1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
39 #include "keyserver-internal.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
130 proc_tree (c, c->list);
131 release_kbnode (c->list);
132 while (c->pkenc_list)
134 struct kidlist_item *tmp = c->pkenc_list->next;
135 xfree (c->pkenc_list);
138 c->pkenc_list = NULL;
141 c->any.uncompress_failed = 0;
142 c->last_was_session_key = 0;
149 add_onepass_sig (CTX c, PACKET *pkt)
153 if (c->list) /* Add another packet. */
154 add_kbnode (c->list, new_kbnode (pkt));
155 else /* Insert the first one. */
156 c->list = node = new_kbnode (pkt);
163 add_gpg_control (CTX c, PACKET *pkt)
165 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
167 /* New clear text signature.
168 * Process the last one and reset everything */
172 if (c->list) /* Add another packet. */
173 add_kbnode (c->list, new_kbnode (pkt));
174 else /* Insert the first one. */
175 c->list = new_kbnode (pkt);
182 add_user_id (CTX c, PACKET *pkt)
186 log_error ("orphaned user ID\n");
189 add_kbnode (c->list, new_kbnode (pkt));
195 add_subkey (CTX c, PACKET *pkt)
199 log_error ("subkey w/o mainkey\n");
202 add_kbnode (c->list, new_kbnode (pkt));
208 add_ring_trust (CTX c, PACKET *pkt)
212 log_error ("ring trust w/o key\n");
215 add_kbnode (c->list, new_kbnode (pkt));
221 add_signature (CTX c, PACKET *pkt)
226 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
228 /* This is the first signature for the following datafile.
229 * GPG does not write such packets; instead it always uses
230 * onepass-sig packets. The drawback of PGP's method
231 * of prepending the signature to the data is
232 * that it is not possible to make a signature from data read
233 * from stdin. (GPG is able to read PGP stuff anyway.) */
234 node = new_kbnode (pkt);
239 return 0; /* oops (invalid packet sequence)*/
240 else if (!c->list->pkt)
241 BUG(); /* so nicht */
243 /* Add a new signature node item at the end. */
244 node = new_kbnode (pkt);
245 add_kbnode (c->list, node);
251 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
255 if(slen < 17 || slen > 33)
257 log_error ( _("weird size for an encrypted session key (%d)\n"),
259 return GPG_ERR_BAD_KEY;
262 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
264 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
266 gcry_cipher_setiv ( hd, NULL, 0 );
267 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
268 gcry_cipher_close ( hd );
270 /* Now we replace the dek components with the real session key to
271 decrypt the contents of the sequencing packet. */
276 if(dek->keylen > DIM(dek->key))
279 memcpy(dek->key, seskey + 1, dek->keylen);
281 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
288 proc_symkey_enc (CTX c, PACKET *pkt)
292 enc = pkt->pkt.symkey_enc;
294 log_error ("invalid symkey encrypted packet\n");
297 int algo = enc->cipher_algo;
298 const char *s = openpgp_cipher_algo_name (algo);
300 if (!openpgp_cipher_test_algo (algo))
305 log_info (_("%s encrypted session key\n"), s );
307 log_info (_("%s encrypted data\n"), s );
311 log_error (_("encrypted with unknown algorithm %d\n"), algo);
313 if (openpgp_md_test_algo (enc->s2k.hash_algo))
315 log_error(_("passphrase generated with unknown digest"
316 " algorithm %d\n"),enc->s2k.hash_algo);
320 c->last_was_session_key = 2;
321 if (!s || opt.list_only)
324 if (opt.override_session_key)
326 c->dek = xmalloc_clear (sizeof *c->dek);
327 if (get_override_session_key (c->dek, opt.override_session_key))
335 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
338 c->dek->symmetric = 1;
340 /* FIXME: This doesn't work perfectly if a symmetric key
341 comes before a public key in the message - if the
342 user doesn't know the passphrase, then there is a
343 chance that the "decrypted" algorithm will happen to
344 be a valid one, which will make the returned dek
345 appear valid, so we won't try any public keys that
349 if (symkey_decrypt_seskey (c->dek,
350 enc->seskey, enc->seskeylen))
357 c->dek->algo_info_printed = 1;
369 proc_pubkey_enc (CTX c, PACKET *pkt)
374 /* Check whether the secret key is available and store in this case. */
375 c->last_was_session_key = 1;
376 enc = pkt->pkt.pubkey_enc;
377 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
378 /* Hmmm: why do I have this algo check here - anyway there is
379 * function to check it. */
381 log_info (_("public key is %s\n"), keystr (enc->keyid));
383 if (is_status_enabled())
386 /* FIXME: For ECC support we need to map the OpenPGP algo number
387 to the Libgcrypt defined one. This is due a chicken-egg
388 problem: We need to have code in Libgcrypt for a new
389 algorithm so to implement a proposed new algorithm before the
390 IANA will finally assign an OpenPGP indentifier. */
391 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
392 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
393 write_status_text (STATUS_ENC_TO, buf);
396 if (!opt.list_only && opt.override_session_key)
398 /* It does not make much sense to store the session key in
399 * secure memory because it has already been passed on the
400 * command line and the GCHQ knows about it. */
401 c->dek = xmalloc_clear (sizeof *c->dek);
402 result = get_override_session_key (c->dek, opt.override_session_key);
409 else if (is_ELGAMAL(enc->pubkey_algo)
410 || enc->pubkey_algo == PUBKEY_ALGO_DSA
411 || enc->pubkey_algo == PUBKEY_ALGO_ECDSA
412 || enc->pubkey_algo == PUBKEY_ALGO_EDDSA
413 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
414 || is_RSA (enc->pubkey_algo)
415 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
417 /* Note that we also allow type 20 Elgamal keys for decryption.
