1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
39 #include "keyserver-internal.h"
41 #include "mbox-util.h"
42 #include "call-dirmngr.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
130 proc_tree (c, c->list);
131 release_kbnode (c->list);
132 while (c->pkenc_list)
134 struct kidlist_item *tmp = c->pkenc_list->next;
135 xfree (c->pkenc_list);
138 c->pkenc_list = NULL;
141 c->any.uncompress_failed = 0;
142 c->last_was_session_key = 0;
149 add_onepass_sig (CTX c, PACKET *pkt)
153 if (c->list) /* Add another packet. */
154 add_kbnode (c->list, new_kbnode (pkt));
155 else /* Insert the first one. */
156 c->list = node = new_kbnode (pkt);
163 add_gpg_control (CTX c, PACKET *pkt)
165 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
167 /* New clear text signature.
168 * Process the last one and reset everything */
172 if (c->list) /* Add another packet. */
173 add_kbnode (c->list, new_kbnode (pkt));
174 else /* Insert the first one. */
175 c->list = new_kbnode (pkt);
182 add_user_id (CTX c, PACKET *pkt)
186 log_error ("orphaned user ID\n");
189 add_kbnode (c->list, new_kbnode (pkt));
195 add_subkey (CTX c, PACKET *pkt)
199 log_error ("subkey w/o mainkey\n");
202 add_kbnode (c->list, new_kbnode (pkt));
208 add_ring_trust (CTX c, PACKET *pkt)
212 log_error ("ring trust w/o key\n");
215 add_kbnode (c->list, new_kbnode (pkt));
221 add_signature (CTX c, PACKET *pkt)
226 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
228 /* This is the first signature for the following datafile.
229 * GPG does not write such packets; instead it always uses
230 * onepass-sig packets. The drawback of PGP's method
231 * of prepending the signature to the data is
232 * that it is not possible to make a signature from data read
233 * from stdin. (GPG is able to read PGP stuff anyway.) */
234 node = new_kbnode (pkt);
239 return 0; /* oops (invalid packet sequence)*/
240 else if (!c->list->pkt)
241 BUG(); /* so nicht */
243 /* Add a new signature node item at the end. */
244 node = new_kbnode (pkt);
245 add_kbnode (c->list, node);
251 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
255 if(slen < 17 || slen > 33)
257 log_error ( _("weird size for an encrypted session key (%d)\n"),
259 return GPG_ERR_BAD_KEY;
262 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
264 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
266 gcry_cipher_setiv ( hd, NULL, 0 );
267 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
268 gcry_cipher_close ( hd );
270 /* Now we replace the dek components with the real session key to
271 decrypt the contents of the sequencing packet. */
276 if(dek->keylen > DIM(dek->key))
279 memcpy(dek->key, seskey + 1, dek->keylen);
281 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
288 proc_symkey_enc (CTX c, PACKET *pkt)
292 enc = pkt->pkt.symkey_enc;
294 log_error ("invalid symkey encrypted packet\n");
297 int algo = enc->cipher_algo;
298 const char *s = openpgp_cipher_algo_name (algo);
300 if (!openpgp_cipher_test_algo (algo))
305 log_info (_("%s encrypted session key\n"), s );
307 log_info (_("%s encrypted data\n"), s );
311 log_error (_("encrypted with unknown algorithm %d\n"), algo);
313 if (openpgp_md_test_algo (enc->s2k.hash_algo))
315 log_error(_("passphrase generated with unknown digest"
316 " algorithm %d\n"),enc->s2k.hash_algo);
320 c->last_was_session_key = 2;
321 if (!s || opt.list_only)
324 if (opt.override_session_key)
326 c->dek = xmalloc_clear (sizeof *c->dek);
327 if (get_override_session_key (c->dek, opt.override_session_key))
335 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
338 c->dek->symmetric = 1;
340 /* FIXME: This doesn't work perfectly if a symmetric key
341 comes before a public key in the message - if the
342 user doesn't know the passphrase, then there is a
343 chance that the "decrypted" algorithm will happen to
344 be a valid one, which will make the returned dek
345 appear valid, so we won't try any public keys that
349 if (symkey_decrypt_seskey (c->dek,
350 enc->seskey, enc->seskeylen))
357 c->dek->algo_info_printed = 1;
369 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
374 /* Check whether the secret key is available and store in this case. */
375 c->last_was_session_key = 1;
376 enc = pkt->pkt.pubkey_enc;
377 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
378 /* Hmmm: why do I have this algo check here - anyway there is
379 * function to check it. */
381 log_info (_("public key is %s\n"), keystr (enc->keyid));
383 if (is_status_enabled())
386 /* FIXME: For ECC support we need to map the OpenPGP algo number
387 to the Libgcrypt defined one. This is due a chicken-egg
388 problem: We need to have code in Libgcrypt for a new
389 algorithm so to implement a proposed new algorithm before the
390 IANA will finally assign an OpenPGP identifier. */
391 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
392 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
393 write_status_text (STATUS_ENC_TO, buf);
396 if (!opt.list_only && opt.override_session_key)
398 /* It does not make much sense to store the session key in
399 * secure memory because it has already been passed on the
400 * command line and the GCHQ knows about it. */
401 c->dek = xmalloc_clear (sizeof *c->dek);
402 result = get_override_session_key (c->dek, opt.override_session_key);
409 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
411 || enc->pubkey_algo == PUBKEY_ALGO_RSA
412 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
413 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
415 /* Note that we also allow type 20 Elgamal keys for decryption.
