1 /* mainproc.c - handle packets
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
3 * 2008, 2009 Free Software Foundation, Inc.
4 * Copyright (C) 2013 Werner Koch
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
41 #include "keyserver-internal.h"
46 /* Put an upper limit on nested packets. The 32 is an arbitrary
47 value, a much lower should actually be sufficient. */
48 #define MAX_NESTING_DEPTH 32
52 struct kidlist_item *next;
60 * Structure to hold the context
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_secret_key *last_seckey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fieldss
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 KBNODE list; /* The current list of packets. */
95 IOBUF iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 static int do_proc_packets( CTX c, IOBUF a );
109 static void list_node( CTX c, KBNODE node );
110 static void proc_tree( CTX c, KBNODE node );
111 static int literals_seen;
114 reset_literals_seen(void)
120 release_list( CTX c )
124 proc_tree(c, c->list );
125 release_kbnode( c->list );
126 while( c->pkenc_list ) {
127 struct kidlist_item *tmp = c->pkenc_list->next;
128 xfree( c->pkenc_list );
131 c->pkenc_list = NULL;
134 c->any.uncompress_failed = 0;
135 c->last_was_session_key = 0;
136 xfree(c->dek); c->dek = NULL;
141 add_onepass_sig( CTX c, PACKET *pkt )
145 if ( c->list ) /* add another packet */
146 add_kbnode( c->list, new_kbnode( pkt ));
147 else /* insert the first one */
148 c->list = node = new_kbnode( pkt );
155 add_gpg_control( CTX c, PACKET *pkt )
157 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START ) {
158 /* New clear text signature.
159 * Process the last one and reset everything */
163 if( c->list ) /* add another packet */
164 add_kbnode( c->list, new_kbnode( pkt ));
165 else /* insert the first one */
166 c->list = new_kbnode( pkt );
174 add_user_id( CTX c, PACKET *pkt )
177 log_error("orphaned user ID\n" );
180 add_kbnode( c->list, new_kbnode( pkt ) );
185 add_subkey( CTX c, PACKET *pkt )
188 log_error("subkey w/o mainkey\n" );
191 add_kbnode( c->list, new_kbnode( pkt ) );
196 add_ring_trust( CTX c, PACKET *pkt )
199 log_error("ring trust w/o key\n" );
202 add_kbnode( c->list, new_kbnode( pkt ) );
208 add_signature( CTX c, PACKET *pkt )
213 if( pkt->pkttype == PKT_SIGNATURE && !c->list ) {
214 /* This is the first signature for the following datafile.
215 * GPG does not write such packets; instead it always uses
216 * onepass-sig packets. The drawback of PGP's method
217 * of prepending the signature to the data is
218 * that it is not possible to make a signature from data read
219 * from stdin. (GPG is able to read PGP stuff anyway.) */
220 node = new_kbnode( pkt );
225 return 0; /* oops (invalid packet sequence)*/
226 else if( !c->list->pkt )
227 BUG(); /* so nicht */
229 /* add a new signature node id at the end */
230 node = new_kbnode( pkt );
231 add_kbnode( c->list, node );
236 symkey_decrypt_seskey( DEK *dek, byte *seskey, size_t slen )
240 if(slen < 17 || slen > 33)
242 log_error ( _("weird size for an encrypted session key (%d)\n"),
244 return G10ERR_BAD_KEY;
247 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
249 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
251 gcry_cipher_setiv ( hd, NULL, 0 );
252 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
253 gcry_cipher_close ( hd );
255 /* Now we replace the dek components with the real session key to
256 decrypt the contents of the sequencing packet. */
261 if(dek->keylen > DIM(dek->key))
264 /* This is not completely accurate, since a bad passphrase may have
265 resulted in a garbage algorithm byte, but it's close enough since
266 a bogus byte here will fail later. */
267 if(dek->algo==CIPHER_ALGO_IDEA)
270 memcpy(dek->key, seskey + 1, dek->keylen);
272 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
278 proc_symkey_enc( CTX c, PACKET *pkt )
282 enc = pkt->pkt.symkey_enc;
284 log_error ("invalid symkey encrypted packet\n");
287 int algo = enc->cipher_algo;
288 const char *s = openpgp_cipher_algo_name (algo);
290 if (!openpgp_cipher_test_algo (algo))
295 log_info(_("%s encrypted session key\n"), s );
297 log_info(_("%s encrypted data\n"), s );
301 log_error(_("encrypted with unknown algorithm %d\n"), algo );
303 if(openpgp_md_test_algo (enc->s2k.hash_algo))
305 log_error(_("passphrase generated with unknown digest"
306 " algorithm %d\n"),enc->s2k.hash_algo);
310 c->last_was_session_key = 2;
311 if(!s || opt.list_only)
314 if(opt.override_session_key)
316 c->dek = xmalloc_clear( sizeof *c->dek );
317 if(get_override_session_key(c->dek, opt.override_session_key))
325 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3,
331 /* FIXME: This doesn't work perfectly if a symmetric
332 key comes before a public key in the message - if
333 the user doesn't know the passphrase, then there is
334 a chance that the "decrypted" algorithm will happen
335 to be a valid one, which will make the returned dek
336 appear valid, so we won't try any public keys that
340 if(symkey_decrypt_seskey(c->dek, enc->seskey,
348 c->dek->algo_info_printed = 1;
359 proc_pubkey_enc( CTX c, PACKET *pkt )
364 /* check whether the secret key is available and store in this case */
365 c->last_was_session_key = 1;
366 enc = pkt->pkt.pubkey_enc;
367 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
368 /* Hmmm: why do I have this algo check here - anyway there is
369 * function to check it. */
371 log_info(_("public key is %s\n"), keystr(enc->keyid) );
373 if( is_status_enabled() ) {
375 sprintf(buf, "%08lX%08lX %d 0",
376 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo );
377 write_status_text( STATUS_ENC_TO, buf );
380 if( !opt.list_only && opt.override_session_key ) {
381 /* It does not make much sense to store the session key in
382 * secure memory because it has already been passed on the
383 * command line and the GCHQ knows about it. */
384 c->dek = xmalloc_clear( sizeof *c->dek );
385 result = get_override_session_key ( c->dek, opt.override_session_key );
387 xfree(c->dek); c->dek = NULL;
390 else if( enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
391 || enc->pubkey_algo == PUBKEY_ALGO_RSA
392 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
393 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL) {
394 /* Note that we also allow type 20 Elgamal keys for decryption.