418 There are still a couple of those keys in active use as a
421 /* FIXME: Store this all in a list and process it later so that
422 we can prioritize what key to use. This gives a better user
423 experience if wildcard keyids are used. */
424 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
425 || opt.try_all_secrets
426 || have_secret_key_with_kid (enc->keyid)))
432 c->dek = xmalloc_secure_clear (sizeof *c->dek);
433 if ((result = get_session_key (enc, c->dek)))
435 /* Error: Delete the DEK. */
442 result = GPG_ERR_NO_SECKEY;
445 result = GPG_ERR_PUBKEY_ALGO;
451 /* Store it for later display. */
452 struct kidlist_item *x = xmalloc (sizeof *x);
453 x->kid[0] = enc->keyid[0];
454 x->kid[1] = enc->keyid[1];
455 x->pubkey_algo = enc->pubkey_algo;
457 x->next = c->pkenc_list;
460 if (!result && opt.verbose > 1)
461 log_info (_("public key encrypted data: good DEK\n"));
469 * Print the list of public key encrypted packets which we could
473 print_pkenc_list (struct kidlist_item *list, int failed)
475 for (; list; list = list->next)
480 if (failed && !list->reason)
482 if (!failed && list->reason)
485 algstr = openpgp_pk_algo_name (list->pubkey_algo);
486 pk = xmalloc_clear (sizeof *pk);
490 pk->pubkey_algo = list->pubkey_algo;
491 if (!get_pubkey (pk, list->kid))
494 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
495 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
496 strtimestamp (pk->timestamp));
497 p = get_user_id_native (list->kid);
498 log_printf (_(" \"%s\"\n"), p);
502 log_info (_("encrypted with %s key, ID %s\n"),
503 algstr, keystr(list->kid));
505 free_public_key (pk);
507 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
509 if (is_status_enabled())
512 snprintf (buf, sizeof buf, "%08lX%08lX",
513 (ulong)list->kid[0], (ulong)list->kid[1]);
514 write_status_text (STATUS_NO_SECKEY, buf);
517 else if (list->reason)
519 log_info (_("public key decryption failed: %s\n"),
520 gpg_strerror (list->reason));
521 write_status_error ("pkdecrypt_failed", list->reason);
528 proc_encrypted (CTX c, PACKET *pkt)
535 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
536 else if (c->symkeys == 1)
537 log_info (_("encrypted with 1 passphrase\n"));
538 print_pkenc_list ( c->pkenc_list, 1 );
539 print_pkenc_list ( c->pkenc_list, 0 );
542 /* FIXME: Figure out the session key by looking at all pkenc packets. */
544 write_status (STATUS_BEGIN_DECRYPTION);
546 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
549 else if (!c->dek && !c->last_was_session_key)
553 STRING2KEY *s2k = NULL;
556 if (opt.override_session_key)
558 c->dek = xmalloc_clear (sizeof *c->dek);
559 result = get_override_session_key (c->dek, opt.override_session_key);
568 /* Assume this is old style conventional encrypted data. */
569 algo = opt.def_cipher_algo;
571 log_info (_("assuming %s encrypted data\n"),
572 openpgp_cipher_algo_name (algo));
573 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
575 algo = opt.def_cipher_algo;
577 algo = opt.s2k_cipher_algo;
578 log_info (_("IDEA cipher unavailable, "
579 "optimistically attempting to use %s instead\n"),
580 openpgp_cipher_algo_name (algo));
584 algo = CIPHER_ALGO_IDEA;
585 if (!opt.s2k_digest_algo)
587 /* If no digest is given we assume SHA-1. */
589 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
592 log_info (_("assuming %s encrypted data\n"), "IDEA");
595 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
597 c->dek->algo_info_printed = 1;
599 result = gpg_error (GPG_ERR_CANCELED);
601 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
605 result = GPG_ERR_NO_SECKEY;
608 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
612 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
613 && opt.ignore_mdc_error))
615 write_status (STATUS_DECRYPTION_OKAY);
617 log_info(_("decryption okay\n"));
618 if (pkt->pkt.encrypted->mdc_method && !result)
619 write_status (STATUS_GOODMDC);
620 else if (!opt.no_mdc_warn)
621 log_info (_("WARNING: message was not integrity protected\n"));
623 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
625 glo_ctrl.lasterr = result;
626 log_error (_("WARNING: encrypted message has been manipulated!\n"));
627 write_status (STATUS_BADMDC);
628 write_status (STATUS_DECRYPTION_FAILED);
632 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
633 && *c->dek->s2k_cacheid != '\0')
635 log_debug (_("cleared passphrase cached with ID: %s\n"),
636 c->dek->s2k_cacheid);
637 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
639 glo_ctrl.lasterr = result;
640 write_status (STATUS_DECRYPTION_FAILED);
641 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
642 /* Hmmm: does this work when we have encrypted using multiple
643 * ways to specify the session key (symmmetric and PK). */
649 c->last_was_session_key = 0;
650 write_status (STATUS_END_DECRYPTION);
655 proc_plaintext( CTX c, PACKET *pkt )
657 PKT_plaintext *pt = pkt->pkt.plaintext;
658 int any, clearsig, rc;
663 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
664 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
665 else if (opt.verbose)
666 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
668 free_md_filter_context (&c->mfx);
669 if (gcry_md_open (&c->mfx.md, 0, 0))
671 /* fixme: we may need to push the textfilter if we have sigclass 1
672 * and no armoring - Not yet tested
673 * Hmmm, why don't we need it at all if we have sigclass 1
674 * Should we assume that plaintext in mode 't' has always sigclass 1??
