1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
38 #include "keyserver-internal.h"
40 #include "mbox-util.h"
41 #include "call-dirmngr.h"
43 /* Put an upper limit on nested packets. The 32 is an arbitrary
44 value, a much lower should actually be sufficient. */
45 #define MAX_NESTING_DEPTH 32
48 /* An object to build a list of keyid related info. */
51 struct kidlist_item *next;
59 * Object to hold the processing context.
61 typedef struct mainproc_context *CTX;
62 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_user_id *last_user_id;
68 md_filter_context_t mfx;
69 int sigs_only; /* Process only signatures and reject all other stuff. */
70 int encrypt_only; /* Process only encryption messages. */
72 /* Name of the file with the complete signature or the file with the
73 detached signature. This is currently only used to deduce the
74 file name of the data file if that has not been given. */
75 const char *sigfilename;
77 /* A structure to describe the signed data in case of a detached
81 /* A file descriptor of the the signed data. Only used if not -1. */
83 /* A list of filenames with the data files or NULL. This is only
84 used if DATA_FD is -1. */
86 /* Flag to indicated that either one of the next previous fields
87 is used. This is only needed for better readability. */
92 int last_was_session_key;
93 kbnode_t list; /* The current list of packets. */
94 iobuf_t iobuf; /* Used to get the filename etc. */
95 int trustletter; /* Temporary usage in list_node. */
97 struct kidlist_item *pkenc_list; /* List of encryption packets. */
99 unsigned int sig_seen:1; /* Set to true if a signature packet
101 unsigned int data:1; /* Any data packet seen */
102 unsigned int uncompress_failed:1;
107 /*** Local prototypes. ***/
108 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
109 static void list_node (CTX c, kbnode_t node);
110 static void proc_tree (CTX c, kbnode_t node);
111 static int literals_seen;
118 reset_literals_seen(void)
125 release_list( CTX c )
127 proc_tree (c, c->list);
128 release_kbnode (c->list);
129 while (c->pkenc_list)
131 struct kidlist_item *tmp = c->pkenc_list->next;
132 xfree (c->pkenc_list);
135 c->pkenc_list = NULL;
138 c->any.uncompress_failed = 0;
139 c->last_was_session_key = 0;
146 add_onepass_sig (CTX c, PACKET *pkt)
150 if (c->list) /* Add another packet. */
151 add_kbnode (c->list, new_kbnode (pkt));
152 else /* Insert the first one. */
153 c->list = node = new_kbnode (pkt);
160 add_gpg_control (CTX c, PACKET *pkt)
162 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
164 /* New clear text signature.
165 * Process the last one and reset everything */
169 if (c->list) /* Add another packet. */
170 add_kbnode (c->list, new_kbnode (pkt));
171 else /* Insert the first one. */
172 c->list = new_kbnode (pkt);
179 add_user_id (CTX c, PACKET *pkt)
183 log_error ("orphaned user ID\n");
186 add_kbnode (c->list, new_kbnode (pkt));
192 add_subkey (CTX c, PACKET *pkt)
196 log_error ("subkey w/o mainkey\n");
199 add_kbnode (c->list, new_kbnode (pkt));
205 add_ring_trust (CTX c, PACKET *pkt)
209 log_error ("ring trust w/o key\n");
212 add_kbnode (c->list, new_kbnode (pkt));
218 add_signature (CTX c, PACKET *pkt)
223 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
225 /* This is the first signature for the following datafile.
226 * GPG does not write such packets; instead it always uses
227 * onepass-sig packets. The drawback of PGP's method
228 * of prepending the signature to the data is
229 * that it is not possible to make a signature from data read
230 * from stdin. (GPG is able to read PGP stuff anyway.) */
231 node = new_kbnode (pkt);
236 return 0; /* oops (invalid packet sequence)*/
237 else if (!c->list->pkt)
238 BUG(); /* so nicht */
240 /* Add a new signature node item at the end. */
241 node = new_kbnode (pkt);
242 add_kbnode (c->list, node);
248 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
252 if(slen < 17 || slen > 33)
254 log_error ( _("weird size for an encrypted session key (%d)\n"),
256 return GPG_ERR_BAD_KEY;
259 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
261 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
263 gcry_cipher_setiv ( hd, NULL, 0 );
264 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
265 gcry_cipher_close ( hd );
267 /* Now we replace the dek components with the real session key to
268 decrypt the contents of the sequencing packet. */
273 if(dek->keylen > DIM(dek->key))
276 memcpy(dek->key, seskey + 1, dek->keylen);
278 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
285 proc_symkey_enc (CTX c, PACKET *pkt)
289 enc = pkt->pkt.symkey_enc;
291 log_error ("invalid symkey encrypted packet\n");
294 int algo = enc->cipher_algo;
295 const char *s = openpgp_cipher_algo_name (algo);
297 if (!openpgp_cipher_test_algo (algo))
302 log_info (_("%s encrypted session key\n"), s );
304 log_info (_("%s encrypted data\n"), s );
308 log_error (_("encrypted with unknown algorithm %d\n"), algo);
310 if (openpgp_md_test_algo (enc->s2k.hash_algo))
312 log_error(_("passphrase generated with unknown digest"
313 " algorithm %d\n"),enc->s2k.hash_algo);
317 c->last_was_session_key = 2;
318 if (!s || opt.list_only)
321 if (opt.override_session_key)
323 c->dek = xmalloc_clear (sizeof *c->dek);
324 if (get_override_session_key (c->dek, opt.override_session_key))
332 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
335 c->dek->symmetric = 1;
337 /* FIXME: This doesn't work perfectly if a symmetric key
338 comes before a public key in the message - if the
339 user doesn't know the passphrase, then there is a
340 chance that the "decrypted" algorithm will happen to
341 be a valid one, which will make the returned dek
342 appear valid, so we won't try any public keys that
346 if (symkey_decrypt_seskey (c->dek,
347 enc->seskey, enc->seskeylen))
354 c->dek->algo_info_printed = 1;
366 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
371 /* Check whether the secret key is available and store in this case. */
372 c->last_was_session_key = 1;
373 enc = pkt->pkt.pubkey_enc;
374 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
375 /* Hmmm: why do I have this algo check here - anyway there is
376 * function to check it. */
378 log_info (_("public key is %s\n"), keystr (enc->keyid));
380 if (is_status_enabled())
383 /* FIXME: For ECC support we need to map the OpenPGP algo number
384 to the Libgcrypt defined one. This is due a chicken-egg
385 problem: We need to have code in Libgcrypt for a new
386 algorithm so to implement a proposed new algorithm before the
387 IANA will finally assign an OpenPGP identifier. */
388 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
389 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
390 write_status_text (STATUS_ENC_TO, buf);
393 if (!opt.list_only && opt.override_session_key)
395 /* It does not make much sense to store the session key in
396 * secure memory because it has already been passed on the
397 * command line and the GCHQ knows about it. */
398 c->dek = xmalloc_clear (sizeof *c->dek);
399 result = get_override_session_key (c->dek, opt.override_session_key);
406 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
407 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
408 || enc->pubkey_algo == PUBKEY_ALGO_RSA
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
412 /* Note that we also allow type 20 Elgamal keys for decryption.
