1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
39 #include "keyserver-internal.h"
41 #include "mbox-util.h"
42 #include "call-dirmngr.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
130 proc_tree (c, c->list);
131 release_kbnode (c->list);
132 while (c->pkenc_list)
134 struct kidlist_item *tmp = c->pkenc_list->next;
135 xfree (c->pkenc_list);
138 c->pkenc_list = NULL;
141 c->any.uncompress_failed = 0;
142 c->last_was_session_key = 0;
149 add_onepass_sig (CTX c, PACKET *pkt)
153 if (c->list) /* Add another packet. */
154 add_kbnode (c->list, new_kbnode (pkt));
155 else /* Insert the first one. */
156 c->list = node = new_kbnode (pkt);
163 add_gpg_control (CTX c, PACKET *pkt)
165 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
167 /* New clear text signature.
168 * Process the last one and reset everything */
172 if (c->list) /* Add another packet. */
173 add_kbnode (c->list, new_kbnode (pkt));
174 else /* Insert the first one. */
175 c->list = new_kbnode (pkt);
182 add_user_id (CTX c, PACKET *pkt)
186 log_error ("orphaned user ID\n");
189 add_kbnode (c->list, new_kbnode (pkt));
195 add_subkey (CTX c, PACKET *pkt)
199 log_error ("subkey w/o mainkey\n");
202 add_kbnode (c->list, new_kbnode (pkt));
208 add_ring_trust (CTX c, PACKET *pkt)
212 log_error ("ring trust w/o key\n");
215 add_kbnode (c->list, new_kbnode (pkt));
221 add_signature (CTX c, PACKET *pkt)
226 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
228 /* This is the first signature for the following datafile.
229 * GPG does not write such packets; instead it always uses
230 * onepass-sig packets. The drawback of PGP's method
231 * of prepending the signature to the data is
232 * that it is not possible to make a signature from data read
233 * from stdin. (GPG is able to read PGP stuff anyway.) */
234 node = new_kbnode (pkt);
239 return 0; /* oops (invalid packet sequence)*/
240 else if (!c->list->pkt)
241 BUG(); /* so nicht */
243 /* Add a new signature node item at the end. */
244 node = new_kbnode (pkt);
245 add_kbnode (c->list, node);
251 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
255 if(slen < 17 || slen > 33)
257 log_error ( _("weird size for an encrypted session key (%d)\n"),
259 return GPG_ERR_BAD_KEY;
262 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
264 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
266 gcry_cipher_setiv ( hd, NULL, 0 );
267 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
268 gcry_cipher_close ( hd );
270 /* Now we replace the dek components with the real session key to
271 decrypt the contents of the sequencing packet. */
276 if(dek->keylen > DIM(dek->key))
279 memcpy(dek->key, seskey + 1, dek->keylen);
281 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
288 proc_symkey_enc (CTX c, PACKET *pkt)
292 enc = pkt->pkt.symkey_enc;
294 log_error ("invalid symkey encrypted packet\n");
297 int algo = enc->cipher_algo;
298 const char *s = openpgp_cipher_algo_name (algo);
300 if (!openpgp_cipher_test_algo (algo))
305 log_info (_("%s encrypted session key\n"), s );
307 log_info (_("%s encrypted data\n"), s );
311 log_error (_("encrypted with unknown algorithm %d\n"), algo);
313 if (openpgp_md_test_algo (enc->s2k.hash_algo))
315 log_error(_("passphrase generated with unknown digest"
316 " algorithm %d\n"),enc->s2k.hash_algo);
320 c->last_was_session_key = 2;
321 if (!s || opt.list_only)
324 if (opt.override_session_key)
326 c->dek = xmalloc_clear (sizeof *c->dek);
327 if (get_override_session_key (c->dek, opt.override_session_key))
335 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
338 c->dek->symmetric = 1;
340 /* FIXME: This doesn't work perfectly if a symmetric key
341 comes before a public key in the message - if the
342 user doesn't know the passphrase, then there is a
343 chance that the "decrypted" algorithm will happen to
344 be a valid one, which will make the returned dek
345 appear valid, so we won't try any public keys that
349 if (symkey_decrypt_seskey (c->dek,
350 enc->seskey, enc->seskeylen))
357 c->dek->algo_info_printed = 1;
369 proc_pubkey_enc (CTX c, PACKET *pkt)
374 /* Check whether the secret key is available and store in this case. */
375 c->last_was_session_key = 1;
376 enc = pkt->pkt.pubkey_enc;
377 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
378 /* Hmmm: why do I have this algo check here - anyway there is
379 * function to check it. */
381 log_info (_("public key is %s\n"), keystr (enc->keyid));
383 if (is_status_enabled())
386 /* FIXME: For ECC support we need to map the OpenPGP algo number
387 to the Libgcrypt defined one. This is due a chicken-egg
388 problem: We need to have code in Libgcrypt for a new
389 algorithm so to implement a proposed new algorithm before the
390 IANA will finally assign an OpenPGP indentifier. */
391 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
392 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
393 write_status_text (STATUS_ENC_TO, buf);
396 if (!opt.list_only && opt.override_session_key)
398 /* It does not make much sense to store the session key in
399 * secure memory because it has already been passed on the
400 * command line and the GCHQ knows about it. */
401 c->dek = xmalloc_clear (sizeof *c->dek);
402 result = get_override_session_key (c->dek, opt.override_session_key);
409 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
411 || enc->pubkey_algo == PUBKEY_ALGO_RSA
412 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
413 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
415 /* Note that we also allow type 20 Elgamal keys for decryption.
