1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
39 #include "keyserver-internal.h"
41 #include "mbox-util.h"
42 #include "call-dirmngr.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
130 proc_tree (c, c->list);
131 release_kbnode (c->list);
132 while (c->pkenc_list)
134 struct kidlist_item *tmp = c->pkenc_list->next;
135 xfree (c->pkenc_list);
138 c->pkenc_list = NULL;
141 c->any.uncompress_failed = 0;
142 c->last_was_session_key = 0;
149 add_onepass_sig (CTX c, PACKET *pkt)
153 if (c->list) /* Add another packet. */
154 add_kbnode (c->list, new_kbnode (pkt));
155 else /* Insert the first one. */
156 c->list = node = new_kbnode (pkt);
163 add_gpg_control (CTX c, PACKET *pkt)
165 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
167 /* New clear text signature.
168 * Process the last one and reset everything */
172 if (c->list) /* Add another packet. */
173 add_kbnode (c->list, new_kbnode (pkt));
174 else /* Insert the first one. */
175 c->list = new_kbnode (pkt);
182 add_user_id (CTX c, PACKET *pkt)
186 log_error ("orphaned user ID\n");
189 add_kbnode (c->list, new_kbnode (pkt));
195 add_subkey (CTX c, PACKET *pkt)
199 log_error ("subkey w/o mainkey\n");
202 add_kbnode (c->list, new_kbnode (pkt));
208 add_ring_trust (CTX c, PACKET *pkt)
212 log_error ("ring trust w/o key\n");
215 add_kbnode (c->list, new_kbnode (pkt));
221 add_signature (CTX c, PACKET *pkt)
226 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
228 /* This is the first signature for the following datafile.
229 * GPG does not write such packets; instead it always uses
230 * onepass-sig packets. The drawback of PGP's method
231 * of prepending the signature to the data is
232 * that it is not possible to make a signature from data read
233 * from stdin. (GPG is able to read PGP stuff anyway.) */
234 node = new_kbnode (pkt);
239 return 0; /* oops (invalid packet sequence)*/
240 else if (!c->list->pkt)
241 BUG(); /* so nicht */
243 /* Add a new signature node item at the end. */
244 node = new_kbnode (pkt);
245 add_kbnode (c->list, node);
251 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
255 if(slen < 17 || slen > 33)
257 log_error ( _("weird size for an encrypted session key (%d)\n"),
259 return GPG_ERR_BAD_KEY;
262 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
264 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
266 gcry_cipher_setiv ( hd, NULL, 0 );
267 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
268 gcry_cipher_close ( hd );
270 /* Now we replace the dek components with the real session key to
271 decrypt the contents of the sequencing packet. */
276 if(dek->keylen > DIM(dek->key))
279 memcpy(dek->key, seskey + 1, dek->keylen);
281 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
288 proc_symkey_enc (CTX c, PACKET *pkt)
292 enc = pkt->pkt.symkey_enc;
294 log_error ("invalid symkey encrypted packet\n");
297 int algo = enc->cipher_algo;
298 const char *s = openpgp_cipher_algo_name (algo);
300 if (!openpgp_cipher_test_algo (algo))
305 log_info (_("%s encrypted session key\n"), s );
307 log_info (_("%s encrypted data\n"), s );
311 log_error (_("encrypted with unknown algorithm %d\n"), algo);
313 if (openpgp_md_test_algo (enc->s2k.hash_algo))
315 log_error(_("passphrase generated with unknown digest"
316 " algorithm %d\n"),enc->s2k.hash_algo);
320 c->last_was_session_key = 2;
321 if (!s || opt.list_only)
324 if (opt.override_session_key)
326 c->dek = xmalloc_clear (sizeof *c->dek);
327 if (get_override_session_key (c->dek, opt.override_session_key))
335 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
338 c->dek->symmetric = 1;
340 /* FIXME: This doesn't work perfectly if a symmetric key
341 comes before a public key in the message - if the
342 user doesn't know the passphrase, then there is a
343 chance that the "decrypted" algorithm will happen to
344 be a valid one, which will make the returned dek
345 appear valid, so we won't try any public keys that
349 if (symkey_decrypt_seskey (c->dek,
350 enc->seskey, enc->seskeylen))
357 c->dek->algo_info_printed = 1;
369 proc_pubkey_enc (CTX c, PACKET *pkt)
374 /* Check whether the secret key is available and store in this case. */
375 c->last_was_session_key = 1;
376 enc = pkt->pkt.pubkey_enc;
377 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
378 /* Hmmm: why do I have this algo check here - anyway there is
379 * function to check it. */
381 log_info (_("public key is %s\n"), keystr (enc->keyid));
383 if (is_status_enabled())
386 /* FIXME: For ECC support we need to map the OpenPGP algo number
387 to the Libgcrypt defined one. This is due a chicken-egg
388 problem: We need to have code in Libgcrypt for a new
389 algorithm so to implement a proposed new algorithm before the
390 IANA will finally assign an OpenPGP indentifier. */
391 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
392 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
393 write_status_text (STATUS_ENC_TO, buf);
396 if (!opt.list_only && opt.override_session_key)
398 /* It does not make much sense to store the session key in
399 * secure memory because it has already been passed on the
400 * command line and the GCHQ knows about it. */
401 c->dek = xmalloc_clear (sizeof *c->dek);
402 result = get_override_session_key (c->dek, opt.override_session_key);
409 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
411 || enc->pubkey_algo == PUBKEY_ALGO_RSA
412 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
413 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
415 /* Note that we also allow type 20 Elgamal keys for decryption.