413 There are still a couple of those keys in active use as a
416 /* FIXME: Store this all in a list and process it later so that
417 we can prioritize what key to use. This gives a better user
418 experience if wildcard keyids are used. */
419 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
420 || opt.try_all_secrets
421 || have_secret_key_with_kid (enc->keyid)))
427 c->dek = xmalloc_secure_clear (sizeof *c->dek);
428 if ((result = get_session_key (ctrl, enc, c->dek)))
430 /* Error: Delete the DEK. */
437 result = GPG_ERR_NO_SECKEY;
440 result = GPG_ERR_PUBKEY_ALGO;
446 /* Store it for later display. */
447 struct kidlist_item *x = xmalloc (sizeof *x);
448 x->kid[0] = enc->keyid[0];
449 x->kid[1] = enc->keyid[1];
450 x->pubkey_algo = enc->pubkey_algo;
452 x->next = c->pkenc_list;
455 if (!result && opt.verbose > 1)
456 log_info (_("public key encrypted data: good DEK\n"));
464 * Print the list of public key encrypted packets which we could
468 print_pkenc_list (struct kidlist_item *list, int failed)
470 for (; list; list = list->next)
475 if (failed && !list->reason)
477 if (!failed && list->reason)
480 algstr = openpgp_pk_algo_name (list->pubkey_algo);
481 pk = xmalloc_clear (sizeof *pk);
485 pk->pubkey_algo = list->pubkey_algo;
486 if (!get_pubkey (pk, list->kid))
489 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
490 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
491 strtimestamp (pk->timestamp));
492 p = get_user_id_native (list->kid);
493 log_printf (_(" \"%s\"\n"), p);
497 log_info (_("encrypted with %s key, ID %s\n"),
498 algstr, keystr(list->kid));
500 free_public_key (pk);
502 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
504 if (is_status_enabled())
507 snprintf (buf, sizeof buf, "%08lX%08lX",
508 (ulong)list->kid[0], (ulong)list->kid[1]);
509 write_status_text (STATUS_NO_SECKEY, buf);
512 else if (list->reason)
514 log_info (_("public key decryption failed: %s\n"),
515 gpg_strerror (list->reason));
516 write_status_error ("pkdecrypt_failed", list->reason);
523 proc_encrypted (CTX c, PACKET *pkt)
530 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
531 else if (c->symkeys == 1)
532 log_info (_("encrypted with 1 passphrase\n"));
533 print_pkenc_list ( c->pkenc_list, 1 );
534 print_pkenc_list ( c->pkenc_list, 0 );
537 /* FIXME: Figure out the session key by looking at all pkenc packets. */
539 write_status (STATUS_BEGIN_DECRYPTION);
541 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
544 else if (!c->dek && !c->last_was_session_key)
548 STRING2KEY *s2k = NULL;
551 if (opt.override_session_key)
553 c->dek = xmalloc_clear (sizeof *c->dek);
554 result = get_override_session_key (c->dek, opt.override_session_key);
563 /* Assume this is old style conventional encrypted data. */
564 algo = opt.def_cipher_algo;
566 log_info (_("assuming %s encrypted data\n"),
567 openpgp_cipher_algo_name (algo));
568 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
570 algo = opt.def_cipher_algo;
572 algo = opt.s2k_cipher_algo;
573 log_info (_("IDEA cipher unavailable, "
574 "optimistically attempting to use %s instead\n"),
575 openpgp_cipher_algo_name (algo));
579 algo = CIPHER_ALGO_IDEA;
580 if (!opt.s2k_digest_algo)
582 /* If no digest is given we assume SHA-1. */
584 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
587 log_info (_("assuming %s encrypted data\n"), "IDEA");
590 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
592 c->dek->algo_info_printed = 1;
594 result = gpg_error (GPG_ERR_CANCELED);
596 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
600 result = GPG_ERR_NO_SECKEY;
603 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
608 && !opt.ignore_mdc_error
609 && !pkt->pkt.encrypted->mdc_method
610 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
611 && c->dek->algo != CIPHER_ALGO_TWOFISH)
613 /* The message has been decrypted but has no MDC despite that a
614 modern cipher (blocklength != 64 bit, except for Twofish) is
615 used and the option to ignore MDC errors is not used: To
616 avoid attacks changing an MDC message to a non-MDC message,
618 log_error (_("WARNING: message was not integrity protected\n"));
620 log_info ("decryption forced to fail\n");
621 write_status (STATUS_DECRYPTION_FAILED);
623 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
624 && opt.ignore_mdc_error))
626 write_status (STATUS_DECRYPTION_OKAY);
628 log_info(_("decryption okay\n"));
629 if (pkt->pkt.encrypted->mdc_method && !result)
630 write_status (STATUS_GOODMDC);
631 else if (!opt.no_mdc_warn)
632 log_info (_("WARNING: message was not integrity protected\n"));
634 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
636 glo_ctrl.lasterr = result;
637 log_error (_("WARNING: encrypted message has been manipulated!\n"));
638 write_status (STATUS_BADMDC);
639 write_status (STATUS_DECRYPTION_FAILED);
643 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
644 && *c->dek->s2k_cacheid != '\0')
647 log_debug ("cleared passphrase cached with ID: %s\n",
648 c->dek->s2k_cacheid);
649 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
651 glo_ctrl.lasterr = result;
652 write_status (STATUS_DECRYPTION_FAILED);
653 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
654 /* Hmmm: does this work when we have encrypted using multiple
655 * ways to specify the session key (symmmetric and PK). */
661 c->last_was_session_key = 0;
662 write_status (STATUS_END_DECRYPTION);
667 proc_plaintext( CTX c, PACKET *pkt )
669 PKT_plaintext *pt = pkt->pkt.plaintext;
670 int any, clearsig, rc;
675 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
676 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
677 else if (opt.verbose)
678 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
680 free_md_filter_context (&c->mfx);
681 if (gcry_md_open (&c->mfx.md, 0, 0))
683 /* fixme: we may need to push the textfilter if we have sigclass 1
684 * and no armoring - Not yet tested
685 * Hmmm, why don't we need it at all if we have sigclass 1
686 * Should we assume that plaintext in mode 't' has always sigclass 1??