395 There are still a couple of those keys in active use as a
398 /* FIXME: Store this all in a list and process it later so that
399 we can prioritize what key to use. This gives a better user
400 experience if wildcard keyids are used. */
401 if ( !c->dek && ((!enc->keyid[0] && !enc->keyid[1])
402 || opt.try_all_secrets
403 || !seckey_available( enc->keyid )) ) {
407 c->dek = xmalloc_secure_clear( sizeof *c->dek );
408 if( (result = get_session_key( enc, c->dek )) ) {
409 /* error: delete the DEK */
410 xfree(c->dek); c->dek = NULL;
415 result = G10ERR_NO_SECKEY;
418 result = G10ERR_PUBKEY_ALGO;
424 /* store it for later display */
425 struct kidlist_item *x = xmalloc( sizeof *x );
426 x->kid[0] = enc->keyid[0];
427 x->kid[1] = enc->keyid[1];
428 x->pubkey_algo = enc->pubkey_algo;
430 x->next = c->pkenc_list;
433 if( !result && opt.verbose > 1 )
434 log_info( _("public key encrypted data: good DEK\n") );
443 * Print the list of public key encrypted packets which we could
447 print_pkenc_list( struct kidlist_item *list, int failed )
449 for( ; list; list = list->next ) {
453 if ( failed && !list->reason )
455 if ( !failed && list->reason )
458 algstr = openpgp_pk_algo_name ( list->pubkey_algo );
459 pk = xmalloc_clear( sizeof *pk );
463 pk->pubkey_algo = list->pubkey_algo;
464 if( !get_pubkey( pk, list->kid ) )
467 log_info( _("encrypted with %u-bit %s key, ID %s, created %s\n"),
468 nbits_from_pk( pk ), algstr, keystr_from_pk(pk),
469 strtimestamp(pk->timestamp) );
470 p=get_user_id_native(list->kid);
471 log_printf (_(" \"%s\"\n"),p);
475 log_info(_("encrypted with %s key, ID %s\n"),
476 algstr,keystr(list->kid));
478 free_public_key( pk );
480 if( list->reason == G10ERR_NO_SECKEY ) {
481 if( is_status_enabled() ) {
483 snprintf (buf, sizeof buf, "%08lX%08lX",
484 (ulong)list->kid[0], (ulong)list->kid[1]);
485 write_status_text( STATUS_NO_SECKEY, buf );
488 else if (list->reason)
490 log_info(_("public key decryption failed: %s\n"),
491 g10_errstr(list->reason));
492 write_status_error ("pkdecrypt_failed", list->reason);
499 proc_encrypted( CTX c, PACKET *pkt )
506 log_info(_("encrypted with %lu passphrases\n"),c->symkeys);
507 else if(c->symkeys==1)
508 log_info(_("encrypted with 1 passphrase\n"));
509 print_pkenc_list ( c->pkenc_list, 1 );
510 print_pkenc_list ( c->pkenc_list, 0 );
513 /* FIXME: Figure out the session key by looking at all pkenc packets. */
516 write_status( STATUS_BEGIN_DECRYPTION );
518 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
521 else if( !c->dek && !c->last_was_session_key ) {
524 STRING2KEY *s2k = NULL;
527 if(opt.override_session_key)
529 c->dek = xmalloc_clear( sizeof *c->dek );
530 result=get_override_session_key(c->dek, opt.override_session_key);
539 /* Assume this is old style conventional encrypted data. */
540 algo = opt.def_cipher_algo;
542 log_info (_("assuming %s encrypted data\n"),
543 openpgp_cipher_algo_name (algo));
544 else if ( openpgp_cipher_test_algo (CIPHER_ALGO_IDEA) )
546 algo = opt.def_cipher_algo;
548 algo = opt.s2k_cipher_algo;
550 log_info (_("IDEA cipher unavailable, "
551 "optimistically attempting to use %s instead\n"),
552 openpgp_cipher_algo_name (algo));
556 algo = CIPHER_ALGO_IDEA;
557 if (!opt.s2k_digest_algo)
559 /* If no digest is given we assume MD5 */
561 s2kbuf.hash_algo = DIGEST_ALGO_MD5;
564 log_info (_("assuming %s encrypted data\n"), "IDEA");
567 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL,&canceled);
569 c->dek->algo_info_printed = 1;
571 result = gpg_error (GPG_ERR_CANCELED);
573 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
577 result = G10ERR_NO_SECKEY;
580 result = decrypt_data( c, pkt->pkt.encrypted, c->dek );
584 else if( !result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
585 && opt.ignore_mdc_error)) {
586 write_status( STATUS_DECRYPTION_OKAY );
587 if( opt.verbose > 1 )
588 log_info(_("decryption okay\n"));
589 if( pkt->pkt.encrypted->mdc_method && !result )
590 write_status( STATUS_GOODMDC );
591 else if(!opt.no_mdc_warn)
592 log_info (_("WARNING: message was not integrity protected\n"));
594 else if( gpg_err_code (result) == G10ERR_BAD_SIGN ) {
595 log_error(_("WARNING: encrypted message has been manipulated!\n"));
596 write_status( STATUS_BADMDC );
597 write_status( STATUS_DECRYPTION_FAILED );
600 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
601 && *c->dek->s2k_cacheid != '\0')
603 log_debug(_("cleared passphrase cached with ID: %s\n"),
604 c->dek->s2k_cacheid);
605 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
607 write_status( STATUS_DECRYPTION_FAILED );
608 log_error(_("decryption failed: %s\n"), g10_errstr(result));
609 /* Hmmm: does this work when we have encrypted using multiple
610 * ways to specify the session key (symmmetric and PK)*/
612 xfree(c->dek); c->dek = NULL;
614 c->last_was_session_key = 0;
615 write_status( STATUS_END_DECRYPTION );
620 proc_plaintext( CTX c, PACKET *pkt )
622 PKT_plaintext *pt = pkt->pkt.plaintext;
623 int any, clearsig, only_md5, rc;
628 if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
629 log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
630 else if( opt.verbose )
631 log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
632 free_md_filter_context( &c->mfx );
633 if (gcry_md_open (&c->mfx.md, 0, 0))
635 /* fixme: we may need to push the textfilter if we have sigclass 1
636 * and no armoring - Not yet tested
637 * Hmmm, why don't we need it at all if we have sigclass 1
638 * Should we assume that plaintext in mode 't' has always sigclass 1??