416 There are still a couple of those keys in active use as a
419 /* FIXME: Store this all in a list and process it later so that
420 we can prioritize what key to use. This gives a better user
421 experience if wildcard keyids are used. */
422 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
423 || opt.try_all_secrets
424 || have_secret_key_with_kid (enc->keyid)))
430 c->dek = xmalloc_secure_clear (sizeof *c->dek);
431 if ((result = get_session_key (enc, c->dek)))
433 /* Error: Delete the DEK. */
440 result = GPG_ERR_NO_SECKEY;
443 result = GPG_ERR_PUBKEY_ALGO;
449 /* Store it for later display. */
450 struct kidlist_item *x = xmalloc (sizeof *x);
451 x->kid[0] = enc->keyid[0];
452 x->kid[1] = enc->keyid[1];
453 x->pubkey_algo = enc->pubkey_algo;
455 x->next = c->pkenc_list;
458 if (!result && opt.verbose > 1)
459 log_info (_("public key encrypted data: good DEK\n"));
467 * Print the list of public key encrypted packets which we could
471 print_pkenc_list (struct kidlist_item *list, int failed)
473 for (; list; list = list->next)
478 if (failed && !list->reason)
480 if (!failed && list->reason)
483 algstr = openpgp_pk_algo_name (list->pubkey_algo);
484 pk = xmalloc_clear (sizeof *pk);
488 pk->pubkey_algo = list->pubkey_algo;
489 if (!get_pubkey (pk, list->kid))
492 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
493 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
494 strtimestamp (pk->timestamp));
495 p = get_user_id_native (list->kid);
496 log_printf (_(" \"%s\"\n"), p);
500 log_info (_("encrypted with %s key, ID %s\n"),
501 algstr, keystr(list->kid));
503 free_public_key (pk);
505 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
507 if (is_status_enabled())
510 snprintf (buf, sizeof buf, "%08lX%08lX",
511 (ulong)list->kid[0], (ulong)list->kid[1]);
512 write_status_text (STATUS_NO_SECKEY, buf);
515 else if (list->reason)
517 log_info (_("public key decryption failed: %s\n"),
518 gpg_strerror (list->reason));
519 write_status_error ("pkdecrypt_failed", list->reason);
526 proc_encrypted (CTX c, PACKET *pkt)
533 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
534 else if (c->symkeys == 1)
535 log_info (_("encrypted with 1 passphrase\n"));
536 print_pkenc_list ( c->pkenc_list, 1 );
537 print_pkenc_list ( c->pkenc_list, 0 );
540 /* FIXME: Figure out the session key by looking at all pkenc packets. */
542 write_status (STATUS_BEGIN_DECRYPTION);
544 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
547 else if (!c->dek && !c->last_was_session_key)
551 STRING2KEY *s2k = NULL;
554 if (opt.override_session_key)
556 c->dek = xmalloc_clear (sizeof *c->dek);
557 result = get_override_session_key (c->dek, opt.override_session_key);
566 /* Assume this is old style conventional encrypted data. */
567 algo = opt.def_cipher_algo;
569 log_info (_("assuming %s encrypted data\n"),
570 openpgp_cipher_algo_name (algo));
571 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
573 algo = opt.def_cipher_algo;
575 algo = opt.s2k_cipher_algo;
576 log_info (_("IDEA cipher unavailable, "
577 "optimistically attempting to use %s instead\n"),
578 openpgp_cipher_algo_name (algo));
582 algo = CIPHER_ALGO_IDEA;
583 if (!opt.s2k_digest_algo)
585 /* If no digest is given we assume SHA-1. */
587 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
590 log_info (_("assuming %s encrypted data\n"), "IDEA");
593 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
595 c->dek->algo_info_printed = 1;
597 result = gpg_error (GPG_ERR_CANCELED);
599 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
603 result = GPG_ERR_NO_SECKEY;
606 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
610 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
611 && opt.ignore_mdc_error))
613 write_status (STATUS_DECRYPTION_OKAY);
615 log_info(_("decryption okay\n"));
616 if (pkt->pkt.encrypted->mdc_method && !result)
617 write_status (STATUS_GOODMDC);
618 else if (!opt.no_mdc_warn)
619 log_info (_("WARNING: message was not integrity protected\n"));
621 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
623 glo_ctrl.lasterr = result;
624 log_error (_("WARNING: encrypted message has been manipulated!\n"));
625 write_status (STATUS_BADMDC);
626 write_status (STATUS_DECRYPTION_FAILED);
630 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
631 && *c->dek->s2k_cacheid != '\0')
633 log_debug (_("cleared passphrase cached with ID: %s\n"),
634 c->dek->s2k_cacheid);
635 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
637 glo_ctrl.lasterr = result;
638 write_status (STATUS_DECRYPTION_FAILED);
639 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
640 /* Hmmm: does this work when we have encrypted using multiple
641 * ways to specify the session key (symmmetric and PK). */
647 c->last_was_session_key = 0;
648 write_status (STATUS_END_DECRYPTION);
653 proc_plaintext( CTX c, PACKET *pkt )
655 PKT_plaintext *pt = pkt->pkt.plaintext;
656 int any, clearsig, rc;
661 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
662 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
663 else if (opt.verbose)
664 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
666 free_md_filter_context (&c->mfx);
667 if (gcry_md_open (&c->mfx.md, 0, 0))
669 /* fixme: we may need to push the textfilter if we have sigclass 1
670 * and no armoring - Not yet tested
671 * Hmmm, why don't we need it at all if we have sigclass 1
672 * Should we assume that plaintext in mode 't' has always sigclass 1??