416 There are still a couple of those keys in active use as a
419 /* FIXME: Store this all in a list and process it later so that
420 we can prioritize what key to use. This gives a better user
421 experience if wildcard keyids are used. */
422 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
423 || opt.try_all_secrets
424 || have_secret_key_with_kid (enc->keyid)))
430 c->dek = xmalloc_secure_clear (sizeof *c->dek);
431 if ((result = get_session_key (ctrl, enc, c->dek)))
433 /* Error: Delete the DEK. */
440 result = GPG_ERR_NO_SECKEY;
443 result = GPG_ERR_PUBKEY_ALGO;
449 /* Store it for later display. */
450 struct kidlist_item *x = xmalloc (sizeof *x);
451 x->kid[0] = enc->keyid[0];
452 x->kid[1] = enc->keyid[1];
453 x->pubkey_algo = enc->pubkey_algo;
455 x->next = c->pkenc_list;
458 if (!result && opt.verbose > 1)
459 log_info (_("public key encrypted data: good DEK\n"));
467 * Print the list of public key encrypted packets which we could
471 print_pkenc_list (struct kidlist_item *list, int failed)
473 for (; list; list = list->next)
478 if (failed && !list->reason)
480 if (!failed && list->reason)
483 algstr = openpgp_pk_algo_name (list->pubkey_algo);
484 pk = xmalloc_clear (sizeof *pk);
488 pk->pubkey_algo = list->pubkey_algo;
489 if (!get_pubkey (pk, list->kid))
492 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
493 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
494 strtimestamp (pk->timestamp));
495 p = get_user_id_native (list->kid);
496 log_printf (_(" \"%s\"\n"), p);
500 log_info (_("encrypted with %s key, ID %s\n"),
501 algstr, keystr(list->kid));
503 free_public_key (pk);
505 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
507 if (is_status_enabled())
510 snprintf (buf, sizeof buf, "%08lX%08lX",
511 (ulong)list->kid[0], (ulong)list->kid[1]);
512 write_status_text (STATUS_NO_SECKEY, buf);
515 else if (list->reason)
517 log_info (_("public key decryption failed: %s\n"),
518 gpg_strerror (list->reason));
519 write_status_error ("pkdecrypt_failed", list->reason);
526 proc_encrypted (CTX c, PACKET *pkt)
533 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
534 else if (c->symkeys == 1)
535 log_info (_("encrypted with 1 passphrase\n"));
536 print_pkenc_list ( c->pkenc_list, 1 );
537 print_pkenc_list ( c->pkenc_list, 0 );
540 /* FIXME: Figure out the session key by looking at all pkenc packets. */
542 write_status (STATUS_BEGIN_DECRYPTION);
544 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
547 else if (!c->dek && !c->last_was_session_key)
551 STRING2KEY *s2k = NULL;
554 if (opt.override_session_key)
556 c->dek = xmalloc_clear (sizeof *c->dek);
557 result = get_override_session_key (c->dek, opt.override_session_key);
566 /* Assume this is old style conventional encrypted data. */
567 algo = opt.def_cipher_algo;
569 log_info (_("assuming %s encrypted data\n"),
570 openpgp_cipher_algo_name (algo));
571 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
573 algo = opt.def_cipher_algo;
575 algo = opt.s2k_cipher_algo;
576 log_info (_("IDEA cipher unavailable, "
577 "optimistically attempting to use %s instead\n"),
578 openpgp_cipher_algo_name (algo));
582 algo = CIPHER_ALGO_IDEA;
583 if (!opt.s2k_digest_algo)
585 /* If no digest is given we assume SHA-1. */
587 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
590 log_info (_("assuming %s encrypted data\n"), "IDEA");
593 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
595 c->dek->algo_info_printed = 1;
597 result = gpg_error (GPG_ERR_CANCELED);
599 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
603 result = GPG_ERR_NO_SECKEY;
606 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
611 && !opt.ignore_mdc_error
612 && !pkt->pkt.encrypted->mdc_method
613 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
614 && c->dek->algo != CIPHER_ALGO_TWOFISH)
616 /* The message has been decrypted but has no MDC despite that a
617 modern cipher (blocklength != 64 bit, except for Twofish) is
618 used and the option to ignore MDC errors is not used: To
619 avoid attacks changing an MDC message to a non-MDC message,
621 log_error (_("WARNING: message was not integrity protected\n"));
623 log_info ("decryption forced to fail\n");
624 write_status (STATUS_DECRYPTION_FAILED);
626 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
627 && opt.ignore_mdc_error))
629 write_status (STATUS_DECRYPTION_OKAY);
631 log_info(_("decryption okay\n"));
632 if (pkt->pkt.encrypted->mdc_method && !result)
633 write_status (STATUS_GOODMDC);
634 else if (!opt.no_mdc_warn)
635 log_info (_("WARNING: message was not integrity protected\n"));
637 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
639 glo_ctrl.lasterr = result;
640 log_error (_("WARNING: encrypted message has been manipulated!\n"));
641 write_status (STATUS_BADMDC);
642 write_status (STATUS_DECRYPTION_FAILED);
646 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
647 && *c->dek->s2k_cacheid != '\0')
650 log_debug ("cleared passphrase cached with ID: %s\n",
651 c->dek->s2k_cacheid);
652 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
654 glo_ctrl.lasterr = result;
655 write_status (STATUS_DECRYPTION_FAILED);
656 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
657 /* Hmmm: does this work when we have encrypted using multiple
658 * ways to specify the session key (symmmetric and PK). */
664 c->last_was_session_key = 0;
665 write_status (STATUS_END_DECRYPTION);
670 proc_plaintext( CTX c, PACKET *pkt )
672 PKT_plaintext *pt = pkt->pkt.plaintext;
673 int any, clearsig, rc;
678 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
679 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
680 else if (opt.verbose)
681 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
683 free_md_filter_context (&c->mfx);
684 if (gcry_md_open (&c->mfx.md, 0, 0))
686 /* fixme: we may need to push the textfilter if we have sigclass 1
687 * and no armoring - Not yet tested
688 * Hmmm, why don't we need it at all if we have sigclass 1
689 * Should we assume that plaintext in mode 't' has always sigclass 1??