416 There are still a couple of those keys in active use as a
419 /* FIXME: Store this all in a list and process it later so that
420 we can prioritize what key to use. This gives a better user
421 experience if wildcard keyids are used. */
422 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
423 || opt.try_all_secrets
424 || have_secret_key_with_kid (enc->keyid)))
430 c->dek = xmalloc_secure_clear (sizeof *c->dek);
431 if ((result = get_session_key (enc, c->dek)))
433 /* Error: Delete the DEK. */
440 result = GPG_ERR_NO_SECKEY;
443 result = GPG_ERR_PUBKEY_ALGO;
449 /* Store it for later display. */
450 struct kidlist_item *x = xmalloc (sizeof *x);
451 x->kid[0] = enc->keyid[0];
452 x->kid[1] = enc->keyid[1];
453 x->pubkey_algo = enc->pubkey_algo;
455 x->next = c->pkenc_list;
458 if (!result && opt.verbose > 1)
459 log_info (_("public key encrypted data: good DEK\n"));
467 * Print the list of public key encrypted packets which we could
471 print_pkenc_list (struct kidlist_item *list, int failed)
473 for (; list; list = list->next)
478 if (failed && !list->reason)
480 if (!failed && list->reason)
483 algstr = openpgp_pk_algo_name (list->pubkey_algo);
484 pk = xmalloc_clear (sizeof *pk);
488 pk->pubkey_algo = list->pubkey_algo;
489 if (!get_pubkey (pk, list->kid))
492 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
493 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
494 strtimestamp (pk->timestamp));
495 p = get_user_id_native (list->kid);
496 log_printf (_(" \"%s\"\n"), p);
500 log_info (_("encrypted with %s key, ID %s\n"),
501 algstr, keystr(list->kid));
503 free_public_key (pk);
505 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
507 if (is_status_enabled())
510 snprintf (buf, sizeof buf, "%08lX%08lX",
511 (ulong)list->kid[0], (ulong)list->kid[1]);
512 write_status_text (STATUS_NO_SECKEY, buf);
515 else if (list->reason)
517 log_info (_("public key decryption failed: %s\n"),
518 gpg_strerror (list->reason));
519 write_status_error ("pkdecrypt_failed", list->reason);
526 proc_encrypted (CTX c, PACKET *pkt)
533 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
534 else if (c->symkeys == 1)
535 log_info (_("encrypted with 1 passphrase\n"));
536 print_pkenc_list ( c->pkenc_list, 1 );
537 print_pkenc_list ( c->pkenc_list, 0 );
540 /* FIXME: Figure out the session key by looking at all pkenc packets. */
542 write_status (STATUS_BEGIN_DECRYPTION);
544 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
547 else if (!c->dek && !c->last_was_session_key)
551 STRING2KEY *s2k = NULL;
554 if (opt.override_session_key)
556 c->dek = xmalloc_clear (sizeof *c->dek);
557 result = get_override_session_key (c->dek, opt.override_session_key);
566 /* Assume this is old style conventional encrypted data. */
567 algo = opt.def_cipher_algo;
569 log_info (_("assuming %s encrypted data\n"),
570 openpgp_cipher_algo_name (algo));
571 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
573 algo = opt.def_cipher_algo;
575 algo = opt.s2k_cipher_algo;
576 log_info (_("IDEA cipher unavailable, "
577 "optimistically attempting to use %s instead\n"),
578 openpgp_cipher_algo_name (algo));
582 algo = CIPHER_ALGO_IDEA;
583 if (!opt.s2k_digest_algo)
585 /* If no digest is given we assume SHA-1. */
587 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
590 log_info (_("assuming %s encrypted data\n"), "IDEA");
593 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
595 c->dek->algo_info_printed = 1;
597 result = gpg_error (GPG_ERR_CANCELED);
599 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
603 result = GPG_ERR_NO_SECKEY;
606 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
611 && !opt.ignore_mdc_error
612 && !pkt->pkt.encrypted->mdc_method
613 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
614 && c->dek->algo != CIPHER_ALGO_TWOFISH)
616 /* The message has been decrypted but has no MDC despite that a
617 modern cipher (blocklength != 64 bit, except for Twofish) is
618 used and the option to ignore MDC errors is not used: To
619 avoid attacks changing an MDC message to a non-MDC message,
621 log_error (_("WARNING: message was not integrity protected\n"));
623 log_info ("decryption forced to fail\n");
624 write_status (STATUS_DECRYPTION_FAILED);
626 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
627 && opt.ignore_mdc_error))
629 write_status (STATUS_DECRYPTION_OKAY);
631 log_info(_("decryption okay\n"));
632 if (pkt->pkt.encrypted->mdc_method && !result)
633 write_status (STATUS_GOODMDC);
634 else if (!opt.no_mdc_warn)
635 log_info (_("WARNING: message was not integrity protected\n"));
637 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
639 glo_ctrl.lasterr = result;
640 log_error (_("WARNING: encrypted message has been manipulated!\n"));
641 write_status (STATUS_BADMDC);
642 write_status (STATUS_DECRYPTION_FAILED);
646 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
647 && *c->dek->s2k_cacheid != '\0')
649 log_debug (_("cleared passphrase cached with ID: %s\n"),
650 c->dek->s2k_cacheid);
651 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
653 glo_ctrl.lasterr = result;
654 write_status (STATUS_DECRYPTION_FAILED);
655 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
656 /* Hmmm: does this work when we have encrypted using multiple
657 * ways to specify the session key (symmmetric and PK). */
663 c->last_was_session_key = 0;
664 write_status (STATUS_END_DECRYPTION);
669 proc_plaintext( CTX c, PACKET *pkt )
671 PKT_plaintext *pt = pkt->pkt.plaintext;
672 int any, clearsig, rc;
677 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
678 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
679 else if (opt.verbose)
680 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
682 free_md_filter_context (&c->mfx);
683 if (gcry_md_open (&c->mfx.md, 0, 0))
685 /* fixme: we may need to push the textfilter if we have sigclass 1
686 * and no armoring - Not yet tested
687 * Hmmm, why don't we need it at all if we have sigclass 1
688 * Should we assume that plaintext in mode 't' has always sigclass 1??