675 * See: Russ Allbery's mail 1999-02-09
678 for (n=c->list; n; n = n->next )
680 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
682 /* The onepass signature case. */
683 if (n->pkt->pkt.onepass_sig->digest_algo)
685 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
689 else if (n->pkt->pkttype == PKT_GPG_CONTROL
690 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
692 /* The clearsigned message case. */
693 size_t datalen = n->pkt->pkt.gpg_control->datalen;
694 const byte *data = n->pkt->pkt.gpg_control->data;
696 /* Check that we have at least the sigclass and one hash. */
698 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
699 /* Note that we don't set the clearsig flag for not-dash-escaped
701 clearsig = (*data == 0x01);
702 for (data++, datalen--; datalen; datalen--, data++)
703 gcry_md_enable (c->mfx.md, *data);
705 break; /* Stop here as one-pass signature packets are not
708 else if (n->pkt->pkttype == PKT_SIGNATURE)
710 /* The SIG+LITERAL case that PGP used to use. */
711 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
716 if (!any && !opt.skip_verify)
718 /* This is for the old GPG LITERAL+SIG case. It's not legal
719 according to 2440, so hopefully it won't come up that often.
720 There is no good way to specify what algorithms to use in
721 that case, so these there are the historical answer. */
722 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
723 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
727 gcry_md_debug (c->mfx.md, "verify");
729 gcry_md_debug (c->mfx.md2, "verify2");
734 if (literals_seen > 1)
736 log_info (_("WARNING: multiple plaintexts seen\n"));
738 if (!opt.flags.allow_multiple_messages)
740 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
741 log_inc_errorcount ();
742 rc = gpg_error (GPG_ERR_UNEXPECTED);
748 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
749 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
751 /* Can't write output but we hash it anyway to check the
753 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
758 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
761 c->last_was_session_key = 0;
763 /* We add a marker control packet instead of the plaintext packet.
764 * This is so that we can later detect invalid packet sequences. */
765 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
767 add_kbnode (c->list, n);
774 proc_compressed_cb (iobuf_t a, void *info)
776 if ( ((CTX)info)->signed_data.used
777 && ((CTX)info)->signed_data.data_fd != -1)
778 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
779 ((CTX)info)->signed_data.data_fd);
781 return proc_signature_packets (((CTX)info)->ctrl, info, a,
782 ((CTX)info)->signed_data.data_names,
783 ((CTX)info)->sigfilename );
788 proc_encrypt_cb (iobuf_t a, void *info )
791 return proc_encryption_packets (c->ctrl, info, a );
796 proc_compressed (CTX c, PACKET *pkt)
798 PKT_compressed *zd = pkt->pkt.compressed;
801 /*printf("zip: compressed data packet\n");*/
803 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
804 else if( c->encrypt_only )
805 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
807 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
809 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
811 if (!c->any.uncompress_failed)
815 for (cc=c; cc; cc = cc->anchor)
816 cc->any.uncompress_failed = 1;
817 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
821 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
824 c->last_was_session_key = 0;
830 * check the signature
831 * Returns: 0 = valid signature or an error code
834 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
835 int *is_expkey, int *is_revkey)
838 gcry_md_hd_t md = NULL;
839 gcry_md_hd_t md2 = NULL;
842 assert (node->pkt->pkttype == PKT_SIGNATURE);
845 sig = node->pkt->pkt.signature;
847 algo = sig->digest_algo;
848 rc = openpgp_md_test_algo (algo);
852 if (sig->sig_class == 0x00)
856 if (gcry_md_copy (&md, c->mfx.md ))
859 else /* detached signature */
861 /* signature_check() will enable the md. */
862 if (gcry_md_open (&md, 0, 0 ))
866 else if (sig->sig_class == 0x01)
868 /* How do we know that we have to hash the (already hashed) text
869 in canonical mode ??? (calculating both modes???) */
872 if (gcry_md_copy (&md, c->mfx.md ))
874 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
877 else /* detached signature */
879 log_debug ("Do we really need this here?");
880 /* signature_check() will enable the md*/
881 if (gcry_md_open (&md, 0, 0 ))
883 if (gcry_md_open (&md2, 0, 0 ))
887 else if ((sig->sig_class&~3) == 0x10
888 || sig->sig_class == 0x18
889 || sig->sig_class == 0x1f
890 || sig->sig_class == 0x20
891 || sig->sig_class == 0x28
892 || sig->sig_class == 0x30)
894 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
895 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
897 return check_key_signature( c->list, node, is_selfsig );
899 else if (sig->sig_class == 0x20)
901 log_error (_("standalone revocation - "
902 "use \"gpg --import\" to apply\n"));
903 return GPG_ERR_NOT_PROCESSED;
907 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
908 return GPG_ERR_SIG_CLASS;
912 return GPG_ERR_SIG_CLASS;
914 rc = signature_check2 (sig, md, NULL, is_expkey, is_revkey, NULL);
915 if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
916 rc = signature_check2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
926 print_userid (PACKET *pkt)
931 if (pkt->pkttype != PKT_USER_ID)
933 printf ("ERROR: unexpected packet type %d", pkt->pkttype );
938 if (pkt->pkt.user_id->attrib_data)
940 pkt->pkt.user_id->numattribs,
941 pkt->pkt.user_id->attrib_len);
943 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
944 pkt->pkt.user_id->len, ":", NULL);
947 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
948 pkt->pkt.user_id->len );
953 * List the keyblock in a user friendly way
956 list_node (CTX c, kbnode_t node)
959 char pkstrbuf[PUBKEY_STRING_SIZE];
963 else if ((mainkey = (node->pkt->pkttype == PKT_PUBLIC_KEY))
964 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY )
966 PKT_public_key *pk = node->pkt->pkt.public_key;
972 keyid_from_pk( pk, keyid );
974 c->trustletter = (opt.fast_list_mode?