673 * See: Russ Allbery's mail 1999-02-09
676 for (n=c->list; n; n = n->next )
678 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
680 /* The onepass signature case. */
681 if (n->pkt->pkt.onepass_sig->digest_algo)
683 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
687 else if (n->pkt->pkttype == PKT_GPG_CONTROL
688 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
690 /* The clearsigned message case. */
691 size_t datalen = n->pkt->pkt.gpg_control->datalen;
692 const byte *data = n->pkt->pkt.gpg_control->data;
694 /* Check that we have at least the sigclass and one hash. */
696 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
697 /* Note that we don't set the clearsig flag for not-dash-escaped
699 clearsig = (*data == 0x01);
700 for (data++, datalen--; datalen; datalen--, data++)
701 gcry_md_enable (c->mfx.md, *data);
703 break; /* Stop here as one-pass signature packets are not
706 else if (n->pkt->pkttype == PKT_SIGNATURE)
708 /* The SIG+LITERAL case that PGP used to use. */
709 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
714 if (!any && !opt.skip_verify)
716 /* This is for the old GPG LITERAL+SIG case. It's not legal
717 according to 2440, so hopefully it won't come up that often.
718 There is no good way to specify what algorithms to use in
719 that case, so these there are the historical answer. */
720 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
721 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
725 gcry_md_debug (c->mfx.md, "verify");
727 gcry_md_debug (c->mfx.md2, "verify2");
732 if (literals_seen > 1)
734 log_info (_("WARNING: multiple plaintexts seen\n"));
736 if (!opt.flags.allow_multiple_messages)
738 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
739 log_inc_errorcount ();
740 rc = gpg_error (GPG_ERR_UNEXPECTED);
746 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
747 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
749 /* Can't write output but we hash it anyway to check the
751 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
756 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
759 c->last_was_session_key = 0;
761 /* We add a marker control packet instead of the plaintext packet.
762 * This is so that we can later detect invalid packet sequences. */
763 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
765 add_kbnode (c->list, n);
772 proc_compressed_cb (iobuf_t a, void *info)
774 if ( ((CTX)info)->signed_data.used
775 && ((CTX)info)->signed_data.data_fd != -1)
776 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
777 ((CTX)info)->signed_data.data_fd);
779 return proc_signature_packets (((CTX)info)->ctrl, info, a,
780 ((CTX)info)->signed_data.data_names,
781 ((CTX)info)->sigfilename );
786 proc_encrypt_cb (iobuf_t a, void *info )
789 return proc_encryption_packets (c->ctrl, info, a );
794 proc_compressed (CTX c, PACKET *pkt)
796 PKT_compressed *zd = pkt->pkt.compressed;
799 /*printf("zip: compressed data packet\n");*/
801 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
802 else if( c->encrypt_only )
803 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
805 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
807 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
809 if (!c->any.uncompress_failed)
813 for (cc=c; cc; cc = cc->anchor)
814 cc->any.uncompress_failed = 1;
815 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
819 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
822 c->last_was_session_key = 0;
828 * check the signature
829 * Returns: 0 = valid signature or an error code
832 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
833 int *is_expkey, int *is_revkey)
836 gcry_md_hd_t md = NULL;
837 gcry_md_hd_t md2 = NULL;
840 assert (node->pkt->pkttype == PKT_SIGNATURE);
843 sig = node->pkt->pkt.signature;
845 algo = sig->digest_algo;
846 rc = openpgp_md_test_algo (algo);
850 if (sig->sig_class == 0x00)
854 if (gcry_md_copy (&md, c->mfx.md ))
857 else /* detached signature */
859 /* signature_check() will enable the md. */
860 if (gcry_md_open (&md, 0, 0 ))
864 else if (sig->sig_class == 0x01)
866 /* How do we know that we have to hash the (already hashed) text
867 in canonical mode ??? (calculating both modes???) */
870 if (gcry_md_copy (&md, c->mfx.md ))
872 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
875 else /* detached signature */
877 log_debug ("Do we really need this here?");
878 /* signature_check() will enable the md*/
879 if (gcry_md_open (&md, 0, 0 ))
881 if (gcry_md_open (&md2, 0, 0 ))
885 else if ((sig->sig_class&~3) == 0x10
886 || sig->sig_class == 0x18
887 || sig->sig_class == 0x1f
888 || sig->sig_class == 0x20
889 || sig->sig_class == 0x28
890 || sig->sig_class == 0x30)
892 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
893 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
895 return check_key_signature( c->list, node, is_selfsig );
897 else if (sig->sig_class == 0x20)
899 log_error (_("standalone revocation - "
900 "use \"gpg --import\" to apply\n"));
901 return GPG_ERR_NOT_PROCESSED;
905 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
906 return GPG_ERR_SIG_CLASS;
910 return GPG_ERR_SIG_CLASS;
912 rc = signature_check2 (sig, md, NULL, is_expkey, is_revkey, NULL);
913 if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
914 rc = signature_check2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
924 print_userid (PACKET *pkt)
929 if (pkt->pkttype != PKT_USER_ID)
931 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
936 if (pkt->pkt.user_id->attrib_data)
938 pkt->pkt.user_id->numattribs,
939 pkt->pkt.user_id->attrib_len);
941 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
942 pkt->pkt.user_id->len, ":", NULL);
945 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
946 pkt->pkt.user_id->len );
951 * List the keyblock in a user friendly way
954 list_node (CTX c, kbnode_t node)
957 char pkstrbuf[PUBKEY_STRING_SIZE];
961 else if ((mainkey = (node->pkt->pkttype == PKT_PUBLIC_KEY))
962 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY )
964 PKT_public_key *pk = node->pkt->pkt.public_key;
970 keyid_from_pk( pk, keyid );
972 c->trustletter = (opt.fast_list_mode?