689 * See: Russ Allbery's mail 1999-02-09
692 for (n=c->list; n; n = n->next )
694 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
696 /* The onepass signature case. */
697 if (n->pkt->pkt.onepass_sig->digest_algo)
699 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
703 else if (n->pkt->pkttype == PKT_GPG_CONTROL
704 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
706 /* The clearsigned message case. */
707 size_t datalen = n->pkt->pkt.gpg_control->datalen;
708 const byte *data = n->pkt->pkt.gpg_control->data;
710 /* Check that we have at least the sigclass and one hash. */
712 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
713 /* Note that we don't set the clearsig flag for not-dash-escaped
715 clearsig = (*data == 0x01);
716 for (data++, datalen--; datalen; datalen--, data++)
717 gcry_md_enable (c->mfx.md, *data);
719 break; /* Stop here as one-pass signature packets are not
722 else if (n->pkt->pkttype == PKT_SIGNATURE)
724 /* The SIG+LITERAL case that PGP used to use. */
725 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
730 if (!any && !opt.skip_verify)
732 /* This is for the old GPG LITERAL+SIG case. It's not legal
733 according to 2440, so hopefully it won't come up that often.
734 There is no good way to specify what algorithms to use in
735 that case, so these there are the historical answer. */
736 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
737 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
741 gcry_md_debug (c->mfx.md, "verify");
743 gcry_md_debug (c->mfx.md2, "verify2");
748 if (literals_seen > 1)
750 log_info (_("WARNING: multiple plaintexts seen\n"));
752 if (!opt.flags.allow_multiple_messages)
754 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
755 log_inc_errorcount ();
756 rc = gpg_error (GPG_ERR_UNEXPECTED);
762 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
763 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
765 /* Can't write output but we hash it anyway to check the
767 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
772 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
775 c->last_was_session_key = 0;
777 /* We add a marker control packet instead of the plaintext packet.
778 * This is so that we can later detect invalid packet sequences. */
779 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
781 add_kbnode (c->list, n);
788 proc_compressed_cb (iobuf_t a, void *info)
790 if ( ((CTX)info)->signed_data.used
791 && ((CTX)info)->signed_data.data_fd != -1)
792 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
793 ((CTX)info)->signed_data.data_fd);
795 return proc_signature_packets (((CTX)info)->ctrl, info, a,
796 ((CTX)info)->signed_data.data_names,
797 ((CTX)info)->sigfilename );
802 proc_encrypt_cb (iobuf_t a, void *info )
805 return proc_encryption_packets (c->ctrl, info, a );
810 proc_compressed (CTX c, PACKET *pkt)
812 PKT_compressed *zd = pkt->pkt.compressed;
815 /*printf("zip: compressed data packet\n");*/
817 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
818 else if( c->encrypt_only )
819 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
821 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
823 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
825 if (!c->any.uncompress_failed)
829 for (cc=c; cc; cc = cc->anchor)
830 cc->any.uncompress_failed = 1;
831 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
835 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
838 c->last_was_session_key = 0;
844 * check the signature
845 * Returns: 0 = valid signature or an error code
848 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
849 int *is_expkey, int *is_revkey)
852 gcry_md_hd_t md = NULL;
853 gcry_md_hd_t md2 = NULL;
856 assert (node->pkt->pkttype == PKT_SIGNATURE);
859 sig = node->pkt->pkt.signature;
861 algo = sig->digest_algo;
862 rc = openpgp_md_test_algo (algo);
866 if (sig->sig_class == 0x00)
870 if (gcry_md_copy (&md, c->mfx.md ))
873 else /* detached signature */
875 /* signature_check() will enable the md. */
876 if (gcry_md_open (&md, 0, 0 ))
880 else if (sig->sig_class == 0x01)
882 /* How do we know that we have to hash the (already hashed) text
883 in canonical mode ??? (calculating both modes???) */
886 if (gcry_md_copy (&md, c->mfx.md ))
888 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
891 else /* detached signature */
893 log_debug ("Do we really need this here?");
894 /* signature_check() will enable the md*/
895 if (gcry_md_open (&md, 0, 0 ))
897 if (gcry_md_open (&md2, 0, 0 ))
901 else if ((sig->sig_class&~3) == 0x10
902 || sig->sig_class == 0x18
903 || sig->sig_class == 0x1f
904 || sig->sig_class == 0x20
905 || sig->sig_class == 0x28
906 || sig->sig_class == 0x30)
908 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
909 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
911 return check_key_signature( c->list, node, is_selfsig );
913 else if (sig->sig_class == 0x20)
915 log_error (_("standalone revocation - "
916 "use \"gpg --import\" to apply\n"));
917 return GPG_ERR_NOT_PROCESSED;
921 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
922 return GPG_ERR_SIG_CLASS;
926 return GPG_ERR_SIG_CLASS;
928 rc = signature_check2 (sig, md, NULL, is_expkey, is_revkey, NULL);
929 if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
930 rc = signature_check2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
940 print_userid (PACKET *pkt)
945 if (pkt->pkttype != PKT_USER_ID)
947 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
952 if (pkt->pkt.user_id->attrib_data)
954 pkt->pkt.user_id->numattribs,
955 pkt->pkt.user_id->attrib_len);
957 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
958 pkt->pkt.user_id->len, ":", NULL);
961 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
962 pkt->pkt.user_id->len );
967 * List the keyblock in a user friendly way
970 list_node (CTX c, kbnode_t node)
973 char pkstrbuf[PUBKEY_STRING_SIZE];
977 else if ((mainkey = (node->pkt->pkttype == PKT_PUBLIC_KEY))
978 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY )
980 PKT_public_key *pk = node->pkt->pkt.public_key;
986 keyid_from_pk( pk, keyid );
988 c->trustletter = (opt.fast_list_mode?