639 * See: Russ Allbery's mail 1999-02-09
641 any = clearsig = only_md5 = 0;
642 for(n=c->list; n; n = n->next )
644 if( n->pkt->pkttype == PKT_ONEPASS_SIG )
646 /* For the onepass signature case */
647 if( n->pkt->pkt.onepass_sig->digest_algo )
649 gcry_md_enable (c->mfx.md,
650 n->pkt->pkt.onepass_sig->digest_algo);
651 if( !any && n->pkt->pkt.onepass_sig->digest_algo
658 if( n->pkt->pkt.onepass_sig->sig_class != 0x01 )
661 else if( n->pkt->pkttype == PKT_GPG_CONTROL
662 && n->pkt->pkt.gpg_control->control
663 == CTRLPKT_CLEARSIGN_START )
665 /* For the clearsigned message case */
666 size_t datalen = n->pkt->pkt.gpg_control->datalen;
667 const byte *data = n->pkt->pkt.gpg_control->data;
669 /* check that we have at least the sigclass and one hash */
671 log_fatal("invalid control packet CTRLPKT_CLEARSIGN_START\n");
672 /* Note that we don't set the clearsig flag for not-dash-escaped
674 clearsig = (*data == 0x01);
675 for( data++, datalen--; datalen; datalen--, data++ )
676 gcry_md_enable (c->mfx.md, *data);
678 break; /* Stop here as one-pass signature packets are not
681 else if(n->pkt->pkttype==PKT_SIGNATURE)
683 /* For the SIG+LITERAL case that PGP used to use. */
684 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
689 if( !any && !opt.skip_verify )
691 /* This is for the old GPG LITERAL+SIG case. It's not legal
692 according to 2440, so hopefully it won't come up that
693 often. There is no good way to specify what algorithms to
694 use in that case, so these three are the historical
696 gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
697 gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
698 gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
700 if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
701 /* This is a kludge to work around a bug in pgp2. It does only
702 * catch those mails which are armored. To catch the non-armored
703 * pgp mails we could see whether there is the signature packet
704 * in front of the plaintext. If someone needs this, send me a patch.
706 if ( gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0) )
710 gcry_md_debug ( c->mfx.md, "verify" );
712 gcry_md_debug ( c->mfx.md2, "verify2" );
719 log_info (_("WARNING: multiple plaintexts seen\n"));
721 if (!opt.flags.allow_multiple_messages)
723 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
724 log_inc_errorcount ();
725 rc = gpg_error (GPG_ERR_UNEXPECTED);
731 rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
732 if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
734 /* Can't write output but we hash it anyway to check the
736 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
741 log_error( "handle plaintext failed: %s\n", g10_errstr(rc));
743 c->last_was_session_key = 0;
745 /* We add a marker control packet instead of the plaintext packet.
746 * This is so that we can later detect invalid packet sequences.
748 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
750 add_kbnode (c->list, n);
757 proc_compressed_cb( IOBUF a, void *info )
759 if ( ((CTX)info)->signed_data.used
760 && ((CTX)info)->signed_data.data_fd != -1)
761 return proc_signature_packets_by_fd (info, a,
762 ((CTX)info)->signed_data.data_fd);
764 return proc_signature_packets (info, a,
765 ((CTX)info)->signed_data.data_names,
766 ((CTX)info)->sigfilename );
770 proc_encrypt_cb( IOBUF a, void *info )
772 return proc_encryption_packets( info, a );
776 proc_compressed( CTX c, PACKET *pkt )
778 PKT_compressed *zd = pkt->pkt.compressed;
781 /*printf("zip: compressed data packet\n");*/
783 rc = handle_compressed (c, zd, proc_compressed_cb, c);
784 else if (c->encrypt_only)
785 rc = handle_compressed (c, zd, proc_encrypt_cb, c);
787 rc = handle_compressed (c, zd, NULL, NULL);
789 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
791 if (!c->any.uncompress_failed)
795 for (cc=c; cc; cc = cc->anchor)
796 cc->any.uncompress_failed = 1;
797 log_error ("uncompressing failed: %s\n", g10_errstr(rc));
801 log_error("uncompressing failed: %s\n", g10_errstr(rc));
804 c->last_was_session_key = 0;
809 * check the signature
810 * Returns: 0 = valid signature or an error code
813 do_check_sig( CTX c, KBNODE node, int *is_selfsig,
814 int *is_expkey, int *is_revkey )
817 gcry_md_hd_t md = NULL, md2 = NULL;
820 assert( node->pkt->pkttype == PKT_SIGNATURE );
823 sig = node->pkt->pkt.signature;
825 algo = sig->digest_algo;
826 rc = openpgp_md_test_algo(algo);
830 if( sig->sig_class == 0x00 ) {
833 if (gcry_md_copy (&md, c->mfx.md ))
836 else /* detached signature */
838 /* signature_check() will enable the md*/
839 if (gcry_md_open (&md, 0, 0 ))
843 else if( sig->sig_class == 0x01 ) {
844 /* how do we know that we have to hash the (already hashed) text
845 * in canonical mode ??? (calculating both modes???) */
847 if (gcry_md_copy (&md, c->mfx.md ))
849 if( c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2 ))
852 else { /* detached signature */
853 log_debug("Do we really need this here?");
854 /* signature_check() will enable the md*/
855 if (gcry_md_open (&md, 0, 0 ))
857 if (gcry_md_open (&md2, 0, 0 ))
861 else if( (sig->sig_class&~3) == 0x10
862 || sig->sig_class == 0x18
863 || sig->sig_class == 0x1f
864 || sig->sig_class == 0x20
865 || sig->sig_class == 0x28
866 || sig->sig_class == 0x30 ) {
867 if( c->list->pkt->pkttype == PKT_PUBLIC_KEY
868 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY ) {
869 return check_key_signature( c->list, node, is_selfsig );
871 else if( sig->sig_class == 0x20 ) {
872 log_error (_("standalone revocation - "
873 "use \"gpg --import\" to apply\n"));
874 return G10ERR_NOT_PROCESSED;
877 log_error("invalid root packet for sigclass %02x\n",
879 return G10ERR_SIG_CLASS;
883 return G10ERR_SIG_CLASS;
884 rc = signature_check2( sig, md, NULL, is_expkey, is_revkey, NULL );
885 if( gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2 )
886 rc = signature_check2( sig, md2, NULL, is_expkey, is_revkey, NULL );
895 print_userid( PACKET *pkt )
899 if( pkt->pkttype != PKT_USER_ID ) {
900 printf("ERROR: unexpected packet type %d", pkt->pkttype );
903 if( opt.with_colons )
905 if(pkt->pkt.user_id->attrib_data)
907 pkt->pkt.user_id->numattribs,
908 pkt->pkt.user_id->attrib_len);
910 print_string( stdout, pkt->pkt.user_id->name,
911 pkt->pkt.user_id->len, ':');
914 print_utf8_string( stdout, pkt->pkt.user_id->name,
915 pkt->pkt.user_id->len );
920 * List the certificate in a user friendly way
924 list_node( CTX c, KBNODE node )
930 else if( (mainkey = (node->pkt->pkttype == PKT_PUBLIC_KEY) )
931 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY ) {
932 PKT_public_key *pk = node->pkt->pkt.public_key;
934 if( opt.with_colons )
937 keyid_from_pk( pk, keyid );
939 c->trustletter = opt.fast_list_mode?