973 0 : get_validity_info( pk, NULL));
974 es_printf ("%s:", mainkey? "pub":"sub" );
976 es_putc (c->trustletter, es_stdout);
977 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
980 (ulong)keyid[0],(ulong)keyid[1],
981 colon_datestr_from_pk( pk ),
982 colon_strtime (pk->expiredate) );
983 if (mainkey && !opt.fast_list_mode)
984 es_putc (get_ownertrust_info (pk), es_stdout);
985 es_putc (':', es_stdout);
988 es_printf ("%s %s/%s %s",
989 mainkey? "pub":"sub",
990 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
992 datestr_from_pk (pk));
994 if (pk->flags.revoked)
997 es_printf (_("revoked: %s"), revokestr_from_pk (pk));
1000 else if( pk->expiredate && !opt.with_colons)
1003 es_printf (_("expires: %s"), expirestr_from_pk (pk));
1007 es_putc ('\n', es_stdout);
1009 if ((mainkey && opt.fingerprint) || opt.fingerprint > 1)
1010 print_fingerprint (NULL, pk, 0);
1012 if (opt.with_colons)
1014 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1015 es_printf ("rtv:1:%u:\n",
1016 node->next->pkt->pkt.ring_trust->trustval);
1021 /* Now list all userids with their signatures. */
1022 for (node = node->next; node; node = node->next)
1024 if (node->pkt->pkttype == PKT_SIGNATURE)
1026 list_node (c, node );
1028 else if (node->pkt->pkttype == PKT_USER_ID)
1030 if (opt.with_colons)
1031 es_printf ("%s:::::::::",
1032 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1034 es_printf ("uid%*s", 28, "" );
1035 print_userid (node->pkt);
1036 if (opt.with_colons)
1037 es_putc (':', es_stdout);
1038 es_putc ('\n', es_stdout);
1041 && node->next->pkt->pkttype == PKT_RING_TRUST)
1043 es_printf ("rtv:2:%u:\n",
1044 node->next->pkt->pkt.ring_trust?
1045 node->next->pkt->pkt.ring_trust->trustval : 0);
1048 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1050 list_node(c, node );
1055 else if ((mainkey = (node->pkt->pkttype == PKT_SECRET_KEY) )
1056 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1059 log_debug ("FIXME: No way to print secret key packets here\n");
1060 /* fixme: We may use a fucntion to turn a secret key packet into
1061 a public key one and use that here. */
1063 else if (node->pkt->pkttype == PKT_SIGNATURE)
1065 PKT_signature *sig = node->pkt->pkt.signature;
1075 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1076 es_fputs ("rev", es_stdout);
1078 es_fputs ("sig", es_stdout);
1082 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1083 switch (gpg_err_code (rc2))
1085 case 0: sigrc = '!'; break;
1086 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1087 case GPG_ERR_NO_PUBKEY:
1088 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1089 default: sigrc = '%'; break;
1092 else /* Check whether this is a self signature. */
1096 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1097 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1099 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1101 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1106 if (opt.with_colons)
1108 es_putc (':', es_stdout);
1110 es_putc (sigrc, es_stdout);
1111 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1112 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1113 colon_datestr_from_sig (sig),
1114 colon_expirestr_from_sig (sig));
1116 if (sig->trust_depth || sig->trust_value)
1117 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1118 es_putc (':', es_stdout);
1120 if (sig->trust_regexp)
1121 es_write_sanitized (es_stdout, sig->trust_regexp,
1122 strlen (sig->trust_regexp), ":", NULL);
1123 es_putc (':', es_stdout);
1126 es_printf ("%c %s %s ",
1127 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1129 es_printf ("[%s] ", gpg_strerror (rc2) );
1130 else if (sigrc == '?')
1132 else if (is_selfsig)
1134 if (opt.with_colons)
1135 es_putc (':', es_stdout);
1136 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1137 if (opt.with_colons)
1138 es_putc (':', es_stdout);
1140 else if (!opt.fast_list_mode)
1142 p = get_user_id (sig->keyid, &n);
1143 es_write_sanitized (es_stdout, p, n,
1144 opt.with_colons?":":NULL, NULL );
1147 if (opt.with_colons)
1148 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1149 es_putc ('\n', es_stdout);
1152 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1157 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1160 CTX c = xmalloc_clear (sizeof *c);
1164 rc = do_proc_packets (c, a);
1172 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1173 strlist_t signedfiles, const char *sigfilename )
1175 CTX c = xmalloc_clear (sizeof *c);
1182 c->signed_data.data_fd = -1;
1183 c->signed_data.data_names = signedfiles;
1184 c->signed_data.used = !!signedfiles;
1186 c->sigfilename = sigfilename;
1187 rc = do_proc_packets ( c, a );
1189 /* If we have not encountered any signature we print an error
1190 messages, send a NODATA status back and return an error code.
1191 Using log_error is required because verify_files does not check
1192 error codes for each file but we want to terminate the process
1194 if (!rc && !c->any.sig_seen)
1196 write_status_text (STATUS_NODATA, "4");
1197 log_error (_("no signature found\n"));
1198 rc = GPG_ERR_NO_DATA;
1201 /* Propagate the signature seen flag upward. Do this only on success
1202 so that we won't issue the nodata status several times. */
1203 if (!rc && c->anchor && c->any.sig_seen)
1204 c->anchor->any.sig_seen = 1;
1212 proc_signature_packets_by_fd (ctrl_t ctrl,
1213 void *anchor, iobuf_t a, int signed_data_fd )
1218 c = xtrycalloc (1, sizeof *c);
1220 return gpg_error_from_syserror ();
1226 c->signed_data.data_fd = signed_data_fd;
1227 c->signed_data.data_names = NULL;
1228 c->signed_data.used = (signed_data_fd != -1);
1230 rc = do_proc_packets ( c, a );
1232 /* If we have not encountered any signature we print an error
1233 messages, send a NODATA status back and return an error code.