975 0 : get_validity_info( pk, NULL));
976 es_printf ("%s:", mainkey? "pub":"sub" );
978 es_putc (c->trustletter, es_stdout);
979 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
982 (ulong)keyid[0],(ulong)keyid[1],
983 colon_datestr_from_pk( pk ),
984 colon_strtime (pk->expiredate) );
985 if (mainkey && !opt.fast_list_mode)
986 es_putc (get_ownertrust_info (pk), es_stdout);
987 es_putc (':', es_stdout);
990 es_printf ("%s %s/%s %s",
991 mainkey? "pub":"sub",
992 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
994 datestr_from_pk (pk));
996 if (pk->flags.revoked)
999 es_printf (_("revoked: %s"), revokestr_from_pk (pk));
1002 else if( pk->expiredate && !opt.with_colons)
1005 es_printf (_("expires: %s"), expirestr_from_pk (pk));
1009 es_putc ('\n', es_stdout);
1011 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
1012 print_fingerprint (NULL, pk, 0);
1014 if (opt.with_colons)
1016 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1017 es_printf ("rtv:1:%u:\n",
1018 node->next->pkt->pkt.ring_trust->trustval);
1023 /* Now list all userids with their signatures. */
1024 for (node = node->next; node; node = node->next)
1026 if (node->pkt->pkttype == PKT_SIGNATURE)
1028 list_node (c, node );
1030 else if (node->pkt->pkttype == PKT_USER_ID)
1032 if (opt.with_colons)
1033 es_printf ("%s:::::::::",
1034 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1036 es_printf ("uid%*s", 28, "" );
1037 print_userid (node->pkt);
1038 if (opt.with_colons)
1039 es_putc (':', es_stdout);
1040 es_putc ('\n', es_stdout);
1043 && node->next->pkt->pkttype == PKT_RING_TRUST)
1045 es_printf ("rtv:2:%u:\n",
1046 node->next->pkt->pkt.ring_trust?
1047 node->next->pkt->pkt.ring_trust->trustval : 0);
1050 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1052 list_node(c, node );
1057 else if ((mainkey = (node->pkt->pkttype == PKT_SECRET_KEY) )
1058 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1061 log_debug ("FIXME: No way to print secret key packets here\n");
1062 /* fixme: We may use a fucntion to turn a secret key packet into
1063 a public key one and use that here. */
1065 else if (node->pkt->pkttype == PKT_SIGNATURE)
1067 PKT_signature *sig = node->pkt->pkt.signature;
1077 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1078 es_fputs ("rev", es_stdout);
1080 es_fputs ("sig", es_stdout);
1084 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1085 switch (gpg_err_code (rc2))
1087 case 0: sigrc = '!'; break;
1088 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1089 case GPG_ERR_NO_PUBKEY:
1090 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1091 default: sigrc = '%'; break;
1094 else /* Check whether this is a self signature. */
1098 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1099 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1101 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1103 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1108 if (opt.with_colons)
1110 es_putc (':', es_stdout);
1112 es_putc (sigrc, es_stdout);
1113 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1114 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1115 colon_datestr_from_sig (sig),
1116 colon_expirestr_from_sig (sig));
1118 if (sig->trust_depth || sig->trust_value)
1119 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1120 es_putc (':', es_stdout);
1122 if (sig->trust_regexp)
1123 es_write_sanitized (es_stdout, sig->trust_regexp,
1124 strlen (sig->trust_regexp), ":", NULL);
1125 es_putc (':', es_stdout);
1128 es_printf ("%c %s %s ",
1129 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1131 es_printf ("[%s] ", gpg_strerror (rc2) );
1132 else if (sigrc == '?')
1134 else if (is_selfsig)
1136 if (opt.with_colons)
1137 es_putc (':', es_stdout);
1138 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1139 if (opt.with_colons)
1140 es_putc (':', es_stdout);
1142 else if (!opt.fast_list_mode)
1144 p = get_user_id (sig->keyid, &n);
1145 es_write_sanitized (es_stdout, p, n,
1146 opt.with_colons?":":NULL, NULL );
1149 if (opt.with_colons)
1150 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1151 es_putc ('\n', es_stdout);
1154 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1159 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1162 CTX c = xmalloc_clear (sizeof *c);
1166 rc = do_proc_packets (c, a);
1174 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1175 strlist_t signedfiles, const char *sigfilename )
1177 CTX c = xmalloc_clear (sizeof *c);
1184 c->signed_data.data_fd = -1;
1185 c->signed_data.data_names = signedfiles;
1186 c->signed_data.used = !!signedfiles;
1188 c->sigfilename = sigfilename;
1189 rc = do_proc_packets ( c, a );
1191 /* If we have not encountered any signature we print an error
1192 messages, send a NODATA status back and return an error code.
1193 Using log_error is required because verify_files does not check
1194 error codes for each file but we want to terminate the process
1196 if (!rc && !c->any.sig_seen)
1198 write_status_text (STATUS_NODATA, "4");
1199 log_error (_("no signature found\n"));
1200 rc = GPG_ERR_NO_DATA;
1203 /* Propagate the signature seen flag upward. Do this only on success
1204 so that we won't issue the nodata status several times. */
1205 if (!rc && c->anchor && c->any.sig_seen)
1206 c->anchor->any.sig_seen = 1;
1214 proc_signature_packets_by_fd (ctrl_t ctrl,
1215 void *anchor, iobuf_t a, int signed_data_fd )
1220 c = xtrycalloc (1, sizeof *c);
1222 return gpg_error_from_syserror ();
1228 c->signed_data.data_fd = signed_data_fd;
1229 c->signed_data.data_names = NULL;
1230 c->signed_data.used = (signed_data_fd != -1);
1232 rc = do_proc_packets ( c, a );
1234 /* If we have not encountered any signature we print an error
1235 messages, send a NODATA status back and return an error code.