940 0 : get_validity_info( pk, NULL );
941 printf("%s:", mainkey? "pub":"sub" );
943 putchar( c->trustletter );
944 printf(":%u:%d:%08lX%08lX:%s:%s::",
947 (ulong)keyid[0],(ulong)keyid[1],
948 colon_datestr_from_pk( pk ),
949 colon_strtime (pk->expiredate) );
950 if( mainkey && !opt.fast_list_mode )
951 putchar( get_ownertrust_info (pk) );
956 printf("%s %4u%c/%s %s",
957 mainkey? "pub":"sub", nbits_from_pk( pk ),
958 pubkey_letter( pk->pubkey_algo ), keystr_from_pk( pk ),
959 datestr_from_pk (pk));
965 printf(_("revoked: %s"),revokestr_from_pk(pk));
968 else if (pk->expiredate && !opt.with_colons)
971 printf(_("expires: %s"),expirestr_from_pk(pk));
977 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
978 print_fingerprint (pk, NULL, 0);
982 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
983 printf("rtv:1:%u:\n", node->next->pkt->pkt.ring_trust->trustval);
987 /* and now list all userids with their signatures */
988 for( node = node->next; node; node = node->next ) {
989 if( node->pkt->pkttype == PKT_SIGNATURE ) {
992 else if( node->pkt->pkttype == PKT_USER_ID ) {
993 if( opt.with_colons )
994 printf("%s:::::::::",
995 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
997 printf( "uid%*s", 28, "" );
998 print_userid( node->pkt );
999 if( opt.with_colons )
1004 && node->next->pkt->pkttype == PKT_RING_TRUST ) {
1005 printf("rtv:2:%u:\n",
1006 node->next->pkt->pkt.ring_trust?
1007 node->next->pkt->pkt.ring_trust->trustval : 0);
1010 else if( node->pkt->pkttype == PKT_PUBLIC_SUBKEY ) {
1011 list_node(c, node );
1016 else if( (mainkey = (node->pkt->pkttype == PKT_SECRET_KEY) )
1017 || node->pkt->pkttype == PKT_SECRET_SUBKEY ) {
1018 PKT_secret_key *sk = node->pkt->pkt.secret_key;
1020 if( opt.with_colons )
1023 keyid_from_sk( sk, keyid );
1024 printf("%s::%u:%d:%08lX%08lX:%s:%s:::",
1025 mainkey? "sec":"ssb",
1026 nbits_from_sk( sk ),
1028 (ulong)keyid[0],(ulong)keyid[1],
1029 colon_datestr_from_sk( sk ),
1030 colon_strtime (sk->expiredate));
1033 printf("%s %4u%c/%s %s ", mainkey? "sec":"ssb",
1034 nbits_from_sk( sk ), pubkey_letter( sk->pubkey_algo ),
1035 keystr_from_sk( sk ), datestr_from_sk( sk ));
1038 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
1039 print_fingerprint (NULL, sk,0);
1042 /* and now list all userids with their signatures */
1043 for( node = node->next; node; node = node->next ) {
1044 if( node->pkt->pkttype == PKT_SIGNATURE ) {
1045 list_node(c, node );
1047 else if( node->pkt->pkttype == PKT_USER_ID ) {
1048 if( opt.with_colons )
1049 printf("%s:::::::::",
1050 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1052 printf( "uid%*s", 28, "" );
1053 print_userid( node->pkt );
1054 if( opt.with_colons )
1058 else if( node->pkt->pkttype == PKT_SECRET_SUBKEY ) {
1059 list_node(c, node );
1064 else if( node->pkt->pkttype == PKT_SIGNATURE ) {
1065 PKT_signature *sig = node->pkt->pkt.signature;
1075 if( sig->sig_class == 0x20 || sig->sig_class == 0x30 )
1076 fputs("rev", stdout);
1078 fputs("sig", stdout);
1079 if( opt.check_sigs ) {
1081 rc2=do_check_sig( c, node, &is_selfsig, NULL, NULL );
1082 switch (gpg_err_code (rc2)) {
1083 case 0: sigrc = '!'; break;
1084 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1085 case GPG_ERR_NO_PUBKEY:
1086 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1087 default: sigrc = '%'; break;
1090 else { /* check whether this is a self signature */
1093 if( c->list->pkt->pkttype == PKT_PUBLIC_KEY
1094 || c->list->pkt->pkttype == PKT_SECRET_KEY ) {
1095 if( c->list->pkt->pkttype == PKT_PUBLIC_KEY )
1096 keyid_from_pk( c->list->pkt->pkt.public_key, keyid );
1098 keyid_from_sk( c->list->pkt->pkt.secret_key, keyid );
1100 if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
1104 if( opt.with_colons ) {
1108 printf("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1109 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1110 colon_datestr_from_sig(sig),
1111 colon_expirestr_from_sig(sig));
1113 if(sig->trust_depth || sig->trust_value)
1114 printf("%d %d",sig->trust_depth,sig->trust_value);
1117 if(sig->trust_regexp)
1118 print_string(stdout,sig->trust_regexp,
1119 strlen(sig->trust_regexp),':');
1124 sigrc, keystr(sig->keyid), datestr_from_sig(sig));
1126 printf("[%s] ", g10_errstr(rc2) );
1127 else if( sigrc == '?' )
1129 else if( is_selfsig ) {
1130 if( opt.with_colons )
1132 fputs( sig->sig_class == 0x18? "[keybind]":"[selfsig]", stdout);
1133 if( opt.with_colons )
1136 else if( !opt.fast_list_mode ) {
1137 p = get_user_id( sig->keyid, &n );
1138 print_string( stdout, p, n, opt.with_colons );
1141 if( opt.with_colons )
1142 printf(":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1146 log_error("invalid node with packet of type %d\n", node->pkt->pkttype);
1152 proc_packets( void *anchor, IOBUF a )
1155 CTX c = xmalloc_clear( sizeof *c );
1158 rc = do_proc_packets( c, a );
1166 proc_signature_packets( void *anchor, IOBUF a,
1167 strlist_t signedfiles, const char *sigfilename )
1169 CTX c = xmalloc_clear( sizeof *c );
1175 c->signed_data.data_fd = -1;
1176 c->signed_data.data_names = signedfiles;
1177 c->signed_data.used = !!signedfiles;
1179 c->sigfilename = sigfilename;
1180 rc = do_proc_packets( c, a );
1182 /* If we have not encountered any signature we print an error
1183 messages, send a NODATA status back and return an error code.