690 * See: Russ Allbery's mail 1999-02-09
693 for (n=c->list; n; n = n->next )
695 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
697 /* The onepass signature case. */
698 if (n->pkt->pkt.onepass_sig->digest_algo)
700 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
704 else if (n->pkt->pkttype == PKT_GPG_CONTROL
705 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
707 /* The clearsigned message case. */
708 size_t datalen = n->pkt->pkt.gpg_control->datalen;
709 const byte *data = n->pkt->pkt.gpg_control->data;
711 /* Check that we have at least the sigclass and one hash. */
713 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
714 /* Note that we don't set the clearsig flag for not-dash-escaped
716 clearsig = (*data == 0x01);
717 for (data++, datalen--; datalen; datalen--, data++)
718 gcry_md_enable (c->mfx.md, *data);
720 break; /* Stop here as one-pass signature packets are not
723 else if (n->pkt->pkttype == PKT_SIGNATURE)
725 /* The SIG+LITERAL case that PGP used to use. */
726 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
731 if (!any && !opt.skip_verify)
733 /* This is for the old GPG LITERAL+SIG case. It's not legal
734 according to 2440, so hopefully it won't come up that often.
735 There is no good way to specify what algorithms to use in
736 that case, so these there are the historical answer. */
737 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
738 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
742 gcry_md_debug (c->mfx.md, "verify");
744 gcry_md_debug (c->mfx.md2, "verify2");
749 if (literals_seen > 1)
751 log_info (_("WARNING: multiple plaintexts seen\n"));
753 if (!opt.flags.allow_multiple_messages)
755 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
756 log_inc_errorcount ();
757 rc = gpg_error (GPG_ERR_UNEXPECTED);
763 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
764 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
766 /* Can't write output but we hash it anyway to check the
768 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
773 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
776 c->last_was_session_key = 0;
778 /* We add a marker control packet instead of the plaintext packet.
779 * This is so that we can later detect invalid packet sequences. */
780 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
782 add_kbnode (c->list, n);
789 proc_compressed_cb (iobuf_t a, void *info)
791 if ( ((CTX)info)->signed_data.used
792 && ((CTX)info)->signed_data.data_fd != -1)
793 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
794 ((CTX)info)->signed_data.data_fd);
796 return proc_signature_packets (((CTX)info)->ctrl, info, a,
797 ((CTX)info)->signed_data.data_names,
798 ((CTX)info)->sigfilename );
803 proc_encrypt_cb (iobuf_t a, void *info )
806 return proc_encryption_packets (c->ctrl, info, a );
811 proc_compressed (CTX c, PACKET *pkt)
813 PKT_compressed *zd = pkt->pkt.compressed;
816 /*printf("zip: compressed data packet\n");*/
818 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
819 else if( c->encrypt_only )
820 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
822 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
824 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
826 if (!c->any.uncompress_failed)
830 for (cc=c; cc; cc = cc->anchor)
831 cc->any.uncompress_failed = 1;
832 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
836 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
839 c->last_was_session_key = 0;
845 * check the signature
846 * Returns: 0 = valid signature or an error code
849 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
850 int *is_expkey, int *is_revkey)
853 gcry_md_hd_t md = NULL;
854 gcry_md_hd_t md2 = NULL;
855 gcry_md_hd_t md_good = NULL;
858 assert (node->pkt->pkttype == PKT_SIGNATURE);
861 sig = node->pkt->pkt.signature;
863 algo = sig->digest_algo;
864 rc = openpgp_md_test_algo (algo);
868 if (sig->sig_class == 0x00)
872 if (gcry_md_copy (&md, c->mfx.md ))
875 else /* detached signature */
877 /* check_signature() will enable the md. */
878 if (gcry_md_open (&md, 0, 0 ))
882 else if (sig->sig_class == 0x01)
884 /* How do we know that we have to hash the (already hashed) text
885 in canonical mode ??? (calculating both modes???) */
888 if (gcry_md_copy (&md, c->mfx.md ))
890 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
893 else /* detached signature */
895 log_debug ("Do we really need this here?");
896 /* check_signature() will enable the md*/
897 if (gcry_md_open (&md, 0, 0 ))
899 if (gcry_md_open (&md2, 0, 0 ))
903 else if ((sig->sig_class&~3) == 0x10
904 || sig->sig_class == 0x18
905 || sig->sig_class == 0x1f
906 || sig->sig_class == 0x20
907 || sig->sig_class == 0x28
908 || sig->sig_class == 0x30)
910 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
911 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
913 return check_key_signature( c->list, node, is_selfsig );
915 else if (sig->sig_class == 0x20)
917 log_error (_("standalone revocation - "
918 "use \"gpg --import\" to apply\n"));
919 return GPG_ERR_NOT_PROCESSED;
923 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
924 return GPG_ERR_SIG_CLASS;
928 return GPG_ERR_SIG_CLASS;
930 /* We only get here if we are checking the signature of a binary
931 (0x00) or text document (0x01). */
932 rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, NULL);
935 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
937 rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
944 unsigned char *buffer = gcry_md_read (md_good, 0);
945 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
946 memcpy (sig->digest, buffer, sig->digest_len);
957 print_userid (PACKET *pkt)
962 if (pkt->pkttype != PKT_USER_ID)
964 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
969 if (pkt->pkt.user_id->attrib_data)
971 pkt->pkt.user_id->numattribs,
972 pkt->pkt.user_id->attrib_len);
974 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
975 pkt->pkt.user_id->len, ":", NULL);
978 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
979 pkt->pkt.user_id->len );
984 * List the keyblock in a user friendly way
987 list_node (CTX c, kbnode_t node)
990 char pkstrbuf[PUBKEY_STRING_SIZE];
994 else if ((mainkey = (node->pkt->pkttype == PKT_PUBLIC_KEY))
995 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY )
997 PKT_public_key *pk = node->pkt->pkt.public_key;
1003 keyid_from_pk( pk, keyid );
1005 c->trustletter = (opt.fast_list_mode?