1236 Using log_error is required because verify_files does not check
1237 error codes for each file but we want to terminate the process
1239 if (!rc && !c->any.sig_seen)
1241 write_status_text (STATUS_NODATA, "4");
1242 log_error (_("no signature found\n"));
1243 rc = gpg_error (GPG_ERR_NO_DATA);
1246 /* Propagate the signature seen flag upward. Do this only on success
1247 so that we won't issue the nodata status several times. */
1248 if (!rc && c->anchor && c->any.sig_seen)
1249 c->anchor->any.sig_seen = 1;
1257 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1259 CTX c = xmalloc_clear (sizeof *c);
1264 c->encrypt_only = 1;
1265 rc = do_proc_packets (c, a);
1272 check_nesting (CTX c)
1276 for (level=0; c; c = c->anchor)
1279 if (level > MAX_NESTING_DEPTH)
1281 log_error ("input data with too deeply nested packets\n");
1282 write_status_text (STATUS_UNEXPECTED, "1");
1283 return GPG_ERR_BAD_DATA;
1291 do_proc_packets (CTX c, iobuf_t a)
1298 rc = check_nesting (c);
1302 pkt = xmalloc( sizeof *pkt );
1305 while ((rc=parse_packet(a, pkt)) != -1)
1311 /* Stop processing when an invalid packet has been encountered
1312 * but don't do so when we are doing a --list-packets. */
1313 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1314 && opt.list_packets != 2 )
1319 if (opt.list_packets)
1321 switch (pkt->pkttype)
1323 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1324 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1326 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1327 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1328 default: newpkt = 0; break;
1331 else if (c->sigs_only)
1333 switch (pkt->pkttype)
1335 case PKT_PUBLIC_KEY:
1336 case PKT_SECRET_KEY:
1338 case PKT_SYMKEY_ENC:
1339 case PKT_PUBKEY_ENC:
1341 case PKT_ENCRYPTED_MDC:
1342 write_status_text( STATUS_UNEXPECTED, "0" );
1343 rc = GPG_ERR_UNEXPECTED;
1346 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1347 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1348 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1349 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1350 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1351 default: newpkt = 0; break;
1354 else if (c->encrypt_only)
1356 switch (pkt->pkttype)
1358 case PKT_PUBLIC_KEY:
1359 case PKT_SECRET_KEY:
1361 write_status_text (STATUS_UNEXPECTED, "0");
1362 rc = GPG_ERR_UNEXPECTED;
1365 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1366 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1367 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1369 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1370 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1371 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1372 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1373 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1374 default: newpkt = 0; break;
1379 switch (pkt->pkttype)
1381 case PKT_PUBLIC_KEY:
1382 case PKT_SECRET_KEY:
1384 c->list = new_kbnode (pkt);
1387 case PKT_PUBLIC_SUBKEY:
1388 case PKT_SECRET_SUBKEY:
1389 newpkt = add_subkey (c, pkt);
1391 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1392 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1393 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1394 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1396 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1397 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1398 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1399 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1400 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1401 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1402 default: newpkt = 0; break;
1409 /* This is a very ugly construct and frankly, I don't remember why
1410 * I used it. Adding the MDC check here is a hack.
1411 * The right solution is to initiate another context for encrypted
1412 * packet and not to reuse the current one ... It works right
1413 * when there is a compression packet inbetween which adds just
1415 * Hmmm: Rewrite this whole module here??
1417 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1418 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1424 pkt = xmalloc (sizeof *pkt);
1431 if (rc == GPG_ERR_INV_PACKET)
1432 write_status_text (STATUS_NODATA, "3");
1437 write_status_text (STATUS_NODATA, "2");
1445 free_md_filter_context (&c->mfx);
1450 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1451 of the notation data. */
1453 get_pka_address (PKT_signature *sig)
1455 pka_info_t *pka = NULL;
1456 struct notation *nd,*notation;
1458 notation=sig_to_notation(sig);
1460 for(nd=notation;nd;nd=nd->next)
1462 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1463 continue; /* Not the notation we want. */
1465 /* For now we only use the first valid PKA notation. In future
1466 we might want to keep additional PKA notations in a linked
1468 if (is_valid_mailbox (nd->value))
1470 pka = xmalloc (sizeof *pka + strlen(nd->value));
1474 strcpy (pka->email, nd->value);
1479 free_notation(notation);
1485 /* Return the URI from a DNS PKA record. If this record has already
1486 be retrieved for the signature we merely return it; if not we go
1487 out and try to get that DNS record. */
1489 pka_uri_from_sig (PKT_signature *sig)
1491 if (!sig->flags.pka_tried)
1493 assert (!sig->pka_info);
1494 sig->flags.pka_tried = 1;
1495 sig->pka_info = get_pka_address (sig);
1500 uri = get_pka_info (sig->pka_info->email, sig->pka_info->fpr);
1503 sig->pka_info->valid = 1;
1507 sig->pka_info->uri = uri;
1511 return sig->pka_info? sig->pka_info->uri : NULL;
1516 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1517 PKT_signature *sig, int rc)
1521 write_status_text_and_buffer (statno, keyid_str,
1522 un? un->pkt->pkt.user_id->name:"[?]",
1523 un? un->pkt->pkt.user_id->len:3,
1527 p = utf8_to_native (un->pkt->pkt.user_id->name,
1528 un->pkt->pkt.user_id->len, 0);
1530 p = xstrdup ("[?]");
1533 log_info (_("BAD signature from \"%s\""), p);
1534 else if (sig->flags.expired)
1535 log_info (_("Expired signature from \"%s\""), p);
1537 log_info (_("Good signature from \"%s\""), p);
1544 check_sig_and_print (CTX c, kbnode_t node)
1546 PKT_signature *sig = node->pkt->pkt.signature;
1551 char pkstrbuf[PUBKEY_STRING_SIZE];
1555 if (opt.skip_verify)
1557 log_info(_("signature verification suppressed\n"));
1561 /* Check that the message composition is valid.