1184 Using log_error is required because verify_files does not check
1185 error codes for each file but we want to terminate the process
1187 if (!rc && !c->any.sig_seen)
1189 write_status_text (STATUS_NODATA, "4");
1190 log_error (_("no signature found\n"));
1191 rc = G10ERR_NO_DATA;
1194 /* Propagate the signature seen flag upward. Do this only on
1195 success so that we won't issue the nodata status several
1197 if (!rc && c->anchor && c->any.sig_seen)
1198 c->anchor->any.sig_seen = 1;
1205 proc_signature_packets_by_fd (void *anchor, IOBUF a, int signed_data_fd )
1208 CTX c = xcalloc (1, sizeof *c);
1213 c->signed_data.data_fd = signed_data_fd;
1214 c->signed_data.data_names = NULL;
1215 c->signed_data.used = (signed_data_fd != -1);
1217 rc = do_proc_packets ( c, a );
1219 /* If we have not encountered any signature we print an error
1220 messages, send a NODATA status back and return an error code.
1221 Using log_error is required because verify_files does not check
1222 error codes for each file but we want to terminate the process
1224 if (!rc && !c->any.sig_seen)
1226 write_status_text (STATUS_NODATA, "4");
1227 log_error (_("no signature found\n"));
1228 rc = gpg_error (GPG_ERR_NO_DATA);
1231 /* Propagate the signature seen flag upward. Do this only on success
1232 so that we won't issue the nodata status several times. */
1233 if (!rc && c->anchor && c->any.sig_seen)
1234 c->anchor->any.sig_seen = 1;
1242 proc_encryption_packets( void *anchor, IOBUF a )
1244 CTX c = xmalloc_clear( sizeof *c );
1248 c->encrypt_only = 1;
1249 rc = do_proc_packets( c, a );
1256 check_nesting (CTX c)
1260 for (level=0; c; c = c->anchor)
1263 if (level > MAX_NESTING_DEPTH)
1265 log_error ("input data with too deeply nested packets\n");
1266 write_status_text (STATUS_UNEXPECTED, "1");
1267 return GPG_ERR_BAD_DATA;
1274 do_proc_packets( CTX c, IOBUF a )
1281 rc = check_nesting (c);
1285 pkt = xmalloc( sizeof *pkt );
1288 while( (rc=parse_packet(a, pkt)) != -1 ) {
1292 /* stop processing when an invalid packet has been encountered
1293 * but don't do so when we are doing a --list-packets. */
1294 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1295 && opt.list_packets != 2 )
1300 if( opt.list_packets ) {
1301 switch( pkt->pkttype ) {
1302 case PKT_PUBKEY_ENC: proc_pubkey_enc( c, pkt ); break;
1303 case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break;
1305 case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
1306 case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
1307 default: newpkt = 0; break;
1310 else if( c->sigs_only ) {
1311 switch( pkt->pkttype ) {
1312 case PKT_PUBLIC_KEY:
1313 case PKT_SECRET_KEY:
1315 case PKT_SYMKEY_ENC:
1316 case PKT_PUBKEY_ENC:
1318 case PKT_ENCRYPTED_MDC:
1319 write_status_text( STATUS_UNEXPECTED, "0" );
1320 rc = G10ERR_UNEXPECTED;
1322 case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break;
1323 case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
1324 case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
1325 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
1326 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1327 default: newpkt = 0; break;
1330 else if( c->encrypt_only ) {
1331 switch( pkt->pkttype ) {
1332 case PKT_PUBLIC_KEY:
1333 case PKT_SECRET_KEY:
1335 write_status_text( STATUS_UNEXPECTED, "0" );
1336 rc = G10ERR_UNEXPECTED;
1338 case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break;
1339 case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break;
1340 case PKT_PUBKEY_ENC: proc_pubkey_enc( c, pkt ); break;
1342 case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
1343 case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
1344 case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
1345 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
1346 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1347 default: newpkt = 0; break;
1351 switch( pkt->pkttype ) {
1352 case PKT_PUBLIC_KEY:
1353 case PKT_SECRET_KEY:
1355 c->list = new_kbnode( pkt );
1358 case PKT_PUBLIC_SUBKEY:
1359 case PKT_SECRET_SUBKEY:
1360 newpkt = add_subkey( c, pkt );
1362 case PKT_USER_ID: newpkt = add_user_id( c, pkt ); break;
1363 case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break;
1364 case PKT_PUBKEY_ENC: proc_pubkey_enc( c, pkt ); break;
1365 case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break;
1367 case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
1368 case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
1369 case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
1370 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
1371 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1372 case PKT_RING_TRUST: newpkt = add_ring_trust( c, pkt ); break;
1373 default: newpkt = 0; break;
1380 /* This is a very ugly construct and frankly, I don't remember why
1381 * I used it. Adding the MDC check here is a hack.
1382 * The right solution is to initiate another context for encrypted
1383 * packet and not to reuse the current one ... It works right
1384 * when there is a compression packet inbetween which adds just
1386 * Hmmm: Rewrite this whole module here??
1388 if( pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC )
1389 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1394 pkt = xmalloc( sizeof *pkt );
1400 if( rc == G10ERR_INVALID_PACKET )
1401 write_status_text( STATUS_NODATA, "3" );
1405 write_status_text( STATUS_NODATA, "2" );
1413 free_md_filter_context( &c->mfx );
1418 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1419 of the notation data. */
1421 get_pka_address (PKT_signature *sig)
1423 pka_info_t *pka = NULL;
1424 struct notation *nd,*notation;
1426 notation=sig_to_notation(sig);
1428 for(nd=notation;nd;nd=nd->next)
1430 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1431 continue; /* Not the notation we want. */
1433 /* For now we only use the first valid PKA notation. In future
1434 we might want to keep additional PKA notations in a linked
1436 if (is_valid_mailbox (nd->value))
1438 pka = xmalloc (sizeof *pka + strlen(nd->value));
1442 strcpy (pka->email, nd->value);
1447 free_notation(notation);
1453 /* Return the URI from a DNS PKA record. If this record has already
1454 be retrieved for the signature we merely return it; if not we go
1455 out and try to get that DNS record. */
1457 pka_uri_from_sig (PKT_signature *sig)
1459 if (!sig->flags.pka_tried)
1461 assert (!sig->pka_info);
1462 sig->flags.pka_tried = 1;
1463 sig->pka_info = get_pka_address (sig);
1468 uri = get_pka_info (sig->pka_info->email, sig->pka_info->fpr);
1471 sig->pka_info->valid = 1;
1475 sig->pka_info->uri = uri;
1479 return sig->pka_info? sig->pka_info->uri : NULL;
1484 check_sig_and_print( CTX c, KBNODE node )
1486 PKT_signature *sig = node->pkt->pkt.signature;
1488 int rc, is_expkey=0, is_revkey=0;
1490 if (opt.skip_verify)
1492 log_info(_("signature verification suppressed\n"));
1496 /* Check that the message composition is valid.
1498 Per RFC-2440bis (-15) allowed:
1500 S{1,n} -- detached signature.
1501 S{1,n} P -- old style PGP2 signature
1502 O{1,n} P S{1,n} -- standard OpenPGP signature.
1503 C P S{1,n} -- cleartext signature.
1506 O = One-Pass Signature packet.
1507 S = Signature packet.
1508 P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1509 (Note that the current rfc2440bis draft also allows
1510 for a signed message but that does not work as it
1511 introduces ambiguities.)