1234 Using log_error is required because verify_files does not check
1235 error codes for each file but we want to terminate the process
1237 if (!rc && !c->any.sig_seen)
1239 write_status_text (STATUS_NODATA, "4");
1240 log_error (_("no signature found\n"));
1241 rc = gpg_error (GPG_ERR_NO_DATA);
1244 /* Propagate the signature seen flag upward. Do this only on success
1245 so that we won't issue the nodata status several times. */
1246 if (!rc && c->anchor && c->any.sig_seen)
1247 c->anchor->any.sig_seen = 1;
1255 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1257 CTX c = xmalloc_clear (sizeof *c);
1262 c->encrypt_only = 1;
1263 rc = do_proc_packets (c, a);
1270 check_nesting (CTX c)
1274 for (level=0; c; c = c->anchor)
1277 if (level > MAX_NESTING_DEPTH)
1279 log_error ("input data with too deeply nested packets\n");
1280 write_status_text (STATUS_UNEXPECTED, "1");
1281 return GPG_ERR_BAD_DATA;
1289 do_proc_packets (CTX c, iobuf_t a)
1296 rc = check_nesting (c);
1300 pkt = xmalloc( sizeof *pkt );
1303 while ((rc=parse_packet(a, pkt)) != -1)
1309 /* Stop processing when an invalid packet has been encountered
1310 * but don't do so when we are doing a --list-packets. */
1311 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1312 && opt.list_packets != 2 )
1317 if (opt.list_packets)
1319 switch (pkt->pkttype)
1321 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1322 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1324 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1325 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1326 default: newpkt = 0; break;
1329 else if (c->sigs_only)
1331 switch (pkt->pkttype)
1333 case PKT_PUBLIC_KEY:
1334 case PKT_SECRET_KEY:
1336 case PKT_SYMKEY_ENC:
1337 case PKT_PUBKEY_ENC:
1339 case PKT_ENCRYPTED_MDC:
1340 write_status_text( STATUS_UNEXPECTED, "0" );
1341 rc = GPG_ERR_UNEXPECTED;
1344 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1345 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1346 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1347 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1348 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1349 default: newpkt = 0; break;
1352 else if (c->encrypt_only)
1354 switch (pkt->pkttype)
1356 case PKT_PUBLIC_KEY:
1357 case PKT_SECRET_KEY:
1359 write_status_text (STATUS_UNEXPECTED, "0");
1360 rc = GPG_ERR_UNEXPECTED;
1363 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1364 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1365 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1367 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1368 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1369 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1370 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1371 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1372 default: newpkt = 0; break;
1377 switch (pkt->pkttype)
1379 case PKT_PUBLIC_KEY:
1380 case PKT_SECRET_KEY:
1382 c->list = new_kbnode (pkt);
1385 case PKT_PUBLIC_SUBKEY:
1386 case PKT_SECRET_SUBKEY:
1387 newpkt = add_subkey (c, pkt);
1389 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1390 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1391 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1392 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1394 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1395 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1396 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1397 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1398 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1399 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1400 default: newpkt = 0; break;
1407 /* This is a very ugly construct and frankly, I don't remember why
1408 * I used it. Adding the MDC check here is a hack.
1409 * The right solution is to initiate another context for encrypted
1410 * packet and not to reuse the current one ... It works right
1411 * when there is a compression packet inbetween which adds just
1413 * Hmmm: Rewrite this whole module here??
1415 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1416 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1422 pkt = xmalloc (sizeof *pkt);
1429 if (rc == GPG_ERR_INV_PACKET)
1430 write_status_text (STATUS_NODATA, "3");
1435 write_status_text (STATUS_NODATA, "2");
1443 free_md_filter_context (&c->mfx);
1448 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1449 of the notation data. */
1451 get_pka_address (PKT_signature *sig)
1453 pka_info_t *pka = NULL;
1454 struct notation *nd,*notation;
1456 notation=sig_to_notation(sig);
1458 for(nd=notation;nd;nd=nd->next)
1460 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1461 continue; /* Not the notation we want. */
1463 /* For now we only use the first valid PKA notation. In future
1464 we might want to keep additional PKA notations in a linked
1466 if (is_valid_mailbox (nd->value))
1468 pka = xmalloc (sizeof *pka + strlen(nd->value));
1472 strcpy (pka->email, nd->value);
1477 free_notation(notation);
1483 /* Return the URI from a DNS PKA record. If this record has already
1484 be retrieved for the signature we merely return it; if not we go
1485 out and try to get that DNS record. */
1487 pka_uri_from_sig (CTX c, PKT_signature *sig)
1489 if (!sig->flags.pka_tried)
1491 assert (!sig->pka_info);
1492 sig->flags.pka_tried = 1;
1493 sig->pka_info = get_pka_address (sig);
1500 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1501 &fpr, &fprlen, &url))
1503 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1505 memcpy (sig->pka_info->fpr, fpr, fprlen);
1508 sig->pka_info->valid = 1;
1512 sig->pka_info->uri = url;
1521 return sig->pka_info? sig->pka_info->uri : NULL;
1526 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1527 PKT_signature *sig, int rc)
1531 write_status_text_and_buffer (statno, keyid_str,
1532 un? un->pkt->pkt.user_id->name:"[?]",
1533 un? un->pkt->pkt.user_id->len:3,
1537 p = utf8_to_native (un->pkt->pkt.user_id->name,
1538 un->pkt->pkt.user_id->len, 0);
1540 p = xstrdup ("[?]");
1543 log_info (_("BAD signature from \"%s\""), p);
1544 else if (sig->flags.expired)
1545 log_info (_("Expired signature from \"%s\""), p);
1547 log_info (_("Good signature from \"%s\""), p);
1554 check_sig_and_print (CTX c, kbnode_t node)
1556 PKT_signature *sig = node->pkt->pkt.signature;
1561 char pkstrbuf[PUBKEY_STRING_SIZE];
1565 if (opt.skip_verify)
1567 log_info(_("signature verification suppressed\n"));
1571 /* Check that the message composition is valid.