1563 Per RFC-2440bis (-15) allowed:
1565 S{1,n} -- detached signature.
1566 S{1,n} P -- old style PGP2 signature
1567 O{1,n} P S{1,n} -- standard OpenPGP signature.
1568 C P S{1,n} -- cleartext signature.
1571 O = One-Pass Signature packet.
1572 S = Signature packet.
1573 P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1574 (Note that the current rfc2440bis draft also allows
1575 for a signed message but that does not work as it
1576 introduces ambiguities.)
1577 We keep track of these packages using the marker packet
1578 CTRLPKT_PLAINTEXT_MARK.
1579 C = Marker packet for cleartext signatures.
1581 We reject all other messages.
1583 Actually we are calling this too often, i.e. for verification of
1584 each message but better have some duplicate work than to silently
1585 introduce a bug here.
1589 int n_onepass, n_sig;
1591 /* log_debug ("checking signature packet composition\n"); */
1592 /* dump_kbnode (c->list); */
1596 if ( n->pkt->pkttype == PKT_SIGNATURE )
1598 /* This is either "S{1,n}" case (detached signature) or
1599 "S{1,n} P" (old style PGP2 signature). */
1600 for (n = n->next; n; n = n->next)
1601 if (n->pkt->pkttype != PKT_SIGNATURE)
1604 ; /* Okay, this is a detached signature. */
1605 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1606 && (n->pkt->pkt.gpg_control->control
1607 == CTRLPKT_PLAINTEXT_MARK) )
1610 goto ambiguous; /* We only allow one P packet. */
1615 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1617 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1618 for (n_onepass=1, n = n->next;
1619 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1621 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1622 && (n->pkt->pkt.gpg_control->control
1623 == CTRLPKT_PLAINTEXT_MARK)))
1625 for (n_sig=0, n = n->next;
1626 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1631 /* If we wanted to disallow multiple sig verification, we'd do
1632 something like this:
1634 if (n && !opt.allow_multisig_verification)
1637 However, now that we have --allow-multiple-messages, this
1638 can stay allowable as we can't get here unless multiple
1639 messages (i.e. multiple literals) are allowed. */
1641 if (n_onepass != n_sig)
1643 log_info ("number of one-pass packets does not match "
1644 "number of signature packets\n");
1648 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1649 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1651 /* This is the "C P S{1,n}" case (clear text signature). */
1653 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1654 && (n->pkt->pkt.gpg_control->control
1655 == CTRLPKT_PLAINTEXT_MARK)))
1657 for (n_sig=0, n = n->next;
1658 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1666 log_error(_("can't handle this ambiguous signature data\n"));
1671 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1672 if (keystrlen () > 8)
1674 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1675 log_info (_(" using %s key %s\n"),
1676 astr? astr: "?",keystr(sig->keyid));
1679 log_info (_("Signature made %s using %s key ID %s\n"),
1680 asctimestamp(sig->timestamp), astr? astr: "?",
1681 keystr(sig->keyid));
1683 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1685 /* If the key isn't found, check for a preferred keyserver */
1687 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1693 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1695 /* According to my favorite copy editor, in English grammar,
1696 you say "at" if the key is located on a web page, but
1697 "from" if it is located on a keyserver. I'm not going to
1698 even try to make two strings here :) */
1699 log_info(_("Key available at: ") );
1700 print_utf8_buffer (log_get_stream(), p, n);
1703 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1704 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1706 struct keyserver_spec *spec;
1708 spec = parse_preferred_keyserver (sig);
1713 glo_ctrl.in_auto_key_retrieve++;
1714 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1715 glo_ctrl.in_auto_key_retrieve--;
1717 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1718 free_keyserver_spec (spec);
1727 /* If the preferred keyserver thing above didn't work, our second
1728 try is to use the URI from a DNS PKA record. */
1729 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1730 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1731 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1733 const char *uri = pka_uri_from_sig (sig);
1737 /* FIXME: We might want to locate the key using the
1738 fingerprint instead of the keyid. */
1740 struct keyserver_spec *spec;
1742 spec = parse_keyserver_uri (uri, 1);
1745 glo_ctrl.in_auto_key_retrieve++;
1746 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1747 glo_ctrl.in_auto_key_retrieve--;
1748 free_keyserver_spec (spec);
1750 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1755 /* If the preferred keyserver thing above didn't work and we got
1756 no information from the DNS PKA, this is a third try. */
1758 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1760 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE))
1764 glo_ctrl.in_auto_key_retrieve++;
1765 res=keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1766 glo_ctrl.in_auto_key_retrieve--;
1768 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1771 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1773 kbnode_t un, keyblock;
1777 PKT_public_key *pk = NULL;
1780 statno = STATUS_BADSIG;
1781 else if (sig->flags.expired)
1782 statno = STATUS_EXPSIG;
1784 statno = STATUS_EXPKEYSIG;
1786 statno = STATUS_REVKEYSIG;
1788 statno = STATUS_GOODSIG;
1790 keyblock = get_pubkeyblock (sig->keyid);