1512 We keep track of these packages using the marker packet
1513 CTRLPKT_PLAINTEXT_MARK.
1514 C = Marker packet for cleartext signatures.
1516 We reject all other messages.
1518 Actually we are calling this too often, i.e. for verification of
1519 each message but better have some duplicate work than to silently
1520 introduce a bug here.
1524 int n_onepass, n_sig;
1526 /* log_debug ("checking signature packet composition\n"); */
1527 /* dump_kbnode (c->list); */
1531 if ( n->pkt->pkttype == PKT_SIGNATURE )
1533 /* This is either "S{1,n}" case (detached signature) or
1534 "S{1,n} P" (old style PGP2 signature). */
1535 for (n = n->next; n; n = n->next)
1536 if (n->pkt->pkttype != PKT_SIGNATURE)
1539 ; /* Okay, this is a detached signature. */
1540 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1541 && (n->pkt->pkt.gpg_control->control
1542 == CTRLPKT_PLAINTEXT_MARK) )
1545 goto ambiguous; /* We only allow one P packet. */
1550 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1552 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1553 for (n_onepass=1, n = n->next;
1554 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1556 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1557 && (n->pkt->pkt.gpg_control->control
1558 == CTRLPKT_PLAINTEXT_MARK)))
1560 for (n_sig=0, n = n->next;
1561 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1566 /* If we wanted to disallow multiple sig verification, we'd do
1567 something like this:
1569 if (n && !opt.allow_multisig_verification)
1572 However, now that we have --allow-multiple-messages, this
1573 can stay allowable as we can't get here unless multiple
1574 messages (i.e. multiple literals) are allowed. */
1576 if (n_onepass != n_sig)
1578 log_info ("number of one-pass packets does not match "
1579 "number of signature packets\n");
1583 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1584 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1586 /* This is the "C P S{1,n}" case (clear text signature). */
1588 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1589 && (n->pkt->pkt.gpg_control->control
1590 == CTRLPKT_PLAINTEXT_MARK)))
1592 for (n_sig=0, n = n->next;
1593 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1601 log_error(_("can't handle this ambiguous signature data\n"));
1607 write_status_text (STATUS_NEWSIG, NULL);
1609 /* (Indendation below not yet changed to GNU style.) */
1611 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1614 log_info(_("Signature made %s\n"),asctimestamp(sig->timestamp));
1615 log_info(_(" using %s key %s\n"),
1616 astr? astr: "?",keystr(sig->keyid));
1619 log_info(_("Signature made %s using %s key ID %s\n"),
1620 asctimestamp(sig->timestamp), astr? astr: "?",
1621 keystr(sig->keyid));
1623 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1625 /* If the key isn't found, check for a preferred keyserver */
1627 if(rc==G10ERR_NO_PUBKEY && sig->flags.pref_ks)
1633 while((p=enum_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1635 /* According to my favorite copy editor, in English
1636 grammar, you say "at" if the key is located on a web
1637 page, but "from" if it is located on a keyserver. I'm
1638 not going to even try to make two strings here :) */
1639 log_info(_("Key available at: ") );
1640 print_utf8_string( log_get_stream(), p, n );
1643 if(opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1644 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1646 struct keyserver_spec *spec;
1648 spec=parse_preferred_keyserver(sig);
1653 glo_ctrl.in_auto_key_retrieve++;
1654 res=keyserver_import_keyid(sig->keyid,spec);
1655 glo_ctrl.in_auto_key_retrieve--;
1657 rc=do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1658 free_keyserver_spec(spec);
1667 /* If the preferred keyserver thing above didn't work, our second
1668 try is to use the URI from a DNS PKA record. */
1669 if ( rc == G10ERR_NO_PUBKEY
1670 && opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1671 && opt.keyserver_options.options&KEYSERVER_HONOR_PKA_RECORD)
1673 const char *uri = pka_uri_from_sig (sig);
1677 /* FIXME: We might want to locate the key using the
1678 fingerprint instead of the keyid. */
1680 struct keyserver_spec *spec;
1682 spec = parse_keyserver_uri (uri, 1, NULL, 0);
1685 glo_ctrl.in_auto_key_retrieve++;
1686 res = keyserver_import_keyid (sig->keyid, spec);
1687 glo_ctrl.in_auto_key_retrieve--;
1688 free_keyserver_spec (spec);
1690 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1695 /* If the preferred keyserver thing above didn't work and we got
1696 no information from the DNS PKA, this is a third try. */
1698 if( rc == G10ERR_NO_PUBKEY && opt.keyserver
1699 && opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1703 glo_ctrl.in_auto_key_retrieve++;
1704 res=keyserver_import_keyid ( sig->keyid, opt.keyserver );
1705 glo_ctrl.in_auto_key_retrieve--;
1707 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1710 if( !rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE ) {
1711 KBNODE un, keyblock;
1712 int count=0, statno;
1714 PKT_public_key *pk=NULL;
1717 statno=STATUS_BADSIG;
1718 else if(sig->flags.expired)
1719 statno=STATUS_EXPSIG;
1721 statno=STATUS_EXPKEYSIG;
1723 statno=STATUS_REVKEYSIG;
1725 statno=STATUS_GOODSIG;
1727 keyblock = get_pubkeyblock( sig->keyid );
1729 sprintf (keyid_str, "%08lX%08lX [uncertain] ",
1730 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1732 /* find and print the primary user ID */
1733 for( un=keyblock; un; un = un->next ) {
1736 if(un->pkt->pkttype==PKT_PUBLIC_KEY)
1738 pk=un->pkt->pkt.public_key;
1741 if( un->pkt->pkttype != PKT_USER_ID )
1743 if ( !un->pkt->pkt.user_id->created )
1745 if ( un->pkt->pkt.user_id->is_revoked )
1747 if ( un->pkt->pkt.user_id->is_expired )
1749 if ( !un->pkt->pkt.user_id->is_primary )
1751 /* We want the textual primary user ID here */
1752 if ( un->pkt->pkt.user_id->attrib_data )