1573 Per RFC-2440bis (-15) allowed:
1575 S{1,n} -- detached signature.
1576 S{1,n} P -- old style PGP2 signature
1577 O{1,n} P S{1,n} -- standard OpenPGP signature.
1578 C P S{1,n} -- cleartext signature.
1581 O = One-Pass Signature packet.
1582 S = Signature packet.
1583 P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1584 (Note that the current rfc2440bis draft also allows
1585 for a signed message but that does not work as it
1586 introduces ambiguities.)
1587 We keep track of these packages using the marker packet
1588 CTRLPKT_PLAINTEXT_MARK.
1589 C = Marker packet for cleartext signatures.
1591 We reject all other messages.
1593 Actually we are calling this too often, i.e. for verification of
1594 each message but better have some duplicate work than to silently
1595 introduce a bug here.
1599 int n_onepass, n_sig;
1601 /* log_debug ("checking signature packet composition\n"); */
1602 /* dump_kbnode (c->list); */
1606 if ( n->pkt->pkttype == PKT_SIGNATURE )
1608 /* This is either "S{1,n}" case (detached signature) or
1609 "S{1,n} P" (old style PGP2 signature). */
1610 for (n = n->next; n; n = n->next)
1611 if (n->pkt->pkttype != PKT_SIGNATURE)
1614 ; /* Okay, this is a detached signature. */
1615 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1616 && (n->pkt->pkt.gpg_control->control
1617 == CTRLPKT_PLAINTEXT_MARK) )
1620 goto ambiguous; /* We only allow one P packet. */
1625 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1627 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1628 for (n_onepass=1, n = n->next;
1629 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1631 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1632 && (n->pkt->pkt.gpg_control->control
1633 == CTRLPKT_PLAINTEXT_MARK)))
1635 for (n_sig=0, n = n->next;
1636 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1641 /* If we wanted to disallow multiple sig verification, we'd do
1642 something like this:
1644 if (n && !opt.allow_multisig_verification)
1647 However, now that we have --allow-multiple-messages, this
1648 can stay allowable as we can't get here unless multiple
1649 messages (i.e. multiple literals) are allowed. */
1651 if (n_onepass != n_sig)
1653 log_info ("number of one-pass packets does not match "
1654 "number of signature packets\n");
1658 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1659 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1661 /* This is the "C P S{1,n}" case (clear text signature). */
1663 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1664 && (n->pkt->pkt.gpg_control->control
1665 == CTRLPKT_PLAINTEXT_MARK)))
1667 for (n_sig=0, n = n->next;
1668 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1676 log_error(_("can't handle this ambiguous signature data\n"));
1681 write_status_text (STATUS_NEWSIG, NULL);
1683 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1684 if (keystrlen () > 8)
1686 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1687 log_info (_(" using %s key %s\n"),
1688 astr? astr: "?",keystr(sig->keyid));
1691 log_info (_("Signature made %s using %s key ID %s\n"),
1692 asctimestamp(sig->timestamp), astr? astr: "?",
1693 keystr(sig->keyid));
1695 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1697 /* If the key isn't found, check for a preferred keyserver */
1699 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1705 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1707 /* According to my favorite copy editor, in English grammar,
1708 you say "at" if the key is located on a web page, but
1709 "from" if it is located on a keyserver. I'm not going to
1710 even try to make two strings here :) */
1711 log_info(_("Key available at: ") );
1712 print_utf8_buffer (log_get_stream(), p, n);
1715 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1716 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1718 struct keyserver_spec *spec;
1720 spec = parse_preferred_keyserver (sig);
1725 glo_ctrl.in_auto_key_retrieve++;
1726 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1727 glo_ctrl.in_auto_key_retrieve--;
1729 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1730 free_keyserver_spec (spec);
1739 /* If the preferred keyserver thing above didn't work, our second
1740 try is to use the URI from a DNS PKA record. */
1741 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1742 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1743 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1745 const char *uri = pka_uri_from_sig (c, sig);
1749 /* FIXME: We might want to locate the key using the
1750 fingerprint instead of the keyid. */
1752 struct keyserver_spec *spec;
1754 spec = parse_keyserver_uri (uri, 1);
1757 glo_ctrl.in_auto_key_retrieve++;
1758 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1759 glo_ctrl.in_auto_key_retrieve--;
1760 free_keyserver_spec (spec);
1762 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1767 /* If the preferred keyserver thing above didn't work and we got
1768 no information from the DNS PKA, this is a third try. */
1770 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1772 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE))
1776 glo_ctrl.in_auto_key_retrieve++;
1777 res=keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1778 glo_ctrl.in_auto_key_retrieve--;
1780 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1783 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1785 kbnode_t un, keyblock;
1789 PKT_public_key *pk = NULL;
1792 statno = STATUS_BADSIG;
1793 else if (sig->flags.expired)
1794 statno = STATUS_EXPSIG;
1796 statno = STATUS_EXPKEYSIG;
1798 statno = STATUS_REVKEYSIG;
1800 statno = STATUS_GOODSIG;
1802 keyblock = get_pubkeyblock (sig->keyid);