687 * See: Russ Allbery's mail 1999-02-09
690 for (n=c->list; n; n = n->next )
692 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
694 /* The onepass signature case. */
695 if (n->pkt->pkt.onepass_sig->digest_algo)
697 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
701 else if (n->pkt->pkttype == PKT_GPG_CONTROL
702 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
704 /* The clearsigned message case. */
705 size_t datalen = n->pkt->pkt.gpg_control->datalen;
706 const byte *data = n->pkt->pkt.gpg_control->data;
708 /* Check that we have at least the sigclass and one hash. */
710 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
711 /* Note that we don't set the clearsig flag for not-dash-escaped
713 clearsig = (*data == 0x01);
714 for (data++, datalen--; datalen; datalen--, data++)
715 gcry_md_enable (c->mfx.md, *data);
717 break; /* Stop here as one-pass signature packets are not
720 else if (n->pkt->pkttype == PKT_SIGNATURE)
722 /* The SIG+LITERAL case that PGP used to use. */
723 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
728 if (!any && !opt.skip_verify)
730 /* This is for the old GPG LITERAL+SIG case. It's not legal
731 according to 2440, so hopefully it won't come up that often.
732 There is no good way to specify what algorithms to use in
733 that case, so these there are the historical answer. */
734 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
735 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
739 gcry_md_debug (c->mfx.md, "verify");
741 gcry_md_debug (c->mfx.md2, "verify2");
746 if (literals_seen > 1)
748 log_info (_("WARNING: multiple plaintexts seen\n"));
750 if (!opt.flags.allow_multiple_messages)
752 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
753 log_inc_errorcount ();
754 rc = gpg_error (GPG_ERR_UNEXPECTED);
760 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
761 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
763 /* Can't write output but we hash it anyway to check the
765 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
770 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
773 c->last_was_session_key = 0;
775 /* We add a marker control packet instead of the plaintext packet.
776 * This is so that we can later detect invalid packet sequences. */
777 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
779 add_kbnode (c->list, n);
786 proc_compressed_cb (iobuf_t a, void *info)
788 if ( ((CTX)info)->signed_data.used
789 && ((CTX)info)->signed_data.data_fd != -1)
790 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
791 ((CTX)info)->signed_data.data_fd);
793 return proc_signature_packets (((CTX)info)->ctrl, info, a,
794 ((CTX)info)->signed_data.data_names,
795 ((CTX)info)->sigfilename );
800 proc_encrypt_cb (iobuf_t a, void *info )
803 return proc_encryption_packets (c->ctrl, info, a );
808 proc_compressed (CTX c, PACKET *pkt)
810 PKT_compressed *zd = pkt->pkt.compressed;
813 /*printf("zip: compressed data packet\n");*/
815 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
816 else if( c->encrypt_only )
817 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
819 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
821 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
823 if (!c->any.uncompress_failed)
827 for (cc=c; cc; cc = cc->anchor)
828 cc->any.uncompress_failed = 1;
829 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
833 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
836 c->last_was_session_key = 0;
842 * check the signature
843 * Returns: 0 = valid signature or an error code
846 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
847 int *is_expkey, int *is_revkey)
850 gcry_md_hd_t md = NULL;
851 gcry_md_hd_t md2 = NULL;
852 gcry_md_hd_t md_good = NULL;
855 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
858 sig = node->pkt->pkt.signature;
860 algo = sig->digest_algo;
861 rc = openpgp_md_test_algo (algo);
865 if (sig->sig_class == 0x00)
869 if (gcry_md_copy (&md, c->mfx.md ))
872 else /* detached signature */
874 /* check_signature() will enable the md. */
875 if (gcry_md_open (&md, 0, 0 ))
879 else if (sig->sig_class == 0x01)
881 /* How do we know that we have to hash the (already hashed) text
882 in canonical mode ??? (calculating both modes???) */
885 if (gcry_md_copy (&md, c->mfx.md ))
887 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
890 else /* detached signature */
892 log_debug ("Do we really need this here?");
893 /* check_signature() will enable the md*/
894 if (gcry_md_open (&md, 0, 0 ))
896 if (gcry_md_open (&md2, 0, 0 ))
900 else if ((sig->sig_class&~3) == 0x10
901 || sig->sig_class == 0x18
902 || sig->sig_class == 0x1f
903 || sig->sig_class == 0x20
904 || sig->sig_class == 0x28
905 || sig->sig_class == 0x30)
907 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
908 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
910 return check_key_signature( c->list, node, is_selfsig );
912 else if (sig->sig_class == 0x20)
914 log_error (_("standalone revocation - "
915 "use \"gpg --import\" to apply\n"));
916 return GPG_ERR_NOT_PROCESSED;
920 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
921 return GPG_ERR_SIG_CLASS;
925 return GPG_ERR_SIG_CLASS;
927 /* We only get here if we are checking the signature of a binary
928 (0x00) or text document (0x01). */
929 rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, NULL);
932 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
934 rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
941 unsigned char *buffer = gcry_md_read (md_good, 0);
942 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
943 memcpy (sig->digest, buffer, sig->digest_len);
954 print_userid (PACKET *pkt)
959 if (pkt->pkttype != PKT_USER_ID)
961 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
966 if (pkt->pkt.user_id->attrib_data)
968 pkt->pkt.user_id->numattribs,
969 pkt->pkt.user_id->attrib_len);
971 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
972 pkt->pkt.user_id->len, ":", NULL);
975 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
976 pkt->pkt.user_id->len );
981 * List the keyblock in a user friendly way
984 list_node (CTX c, kbnode_t node)
988 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
989 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
991 PKT_public_key *pk = node->pkt->pkt.public_key;
997 keyid_from_pk( pk, keyid );
998 if (pk->flags.primary)
999 c->trustletter = (opt.fast_list_mode?