1757 /* Get it before we print anything to avoid interrupting
1758 the output with the "please do a --check-trustdb"
1760 valid=get_validity(pk,un->pkt->pkt.user_id);
1762 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1763 write_status_text_and_buffer (statno, keyid_str,
1764 un->pkt->pkt.user_id->name,
1765 un->pkt->pkt.user_id->len,
1768 p=utf8_to_native(un->pkt->pkt.user_id->name,
1769 un->pkt->pkt.user_id->len,0);
1772 log_info(_("BAD signature from \"%s\""),p);
1773 else if(sig->flags.expired)
1774 log_info(_("Expired signature from \"%s\""),p);
1776 log_info(_("Good signature from \"%s\""),p);
1780 if(opt.verify_options&VERIFY_SHOW_UID_VALIDITY)
1781 log_printf (" [%s]\n",trust_value_to_string(valid));
1786 if( !count ) { /* just in case that we have no valid textual
1790 /* Try for an invalid textual userid */
1791 for( un=keyblock; un; un = un->next ) {
1792 if( un->pkt->pkttype == PKT_USER_ID &&
1793 !un->pkt->pkt.user_id->attrib_data )
1797 /* Try for any userid at all */
1799 for( un=keyblock; un; un = un->next ) {
1800 if( un->pkt->pkttype == PKT_USER_ID )
1805 if (opt.trust_model==TM_ALWAYS || !un)
1806 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1808 write_status_text_and_buffer (statno, keyid_str,
1809 un? un->pkt->pkt.user_id->name:"[?]",
1810 un? un->pkt->pkt.user_id->len:3,
1814 p=utf8_to_native(un->pkt->pkt.user_id->name,
1815 un->pkt->pkt.user_id->len,0);
1820 log_info(_("BAD signature from \"%s\""),p);
1821 else if(sig->flags.expired)
1822 log_info(_("Expired signature from \"%s\""),p);
1824 log_info(_("Good signature from \"%s\""),p);
1825 if (opt.trust_model!=TM_ALWAYS && un)
1826 log_printf (" %s",_("[uncertain]") );
1830 /* If we have a good signature and already printed
1831 * the primary user ID, print all the other user IDs */
1833 && !(opt.verify_options&VERIFY_SHOW_PRIMARY_UID_ONLY)) {
1835 for( un=keyblock; un; un = un->next ) {
1836 if( un->pkt->pkttype != PKT_USER_ID )
1838 if((un->pkt->pkt.user_id->is_revoked
1839 || un->pkt->pkt.user_id->is_expired)
1840 && !(opt.verify_options&VERIFY_SHOW_UNUSABLE_UIDS))
1842 /* Only skip textual primaries */
1843 if ( un->pkt->pkt.user_id->is_primary &&
1844 !un->pkt->pkt.user_id->attrib_data )
1847 if(un->pkt->pkt.user_id->attrib_data)
1849 dump_attribs(un->pkt->pkt.user_id,pk,NULL);
1851 if(opt.verify_options&VERIFY_SHOW_PHOTOS)
1852 show_photos(un->pkt->pkt.user_id->attribs,
1853 un->pkt->pkt.user_id->numattribs,
1854 pk,NULL,un->pkt->pkt.user_id);
1857 p=utf8_to_native(un->pkt->pkt.user_id->name,
1858 un->pkt->pkt.user_id->len,0);
1859 log_info(_(" aka \"%s\""),p);
1862 if(opt.verify_options&VERIFY_SHOW_UID_VALIDITY)
1865 if(un->pkt->pkt.user_id->is_revoked)
1867 else if(un->pkt->pkt.user_id->is_expired)
1870 valid=trust_value_to_string(get_validity(pk,
1873 log_printf (" [%s]\n",valid);
1879 release_kbnode( keyblock );
1883 if(opt.verify_options&VERIFY_SHOW_POLICY_URLS)
1884 show_policy_url(sig,0,1);
1886 show_policy_url(sig,0,2);
1888 if(opt.verify_options&VERIFY_SHOW_KEYSERVER_URLS)
1889 show_keyserver_url(sig,0,1);
1891 show_keyserver_url(sig,0,2);
1893 if(opt.verify_options&VERIFY_SHOW_NOTATIONS)
1894 show_notation(sig,0,1,
1895 ((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)+
1896 ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0));
1898 show_notation(sig,0,2,0);
1901 if( !rc && is_status_enabled() ) {
1902 /* print a status response with the fingerprint */
1903 PKT_public_key *vpk = xmalloc_clear( sizeof *vpk );
1905 if( !get_pubkey( vpk, sig->keyid ) ) {
1906 byte array[MAX_FINGERPRINT_LEN], *p;
1907 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
1911 fingerprint_from_pk( vpk, array, &n );
1913 for(i=0; i < n ; i++, p++, bufp += 2)
1914 sprintf(bufp, "%02X", *p );
1915 /* TODO: Replace the reserved '0' in the field below
1916 with bits for status flags (policy url, notation,
1917 etc.). Remember to make the buffer larger to
1919 sprintf(bufp, " %s %lu %lu %d 0 %d %d %02X ",
1920 strtimestamp( sig->timestamp ),
1921 (ulong)sig->timestamp,(ulong)sig->expiredate,
1922 sig->version,sig->pubkey_algo,sig->digest_algo,
1924 bufp = bufp + strlen (bufp);
1925 if (!vpk->is_primary) {
1928 akid[0] = vpk->main_keyid[0];
1929 akid[1] = vpk->main_keyid[1];
1930 free_public_key (vpk);
1931 vpk = xmalloc_clear( sizeof *vpk );
1932 if (get_pubkey (vpk, akid)) {
1933 /* impossible error, we simply return a zeroed out fpr */
1934 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
1935 memset (array, 0, n);
1938 fingerprint_from_pk( vpk, array, &n );
1941 for(i=0; i < n ; i++, p++, bufp += 2)
1942 sprintf(bufp, "%02X", *p );
1943 write_status_text( STATUS_VALIDSIG, buf );
1945 free_public_key( vpk );
1950 if(opt.verify_options&VERIFY_PKA_LOOKUPS)
1951 pka_uri_from_sig (sig); /* Make sure PKA info is available. */
1952 rc = check_signatures_trust( sig );
1955 if(sig->flags.expired)
1957 log_info(_("Signature expired %s\n"),
1958 asctimestamp(sig->expiredate));
1959 rc=G10ERR_GENERAL; /* need a better error here? */
1961 else if(sig->expiredate)
1962 log_info(_("Signature expires %s\n"),asctimestamp(sig->expiredate));
1965 log_info(_("%s signature, digest algorithm %s\n"),
1966 sig->sig_class==0x00?_("binary"):
1967 sig->sig_class==0x01?_("textmode"):_("unknown"),
1968 gcry_md_algo_name (sig->digest_algo));
1970 if (!rc && !c->signed_data.used)
1972 /* Signature is basically good but we test whether the
1974 gpg --verify FILE.sig
1976 gpg --verify FILE.sig FILE
1977 to verify a detached signature. If we figure out that a
1978 data file with a matching name exists, we print a warning.
1980 The problem is that the first form would also verify a
1981 standard signature. This behavior could be used to
1982 create a made up .sig file for a tarball by creating a
1983 standard signature from a valid detached signature packet
1984 (for example from a signed git tag). Then replace the
1985 sig file on the FTP server along with a changed tarball.