1006 0 : get_validity_info( pk, NULL));
1007 es_printf ("%s:", mainkey? "pub":"sub" );
1009 es_putc (c->trustletter, es_stdout);
1010 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1011 nbits_from_pk( pk ),
1013 (ulong)keyid[0],(ulong)keyid[1],
1014 colon_datestr_from_pk( pk ),
1015 colon_strtime (pk->expiredate) );
1016 if (mainkey && !opt.fast_list_mode)
1017 es_putc (get_ownertrust_info (pk), es_stdout);
1018 es_putc (':', es_stdout);
1021 es_printf ("%s %s/%s %s",
1022 mainkey? "pub":"sub",
1023 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
1024 keystr_from_pk (pk),
1025 datestr_from_pk (pk));
1027 if (pk->flags.revoked)
1030 es_printf (_("revoked: %s"), revokestr_from_pk (pk));
1033 else if( pk->expiredate && !opt.with_colons)
1036 es_printf (_("expires: %s"), expirestr_from_pk (pk));
1040 es_putc ('\n', es_stdout);
1042 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
1043 print_fingerprint (NULL, pk, 0);
1045 if (opt.with_colons)
1047 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1048 es_printf ("rtv:1:%u:\n",
1049 node->next->pkt->pkt.ring_trust->trustval);
1054 /* Now list all userids with their signatures. */
1055 for (node = node->next; node; node = node->next)
1057 if (node->pkt->pkttype == PKT_SIGNATURE)
1059 list_node (c, node );
1061 else if (node->pkt->pkttype == PKT_USER_ID)
1063 if (opt.with_colons)
1064 es_printf ("%s:::::::::",
1065 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1067 es_printf ("uid%*s",
1068 (int)keystrlen ()+(opt.legacy_list_mode? 9:11),
1070 print_userid (node->pkt);
1071 if (opt.with_colons)
1072 es_putc (':', es_stdout);
1073 es_putc ('\n', es_stdout);
1076 && node->next->pkt->pkttype == PKT_RING_TRUST)
1078 es_printf ("rtv:2:%u:\n",
1079 node->next->pkt->pkt.ring_trust?
1080 node->next->pkt->pkt.ring_trust->trustval : 0);
1083 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1085 list_node(c, node );
1090 else if ((mainkey = (node->pkt->pkttype == PKT_SECRET_KEY) )
1091 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1094 log_debug ("FIXME: No way to print secret key packets here\n");
1095 /* fixme: We may use a function to turn a secret key packet into
1096 a public key one and use that here. */
1098 else if (node->pkt->pkttype == PKT_SIGNATURE)
1100 PKT_signature *sig = node->pkt->pkt.signature;
1110 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1111 es_fputs ("rev", es_stdout);
1113 es_fputs ("sig", es_stdout);
1117 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1118 switch (gpg_err_code (rc2))
1120 case 0: sigrc = '!'; break;
1121 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1122 case GPG_ERR_NO_PUBKEY:
1123 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1124 default: sigrc = '%'; break;
1127 else /* Check whether this is a self signature. */
1131 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1132 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1134 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1136 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1141 if (opt.with_colons)
1143 es_putc (':', es_stdout);
1145 es_putc (sigrc, es_stdout);
1146 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1147 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1148 colon_datestr_from_sig (sig),
1149 colon_expirestr_from_sig (sig));
1151 if (sig->trust_depth || sig->trust_value)
1152 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1153 es_putc (':', es_stdout);
1155 if (sig->trust_regexp)
1156 es_write_sanitized (es_stdout, sig->trust_regexp,
1157 strlen (sig->trust_regexp), ":", NULL);
1158 es_putc (':', es_stdout);
1161 es_printf ("%c %s %s ",
1162 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1164 es_printf ("[%s] ", gpg_strerror (rc2) );
1165 else if (sigrc == '?')
1167 else if (is_selfsig)
1169 if (opt.with_colons)
1170 es_putc (':', es_stdout);
1171 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1172 if (opt.with_colons)
1173 es_putc (':', es_stdout);
1175 else if (!opt.fast_list_mode)
1177 p = get_user_id (sig->keyid, &n);
1178 es_write_sanitized (es_stdout, p, n,
1179 opt.with_colons?":":NULL, NULL );
1182 if (opt.with_colons)
1183 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1184 es_putc ('\n', es_stdout);
1187 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1192 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1195 CTX c = xmalloc_clear (sizeof *c);
1199 rc = do_proc_packets (ctrl, c, a);
1207 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1208 strlist_t signedfiles, const char *sigfilename )
1210 CTX c = xmalloc_clear (sizeof *c);
1217 c->signed_data.data_fd = -1;
1218 c->signed_data.data_names = signedfiles;
1219 c->signed_data.used = !!signedfiles;
1221 c->sigfilename = sigfilename;
1222 rc = do_proc_packets (ctrl, c, a);
1224 /* If we have not encountered any signature we print an error
1225 messages, send a NODATA status back and return an error code.
1226 Using log_error is required because verify_files does not check
1227 error codes for each file but we want to terminate the process
1229 if (!rc && !c->any.sig_seen)
1231 write_status_text (STATUS_NODATA, "4");
1232 log_error (_("no signature found\n"));
1233 rc = GPG_ERR_NO_DATA;
1236 /* Propagate the signature seen flag upward. Do this only on success
1237 so that we won't issue the nodata status several times. */
1238 if (!rc && c->anchor && c->any.sig_seen)
1239 c->anchor->any.sig_seen = 1;
1247 proc_signature_packets_by_fd (ctrl_t ctrl,
1248 void *anchor, iobuf_t a, int signed_data_fd )
1253 c = xtrycalloc (1, sizeof *c);
1255 return gpg_error_from_syserror ();
1261 c->signed_data.data_fd = signed_data_fd;
1262 c->signed_data.data_names = NULL;
1263 c->signed_data.used = (signed_data_fd != -1);
1265 rc = do_proc_packets (ctrl, c, a);
1267 /* If we have not encountered any signature we print an error
1268 messages, send a NODATA status back and return an error code.