1000 0 : get_validity_info (c->ctrl, pk, NULL));
1001 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1003 es_putc (c->trustletter, es_stdout);
1004 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1005 nbits_from_pk( pk ),
1007 (ulong)keyid[0],(ulong)keyid[1],
1008 colon_datestr_from_pk( pk ),
1009 colon_strtime (pk->expiredate) );
1010 if (pk->flags.primary && !opt.fast_list_mode)
1011 es_putc (get_ownertrust_info (pk), es_stdout);
1012 es_putc (':', es_stdout);
1013 es_putc ('\n', es_stdout);
1017 print_key_line (es_stdout, pk, 0);
1020 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1021 ; /* Already printed. */
1022 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1023 print_fingerprint (NULL, pk, 0);
1025 if (opt.with_colons)
1027 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1028 es_printf ("rtv:1:%u:\n",
1029 node->next->pkt->pkt.ring_trust->trustval);
1032 if (pk->flags.primary)
1034 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1036 /* Now list all userids with their signatures. */
1037 for (node = node->next; node; node = node->next)
1039 if (node->pkt->pkttype == PKT_SIGNATURE)
1041 list_node (c, node );
1043 else if (node->pkt->pkttype == PKT_USER_ID)
1045 if (opt.with_colons)
1046 es_printf ("%s:::::::::",
1047 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1049 es_printf ("uid%*s",
1050 kl + (opt.legacy_list_mode? 9:11),
1052 print_userid (node->pkt);
1053 if (opt.with_colons)
1054 es_putc (':', es_stdout);
1055 es_putc ('\n', es_stdout);
1058 && node->next->pkt->pkttype == PKT_RING_TRUST)
1060 es_printf ("rtv:2:%u:\n",
1061 node->next->pkt->pkt.ring_trust?
1062 node->next->pkt->pkt.ring_trust->trustval : 0);
1065 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1067 list_node(c, node );
1072 else if (node->pkt->pkttype == PKT_SECRET_KEY
1073 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1076 log_debug ("FIXME: No way to print secret key packets here\n");
1077 /* fixme: We may use a function to turn a secret key packet into
1078 a public key one and use that here. */
1080 else if (node->pkt->pkttype == PKT_SIGNATURE)
1082 PKT_signature *sig = node->pkt->pkt.signature;
1092 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1093 es_fputs ("rev", es_stdout);
1095 es_fputs ("sig", es_stdout);
1099 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1100 switch (gpg_err_code (rc2))
1102 case 0: sigrc = '!'; break;
1103 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1104 case GPG_ERR_NO_PUBKEY:
1105 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1106 default: sigrc = '%'; break;
1109 else /* Check whether this is a self signature. */
1113 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1114 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1116 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1118 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1123 if (opt.with_colons)
1125 es_putc (':', es_stdout);
1127 es_putc (sigrc, es_stdout);
1128 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1129 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1130 colon_datestr_from_sig (sig),
1131 colon_expirestr_from_sig (sig));
1133 if (sig->trust_depth || sig->trust_value)
1134 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1135 es_putc (':', es_stdout);
1137 if (sig->trust_regexp)
1138 es_write_sanitized (es_stdout, sig->trust_regexp,
1139 strlen (sig->trust_regexp), ":", NULL);
1140 es_putc (':', es_stdout);
1143 es_printf ("%c %s %s ",
1144 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1146 es_printf ("[%s] ", gpg_strerror (rc2) );
1147 else if (sigrc == '?')
1149 else if (is_selfsig)
1151 if (opt.with_colons)
1152 es_putc (':', es_stdout);
1153 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1154 if (opt.with_colons)
1155 es_putc (':', es_stdout);
1157 else if (!opt.fast_list_mode)
1159 p = get_user_id (sig->keyid, &n);
1160 es_write_sanitized (es_stdout, p, n,
1161 opt.with_colons?":":NULL, NULL );
1164 if (opt.with_colons)
1165 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1166 es_putc ('\n', es_stdout);
1169 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1174 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1177 CTX c = xmalloc_clear (sizeof *c);
1181 rc = do_proc_packets (ctrl, c, a);
1189 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1190 strlist_t signedfiles, const char *sigfilename )
1192 CTX c = xmalloc_clear (sizeof *c);
1199 c->signed_data.data_fd = -1;
1200 c->signed_data.data_names = signedfiles;
1201 c->signed_data.used = !!signedfiles;
1203 c->sigfilename = sigfilename;
1204 rc = do_proc_packets (ctrl, c, a);
1206 /* If we have not encountered any signature we print an error
1207 messages, send a NODATA status back and return an error code.
1208 Using log_error is required because verify_files does not check
1209 error codes for each file but we want to terminate the process
1211 if (!rc && !c->any.sig_seen)
1213 write_status_text (STATUS_NODATA, "4");
1214 log_error (_("no signature found\n"));
1215 rc = GPG_ERR_NO_DATA;
1218 /* Propagate the signature seen flag upward. Do this only on success
1219 so that we won't issue the nodata status several times. */
1220 if (!rc && c->anchor && c->any.sig_seen)
1221 c->anchor->any.sig_seen = 1;
1229 proc_signature_packets_by_fd (ctrl_t ctrl,
1230 void *anchor, iobuf_t a, int signed_data_fd )
1235 c = xtrycalloc (1, sizeof *c);
1237 return gpg_error_from_syserror ();
1243 c->signed_data.data_fd = signed_data_fd;
1244 c->signed_data.data_names = NULL;
1245 c->signed_data.used = (signed_data_fd != -1);
1247 rc = do_proc_packets (ctrl, c, a);
1249 /* If we have not encountered any signature we print an error
1250 messages, send a NODATA status back and return an error code.