1792 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1793 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1795 /* Find and print the primary user ID. */
1796 for (un=keyblock; un; un = un->next)
1800 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1802 pk=un->pkt->pkt.public_key;
1805 if (un->pkt->pkttype != PKT_USER_ID)
1807 if (!un->pkt->pkt.user_id->created)
1809 if (un->pkt->pkt.user_id->is_revoked)
1811 if (un->pkt->pkt.user_id->is_expired)
1813 if (!un->pkt->pkt.user_id->is_primary)
1815 /* We want the textual primary user ID here */
1816 if (un->pkt->pkt.user_id->attrib_data)
1821 /* Get it before we print anything to avoid interrupting the
1822 output with the "please do a --check-trustdb" line. */
1823 valid = get_validity (pk, un->pkt->pkt.user_id);
1825 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1827 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1829 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1830 log_printf (" [%s]\n",trust_value_to_string(valid));
1834 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1838 if (!count) /* Just in case that we have no valid textual userid */
1840 /* Try for an invalid textual userid */
1841 for (un=keyblock; un; un = un->next)
1843 if (un->pkt->pkttype == PKT_USER_ID
1844 && !un->pkt->pkt.user_id->attrib_data)
1848 /* Try for any userid at all */
1851 for (un=keyblock; un; un = un->next)
1853 if (un->pkt->pkttype == PKT_USER_ID)
1858 if (opt.trust_model==TM_ALWAYS || !un)
1859 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1861 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1863 if (opt.trust_model != TM_ALWAYS && un)
1864 log_printf (" %s",_("[uncertain]") );
1868 /* If we have a good signature and already printed
1869 * the primary user ID, print all the other user IDs */
1872 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1875 for( un=keyblock; un; un = un->next)
1877 if (un->pkt->pkttype != PKT_USER_ID)
1879 if ((un->pkt->pkt.user_id->is_revoked
1880 || un->pkt->pkt.user_id->is_expired)
1881 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1883 /* Only skip textual primaries */
1884 if (un->pkt->pkt.user_id->is_primary
1885 && !un->pkt->pkt.user_id->attrib_data )
1888 if (un->pkt->pkt.user_id->attrib_data)
1890 dump_attribs (un->pkt->pkt.user_id, pk);
1892 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1893 show_photos (un->pkt->pkt.user_id->attribs,
1894 un->pkt->pkt.user_id->numattribs,
1895 pk ,un->pkt->pkt.user_id);
1898 p = utf8_to_native (un->pkt->pkt.user_id->name,
1899 un->pkt->pkt.user_id->len, 0);
1900 log_info (_(" aka \"%s\""), p);
1903 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1907 if (un->pkt->pkt.user_id->is_revoked)
1908 valid = _("revoked");
1909 else if (un->pkt->pkt.user_id->is_expired)
1910 valid = _("expired");
1912 valid = (trust_value_to_string
1913 (get_validity (pk, un->pkt->pkt.user_id)));
1914 log_printf (" [%s]\n",valid);
1920 release_kbnode( keyblock );
1924 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
1925 show_policy_url (sig, 0, 1);
1927 show_policy_url (sig, 0, 2);
1929 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
1930 show_keyserver_url (sig, 0, 1);
1932 show_keyserver_url (sig, 0, 2);
1934 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
1937 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
1938 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
1940 show_notation (sig, 0, 2, 0);
1943 if (!rc && is_status_enabled ())
1945 /* Print a status response with the fingerprint. */
1946 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
1948 if (!get_pubkey (vpk, sig->keyid))
1950 byte array[MAX_FINGERPRINT_LEN], *p;
1951 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
1955 fingerprint_from_pk (vpk, array, &n);
1957 for(i=0; i < n ; i++, p++, bufp += 2)
1958 sprintf (bufp, "%02X", *p );
1959 /* TODO: Replace the reserved '0' in the field below
1960 with bits for status flags (policy url, notation,
1961 etc.). Remember to make the buffer larger to match! */
1962 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
1963 strtimestamp( sig->timestamp ),
1964 (ulong)sig->timestamp,(ulong)sig->expiredate,
1965 sig->version,sig->pubkey_algo,sig->digest_algo,
1967 bufp = bufp + strlen (bufp);
1968 if (!vpk->flags.primary)
1972 akid[0] = vpk->main_keyid[0];
1973 akid[1] = vpk->main_keyid[1];
1974 free_public_key (vpk);
1975 vpk = xmalloc_clear (sizeof *vpk);
1976 if (get_pubkey (vpk, akid))
1978 /* Impossible error, we simply return a zeroed out fpr */
1979 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
1980 memset (array, 0, n);
1983 fingerprint_from_pk( vpk, array, &n );
1986 for (i=0; i < n ; i++, p++, bufp += 2)
1987 sprintf(bufp, "%02X", *p );
1988 write_status_text (STATUS_VALIDSIG, buf);
1990 free_public_key (vpk);
1995 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
1996 pka_uri_from_sig (sig); /* Make sure PKA info is available. */
1997 rc = check_signatures_trust (sig);
2000 if (sig->flags.expired)
2002 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2003 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2005 else if (sig->expiredate)
2006 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2009 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2010 sig->sig_class==0x00?_("binary"):
2011 sig->sig_class==0x01?_("textmode"):_("unknown"),
2012 gcry_md_algo_name (sig->digest_algo),
2013 *pkstrbuf?_(", key algorithm "):"",
2016 if (!rc && !c->signed_data.used)
2018 /* Signature is basically good but we test whether the
2020 gpg --verify FILE.sig
2022 gpg --verify FILE.sig FILE
2023 to verify a detached signature. If we figure out that a
2024 data file with a matching name exists, we print a warning.
