /* TODO: Replace the reserved '0' in the field below with
2119 bits for status flags (policy url, notation, etc.). */
2120 write_status_printf (STATUS_VALIDSIG,
2121 "%s %s %lu %lu %d 0 %d %d %02X %s",
2123 strtimestamp (sig->timestamp),
2124 (ulong)sig->timestamp,
2125 (ulong)sig->expiredate,
2126 sig->version, sig->pubkey_algo,
2132 /* For good signatures compute and print the trust information.
2133 Note that in the Tofu trust model this may ask the user on
2134 how to resolve a conflict. */
2137 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2138 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2139 rc = check_signatures_trust (c->ctrl, sig);
2142 /* Print extra information about the signature. */
2143 if (sig->flags.expired)
2145 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2146 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2148 else if (sig->expiredate)
2149 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2153 char pkstrbuf[PUBKEY_STRING_SIZE];
2156 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2160 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2161 sig->sig_class==0x00?_("binary"):
2162 sig->sig_class==0x01?_("textmode"):_("unknown"),
2163 gcry_md_algo_name (sig->digest_algo),
2164 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2167 /* Print final warnings. */
2168 if (!rc && !c->signed_data.used)
2170 /* Signature is basically good but we test whether the
2172 gpg --verify FILE.sig
2174 gpg --verify FILE.sig FILE
2175 to verify a detached signature. If we figure out that a
2176 data file with a matching name exists, we print a warning.
2178 The problem is that the first form would also verify a
2179 standard signature. This behavior could be used to
2180 create a made up .sig file for a tarball by creating a
2181 standard signature from a valid detached signature packet
2182 (for example from a signed git tag). Then replace the
2183 sig file on the FTP server along with a changed tarball.
2184 Using the first form the verify command would correctly
2185 verify the signature but don't even consider the tarball. */
2189 dfile = get_matching_datafile (c->sigfilename);
2192 for (n = c->list; n; n = n->next)
2193 if (n->pkt->pkttype != PKT_SIGNATURE)
2197 /* Not only signature packets in the tree thus this
2198 is not a detached signature. */
2199 log_info (_("WARNING: not a detached signature; "
2200 "file '%s' was NOT verified!\n"), dfile);
2206 free_public_key (pk);
2208 release_kbnode( keyblock );
2210 g10_errors_seen = 1;
2211 if (opt.batch && rc)
2218 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2219 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2220 sig->pubkey_algo, sig->digest_algo,
2221 sig->sig_class, (ulong)sig->timestamp, rc);
2222 write_status_text (STATUS_ERRSIG, buf);
2223 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2226 write_status_text (STATUS_NO_PUBKEY, buf);
2228 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2229 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2237 * Process the tree which starts at node
2240 proc_tree (CTX c, kbnode_t node)
2245 if (opt.list_packets || opt.list_only)
2248 /* We must skip our special plaintext marker packets here because
2249 they may be the root packet. These packets are only used in
2250 additional checks and skipping them here doesn't matter. */
2252 && node->pkt->pkttype == PKT_GPG_CONTROL
2253 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2260 c->trustletter = ' ';
2261 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2262 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2264 merge_keys_and_selfsig (node);
2265 list_node (c, node);
2267 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2269 merge_keys_and_selfsig (node);
2270 list_node (c, node);
2272 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2274 /* Check all signatures. */
2277 int use_textmode = 0;
2279 free_md_filter_context (&c->mfx);
2280 /* Prepare to create all requested message digests. */
2281 rc = gcry_md_open (&c->mfx.md, 0, 0);
2285 /* Fixme: why looking for the signature packet and not the
2287 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2288 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2290 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2293 /* Ask for file and hash it. */
2296 if (c->signed_data.used && c->signed_data.data_fd != -1)
2297 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2298 c->signed_data.data_fd,
2301 rc = hash_datafiles (c->mfx.md, NULL,
2302 c->signed_data.data_names,
2308 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2309 iobuf_get_real_fname (c->iobuf),
2316 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2320 else if (c->signed_data.used)
2322 log_error (_("not a detached signature\n"));
2326 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2327 check_sig_and_print (c, n1);
2330 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2331 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2333 /* Clear text signed message. */
2336 log_error ("cleartext signature without data\n");
2339 else if (c->signed_data.used)
2341 log_error (_("not a detached signature\n"));
2345 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2346 check_sig_and_print (c, n1);
2349 else if (node->pkt->pkttype == PKT_SIGNATURE)
2351 PKT_signature *sig = node->pkt->pkt.signature;
2352 int multiple_ok = 1;
2354 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2357 byte class = sig->sig_class;
2358 byte hash = sig->digest_algo;
2360 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2362 /* We can't currently handle multiple signatures of
2363 * different classes (we'd pretty much have to run a
2364 * different hash context for each), but if they are all
2365 * the same and it is detached signature, we make an
2366 * exception. Note that the old code also disallowed
2367 * multiple signatures if the digest algorithms are
2368 * different. We softened this restriction only for
2369 * detached signatures, to be on the safe side. */
2370 if (n1->pkt->pkt.signature->sig_class != class
2372 && n1->pkt->pkt.signature->digest_algo != hash))
2375 log_info (_("WARNING: multiple signatures detected. "
2376 "Only the first will be checked.\n"));
2382 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2384 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2386 else if (!c->any.data)
2388 /* Detached signature */
2389 free_md_filter_context (&c->mfx);
2390 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2392 goto detached_hash_err;
2396 /* If we have and want to handle multiple signatures we
2397 * need to enable all hash algorithms for the context. */
2398 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2399 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2400 gcry_md_enable (c->mfx.md,
2401 map_md_openpgp_to_gcry
2402 (n1->pkt->pkt.signature->digest_algo));
2405 if (RFC2440 || RFC4880)
2406 ; /* Strict RFC mode. */
2407 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2408 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2409 && sig->sig_class == 0x01)
2411 /* Enable a workaround for a pgp5 bug when the detached
2412 * signature has been created in textmode. Note that we
2413 * do not implement this for multiple signatures with
2414 * different hash algorithms. */
2415 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2417 goto detached_hash_err;
2420 /* Here we used to have another hack to work around a pgp
2421 * 2 bug: It worked by not using the textmode for detached
2422 * signatures; this would let the first signature check
2423 * (on md) fail but the second one (on md2), which adds an
2424 * extra CR would then have produced the "correct" hash.
2425 * This is very, very ugly hack but it may haved help in
2426 * some cases (and break others).
2427 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2432 gcry_md_debug (c->mfx.md, "verify");
2434 gcry_md_debug (c->mfx.md2, "verify2");
2439 if (c->signed_data.used && c->signed_data.data_fd != -1)
2440 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2441 c->signed_data.data_fd,
2442 (sig->sig_class == 0x01));
2444 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2445 c->signed_data.data_names,
2447 (sig->sig_class == 0x01));
2451 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2452 iobuf_get_real_fname(c->iobuf),
2453 (sig->sig_class == 0x01));
2459 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2463 else if (c->signed_data.used)
2465 log_error (_("not a detached signature\n"));
2468 else if (!opt.quiet)
2469 log_info (_("old style (PGP 2.x) signature\n"));
2473 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2474 check_sig_and_print (c, n1);
2477 check_sig_and_print (c, node);
2482 dump_kbnode (c->list);
2483 log_error ("invalid root packet detected in proc_tree()\n");