1251 Using log_error is required because verify_files does not check
1252 error codes for each file but we want to terminate the process
1254 if (!rc && !c->any.sig_seen)
1256 write_status_text (STATUS_NODATA, "4");
1257 log_error (_("no signature found\n"));
1258 rc = gpg_error (GPG_ERR_NO_DATA);
1261 /* Propagate the signature seen flag upward. Do this only on success
1262 so that we won't issue the nodata status several times. */
1263 if (!rc && c->anchor && c->any.sig_seen)
1264 c->anchor->any.sig_seen = 1;
1272 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1274 CTX c = xmalloc_clear (sizeof *c);
1279 c->encrypt_only = 1;
1280 rc = do_proc_packets (ctrl, c, a);
1287 check_nesting (CTX c)
1291 for (level=0; c; c = c->anchor)
1294 if (level > MAX_NESTING_DEPTH)
1296 log_error ("input data with too deeply nested packets\n");
1297 write_status_text (STATUS_UNEXPECTED, "1");
1298 return GPG_ERR_BAD_DATA;
1306 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1313 rc = check_nesting (c);
1317 pkt = xmalloc( sizeof *pkt );
1320 while ((rc=parse_packet(a, pkt)) != -1)
1326 /* Stop processing when an invalid packet has been encountered
1327 * but don't do so when we are doing a --list-packets. */
1328 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1329 && opt.list_packets == 0)
1334 if (opt.list_packets)
1336 switch (pkt->pkttype)
1338 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1339 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1341 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1342 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1343 default: newpkt = 0; break;
1346 else if (c->sigs_only)
1348 switch (pkt->pkttype)
1350 case PKT_PUBLIC_KEY:
1351 case PKT_SECRET_KEY:
1353 case PKT_SYMKEY_ENC:
1354 case PKT_PUBKEY_ENC:
1356 case PKT_ENCRYPTED_MDC:
1357 write_status_text( STATUS_UNEXPECTED, "0" );
1358 rc = GPG_ERR_UNEXPECTED;
1361 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1362 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1363 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1364 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1365 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1366 default: newpkt = 0; break;
1369 else if (c->encrypt_only)
1371 switch (pkt->pkttype)
1373 case PKT_PUBLIC_KEY:
1374 case PKT_SECRET_KEY:
1376 write_status_text (STATUS_UNEXPECTED, "0");
1377 rc = GPG_ERR_UNEXPECTED;
1380 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1381 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1382 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1384 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1385 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1386 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1387 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1388 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1389 default: newpkt = 0; break;
1394 switch (pkt->pkttype)
1396 case PKT_PUBLIC_KEY:
1397 case PKT_SECRET_KEY:
1399 c->list = new_kbnode (pkt);
1402 case PKT_PUBLIC_SUBKEY:
1403 case PKT_SECRET_SUBKEY:
1404 newpkt = add_subkey (c, pkt);
1406 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1407 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1408 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1409 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1411 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1412 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1413 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1414 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1415 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1416 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1417 default: newpkt = 0; break;
1424 /* This is a very ugly construct and frankly, I don't remember why
1425 * I used it. Adding the MDC check here is a hack.
1426 * The right solution is to initiate another context for encrypted
1427 * packet and not to reuse the current one ... It works right
1428 * when there is a compression packet between which adds just
1430 * Hmmm: Rewrite this whole module here??
1432 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1433 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1439 pkt = xmalloc (sizeof *pkt);
1446 if (rc == GPG_ERR_INV_PACKET)
1447 write_status_text (STATUS_NODATA, "3");
1452 write_status_text (STATUS_NODATA, "2");
1460 free_md_filter_context (&c->mfx);
1465 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1466 of the notation data. */
1468 get_pka_address (PKT_signature *sig)
1470 pka_info_t *pka = NULL;
1471 struct notation *nd,*notation;
1473 notation=sig_to_notation(sig);
1475 for(nd=notation;nd;nd=nd->next)
1477 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1478 continue; /* Not the notation we want. */
1480 /* For now we only use the first valid PKA notation. In future
1481 we might want to keep additional PKA notations in a linked
1483 if (is_valid_mailbox (nd->value))
1485 pka = xmalloc (sizeof *pka + strlen(nd->value));
1489 strcpy (pka->email, nd->value);
1494 free_notation(notation);
1500 /* Return the URI from a DNS PKA record. If this record has already
1501 be retrieved for the signature we merely return it; if not we go
1502 out and try to get that DNS record. */
1504 pka_uri_from_sig (CTX c, PKT_signature *sig)
1506 if (!sig->flags.pka_tried)
1508 log_assert (!sig->pka_info);
1509 sig->flags.pka_tried = 1;
1510 sig->pka_info = get_pka_address (sig);
1517 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1518 &fpr, &fprlen, &url))
1520 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1522 memcpy (sig->pka_info->fpr, fpr, fprlen);
1525 sig->pka_info->valid = 1;
1529 sig->pka_info->uri = url;
1538 return sig->pka_info? sig->pka_info->uri : NULL;
1542 /* Return true if the AKL has the WKD method specified. */
1544 akl_has_wkd_method (void)
1548 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1549 if (akl->type == AKL_WKD)
1556 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1557 PKT_signature *sig, int rc)
1561 write_status_text_and_buffer (statno, keyid_str,
1562 un? un->pkt->pkt.user_id->name:"[?]",
1563 un? un->pkt->pkt.user_id->len:3,
1567 p = utf8_to_native (un->pkt->pkt.user_id->name,
1568 un->pkt->pkt.user_id->len, 0);
1570 p = xstrdup ("[?]");
1573 log_info (_("BAD signature from \"%s\""), p);
1574 else if (sig->flags.expired)
1575 log_info (_("Expired signature from \"%s\""), p);
1577 log_info (_("Good signature from \"%s\""), p);
1584 check_sig_and_print (CTX c, kbnode_t node)
1586 PKT_signature *sig = node->pkt->pkt.signature;
1591 char pkstrbuf[PUBKEY_STRING_SIZE];
1595 if (opt.skip_verify)
1597 log_info(_("signature verification suppressed\n"));
1601 /* Check that the message composition is valid.