2026 The problem is that the first form would also verify a
2027 standard signature. This behavior could be used to
2028 create a made up .sig file for a tarball by creating a
2029 standard signature from a valid detached signature packet
2030 (for example from a signed git tag). Then replace the
2031 sig file on the FTP server along with a changed tarball.
2032 Using the first form the verify command would correctly
2033 verify the signature but don't even consider the tarball. */
2037 dfile = get_matching_datafile (c->sigfilename);
2040 for (n = c->list; n; n = n->next)
2041 if (n->pkt->pkttype != PKT_SIGNATURE)
2045 /* Not only signature packets in the tree thus this
2046 is not a detached signature. */
2047 log_info (_("WARNING: not a detached signature; "
2048 "file '%s' was NOT verified!\n"), dfile);
2055 g10_errors_seen = 1;
2056 if (opt.batch && rc)
2063 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2064 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2065 sig->pubkey_algo, sig->digest_algo,
2066 sig->sig_class, (ulong)sig->timestamp, rc);
2067 write_status_text (STATUS_ERRSIG, buf);
2068 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2071 write_status_text (STATUS_NO_PUBKEY, buf);
2073 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2074 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2082 * Process the tree which starts at node
2085 proc_tree (CTX c, kbnode_t node)
2090 if (opt.list_packets || opt.list_only)
2093 /* We must skip our special plaintext marker packets here because
2094 they may be the root packet. These packets are only used in
2095 addional checks and skipping them here doesn't matter. */
2097 && node->pkt->pkttype == PKT_GPG_CONTROL
2098 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2105 c->trustletter = ' ';
2106 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2107 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2109 merge_keys_and_selfsig (node);
2110 list_node (c, node);
2112 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2114 merge_keys_and_selfsig (node);
2115 list_node (c, node);
2117 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2119 /* Check all signatures. */
2122 int use_textmode = 0;
2124 free_md_filter_context (&c->mfx);
2125 /* Prepare to create all requested message digests. */
2126 rc = gcry_md_open (&c->mfx.md, 0, 0);
2130 /* Fixme: why looking for the signature packet and not the
2132 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2133 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2135 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2138 /* Ask for file and hash it. */
2141 if (c->signed_data.used && c->signed_data.data_fd != -1)
2142 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2143 c->signed_data.data_fd,
2146 rc = hash_datafiles (c->mfx.md, NULL,
2147 c->signed_data.data_names,
2153 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2154 iobuf_get_real_fname (c->iobuf),
2161 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2165 else if (c->signed_data.used)
2167 log_error (_("not a detached signature\n"));
2171 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2172 check_sig_and_print (c, n1);
2175 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2176 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2178 /* Clear text signed message. */
2181 log_error ("cleartext signature without data\n");
2184 else if (c->signed_data.used)
2186 log_error (_("not a detached signature\n"));
2190 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2191 check_sig_and_print (c, n1);
2194 else if (node->pkt->pkttype == PKT_SIGNATURE)
2196 PKT_signature *sig = node->pkt->pkt.signature;
2197 int multiple_ok = 1;
2199 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2202 byte class = sig->sig_class;
2203 byte hash = sig->digest_algo;
2205 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2207 /* We can't currently handle multiple signatures of
2208 different classes or digests (we'd pretty much have
2209 to run a different hash context for each), but if
2210 they are all the same, make an exception. */
2211 if (n1->pkt->pkt.signature->sig_class != class
2212 || n1->pkt->pkt.signature->digest_algo != hash)
2215 log_info (_("WARNING: multiple signatures detected. "
2216 "Only the first will be checked.\n"));
2222 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2224 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2226 else if (!c->any.data)
2228 /* Detached signature */
2229 free_md_filter_context (&c->mfx);
2230 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2232 goto detached_hash_err;
2234 if (RFC2440 || RFC4880)
2235 ; /* Strict RFC mode. */
2236 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2237 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2238 && sig->sig_class == 0x01)
2240 /* Enable a workaround for a pgp5 bug when the detached
2241 * signature has been created in textmode. */
2242 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2244 goto detached_hash_err;
2247 /* Here we used to have another hack to work around a pgp
2248 * 2 bug: It worked by not using the textmode for detached
2249 * signatures; this would let the first signature check
2250 * (on md) fail but the second one (on md2), which adds an
2251 * extra CR would then have produced the "correct" hash.
2252 * This is very, very ugly hack but it may haved help in
2253 * some cases (and break others).
2254 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2259 gcry_md_debug (c->mfx.md, "verify");
2261 gcry_md_debug (c->mfx.md2, "verify2");
2266 if (c->signed_data.used && c->signed_data.data_fd != -1)
2267 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2268 c->signed_data.data_fd,
2269 (sig->sig_class == 0x01));
2271 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2272 c->signed_data.data_names,
2274 (sig->sig_class == 0x01));
2278 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2279 iobuf_get_real_fname(c->iobuf),
2280 (sig->sig_class == 0x01));
2286 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2290 else if (c->signed_data.used)
2292 log_error (_("not a detached signature\n"));
2295 else if (!opt.quiet)
2296 log_info (_("old style (PGP 2.x) signature\n"));
2300 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2301 check_sig_and_print (c, n1);
2304 check_sig_and_print (c, node);
2309 dump_kbnode (c->list);
2310 log_error ("invalid root packet detected in proc_tree()\n");