989 0 : get_validity_info( pk, NULL));
990 es_printf ("%s:", mainkey? "pub":"sub" );
992 es_putc (c->trustletter, es_stdout);
993 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
996 (ulong)keyid[0],(ulong)keyid[1],
997 colon_datestr_from_pk( pk ),
998 colon_strtime (pk->expiredate) );
999 if (mainkey && !opt.fast_list_mode)
1000 es_putc (get_ownertrust_info (pk), es_stdout);
1001 es_putc (':', es_stdout);
1004 es_printf ("%s %s/%s %s",
1005 mainkey? "pub":"sub",
1006 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
1007 keystr_from_pk (pk),
1008 datestr_from_pk (pk));
1010 if (pk->flags.revoked)
1013 es_printf (_("revoked: %s"), revokestr_from_pk (pk));
1016 else if( pk->expiredate && !opt.with_colons)
1019 es_printf (_("expires: %s"), expirestr_from_pk (pk));
1023 es_putc ('\n', es_stdout);
1025 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
1026 print_fingerprint (NULL, pk, 0);
1028 if (opt.with_colons)
1030 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1031 es_printf ("rtv:1:%u:\n",
1032 node->next->pkt->pkt.ring_trust->trustval);
1037 /* Now list all userids with their signatures. */
1038 for (node = node->next; node; node = node->next)
1040 if (node->pkt->pkttype == PKT_SIGNATURE)
1042 list_node (c, node );
1044 else if (node->pkt->pkttype == PKT_USER_ID)
1046 if (opt.with_colons)
1047 es_printf ("%s:::::::::",
1048 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1050 es_printf ("uid%*s",
1051 (int)keystrlen ()+(opt.legacy_list_mode? 9:11),
1053 print_userid (node->pkt);
1054 if (opt.with_colons)
1055 es_putc (':', es_stdout);
1056 es_putc ('\n', es_stdout);
1059 && node->next->pkt->pkttype == PKT_RING_TRUST)
1061 es_printf ("rtv:2:%u:\n",
1062 node->next->pkt->pkt.ring_trust?
1063 node->next->pkt->pkt.ring_trust->trustval : 0);
1066 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1068 list_node(c, node );
1073 else if ((mainkey = (node->pkt->pkttype == PKT_SECRET_KEY) )
1074 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1077 log_debug ("FIXME: No way to print secret key packets here\n");
1078 /* fixme: We may use a fucntion to turn a secret key packet into
1079 a public key one and use that here. */
1081 else if (node->pkt->pkttype == PKT_SIGNATURE)
1083 PKT_signature *sig = node->pkt->pkt.signature;
1093 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1094 es_fputs ("rev", es_stdout);
1096 es_fputs ("sig", es_stdout);
1100 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1101 switch (gpg_err_code (rc2))
1103 case 0: sigrc = '!'; break;
1104 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1105 case GPG_ERR_NO_PUBKEY:
1106 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1107 default: sigrc = '%'; break;
1110 else /* Check whether this is a self signature. */
1114 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1115 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1117 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1119 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1124 if (opt.with_colons)
1126 es_putc (':', es_stdout);
1128 es_putc (sigrc, es_stdout);
1129 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1130 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1131 colon_datestr_from_sig (sig),
1132 colon_expirestr_from_sig (sig));
1134 if (sig->trust_depth || sig->trust_value)
1135 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1136 es_putc (':', es_stdout);
1138 if (sig->trust_regexp)
1139 es_write_sanitized (es_stdout, sig->trust_regexp,
1140 strlen (sig->trust_regexp), ":", NULL);
1141 es_putc (':', es_stdout);
1144 es_printf ("%c %s %s ",
1145 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1147 es_printf ("[%s] ", gpg_strerror (rc2) );
1148 else if (sigrc == '?')
1150 else if (is_selfsig)
1152 if (opt.with_colons)
1153 es_putc (':', es_stdout);
1154 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1155 if (opt.with_colons)
1156 es_putc (':', es_stdout);
1158 else if (!opt.fast_list_mode)
1160 p = get_user_id (sig->keyid, &n);
1161 es_write_sanitized (es_stdout, p, n,
1162 opt.with_colons?":":NULL, NULL );
1165 if (opt.with_colons)
1166 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1167 es_putc ('\n', es_stdout);
1170 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1175 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1178 CTX c = xmalloc_clear (sizeof *c);
1182 rc = do_proc_packets (c, a);
1190 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1191 strlist_t signedfiles, const char *sigfilename )
1193 CTX c = xmalloc_clear (sizeof *c);
1200 c->signed_data.data_fd = -1;
1201 c->signed_data.data_names = signedfiles;
1202 c->signed_data.used = !!signedfiles;
1204 c->sigfilename = sigfilename;
1205 rc = do_proc_packets ( c, a );
1207 /* If we have not encountered any signature we print an error
1208 messages, send a NODATA status back and return an error code.