1603 * Per RFC-2440bis (-15) allowed:
1605 * S{1,n} -- detached signature.
1606 * S{1,n} P -- old style PGP2 signature
1607 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1608 * C P S{1,n} -- cleartext signature.
1611 * O = One-Pass Signature packet.
1612 * S = Signature packet.
1613 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1614 * (Note that the current rfc2440bis draft also allows
1615 * for a signed message but that does not work as it
1616 * introduces ambiguities.)
1617 * We keep track of these packages using the marker packet
1618 * CTRLPKT_PLAINTEXT_MARK.
1619 * C = Marker packet for cleartext signatures.
1621 * We reject all other messages.
1623 * Actually we are calling this too often, i.e. for verification of
1624 * each message but better have some duplicate work than to silently
1625 * introduce a bug here.
1629 int n_onepass, n_sig;
1631 /* log_debug ("checking signature packet composition\n"); */
1632 /* dump_kbnode (c->list); */
1636 if ( n->pkt->pkttype == PKT_SIGNATURE )
1638 /* This is either "S{1,n}" case (detached signature) or
1639 "S{1,n} P" (old style PGP2 signature). */
1640 for (n = n->next; n; n = n->next)
1641 if (n->pkt->pkttype != PKT_SIGNATURE)
1644 ; /* Okay, this is a detached signature. */
1645 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1646 && (n->pkt->pkt.gpg_control->control
1647 == CTRLPKT_PLAINTEXT_MARK) )
1650 goto ambiguous; /* We only allow one P packet. */
1655 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1657 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1658 for (n_onepass=1, n = n->next;
1659 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1661 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1662 && (n->pkt->pkt.gpg_control->control
1663 == CTRLPKT_PLAINTEXT_MARK)))
1665 for (n_sig=0, n = n->next;
1666 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1671 /* If we wanted to disallow multiple sig verification, we'd do
1672 something like this:
1674 if (n && !opt.allow_multisig_verification)
1677 However, now that we have --allow-multiple-messages, this
1678 can stay allowable as we can't get here unless multiple
1679 messages (i.e. multiple literals) are allowed. */
1681 if (n_onepass != n_sig)
1683 log_info ("number of one-pass packets does not match "
1684 "number of signature packets\n");
1688 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1689 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1691 /* This is the "C P S{1,n}" case (clear text signature). */
1693 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1694 && (n->pkt->pkt.gpg_control->control
1695 == CTRLPKT_PLAINTEXT_MARK)))
1697 for (n_sig=0, n = n->next;
1698 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1706 log_error(_("can't handle this ambiguous signature data\n"));
1711 if (sig->signers_uid)
1712 write_status_buffer (STATUS_NEWSIG,
1713 sig->signers_uid, strlen (sig->signers_uid), 0);
1715 write_status_text (STATUS_NEWSIG, NULL);
1717 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1718 if (keystrlen () > 8)
1720 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1721 log_info (_(" using %s key %s\n"),
1722 astr? astr: "?", keystr(sig->keyid));
1725 log_info (_("Signature made %s using %s key ID %s\n"),
1726 asctimestamp(sig->timestamp), astr? astr: "?",
1727 keystr(sig->keyid));
1729 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1731 /* If the key isn't found, check for a preferred keyserver. */
1732 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1738 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1740 /* According to my favorite copy editor, in English grammar,
1741 you say "at" if the key is located on a web page, but
1742 "from" if it is located on a keyserver. I'm not going to
1743 even try to make two strings here :) */
1744 log_info(_("Key available at: ") );
1745 print_utf8_buffer (log_get_stream(), p, n);
1748 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1749 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1751 struct keyserver_spec *spec;
1753 spec = parse_preferred_keyserver (sig);
1758 glo_ctrl.in_auto_key_retrieve++;
1759 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1760 glo_ctrl.in_auto_key_retrieve--;
1762 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1763 free_keyserver_spec (spec);
1772 /* If the avove methods didn't work, our next try is to use the URI
1773 * from a DNS PKA record. */
1774 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1775 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1776 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1778 const char *uri = pka_uri_from_sig (c, sig);
1782 /* FIXME: We might want to locate the key using the
1783 fingerprint instead of the keyid. */
1785 struct keyserver_spec *spec;
1787 spec = parse_keyserver_uri (uri, 1);
1790 glo_ctrl.in_auto_key_retrieve++;
1791 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1792 glo_ctrl.in_auto_key_retrieve--;
1793 free_keyserver_spec (spec);
1795 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1800 /* If the above methods didn't work, our next try is to use locate
1801 * the key via its fingerprint from a keyserver. This requires
1802 * that the signers fingerprint is encoded in the signature. We
1803 * favor this over the WKD method (to be tried next), because an
1804 * arbitrary keyserver is less subject to web bug like
1806 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1807 && opt.flags.rfc4880bis
1808 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1809 && keyserver_any_configured (c->ctrl))
1815 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1816 if (p && n == 21 && p[0] == 4)
1818 /* v4 packet with a SHA-1 fingerprint. */
1819 glo_ctrl.in_auto_key_retrieve++;
1820 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver);
1821 glo_ctrl.in_auto_key_retrieve--;
1823 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1827 /* If the above methods didn't work, our next try is to retrieve the
1828 * key from the WKD. */
1829 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1830 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1831 && !opt.flags.disable_signer_uid
1832 && akl_has_wkd_method ()
1833 && sig->signers_uid)
1837 glo_ctrl.in_auto_key_retrieve++;
1838 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, NULL, NULL);
1839 glo_ctrl.in_auto_key_retrieve--;
1840 /* Fixme: If the fingerprint is embedded in the signature,
1841 * compare it to the fingerprint of the returned key. */