1269 Using log_error is required because verify_files does not check
1270 error codes for each file but we want to terminate the process
1272 if (!rc && !c->any.sig_seen)
1274 write_status_text (STATUS_NODATA, "4");
1275 log_error (_("no signature found\n"));
1276 rc = gpg_error (GPG_ERR_NO_DATA);
1279 /* Propagate the signature seen flag upward. Do this only on success
1280 so that we won't issue the nodata status several times. */
1281 if (!rc && c->anchor && c->any.sig_seen)
1282 c->anchor->any.sig_seen = 1;
1290 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1292 CTX c = xmalloc_clear (sizeof *c);
1297 c->encrypt_only = 1;
1298 rc = do_proc_packets (ctrl, c, a);
1305 check_nesting (CTX c)
1309 for (level=0; c; c = c->anchor)
1312 if (level > MAX_NESTING_DEPTH)
1314 log_error ("input data with too deeply nested packets\n");
1315 write_status_text (STATUS_UNEXPECTED, "1");
1316 return GPG_ERR_BAD_DATA;
1324 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1331 rc = check_nesting (c);
1335 pkt = xmalloc( sizeof *pkt );
1338 while ((rc=parse_packet(a, pkt)) != -1)
1344 /* Stop processing when an invalid packet has been encountered
1345 * but don't do so when we are doing a --list-packets. */
1346 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1347 && opt.list_packets != 2 )
1352 if (opt.list_packets)
1354 switch (pkt->pkttype)
1356 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1357 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1359 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1360 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1361 default: newpkt = 0; break;
1364 else if (c->sigs_only)
1366 switch (pkt->pkttype)
1368 case PKT_PUBLIC_KEY:
1369 case PKT_SECRET_KEY:
1371 case PKT_SYMKEY_ENC:
1372 case PKT_PUBKEY_ENC:
1374 case PKT_ENCRYPTED_MDC:
1375 write_status_text( STATUS_UNEXPECTED, "0" );
1376 rc = GPG_ERR_UNEXPECTED;
1379 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1380 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1381 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1382 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1383 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1384 default: newpkt = 0; break;
1387 else if (c->encrypt_only)
1389 switch (pkt->pkttype)
1391 case PKT_PUBLIC_KEY:
1392 case PKT_SECRET_KEY:
1394 write_status_text (STATUS_UNEXPECTED, "0");
1395 rc = GPG_ERR_UNEXPECTED;
1398 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1399 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1400 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1402 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1403 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1404 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1405 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1406 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1407 default: newpkt = 0; break;
1412 switch (pkt->pkttype)
1414 case PKT_PUBLIC_KEY:
1415 case PKT_SECRET_KEY:
1417 c->list = new_kbnode (pkt);
1420 case PKT_PUBLIC_SUBKEY:
1421 case PKT_SECRET_SUBKEY:
1422 newpkt = add_subkey (c, pkt);
1424 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1425 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1426 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1427 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1429 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1430 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1431 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1432 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1433 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1434 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1435 default: newpkt = 0; break;
1442 /* This is a very ugly construct and frankly, I don't remember why
1443 * I used it. Adding the MDC check here is a hack.
1444 * The right solution is to initiate another context for encrypted
1445 * packet and not to reuse the current one ... It works right
1446 * when there is a compression packet between which adds just
1448 * Hmmm: Rewrite this whole module here??
1450 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1451 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1457 pkt = xmalloc (sizeof *pkt);
1464 if (rc == GPG_ERR_INV_PACKET)
1465 write_status_text (STATUS_NODATA, "3");
1470 write_status_text (STATUS_NODATA, "2");
1478 free_md_filter_context (&c->mfx);
1483 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1484 of the notation data. */
1486 get_pka_address (PKT_signature *sig)
1488 pka_info_t *pka = NULL;
1489 struct notation *nd,*notation;
1491 notation=sig_to_notation(sig);
1493 for(nd=notation;nd;nd=nd->next)
1495 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1496 continue; /* Not the notation we want. */
1498 /* For now we only use the first valid PKA notation. In future
1499 we might want to keep additional PKA notations in a linked
1501 if (is_valid_mailbox (nd->value))
1503 pka = xmalloc (sizeof *pka + strlen(nd->value));
1507 strcpy (pka->email, nd->value);
1512 free_notation(notation);
1518 /* Return the URI from a DNS PKA record. If this record has already
1519 be retrieved for the signature we merely return it; if not we go
1520 out and try to get that DNS record. */
1522 pka_uri_from_sig (CTX c, PKT_signature *sig)
1524 if (!sig->flags.pka_tried)
1526 assert (!sig->pka_info);
1527 sig->flags.pka_tried = 1;
1528 sig->pka_info = get_pka_address (sig);
1535 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1536 &fpr, &fprlen, &url))
1538 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1540 memcpy (sig->pka_info->fpr, fpr, fprlen);
1543 sig->pka_info->valid = 1;
1547 sig->pka_info->uri = url;
1556 return sig->pka_info? sig->pka_info->uri : NULL;
1561 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1562 PKT_signature *sig, int rc)
1566 write_status_text_and_buffer (statno, keyid_str,
1567 un? un->pkt->pkt.user_id->name:"[?]",
1568 un? un->pkt->pkt.user_id->len:3,
1572 p = utf8_to_native (un->pkt->pkt.user_id->name,
1573 un->pkt->pkt.user_id->len, 0);
1575 p = xstrdup ("[?]");
1578 log_info (_("BAD signature from \"%s\""), p);
1579 else if (sig->flags.expired)
1580 log_info (_("Expired signature from \"%s\""), p);
1582 log_info (_("Good signature from \"%s\""), p);
1589 check_sig_and_print (CTX c, kbnode_t node)
1591 PKT_signature *sig = node->pkt->pkt.signature;
1596 char pkstrbuf[PUBKEY_STRING_SIZE];
1600 if (opt.skip_verify)
1602 log_info(_("signature verification suppressed\n"));
1606 /* Check that the message composition is valid.