1804 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1805 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1807 /* Find and print the primary user ID. */
1808 for (un=keyblock; un; un = un->next)
1812 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1814 pk=un->pkt->pkt.public_key;
1817 if (un->pkt->pkttype != PKT_USER_ID)
1819 if (!un->pkt->pkt.user_id->created)
1821 if (un->pkt->pkt.user_id->is_revoked)
1823 if (un->pkt->pkt.user_id->is_expired)
1825 if (!un->pkt->pkt.user_id->is_primary)
1827 /* We want the textual primary user ID here */
1828 if (un->pkt->pkt.user_id->attrib_data)
1833 /* Get it before we print anything to avoid interrupting the
1834 output with the "please do a --check-trustdb" line. */
1835 valid = get_validity (pk, un->pkt->pkt.user_id);
1837 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1839 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1841 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1842 log_printf (" [%s]\n",trust_value_to_string(valid));
1846 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1850 if (!count) /* Just in case that we have no valid textual userid */
1852 /* Try for an invalid textual userid */
1853 for (un=keyblock; un; un = un->next)
1855 if (un->pkt->pkttype == PKT_USER_ID
1856 && !un->pkt->pkt.user_id->attrib_data)
1860 /* Try for any userid at all */
1863 for (un=keyblock; un; un = un->next)
1865 if (un->pkt->pkttype == PKT_USER_ID)
1870 if (opt.trust_model==TM_ALWAYS || !un)
1871 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1873 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1875 if (opt.trust_model != TM_ALWAYS && un)
1876 log_printf (" %s",_("[uncertain]") );
1880 /* If we have a good signature and already printed
1881 * the primary user ID, print all the other user IDs */
1884 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1887 for( un=keyblock; un; un = un->next)
1889 if (un->pkt->pkttype != PKT_USER_ID)
1891 if ((un->pkt->pkt.user_id->is_revoked
1892 || un->pkt->pkt.user_id->is_expired)
1893 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1895 /* Only skip textual primaries */
1896 if (un->pkt->pkt.user_id->is_primary
1897 && !un->pkt->pkt.user_id->attrib_data )
1900 if (un->pkt->pkt.user_id->attrib_data)
1902 dump_attribs (un->pkt->pkt.user_id, pk);
1904 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1905 show_photos (un->pkt->pkt.user_id->attribs,
1906 un->pkt->pkt.user_id->numattribs,
1907 pk ,un->pkt->pkt.user_id);
1910 p = utf8_to_native (un->pkt->pkt.user_id->name,
1911 un->pkt->pkt.user_id->len, 0);
1912 log_info (_(" aka \"%s\""), p);
1915 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1919 if (un->pkt->pkt.user_id->is_revoked)
1920 valid = _("revoked");
1921 else if (un->pkt->pkt.user_id->is_expired)
1922 valid = _("expired");
1924 valid = (trust_value_to_string
1925 (get_validity (pk, un->pkt->pkt.user_id)));
1926 log_printf (" [%s]\n",valid);
1932 release_kbnode( keyblock );
1936 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
1937 show_policy_url (sig, 0, 1);
1939 show_policy_url (sig, 0, 2);
1941 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
1942 show_keyserver_url (sig, 0, 1);
1944 show_keyserver_url (sig, 0, 2);
1946 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
1949 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
1950 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
1952 show_notation (sig, 0, 2, 0);
1955 if (!rc && is_status_enabled ())
1957 /* Print a status response with the fingerprint. */
1958 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
1960 if (!get_pubkey (vpk, sig->keyid))
1962 byte array[MAX_FINGERPRINT_LEN], *p;
1963 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
1967 fingerprint_from_pk (vpk, array, &n);
1969 for(i=0; i < n ; i++, p++, bufp += 2)
1970 sprintf (bufp, "%02X", *p );
1971 /* TODO: Replace the reserved '0' in the field below
1972 with bits for status flags (policy url, notation,
1973 etc.). Remember to make the buffer larger to match! */
1974 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
1975 strtimestamp( sig->timestamp ),
1976 (ulong)sig->timestamp,(ulong)sig->expiredate,
1977 sig->version,sig->pubkey_algo,sig->digest_algo,
1979 bufp = bufp + strlen (bufp);
1980 if (!vpk->flags.primary)
1984 akid[0] = vpk->main_keyid[0];
1985 akid[1] = vpk->main_keyid[1];
1986 free_public_key (vpk);
1987 vpk = xmalloc_clear (sizeof *vpk);
1988 if (get_pubkey (vpk, akid))
1990 /* Impossible error, we simply return a zeroed out fpr */
1991 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
1992 memset (array, 0, n);
1995 fingerprint_from_pk( vpk, array, &n );
1998 for (i=0; i < n ; i++, p++, bufp += 2)
1999 sprintf(bufp, "%02X", *p );
2000 write_status_text (STATUS_VALIDSIG, buf);
2002 free_public_key (vpk);
2007 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2008 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2009 rc = check_signatures_trust (sig);
2012 if (sig->flags.expired)
2014 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2015 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2017 else if (sig->expiredate)
2018 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2021 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2022 sig->sig_class==0x00?_("binary"):
2023 sig->sig_class==0x01?_("textmode"):_("unknown"),
2024 gcry_md_algo_name (sig->digest_algo),
2025 *pkstrbuf?_(", key algorithm "):"",
2028 if (!rc && !c->signed_data.used)
2030 /* Signature is basically good but we test whether the
2032 gpg --verify FILE.sig
2034 gpg --verify FILE.sig FILE
2035 to verify a detached signature. If we figure out that a
2036 data file with a matching name exists, we print a warning.