1843 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1846 /* If the above methods did't work, our next try is to use a
1848 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1849 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1850 && keyserver_any_configured (c->ctrl))
1854 glo_ctrl.in_auto_key_retrieve++;
1855 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1856 glo_ctrl.in_auto_key_retrieve--;
1858 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1861 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1863 kbnode_t un, keyblock;
1867 PKT_public_key *pk = NULL;
1870 statno = STATUS_BADSIG;
1871 else if (sig->flags.expired)
1872 statno = STATUS_EXPSIG;
1874 statno = STATUS_EXPKEYSIG;
1876 statno = STATUS_REVKEYSIG;
1878 statno = STATUS_GOODSIG;
1880 keyblock = get_pubkeyblock (sig->keyid);
1882 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1883 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1885 /* Find and print the primary user ID along with the
1886 "Good|Expired|Bad signature" line. */
1887 for (un=keyblock; un; un = un->next)
1891 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1893 pk=un->pkt->pkt.public_key;
1896 if (un->pkt->pkttype != PKT_USER_ID)
1898 if (!un->pkt->pkt.user_id->created)
1900 if (un->pkt->pkt.user_id->is_revoked)
1902 if (un->pkt->pkt.user_id->is_expired)
1904 if (!un->pkt->pkt.user_id->is_primary)
1906 /* We want the textual primary user ID here */
1907 if (un->pkt->pkt.user_id->attrib_data)
1912 /* Since this is just informational, don't actually ask the
1913 user to update any trust information. (Note: we register
1914 the signature later.) Because print_good_bad_signature
1915 does not print a LF we need to compute the validity
1916 before calling that function. */
1917 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1918 valid = get_validity (c->ctrl, pk, un->pkt->pkt.user_id, NULL, 0);
1920 valid = 0; /* Not used. */
1922 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1924 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1926 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1927 log_printf (" [%s]\n",trust_value_to_string(valid));
1931 /* Get a string description of the algo for informational
1932 output we want to print later. It is convenient to do it
1933 here because we already have the right public key. */
1934 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1938 /* In case we did not found a valid valid textual userid above
1939 we print the first user id packet or a "[?]" instead along
1940 with the "Good|Expired|Bad signature" line. */
1943 /* Try for an invalid textual userid */
1944 for (un=keyblock; un; un = un->next)
1946 if (un->pkt->pkttype == PKT_USER_ID
1947 && !un->pkt->pkt.user_id->attrib_data)
1951 /* Try for any userid at all */
1954 for (un=keyblock; un; un = un->next)
1956 if (un->pkt->pkttype == PKT_USER_ID)
1961 if (opt.trust_model==TM_ALWAYS || !un)
1962 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1964 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1966 if (opt.trust_model != TM_ALWAYS && un)
1967 log_printf (" %s",_("[uncertain]") );
1971 /* If we have a good signature and already printed
1972 * the primary user ID, print all the other user IDs */
1975 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1978 for( un=keyblock; un; un = un->next)
1980 if (un->pkt->pkttype != PKT_USER_ID)
1982 if ((un->pkt->pkt.user_id->is_revoked
1983 || un->pkt->pkt.user_id->is_expired)
1984 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1986 /* Skip textual primary user ids which we printed above. */
1987 if (un->pkt->pkt.user_id->is_primary
1988 && !un->pkt->pkt.user_id->attrib_data )
1991 /* If this user id has attribute data, print that. */
1992 if (un->pkt->pkt.user_id->attrib_data)
1994 dump_attribs (un->pkt->pkt.user_id, pk);
1996 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1997 show_photos (c->ctrl,
1998 un->pkt->pkt.user_id->attribs,
1999 un->pkt->pkt.user_id->numattribs,
2000 pk ,un->pkt->pkt.user_id);
2003 p = utf8_to_native (un->pkt->pkt.user_id->name,
2004 un->pkt->pkt.user_id->len, 0);
2005 log_info (_(" aka \"%s\""), p);
2008 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2012 if (un->pkt->pkt.user_id->is_revoked)
2013 valid = _("revoked");
2014 else if (un->pkt->pkt.user_id->is_expired)
2015 valid = _("expired");
2017 /* Since this is just informational, don't
2018 actually ask the user to update any trust
2020 valid = (trust_value_to_string
2021 (get_validity (c->ctrl, pk,
2022 un->pkt->pkt.user_id, sig, 0)));
2023 log_printf (" [%s]\n",valid);
2029 release_kbnode( keyblock );
2031 /* For good signatures print notation data. */
2034 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2035 show_policy_url (sig, 0, 1);
2037 show_policy_url (sig, 0, 2);
2039 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2040 show_keyserver_url (sig, 0, 1);
2042 show_keyserver_url (sig, 0, 2);
2044 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2047 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2048 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2050 show_notation (sig, 0, 2, 0);
2053 /* For good signatures print the VALIDSIG status line. */
2054 if (!rc && is_status_enabled ())
2056 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
2058 if (!get_pubkey (vpk, sig->keyid))
2060 byte array[MAX_FINGERPRINT_LEN], *p;
2061 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
2065 fingerprint_from_pk (vpk, array, &n);
2067 for(i=0; i < n ; i++, p++, bufp += 2)
2068 sprintf (bufp, "%02X", *p );
2069 /* TODO: Replace the reserved '0' in the field below
2070 with bits for status flags (policy url, notation,
2071 etc.). Remember to make the buffer larger to match! */
2072 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
2073 strtimestamp( sig->timestamp ),
2074 (ulong)sig->timestamp,(ulong)sig->expiredate,
2075 sig->version,sig->pubkey_algo,sig->digest_algo,
2077 bufp = bufp + strlen (bufp);
2078 if (!vpk->flags.primary)
2082 akid[0] = vpk->main_keyid[0];
2083 akid[1] = vpk->main_keyid[1];
2084 free_public_key (vpk);
2085 vpk = xmalloc_clear (sizeof *vpk);
2086 if (get_pubkey (vpk, akid))
2088 /* Impossible error, we simply return a zeroed out fpr */
2089 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
2090 memset (array, 0, n);
2093 fingerprint_from_pk( vpk, array, &n );
2096 for (i=0; i < n ; i++, p++, bufp += 2)
2097 sprintf(bufp, "%02X", *p );
2098 write_status_text (STATUS_VALIDSIG, buf);
2100 free_public_key (vpk);
2103 /* For good signatures compute and print the trust information.