1209 Using log_error is required because verify_files does not check
1210 error codes for each file but we want to terminate the process
1212 if (!rc && !c->any.sig_seen)
1214 write_status_text (STATUS_NODATA, "4");
1215 log_error (_("no signature found\n"));
1216 rc = GPG_ERR_NO_DATA;
1219 /* Propagate the signature seen flag upward. Do this only on success
1220 so that we won't issue the nodata status several times. */
1221 if (!rc && c->anchor && c->any.sig_seen)
1222 c->anchor->any.sig_seen = 1;
1230 proc_signature_packets_by_fd (ctrl_t ctrl,
1231 void *anchor, iobuf_t a, int signed_data_fd )
1236 c = xtrycalloc (1, sizeof *c);
1238 return gpg_error_from_syserror ();
1244 c->signed_data.data_fd = signed_data_fd;
1245 c->signed_data.data_names = NULL;
1246 c->signed_data.used = (signed_data_fd != -1);
1248 rc = do_proc_packets ( c, a );
1250 /* If we have not encountered any signature we print an error
1251 messages, send a NODATA status back and return an error code.
1252 Using log_error is required because verify_files does not check
1253 error codes for each file but we want to terminate the process
1255 if (!rc && !c->any.sig_seen)
1257 write_status_text (STATUS_NODATA, "4");
1258 log_error (_("no signature found\n"));
1259 rc = gpg_error (GPG_ERR_NO_DATA);
1262 /* Propagate the signature seen flag upward. Do this only on success
1263 so that we won't issue the nodata status several times. */
1264 if (!rc && c->anchor && c->any.sig_seen)
1265 c->anchor->any.sig_seen = 1;
1273 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1275 CTX c = xmalloc_clear (sizeof *c);
1280 c->encrypt_only = 1;
1281 rc = do_proc_packets (c, a);
1288 check_nesting (CTX c)
1292 for (level=0; c; c = c->anchor)
1295 if (level > MAX_NESTING_DEPTH)
1297 log_error ("input data with too deeply nested packets\n");
1298 write_status_text (STATUS_UNEXPECTED, "1");
1299 return GPG_ERR_BAD_DATA;
1307 do_proc_packets (CTX c, iobuf_t a)
1314 rc = check_nesting (c);
1318 pkt = xmalloc( sizeof *pkt );
1321 while ((rc=parse_packet(a, pkt)) != -1)
1327 /* Stop processing when an invalid packet has been encountered
1328 * but don't do so when we are doing a --list-packets. */
1329 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1330 && opt.list_packets != 2 )
1335 if (opt.list_packets)
1337 switch (pkt->pkttype)
1339 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1340 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1342 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1343 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1344 default: newpkt = 0; break;
1347 else if (c->sigs_only)
1349 switch (pkt->pkttype)
1351 case PKT_PUBLIC_KEY:
1352 case PKT_SECRET_KEY:
1354 case PKT_SYMKEY_ENC:
1355 case PKT_PUBKEY_ENC:
1357 case PKT_ENCRYPTED_MDC:
1358 write_status_text( STATUS_UNEXPECTED, "0" );
1359 rc = GPG_ERR_UNEXPECTED;
1362 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1363 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1364 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1365 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1366 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1367 default: newpkt = 0; break;
1370 else if (c->encrypt_only)
1372 switch (pkt->pkttype)
1374 case PKT_PUBLIC_KEY:
1375 case PKT_SECRET_KEY:
1377 write_status_text (STATUS_UNEXPECTED, "0");
1378 rc = GPG_ERR_UNEXPECTED;
1381 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1382 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1383 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1385 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1386 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1387 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1388 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1389 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1390 default: newpkt = 0; break;
1395 switch (pkt->pkttype)
1397 case PKT_PUBLIC_KEY:
1398 case PKT_SECRET_KEY:
1400 c->list = new_kbnode (pkt);
1403 case PKT_PUBLIC_SUBKEY:
1404 case PKT_SECRET_SUBKEY:
1405 newpkt = add_subkey (c, pkt);
1407 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1408 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1409 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1410 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1412 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1413 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1414 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1415 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1416 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1417 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1418 default: newpkt = 0; break;
1425 /* This is a very ugly construct and frankly, I don't remember why
1426 * I used it. Adding the MDC check here is a hack.
1427 * The right solution is to initiate another context for encrypted
1428 * packet and not to reuse the current one ... It works right
1429 * when there is a compression packet inbetween which adds just
1431 * Hmmm: Rewrite this whole module here??
1433 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1434 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1440 pkt = xmalloc (sizeof *pkt);
1447 if (rc == GPG_ERR_INV_PACKET)
1448 write_status_text (STATUS_NODATA, "3");
1453 write_status_text (STATUS_NODATA, "2");
1461 free_md_filter_context (&c->mfx);
1466 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1467 of the notation data. */
1469 get_pka_address (PKT_signature *sig)
1471 pka_info_t *pka = NULL;
1472 struct notation *nd,*notation;
1474 notation=sig_to_notation(sig);
1476 for(nd=notation;nd;nd=nd->next)
1478 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1479 continue; /* Not the notation we want. */
1481 /* For now we only use the first valid PKA notation. In future
1482 we might want to keep additional PKA notations in a linked
1484 if (is_valid_mailbox (nd->value))
1486 pka = xmalloc (sizeof *pka + strlen(nd->value));
1490 strcpy (pka->email, nd->value);
1495 free_notation(notation);
1501 /* Return the URI from a DNS PKA record. If this record has already
1502 be retrieved for the signature we merely return it; if not we go
1503 out and try to get that DNS record. */
1505 pka_uri_from_sig (CTX c, PKT_signature *sig)
1507 if (!sig->flags.pka_tried)
1509 assert (!sig->pka_info);
1510 sig->flags.pka_tried = 1;
1511 sig->pka_info = get_pka_address (sig);
1518 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1519 &fpr, &fprlen, &url))
1521 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1523 memcpy (sig->pka_info->fpr, fpr, fprlen);
1526 sig->pka_info->valid = 1;
1530 sig->pka_info->uri = url;
1539 return sig->pka_info? sig->pka_info->uri : NULL;
1544 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1545 PKT_signature *sig, int rc)
1549 write_status_text_and_buffer (statno, keyid_str,
1550 un? un->pkt->pkt.user_id->name:"[?]",
1551 un? un->pkt->pkt.user_id->len:3,
1555 p = utf8_to_native (un->pkt->pkt.user_id->name,
1556 un->pkt->pkt.user_id->len, 0);
1558 p = xstrdup ("[?]");
1561 log_info (_("BAD signature from \"%s\""), p);
1562 else if (sig->flags.expired)
1563 log_info (_("Expired signature from \"%s\""), p);
1565 log_info (_("Good signature from \"%s\""), p);
1572 check_sig_and_print (CTX c, kbnode_t node)
1574 PKT_signature *sig = node->pkt->pkt.signature;
1579 char pkstrbuf[PUBKEY_STRING_SIZE];
1583 if (opt.skip_verify)
1585 log_info(_("signature verification suppressed\n"));
1589 /* Check that the message composition is valid.