2038 The problem is that the first form would also verify a
2039 standard signature. This behavior could be used to
2040 create a made up .sig file for a tarball by creating a
2041 standard signature from a valid detached signature packet
2042 (for example from a signed git tag). Then replace the
2043 sig file on the FTP server along with a changed tarball.
2044 Using the first form the verify command would correctly
2045 verify the signature but don't even consider the tarball. */
2049 dfile = get_matching_datafile (c->sigfilename);
2052 for (n = c->list; n; n = n->next)
2053 if (n->pkt->pkttype != PKT_SIGNATURE)
2057 /* Not only signature packets in the tree thus this
2058 is not a detached signature. */
2059 log_info (_("WARNING: not a detached signature; "
2060 "file '%s' was NOT verified!\n"), dfile);
2067 g10_errors_seen = 1;
2068 if (opt.batch && rc)
2075 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2076 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2077 sig->pubkey_algo, sig->digest_algo,
2078 sig->sig_class, (ulong)sig->timestamp, rc);
2079 write_status_text (STATUS_ERRSIG, buf);
2080 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2083 write_status_text (STATUS_NO_PUBKEY, buf);
2085 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2086 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2094 * Process the tree which starts at node
2097 proc_tree (CTX c, kbnode_t node)
2102 if (opt.list_packets || opt.list_only)
2105 /* We must skip our special plaintext marker packets here because
2106 they may be the root packet. These packets are only used in
2107 addional checks and skipping them here doesn't matter. */
2109 && node->pkt->pkttype == PKT_GPG_CONTROL
2110 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2117 c->trustletter = ' ';
2118 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2119 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2121 merge_keys_and_selfsig (node);
2122 list_node (c, node);
2124 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2126 merge_keys_and_selfsig (node);
2127 list_node (c, node);
2129 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2131 /* Check all signatures. */
2134 int use_textmode = 0;
2136 free_md_filter_context (&c->mfx);
2137 /* Prepare to create all requested message digests. */
2138 rc = gcry_md_open (&c->mfx.md, 0, 0);
2142 /* Fixme: why looking for the signature packet and not the
2144 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2145 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2147 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2150 /* Ask for file and hash it. */
2153 if (c->signed_data.used && c->signed_data.data_fd != -1)
2154 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2155 c->signed_data.data_fd,
2158 rc = hash_datafiles (c->mfx.md, NULL,
2159 c->signed_data.data_names,
2165 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2166 iobuf_get_real_fname (c->iobuf),
2173 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2177 else if (c->signed_data.used)
2179 log_error (_("not a detached signature\n"));
2183 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2184 check_sig_and_print (c, n1);
2187 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2188 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2190 /* Clear text signed message. */
2193 log_error ("cleartext signature without data\n");
2196 else if (c->signed_data.used)
2198 log_error (_("not a detached signature\n"));
2202 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2203 check_sig_and_print (c, n1);
2206 else if (node->pkt->pkttype == PKT_SIGNATURE)
2208 PKT_signature *sig = node->pkt->pkt.signature;
2209 int multiple_ok = 1;
2211 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2214 byte class = sig->sig_class;
2215 byte hash = sig->digest_algo;
2217 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2219 /* We can't currently handle multiple signatures of
2220 different classes or digests (we'd pretty much have
2221 to run a different hash context for each), but if
2222 they are all the same, make an exception. */
2223 if (n1->pkt->pkt.signature->sig_class != class
2224 || n1->pkt->pkt.signature->digest_algo != hash)
2227 log_info (_("WARNING: multiple signatures detected. "
2228 "Only the first will be checked.\n"));
2234 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2236 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2238 else if (!c->any.data)
2240 /* Detached signature */
2241 free_md_filter_context (&c->mfx);
2242 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2244 goto detached_hash_err;
2246 if (RFC2440 || RFC4880)
2247 ; /* Strict RFC mode. */
2248 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2249 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2250 && sig->sig_class == 0x01)
2252 /* Enable a workaround for a pgp5 bug when the detached
2253 * signature has been created in textmode. */
2254 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2256 goto detached_hash_err;
2259 /* Here we used to have another hack to work around a pgp
2260 * 2 bug: It worked by not using the textmode for detached
2261 * signatures; this would let the first signature check
2262 * (on md) fail but the second one (on md2), which adds an
2263 * extra CR would then have produced the "correct" hash.
2264 * This is very, very ugly hack but it may haved help in
2265 * some cases (and break others).
2266 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2271 gcry_md_debug (c->mfx.md, "verify");
2273 gcry_md_debug (c->mfx.md2, "verify2");
2278 if (c->signed_data.used && c->signed_data.data_fd != -1)
2279 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2280 c->signed_data.data_fd,
2281 (sig->sig_class == 0x01));
2283 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2284 c->signed_data.data_names,
2286 (sig->sig_class == 0x01));
2290 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2291 iobuf_get_real_fname(c->iobuf),
2292 (sig->sig_class == 0x01));
2298 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2302 else if (c->signed_data.used)
2304 log_error (_("not a detached signature\n"));
2307 else if (!opt.quiet)
2308 log_info (_("old style (PGP 2.x) signature\n"));
2312 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2313 check_sig_and_print (c, n1);
2316 check_sig_and_print (c, node);
2321 dump_kbnode (c->list);
2322 log_error ("invalid root packet detected in proc_tree()\n");