2104 Note that in the Tofu trust model this may ask the user on
2105 how to resolve a conflict. */
2108 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2109 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2110 rc = check_signatures_trust (c->ctrl, sig);
2113 /* Print extra information about the signature. */
2114 if (sig->flags.expired)
2116 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2117 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2119 else if (sig->expiredate)
2120 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2123 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2124 sig->sig_class==0x00?_("binary"):
2125 sig->sig_class==0x01?_("textmode"):_("unknown"),
2126 gcry_md_algo_name (sig->digest_algo),
2127 *pkstrbuf?_(", key algorithm "):"",
2130 /* Print final warnings. */
2131 if (!rc && !c->signed_data.used)
2133 /* Signature is basically good but we test whether the
2135 gpg --verify FILE.sig
2137 gpg --verify FILE.sig FILE
2138 to verify a detached signature. If we figure out that a
2139 data file with a matching name exists, we print a warning.
2141 The problem is that the first form would also verify a
2142 standard signature. This behavior could be used to
2143 create a made up .sig file for a tarball by creating a
2144 standard signature from a valid detached signature packet
2145 (for example from a signed git tag). Then replace the
2146 sig file on the FTP server along with a changed tarball.
2147 Using the first form the verify command would correctly
2148 verify the signature but don't even consider the tarball. */
2152 dfile = get_matching_datafile (c->sigfilename);
2155 for (n = c->list; n; n = n->next)
2156 if (n->pkt->pkttype != PKT_SIGNATURE)
2160 /* Not only signature packets in the tree thus this
2161 is not a detached signature. */
2162 log_info (_("WARNING: not a detached signature; "
2163 "file '%s' was NOT verified!\n"), dfile);
2170 g10_errors_seen = 1;
2171 if (opt.batch && rc)
2178 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2179 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2180 sig->pubkey_algo, sig->digest_algo,
2181 sig->sig_class, (ulong)sig->timestamp, rc);
2182 write_status_text (STATUS_ERRSIG, buf);
2183 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2186 write_status_text (STATUS_NO_PUBKEY, buf);
2188 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2189 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2197 * Process the tree which starts at node
2200 proc_tree (CTX c, kbnode_t node)
2205 if (opt.list_packets || opt.list_only)
2208 /* We must skip our special plaintext marker packets here because
2209 they may be the root packet. These packets are only used in
2210 addional checks and skipping them here doesn't matter. */
2212 && node->pkt->pkttype == PKT_GPG_CONTROL
2213 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2220 c->trustletter = ' ';
2221 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2222 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2224 merge_keys_and_selfsig (node);
2225 list_node (c, node);
2227 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2229 merge_keys_and_selfsig (node);
2230 list_node (c, node);
2232 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2234 /* Check all signatures. */
2237 int use_textmode = 0;
2239 free_md_filter_context (&c->mfx);
2240 /* Prepare to create all requested message digests. */
2241 rc = gcry_md_open (&c->mfx.md, 0, 0);
2245 /* Fixme: why looking for the signature packet and not the
2247 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2248 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2250 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2253 /* Ask for file and hash it. */
2256 if (c->signed_data.used && c->signed_data.data_fd != -1)
2257 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2258 c->signed_data.data_fd,
2261 rc = hash_datafiles (c->mfx.md, NULL,
2262 c->signed_data.data_names,
2268 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2269 iobuf_get_real_fname (c->iobuf),
2276 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2280 else if (c->signed_data.used)
2282 log_error (_("not a detached signature\n"));
2286 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2287 check_sig_and_print (c, n1);
2290 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2291 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2293 /* Clear text signed message. */
2296 log_error ("cleartext signature without data\n");
2299 else if (c->signed_data.used)
2301 log_error (_("not a detached signature\n"));
2305 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2306 check_sig_and_print (c, n1);
2309 else if (node->pkt->pkttype == PKT_SIGNATURE)
2311 PKT_signature *sig = node->pkt->pkt.signature;
2312 int multiple_ok = 1;
2314 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2317 byte class = sig->sig_class;
2318 byte hash = sig->digest_algo;
2320 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2322 /* We can't currently handle multiple signatures of
2323 different classes or digests (we'd pretty much have
2324 to run a different hash context for each), but if
2325 they are all the same, make an exception. */
2326 if (n1->pkt->pkt.signature->sig_class != class
2327 || n1->pkt->pkt.signature->digest_algo != hash)
2330 log_info (_("WARNING: multiple signatures detected. "
2331 "Only the first will be checked.\n"));
2337 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2339 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2341 else if (!c->any.data)
2343 /* Detached signature */
2344 free_md_filter_context (&c->mfx);
2345 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2347 goto detached_hash_err;
2349 if (RFC2440 || RFC4880)
2350 ; /* Strict RFC mode. */
2351 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2352 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2353 && sig->sig_class == 0x01)
2355 /* Enable a workaround for a pgp5 bug when the detached
2356 * signature has been created in textmode. */
2357 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2359 goto detached_hash_err;
2362 /* Here we used to have another hack to work around a pgp
2363 * 2 bug: It worked by not using the textmode for detached
2364 * signatures; this would let the first signature check
2365 * (on md) fail but the second one (on md2), which adds an
2366 * extra CR would then have produced the "correct" hash.
2367 * This is very, very ugly hack but it may haved help in
2368 * some cases (and break others).
2369 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2374 gcry_md_debug (c->mfx.md, "verify");
2376 gcry_md_debug (c->mfx.md2, "verify2");
2381 if (c->signed_data.used && c->signed_data.data_fd != -1)
2382 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2383 c->signed_data.data_fd,
2384 (sig->sig_class == 0x01));
2386 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2387 c->signed_data.data_names,
2389 (sig->sig_class == 0x01));
2393 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2394 iobuf_get_real_fname(c->iobuf),
2395 (sig->sig_class == 0x01));
2401 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2405 else if (c->signed_data.used)
2407 log_error (_("not a detached signature\n"));
2410 else if (!opt.quiet)
2411 log_info (_("old style (PGP 2.x) signature\n"));
2415 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2416 check_sig_and_print (c, n1);
2419 check_sig_and_print (c, node);
2424 dump_kbnode (c->list);
2425 log_error ("invalid root packet detected in proc_tree()\n");