1591 Per RFC-2440bis (-15) allowed:
1593 S{1,n} -- detached signature.
1594 S{1,n} P -- old style PGP2 signature
1595 O{1,n} P S{1,n} -- standard OpenPGP signature.
1596 C P S{1,n} -- cleartext signature.
1599 O = One-Pass Signature packet.
1600 S = Signature packet.
1601 P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1602 (Note that the current rfc2440bis draft also allows
1603 for a signed message but that does not work as it
1604 introduces ambiguities.)
1605 We keep track of these packages using the marker packet
1606 CTRLPKT_PLAINTEXT_MARK.
1607 C = Marker packet for cleartext signatures.
1609 We reject all other messages.
1611 Actually we are calling this too often, i.e. for verification of
1612 each message but better have some duplicate work than to silently
1613 introduce a bug here.
1617 int n_onepass, n_sig;
1619 /* log_debug ("checking signature packet composition\n"); */
1620 /* dump_kbnode (c->list); */
1624 if ( n->pkt->pkttype == PKT_SIGNATURE )
1626 /* This is either "S{1,n}" case (detached signature) or
1627 "S{1,n} P" (old style PGP2 signature). */
1628 for (n = n->next; n; n = n->next)
1629 if (n->pkt->pkttype != PKT_SIGNATURE)
1632 ; /* Okay, this is a detached signature. */
1633 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1634 && (n->pkt->pkt.gpg_control->control
1635 == CTRLPKT_PLAINTEXT_MARK) )
1638 goto ambiguous; /* We only allow one P packet. */
1643 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1645 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1646 for (n_onepass=1, n = n->next;
1647 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1649 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1650 && (n->pkt->pkt.gpg_control->control
1651 == CTRLPKT_PLAINTEXT_MARK)))
1653 for (n_sig=0, n = n->next;
1654 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1659 /* If we wanted to disallow multiple sig verification, we'd do
1660 something like this:
1662 if (n && !opt.allow_multisig_verification)
1665 However, now that we have --allow-multiple-messages, this
1666 can stay allowable as we can't get here unless multiple
1667 messages (i.e. multiple literals) are allowed. */
1669 if (n_onepass != n_sig)
1671 log_info ("number of one-pass packets does not match "
1672 "number of signature packets\n");
1676 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1677 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1679 /* This is the "C P S{1,n}" case (clear text signature). */
1681 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1682 && (n->pkt->pkt.gpg_control->control
1683 == CTRLPKT_PLAINTEXT_MARK)))
1685 for (n_sig=0, n = n->next;
1686 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1694 log_error(_("can't handle this ambiguous signature data\n"));
1699 write_status_text (STATUS_NEWSIG, NULL);
1701 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1702 if (keystrlen () > 8)
1704 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1705 log_info (_(" using %s key %s\n"),
1706 astr? astr: "?",keystr(sig->keyid));
1709 log_info (_("Signature made %s using %s key ID %s\n"),
1710 asctimestamp(sig->timestamp), astr? astr: "?",
1711 keystr(sig->keyid));
1713 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1715 /* If the key isn't found, check for a preferred keyserver */
1717 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1723 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1725 /* According to my favorite copy editor, in English grammar,
1726 you say "at" if the key is located on a web page, but
1727 "from" if it is located on a keyserver. I'm not going to
1728 even try to make two strings here :) */
1729 log_info(_("Key available at: ") );
1730 print_utf8_buffer (log_get_stream(), p, n);
1733 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1734 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1736 struct keyserver_spec *spec;
1738 spec = parse_preferred_keyserver (sig);
1743 glo_ctrl.in_auto_key_retrieve++;
1744 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1745 glo_ctrl.in_auto_key_retrieve--;
1747 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1748 free_keyserver_spec (spec);
1757 /* If the preferred keyserver thing above didn't work, our second
1758 try is to use the URI from a DNS PKA record. */
1759 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1760 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1761 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1763 const char *uri = pka_uri_from_sig (c, sig);
1767 /* FIXME: We might want to locate the key using the
1768 fingerprint instead of the keyid. */
1770 struct keyserver_spec *spec;
1772 spec = parse_keyserver_uri (uri, 1);
1775 glo_ctrl.in_auto_key_retrieve++;
1776 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1777 glo_ctrl.in_auto_key_retrieve--;
1778 free_keyserver_spec (spec);
1780 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1785 /* If the preferred keyserver thing above didn't work and we got
1786 no information from the DNS PKA, this is a third try. */
1788 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1790 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE))
1794 glo_ctrl.in_auto_key_retrieve++;
1795 res=keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1796 glo_ctrl.in_auto_key_retrieve--;
1798 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1801 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1803 kbnode_t un, keyblock;
1807 PKT_public_key *pk = NULL;
1810 statno = STATUS_BADSIG;
1811 else if (sig->flags.expired)
1812 statno = STATUS_EXPSIG;
1814 statno = STATUS_EXPKEYSIG;
1816 statno = STATUS_REVKEYSIG;
1818 statno = STATUS_GOODSIG;
1820 keyblock = get_pubkeyblock (sig->keyid);