1608 Per RFC-2440bis (-15) allowed:
1610 S{1,n} -- detached signature.
1611 S{1,n} P -- old style PGP2 signature
1612 O{1,n} P S{1,n} -- standard OpenPGP signature.
1613 C P S{1,n} -- cleartext signature.
1616 O = One-Pass Signature packet.
1617 S = Signature packet.
1618 P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1619 (Note that the current rfc2440bis draft also allows
1620 for a signed message but that does not work as it
1621 introduces ambiguities.)
1622 We keep track of these packages using the marker packet
1623 CTRLPKT_PLAINTEXT_MARK.
1624 C = Marker packet for cleartext signatures.
1626 We reject all other messages.
1628 Actually we are calling this too often, i.e. for verification of
1629 each message but better have some duplicate work than to silently
1630 introduce a bug here.
1634 int n_onepass, n_sig;
1636 /* log_debug ("checking signature packet composition\n"); */
1637 /* dump_kbnode (c->list); */
1641 if ( n->pkt->pkttype == PKT_SIGNATURE )
1643 /* This is either "S{1,n}" case (detached signature) or
1644 "S{1,n} P" (old style PGP2 signature). */
1645 for (n = n->next; n; n = n->next)
1646 if (n->pkt->pkttype != PKT_SIGNATURE)
1649 ; /* Okay, this is a detached signature. */
1650 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1651 && (n->pkt->pkt.gpg_control->control
1652 == CTRLPKT_PLAINTEXT_MARK) )
1655 goto ambiguous; /* We only allow one P packet. */
1660 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1662 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1663 for (n_onepass=1, n = n->next;
1664 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1666 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1667 && (n->pkt->pkt.gpg_control->control
1668 == CTRLPKT_PLAINTEXT_MARK)))
1670 for (n_sig=0, n = n->next;
1671 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1676 /* If we wanted to disallow multiple sig verification, we'd do
1677 something like this:
1679 if (n && !opt.allow_multisig_verification)
1682 However, now that we have --allow-multiple-messages, this
1683 can stay allowable as we can't get here unless multiple
1684 messages (i.e. multiple literals) are allowed. */
1686 if (n_onepass != n_sig)
1688 log_info ("number of one-pass packets does not match "
1689 "number of signature packets\n");
1693 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1694 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1696 /* This is the "C P S{1,n}" case (clear text signature). */
1698 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1699 && (n->pkt->pkt.gpg_control->control
1700 == CTRLPKT_PLAINTEXT_MARK)))
1702 for (n_sig=0, n = n->next;
1703 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1711 log_error(_("can't handle this ambiguous signature data\n"));
1716 write_status_text (STATUS_NEWSIG, NULL);
1718 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1719 if (keystrlen () > 8)
1721 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1722 log_info (_(" using %s key %s\n"),
1723 astr? astr: "?",keystr(sig->keyid));
1726 log_info (_("Signature made %s using %s key ID %s\n"),
1727 asctimestamp(sig->timestamp), astr? astr: "?",
1728 keystr(sig->keyid));
1730 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1732 /* If the key isn't found, check for a preferred keyserver */
1734 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1740 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1742 /* According to my favorite copy editor, in English grammar,
1743 you say "at" if the key is located on a web page, but
1744 "from" if it is located on a keyserver. I'm not going to
1745 even try to make two strings here :) */
1746 log_info(_("Key available at: ") );
1747 print_utf8_buffer (log_get_stream(), p, n);
1750 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1751 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1753 struct keyserver_spec *spec;
1755 spec = parse_preferred_keyserver (sig);
1760 glo_ctrl.in_auto_key_retrieve++;
1761 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1762 glo_ctrl.in_auto_key_retrieve--;
1764 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1765 free_keyserver_spec (spec);
1774 /* If the preferred keyserver thing above didn't work, our second
1775 try is to use the URI from a DNS PKA record. */
1776 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1777 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1778 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1780 const char *uri = pka_uri_from_sig (c, sig);
1784 /* FIXME: We might want to locate the key using the
1785 fingerprint instead of the keyid. */
1787 struct keyserver_spec *spec;
1789 spec = parse_keyserver_uri (uri, 1);
1792 glo_ctrl.in_auto_key_retrieve++;
1793 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1794 glo_ctrl.in_auto_key_retrieve--;
1795 free_keyserver_spec (spec);
1797 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1802 /* If the preferred keyserver thing above didn't work and we got
1803 no information from the DNS PKA, this is a third try. */
1805 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1806 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1807 && keyserver_any_configured (c->ctrl))
1811 glo_ctrl.in_auto_key_retrieve++;
1812 res=keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1813 glo_ctrl.in_auto_key_retrieve--;
1815 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1818 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1820 kbnode_t un, keyblock;
1824 PKT_public_key *pk = NULL;
1827 statno = STATUS_BADSIG;
1828 else if (sig->flags.expired)
1829 statno = STATUS_EXPSIG;
1831 statno = STATUS_EXPKEYSIG;
1833 statno = STATUS_REVKEYSIG;
1835 statno = STATUS_GOODSIG;
1837 keyblock = get_pubkeyblock (sig->keyid);