1986 Using the first form the verify command would correctly
1987 verify the signature but don't even consider the tarball. */
1991 dfile = get_matching_datafile (c->sigfilename);
1994 for (n = c->list; n; n = n->next)
1995 if (n->pkt->pkttype != PKT_SIGNATURE)
1999 /* Not only signature packets in the tree thus this
2000 is not a detached signature. */
2001 log_info (_("WARNING: not a detached signature; "
2002 "file '%s' was NOT verified!\n"), dfile);
2009 g10_errors_seen = 1;
2010 if( opt.batch && rc )
2015 sprintf(buf, "%08lX%08lX %d %d %02x %lu %d",
2016 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2017 sig->pubkey_algo, sig->digest_algo,
2018 sig->sig_class, (ulong)sig->timestamp, rc );
2019 write_status_text( STATUS_ERRSIG, buf );
2020 if( rc == G10ERR_NO_PUBKEY ) {
2022 write_status_text( STATUS_NO_PUBKEY, buf );
2024 if( rc != G10ERR_NOT_PROCESSED )
2025 log_error(_("Can't check signature: %s\n"), g10_errstr(rc) );
2032 * Process the tree which starts at node
2035 proc_tree( CTX c, KBNODE node )
2040 if( opt.list_packets || opt.list_only )
2043 /* we must skip our special plaintext marker packets here becuase
2044 they may be the root packet. These packets are only used in
2045 addionla checks and skipping them here doesn't matter */
2047 && node->pkt->pkttype == PKT_GPG_CONTROL
2048 && node->pkt->pkt.gpg_control->control
2049 == CTRLPKT_PLAINTEXT_MARK ) {
2055 c->trustletter = ' ';
2056 if( node->pkt->pkttype == PKT_PUBLIC_KEY
2057 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY ) {
2058 merge_keys_and_selfsig( node );
2059 list_node( c, node );
2061 else if( node->pkt->pkttype == PKT_SECRET_KEY ) {
2062 merge_keys_and_selfsig( node );
2063 list_node( c, node );
2065 else if( node->pkt->pkttype == PKT_ONEPASS_SIG ) {
2066 /* check all signatures */
2067 if( !c->any.data ) {
2068 int use_textmode = 0;
2070 free_md_filter_context( &c->mfx );
2071 /* prepare to create all requested message digests */
2072 if (gcry_md_open (&c->mfx.md, 0, 0))
2075 /* fixme: why looking for the signature packet and not the
2077 for ( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
2079 gcry_md_enable (c->mfx.md,
2080 n1->pkt->pkt.signature->digest_algo);
2083 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2086 /* Ask for file and hash it. */
2087 if( c->sigs_only ) {
2088 if (c->signed_data.used && c->signed_data.data_fd != -1)
2089 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2090 c->signed_data.data_fd,
2093 rc = hash_datafiles (c->mfx.md, NULL,
2094 c->signed_data.data_names,
2099 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2100 iobuf_get_real_fname(c->iobuf),
2104 log_error("can't hash datafile: %s\n", g10_errstr(rc));
2108 else if ( c->signed_data.used ) {
2109 log_error (_("not a detached signature\n") );
2113 for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
2114 check_sig_and_print( c, n1 );
2116 else if( node->pkt->pkttype == PKT_GPG_CONTROL
2117 && node->pkt->pkt.gpg_control->control
2118 == CTRLPKT_CLEARSIGN_START ) {
2119 /* clear text signed message */
2120 if( !c->any.data ) {
2121 log_error("cleartext signature without data\n" );
2124 else if ( c->signed_data.used ) {
2125 log_error (_("not a detached signature\n") );
2129 for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
2130 check_sig_and_print( c, n1 );
2132 else if( node->pkt->pkttype == PKT_SIGNATURE ) {
2133 PKT_signature *sig = node->pkt->pkt.signature;
2136 n1=find_next_kbnode(node, PKT_SIGNATURE);
2139 byte class=sig->sig_class;
2140 byte hash=sig->digest_algo;
2142 for(; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2144 /* We can't currently handle multiple signatures of
2145 different classes or digests (we'd pretty much have
2146 to run a different hash context for each), but if
2147 they are all the same, make an exception. */
2148 if(n1->pkt->pkt.signature->sig_class!=class
2149 || n1->pkt->pkt.signature->digest_algo!=hash)
2152 log_info(_("WARNING: multiple signatures detected. "
2153 "Only the first will be checked.\n"));
2159 if( sig->sig_class != 0x00 && sig->sig_class != 0x01 )
2160 log_info(_("standalone signature of class 0x%02x\n"),
2162 else if( !c->any.data ) {
2163 /* detached signature */
2164 free_md_filter_context( &c->mfx );
2165 if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
2168 if( !opt.pgp2_workarounds )
2170 else if( sig->digest_algo == DIGEST_ALGO_MD5
2171 && is_RSA( sig->pubkey_algo ) ) {
2172 /* enable a workaround for a pgp2 bug */
2173 if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
2176 else if( sig->digest_algo == DIGEST_ALGO_SHA1
2177 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2178 && sig->sig_class == 0x01 ) {
2179 /* enable the workaround also for pgp5 when the detached
2180 * signature has been created in textmode */
2181 if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
2184 #if 0 /* workaround disabled */
2185 /* Here we have another hack to work around a pgp 2 bug
2186 * It works by not using the textmode for detached signatures;
2187 * this will let the first signature check (on md) fail
2188 * but the second one (on md2) which adds an extra CR should
2189 * then produce the "correct" hash. This is very, very ugly
2190 * hack but it may help in some cases (and break others)
2192 /* c->mfx.md2? 0 :(sig->sig_class == 0x01) */
2194 if ( DBG_HASHING ) {
2195 gcry_md_debug( c->mfx.md, "verify" );
2197 gcry_md_debug( c->mfx.md2, "verify2" );
2199 if( c->sigs_only ) {
2200 if (c->signed_data.used && c->signed_data.data_fd != -1)
2201 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2202 c->signed_data.data_fd,
2203 (sig->sig_class == 0x01));
2205 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2206 c->signed_data.data_names,
2208 (sig->sig_class == 0x01));
2211 rc = ask_for_detached_datafile( c->mfx.md, c->mfx.md2,
2212 iobuf_get_real_fname(c->iobuf),
2213 (sig->sig_class == 0x01) );
2216 log_error("can't hash datafile: %s\n", g10_errstr(rc));
2220 else if ( c->signed_data.used ) {
2221 log_error (_("not a detached signature\n") );
2224 else if (!opt.quiet)
2225 log_info(_("old style (PGP 2.x) signature\n"));
2228 for( n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )) )
2229 check_sig_and_print( c, n1 );
2231 check_sig_and_print( c, node );
2234 dump_kbnode (c->list);
2235 log_error(_("invalid root packet detected in proc_tree()\n"));