1822 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1823 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1825 /* Find and print the primary user ID. */
1826 for (un=keyblock; un; un = un->next)
1830 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1832 pk=un->pkt->pkt.public_key;
1835 if (un->pkt->pkttype != PKT_USER_ID)
1837 if (!un->pkt->pkt.user_id->created)
1839 if (un->pkt->pkt.user_id->is_revoked)
1841 if (un->pkt->pkt.user_id->is_expired)
1843 if (!un->pkt->pkt.user_id->is_primary)
1845 /* We want the textual primary user ID here */
1846 if (un->pkt->pkt.user_id->attrib_data)
1851 /* Get it before we print anything to avoid interrupting the
1852 output with the "please do a --check-trustdb" line. */
1853 valid = get_validity (pk, un->pkt->pkt.user_id);
1855 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1857 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1859 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1860 log_printf (" [%s]\n",trust_value_to_string(valid));
1864 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1868 if (!count) /* Just in case that we have no valid textual userid */
1870 /* Try for an invalid textual userid */
1871 for (un=keyblock; un; un = un->next)
1873 if (un->pkt->pkttype == PKT_USER_ID
1874 && !un->pkt->pkt.user_id->attrib_data)
1878 /* Try for any userid at all */
1881 for (un=keyblock; un; un = un->next)
1883 if (un->pkt->pkttype == PKT_USER_ID)
1888 if (opt.trust_model==TM_ALWAYS || !un)
1889 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1891 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1893 if (opt.trust_model != TM_ALWAYS && un)
1894 log_printf (" %s",_("[uncertain]") );
1898 /* If we have a good signature and already printed
1899 * the primary user ID, print all the other user IDs */
1902 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1905 for( un=keyblock; un; un = un->next)
1907 if (un->pkt->pkttype != PKT_USER_ID)
1909 if ((un->pkt->pkt.user_id->is_revoked
1910 || un->pkt->pkt.user_id->is_expired)
1911 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1913 /* Only skip textual primaries */
1914 if (un->pkt->pkt.user_id->is_primary
1915 && !un->pkt->pkt.user_id->attrib_data )
1918 if (un->pkt->pkt.user_id->attrib_data)
1920 dump_attribs (un->pkt->pkt.user_id, pk);
1922 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1923 show_photos (un->pkt->pkt.user_id->attribs,
1924 un->pkt->pkt.user_id->numattribs,
1925 pk ,un->pkt->pkt.user_id);
1928 p = utf8_to_native (un->pkt->pkt.user_id->name,
1929 un->pkt->pkt.user_id->len, 0);
1930 log_info (_(" aka \"%s\""), p);
1933 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1937 if (un->pkt->pkt.user_id->is_revoked)
1938 valid = _("revoked");
1939 else if (un->pkt->pkt.user_id->is_expired)
1940 valid = _("expired");
1942 valid = (trust_value_to_string
1943 (get_validity (pk, un->pkt->pkt.user_id)));
1944 log_printf (" [%s]\n",valid);
1950 release_kbnode( keyblock );
1954 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
1955 show_policy_url (sig, 0, 1);
1957 show_policy_url (sig, 0, 2);
1959 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
1960 show_keyserver_url (sig, 0, 1);
1962 show_keyserver_url (sig, 0, 2);
1964 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
1967 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
1968 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
1970 show_notation (sig, 0, 2, 0);
1973 if (!rc && is_status_enabled ())
1975 /* Print a status response with the fingerprint. */
1976 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
1978 if (!get_pubkey (vpk, sig->keyid))
1980 byte array[MAX_FINGERPRINT_LEN], *p;
1981 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
1985 fingerprint_from_pk (vpk, array, &n);
1987 for(i=0; i < n ; i++, p++, bufp += 2)
1988 sprintf (bufp, "%02X", *p );
1989 /* TODO: Replace the reserved '0' in the field below
1990 with bits for status flags (policy url, notation,
1991 etc.). Remember to make the buffer larger to match! */
1992 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
1993 strtimestamp( sig->timestamp ),
1994 (ulong)sig->timestamp,(ulong)sig->expiredate,
1995 sig->version,sig->pubkey_algo,sig->digest_algo,
1997 bufp = bufp + strlen (bufp);
1998 if (!vpk->flags.primary)
2002 akid[0] = vpk->main_keyid[0];
2003 akid[1] = vpk->main_keyid[1];
2004 free_public_key (vpk);
2005 vpk = xmalloc_clear (sizeof *vpk);
2006 if (get_pubkey (vpk, akid))
2008 /* Impossible error, we simply return a zeroed out fpr */
2009 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
2010 memset (array, 0, n);
2013 fingerprint_from_pk( vpk, array, &n );
2016 for (i=0; i < n ; i++, p++, bufp += 2)
2017 sprintf(bufp, "%02X", *p );
2018 write_status_text (STATUS_VALIDSIG, buf);
2020 free_public_key (vpk);
2025 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2026 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2027 rc = check_signatures_trust (sig);
2030 if (sig->flags.expired)
2032 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2033 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2035 else if (sig->expiredate)
2036 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2039 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2040 sig->sig_class==0x00?_("binary"):
2041 sig->sig_class==0x01?_("textmode"):_("unknown"),
2042 gcry_md_algo_name (sig->digest_algo),
2043 *pkstrbuf?_(", key algorithm "):"",
2046 if (!rc && !c->signed_data.used)
2048 /* Signature is basically good but we test whether the
2050 gpg --verify FILE.sig
2052 gpg --verify FILE.sig FILE
2053 to verify a detached signature. If we figure out that a
2054 data file with a matching name exists, we print a warning.