1839 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1840 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1842 /* Find and print the primary user ID along with the
1843 "Good|Expired|Bad signature" line. */
1844 for (un=keyblock; un; un = un->next)
1848 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1850 pk=un->pkt->pkt.public_key;
1853 if (un->pkt->pkttype != PKT_USER_ID)
1855 if (!un->pkt->pkt.user_id->created)
1857 if (un->pkt->pkt.user_id->is_revoked)
1859 if (un->pkt->pkt.user_id->is_expired)
1861 if (!un->pkt->pkt.user_id->is_primary)
1863 /* We want the textual primary user ID here */
1864 if (un->pkt->pkt.user_id->attrib_data)
1869 /* Since this is just informational, don't actually ask the
1870 user to update any trust information. (Note: we register
1871 the signature later.) Because print_good_bad_signature
1872 does not print a LF we need to compute the validity
1873 before calling that function. */
1874 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1875 valid = get_validity (pk, un->pkt->pkt.user_id, NULL, 0);
1877 valid = 0; /* Not used. */
1879 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1881 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1883 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1884 log_printf (" [%s]\n",trust_value_to_string(valid));
1888 /* Get a string description of the algo for informational
1889 output we want to print later. It is convenient to do it
1890 here because we already have the right public key. */
1891 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1895 /* In case we did not found a valid valid textual userid above
1896 we print the first user id packet or a "[?]" instead along
1897 with the "Good|Expired|Bad signature" line. */
1900 /* Try for an invalid textual userid */
1901 for (un=keyblock; un; un = un->next)
1903 if (un->pkt->pkttype == PKT_USER_ID
1904 && !un->pkt->pkt.user_id->attrib_data)
1908 /* Try for any userid at all */
1911 for (un=keyblock; un; un = un->next)
1913 if (un->pkt->pkttype == PKT_USER_ID)
1918 if (opt.trust_model==TM_ALWAYS || !un)
1919 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1921 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1923 if (opt.trust_model != TM_ALWAYS && un)
1924 log_printf (" %s",_("[uncertain]") );
1928 /* If we have a good signature and already printed
1929 * the primary user ID, print all the other user IDs */
1932 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1935 for( un=keyblock; un; un = un->next)
1937 if (un->pkt->pkttype != PKT_USER_ID)
1939 if ((un->pkt->pkt.user_id->is_revoked
1940 || un->pkt->pkt.user_id->is_expired)
1941 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1943 /* Skip textual primary user ids which we printed above. */
1944 if (un->pkt->pkt.user_id->is_primary
1945 && !un->pkt->pkt.user_id->attrib_data )
1948 /* If this user id has attribute data, print that. */
1949 if (un->pkt->pkt.user_id->attrib_data)
1951 dump_attribs (un->pkt->pkt.user_id, pk);
1953 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1954 show_photos (un->pkt->pkt.user_id->attribs,
1955 un->pkt->pkt.user_id->numattribs,
1956 pk ,un->pkt->pkt.user_id);
1959 p = utf8_to_native (un->pkt->pkt.user_id->name,
1960 un->pkt->pkt.user_id->len, 0);
1961 log_info (_(" aka \"%s\""), p);
1964 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1968 if (un->pkt->pkt.user_id->is_revoked)
1969 valid = _("revoked");
1970 else if (un->pkt->pkt.user_id->is_expired)
1971 valid = _("expired");
1973 /* Since this is just informational, don't
1974 actually ask the user to update any trust
1976 valid = (trust_value_to_string
1977 (get_validity (pk, un->pkt->pkt.user_id, sig, 0)));
1978 log_printf (" [%s]\n",valid);
1984 release_kbnode( keyblock );
1986 /* For good signatures print notation data. */
1989 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
1990 show_policy_url (sig, 0, 1);
1992 show_policy_url (sig, 0, 2);
1994 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
1995 show_keyserver_url (sig, 0, 1);
1997 show_keyserver_url (sig, 0, 2);
1999 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2002 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2003 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2005 show_notation (sig, 0, 2, 0);
2008 /* For good signatures print the VALIDSIG status line. */
2009 if (!rc && is_status_enabled ())
2011 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
2013 if (!get_pubkey (vpk, sig->keyid))
2015 byte array[MAX_FINGERPRINT_LEN], *p;
2016 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
2020 fingerprint_from_pk (vpk, array, &n);
2022 for(i=0; i < n ; i++, p++, bufp += 2)
2023 sprintf (bufp, "%02X", *p );
2024 /* TODO: Replace the reserved '0' in the field below
2025 with bits for status flags (policy url, notation,
2026 etc.). Remember to make the buffer larger to match! */
2027 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
2028 strtimestamp( sig->timestamp ),
2029 (ulong)sig->timestamp,(ulong)sig->expiredate,
2030 sig->version,sig->pubkey_algo,sig->digest_algo,
2032 bufp = bufp + strlen (bufp);
2033 if (!vpk->flags.primary)
2037 akid[0] = vpk->main_keyid[0];
2038 akid[1] = vpk->main_keyid[1];
2039 free_public_key (vpk);
2040 vpk = xmalloc_clear (sizeof *vpk);
2041 if (get_pubkey (vpk, akid))
2043 /* Impossible error, we simply return a zeroed out fpr */
2044 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
2045 memset (array, 0, n);
2048 fingerprint_from_pk( vpk, array, &n );
2051 for (i=0; i < n ; i++, p++, bufp += 2)
2052 sprintf(bufp, "%02X", *p );
2053 write_status_text (STATUS_VALIDSIG, buf);
2055 free_public_key (vpk);
2058 /* For good signatures compute and print the trust information.