2056 The problem is that the first form would also verify a
2057 standard signature. This behavior could be used to
2058 create a made up .sig file for a tarball by creating a
2059 standard signature from a valid detached signature packet
2060 (for example from a signed git tag). Then replace the
2061 sig file on the FTP server along with a changed tarball.
2062 Using the first form the verify command would correctly
2063 verify the signature but don't even consider the tarball. */
2067 dfile = get_matching_datafile (c->sigfilename);
2070 for (n = c->list; n; n = n->next)
2071 if (n->pkt->pkttype != PKT_SIGNATURE)
2075 /* Not only signature packets in the tree thus this
2076 is not a detached signature. */
2077 log_info (_("WARNING: not a detached signature; "
2078 "file '%s' was NOT verified!\n"), dfile);
2085 g10_errors_seen = 1;
2086 if (opt.batch && rc)
2093 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2094 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2095 sig->pubkey_algo, sig->digest_algo,
2096 sig->sig_class, (ulong)sig->timestamp, rc);
2097 write_status_text (STATUS_ERRSIG, buf);
2098 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2101 write_status_text (STATUS_NO_PUBKEY, buf);
2103 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2104 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2112 * Process the tree which starts at node
2115 proc_tree (CTX c, kbnode_t node)
2120 if (opt.list_packets || opt.list_only)
2123 /* We must skip our special plaintext marker packets here because
2124 they may be the root packet. These packets are only used in
2125 addional checks and skipping them here doesn't matter. */
2127 && node->pkt->pkttype == PKT_GPG_CONTROL
2128 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2135 c->trustletter = ' ';
2136 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2137 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2139 merge_keys_and_selfsig (node);
2140 list_node (c, node);
2142 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2144 merge_keys_and_selfsig (node);
2145 list_node (c, node);
2147 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2149 /* Check all signatures. */
2152 int use_textmode = 0;
2154 free_md_filter_context (&c->mfx);
2155 /* Prepare to create all requested message digests. */
2156 rc = gcry_md_open (&c->mfx.md, 0, 0);
2160 /* Fixme: why looking for the signature packet and not the
2162 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2163 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2165 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2168 /* Ask for file and hash it. */
2171 if (c->signed_data.used && c->signed_data.data_fd != -1)
2172 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2173 c->signed_data.data_fd,
2176 rc = hash_datafiles (c->mfx.md, NULL,
2177 c->signed_data.data_names,
2183 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2184 iobuf_get_real_fname (c->iobuf),
2191 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2195 else if (c->signed_data.used)
2197 log_error (_("not a detached signature\n"));
2201 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2202 check_sig_and_print (c, n1);
2205 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2206 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2208 /* Clear text signed message. */
2211 log_error ("cleartext signature without data\n");
2214 else if (c->signed_data.used)
2216 log_error (_("not a detached signature\n"));
2220 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2221 check_sig_and_print (c, n1);
2224 else if (node->pkt->pkttype == PKT_SIGNATURE)
2226 PKT_signature *sig = node->pkt->pkt.signature;
2227 int multiple_ok = 1;
2229 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2232 byte class = sig->sig_class;
2233 byte hash = sig->digest_algo;
2235 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2237 /* We can't currently handle multiple signatures of
2238 different classes or digests (we'd pretty much have
2239 to run a different hash context for each), but if
2240 they are all the same, make an exception. */
2241 if (n1->pkt->pkt.signature->sig_class != class
2242 || n1->pkt->pkt.signature->digest_algo != hash)
2245 log_info (_("WARNING: multiple signatures detected. "
2246 "Only the first will be checked.\n"));
2252 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2254 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2256 else if (!c->any.data)
2258 /* Detached signature */
2259 free_md_filter_context (&c->mfx);
2260 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2262 goto detached_hash_err;
2264 if (RFC2440 || RFC4880)
2265 ; /* Strict RFC mode. */
2266 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2267 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2268 && sig->sig_class == 0x01)
2270 /* Enable a workaround for a pgp5 bug when the detached
2271 * signature has been created in textmode. */
2272 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2274 goto detached_hash_err;
2277 /* Here we used to have another hack to work around a pgp
2278 * 2 bug: It worked by not using the textmode for detached
2279 * signatures; this would let the first signature check
2280 * (on md) fail but the second one (on md2), which adds an
2281 * extra CR would then have produced the "correct" hash.
2282 * This is very, very ugly hack but it may haved help in
2283 * some cases (and break others).
2284 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2289 gcry_md_debug (c->mfx.md, "verify");
2291 gcry_md_debug (c->mfx.md2, "verify2");
2296 if (c->signed_data.used && c->signed_data.data_fd != -1)
2297 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2298 c->signed_data.data_fd,
2299 (sig->sig_class == 0x01));
2301 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2302 c->signed_data.data_names,
2304 (sig->sig_class == 0x01));
2308 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2309 iobuf_get_real_fname(c->iobuf),
2310 (sig->sig_class == 0x01));
2316 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2320 else if (c->signed_data.used)
2322 log_error (_("not a detached signature\n"));
2325 else if (!opt.quiet)
2326 log_info (_("old style (PGP 2.x) signature\n"));
2330 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2331 check_sig_and_print (c, n1);
2334 check_sig_and_print (c, node);
2339 dump_kbnode (c->list);
2340 log_error ("invalid root packet detected in proc_tree()\n");