2059 Note that in the Tofu trust model this may ask the user on
2060 how to resolve a conflict. */
2063 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2064 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2065 rc = check_signatures_trust (sig);
2068 /* Print extra information about the signature. */
2069 if (sig->flags.expired)
2071 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2072 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2074 else if (sig->expiredate)
2075 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2078 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2079 sig->sig_class==0x00?_("binary"):
2080 sig->sig_class==0x01?_("textmode"):_("unknown"),
2081 gcry_md_algo_name (sig->digest_algo),
2082 *pkstrbuf?_(", key algorithm "):"",
2085 /* Print final warnings. */
2086 if (!rc && !c->signed_data.used)
2088 /* Signature is basically good but we test whether the
2090 gpg --verify FILE.sig
2092 gpg --verify FILE.sig FILE
2093 to verify a detached signature. If we figure out that a
2094 data file with a matching name exists, we print a warning.
2096 The problem is that the first form would also verify a
2097 standard signature. This behavior could be used to
2098 create a made up .sig file for a tarball by creating a
2099 standard signature from a valid detached signature packet
2100 (for example from a signed git tag). Then replace the
2101 sig file on the FTP server along with a changed tarball.
2102 Using the first form the verify command would correctly
2103 verify the signature but don't even consider the tarball. */
2107 dfile = get_matching_datafile (c->sigfilename);
2110 for (n = c->list; n; n = n->next)
2111 if (n->pkt->pkttype != PKT_SIGNATURE)
2115 /* Not only signature packets in the tree thus this
2116 is not a detached signature. */
2117 log_info (_("WARNING: not a detached signature; "
2118 "file '%s' was NOT verified!\n"), dfile);
2125 g10_errors_seen = 1;
2126 if (opt.batch && rc)
2133 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2134 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2135 sig->pubkey_algo, sig->digest_algo,
2136 sig->sig_class, (ulong)sig->timestamp, rc);
2137 write_status_text (STATUS_ERRSIG, buf);
2138 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2141 write_status_text (STATUS_NO_PUBKEY, buf);
2143 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2144 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2152 * Process the tree which starts at node
2155 proc_tree (CTX c, kbnode_t node)
2160 if (opt.list_packets || opt.list_only)
2163 /* We must skip our special plaintext marker packets here because
2164 they may be the root packet. These packets are only used in
2165 addional checks and skipping them here doesn't matter. */
2167 && node->pkt->pkttype == PKT_GPG_CONTROL
2168 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2175 c->trustletter = ' ';
2176 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2177 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2179 merge_keys_and_selfsig (node);
2180 list_node (c, node);
2182 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2184 merge_keys_and_selfsig (node);
2185 list_node (c, node);
2187 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2189 /* Check all signatures. */
2192 int use_textmode = 0;
2194 free_md_filter_context (&c->mfx);
2195 /* Prepare to create all requested message digests. */
2196 rc = gcry_md_open (&c->mfx.md, 0, 0);
2200 /* Fixme: why looking for the signature packet and not the
2202 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2203 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2205 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2208 /* Ask for file and hash it. */
2211 if (c->signed_data.used && c->signed_data.data_fd != -1)
2212 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2213 c->signed_data.data_fd,
2216 rc = hash_datafiles (c->mfx.md, NULL,
2217 c->signed_data.data_names,
2223 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2224 iobuf_get_real_fname (c->iobuf),
2231 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2235 else if (c->signed_data.used)
2237 log_error (_("not a detached signature\n"));
2241 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2242 check_sig_and_print (c, n1);
2245 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2246 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2248 /* Clear text signed message. */
2251 log_error ("cleartext signature without data\n");
2254 else if (c->signed_data.used)
2256 log_error (_("not a detached signature\n"));
2260 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2261 check_sig_and_print (c, n1);
2264 else if (node->pkt->pkttype == PKT_SIGNATURE)
2266 PKT_signature *sig = node->pkt->pkt.signature;
2267 int multiple_ok = 1;
2269 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2272 byte class = sig->sig_class;
2273 byte hash = sig->digest_algo;
2275 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2277 /* We can't currently handle multiple signatures of
2278 different classes or digests (we'd pretty much have
2279 to run a different hash context for each), but if
2280 they are all the same, make an exception. */
2281 if (n1->pkt->pkt.signature->sig_class != class
2282 || n1->pkt->pkt.signature->digest_algo != hash)
2285 log_info (_("WARNING: multiple signatures detected. "
2286 "Only the first will be checked.\n"));
2292 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2294 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2296 else if (!c->any.data)
2298 /* Detached signature */
2299 free_md_filter_context (&c->mfx);
2300 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2302 goto detached_hash_err;
2304 if (RFC2440 || RFC4880)
2305 ; /* Strict RFC mode. */
2306 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2307 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2308 && sig->sig_class == 0x01)
2310 /* Enable a workaround for a pgp5 bug when the detached
2311 * signature has been created in textmode. */
2312 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2314 goto detached_hash_err;
2317 /* Here we used to have another hack to work around a pgp
2318 * 2 bug: It worked by not using the textmode for detached
2319 * signatures; this would let the first signature check
2320 * (on md) fail but the second one (on md2), which adds an
2321 * extra CR would then have produced the "correct" hash.
2322 * This is very, very ugly hack but it may haved help in
2323 * some cases (and break others).
2324 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2329 gcry_md_debug (c->mfx.md, "verify");
2331 gcry_md_debug (c->mfx.md2, "verify2");
2336 if (c->signed_data.used && c->signed_data.data_fd != -1)
2337 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2338 c->signed_data.data_fd,
2339 (sig->sig_class == 0x01));
2341 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2342 c->signed_data.data_names,
2344 (sig->sig_class == 0x01));
2348 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2349 iobuf_get_real_fname(c->iobuf),
2350 (sig->sig_class == 0x01));
2356 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2360 else if (c->signed_data.used)
2362 log_error (_("not a detached signature\n"));
2365 else if (!opt.quiet)
2366 log_info (_("old style (PGP 2.x) signature\n"));
2370 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2371 check_sig_and_print (c, n1);
2374 check_sig_and_print (c, node);
2379 dump_kbnode (c->list);
2380 log_error ("invalid root packet detected in proc_tree()\n");