1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
28 #include "../common/util.h"
30 #include "../common/iobuf.h"
35 #include "../common/status.h"
36 #include "../common/i18n.h"
38 #include "keyserver-internal.h"
40 #include "../common/mbox-util.h"
41 #include "call-dirmngr.h"
43 /* Put an upper limit on nested packets. The 32 is an arbitrary
44 value, a much lower should actually be sufficient. */
45 #define MAX_NESTING_DEPTH 32
48 /* An object to build a list of keyid related info. */
51 struct kidlist_item *next;
59 * Object to hold the processing context.
61 typedef struct mainproc_context *CTX;
62 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_user_id *last_user_id;
68 md_filter_context_t mfx;
69 int sigs_only; /* Process only signatures and reject all other stuff. */
70 int encrypt_only; /* Process only encryption messages. */
72 /* Name of the file with the complete signature or the file with the
73 detached signature. This is currently only used to deduce the
74 file name of the data file if that has not been given. */
75 const char *sigfilename;
77 /* A structure to describe the signed data in case of a detached
81 /* A file descriptor of the signed data. Only used if not -1. */
83 /* A list of filenames with the data files or NULL. This is only
84 used if DATA_FD is -1. */
86 /* Flag to indicated that either one of the next previous fields
87 is used. This is only needed for better readability. */
92 int last_was_session_key;
93 kbnode_t list; /* The current list of packets. */
94 iobuf_t iobuf; /* Used to get the filename etc. */
95 int trustletter; /* Temporary usage in list_node. */
97 struct kidlist_item *pkenc_list; /* List of encryption packets. */
99 unsigned int sig_seen:1; /* Set to true if a signature packet
101 unsigned int data:1; /* Any data packet seen */
102 unsigned int uncompress_failed:1;
107 /*** Local prototypes. ***/
108 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
109 static void list_node (CTX c, kbnode_t node);
110 static void proc_tree (CTX c, kbnode_t node);
111 static int literals_seen;
118 reset_literals_seen(void)
125 release_list( CTX c )
127 proc_tree (c, c->list);
128 release_kbnode (c->list);
129 while (c->pkenc_list)
131 struct kidlist_item *tmp = c->pkenc_list->next;
132 xfree (c->pkenc_list);
135 c->pkenc_list = NULL;
138 c->any.uncompress_failed = 0;
139 c->last_was_session_key = 0;
146 add_onepass_sig (CTX c, PACKET *pkt)
150 if (c->list) /* Add another packet. */
151 add_kbnode (c->list, new_kbnode (pkt));
152 else /* Insert the first one. */
153 c->list = node = new_kbnode (pkt);
160 add_gpg_control (CTX c, PACKET *pkt)
162 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
164 /* New clear text signature.
165 * Process the last one and reset everything */
169 if (c->list) /* Add another packet. */
170 add_kbnode (c->list, new_kbnode (pkt));
171 else /* Insert the first one. */
172 c->list = new_kbnode (pkt);
179 add_user_id (CTX c, PACKET *pkt)
183 log_error ("orphaned user ID\n");
186 add_kbnode (c->list, new_kbnode (pkt));
192 add_subkey (CTX c, PACKET *pkt)
196 log_error ("subkey w/o mainkey\n");
199 add_kbnode (c->list, new_kbnode (pkt));
205 add_ring_trust (CTX c, PACKET *pkt)
209 log_error ("ring trust w/o key\n");
212 add_kbnode (c->list, new_kbnode (pkt));
218 add_signature (CTX c, PACKET *pkt)
223 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
225 /* This is the first signature for the following datafile.
226 * GPG does not write such packets; instead it always uses
227 * onepass-sig packets. The drawback of PGP's method
228 * of prepending the signature to the data is
229 * that it is not possible to make a signature from data read
230 * from stdin. (GPG is able to read PGP stuff anyway.) */
231 node = new_kbnode (pkt);
236 return 0; /* oops (invalid packet sequence)*/
237 else if (!c->list->pkt)
238 BUG(); /* so nicht */
240 /* Add a new signature node item at the end. */
241 node = new_kbnode (pkt);
242 add_kbnode (c->list, node);
248 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
252 if(slen < 17 || slen > 33)
254 log_error ( _("weird size for an encrypted session key (%d)\n"),
256 return GPG_ERR_BAD_KEY;
259 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
261 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
263 gcry_cipher_setiv ( hd, NULL, 0 );
264 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
265 gcry_cipher_close ( hd );
267 /* Now we replace the dek components with the real session key to
268 decrypt the contents of the sequencing packet. */
273 if(dek->keylen > DIM(dek->key))
276 memcpy(dek->key, seskey + 1, dek->keylen);
278 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
285 proc_symkey_enc (CTX c, PACKET *pkt)
289 enc = pkt->pkt.symkey_enc;
291 log_error ("invalid symkey encrypted packet\n");
294 int algo = enc->cipher_algo;
295 const char *s = openpgp_cipher_algo_name (algo);
297 if (!openpgp_cipher_test_algo (algo))
302 log_info (_("%s encrypted session key\n"), s );
304 log_info (_("%s encrypted data\n"), s );
308 log_error (_("encrypted with unknown algorithm %d\n"), algo);
310 if (openpgp_md_test_algo (enc->s2k.hash_algo))
312 log_error(_("passphrase generated with unknown digest"
313 " algorithm %d\n"),enc->s2k.hash_algo);
317 c->last_was_session_key = 2;
318 if (!s || opt.list_only)
321 if (opt.override_session_key)
323 c->dek = xmalloc_clear (sizeof *c->dek);
324 if (get_override_session_key (c->dek, opt.override_session_key))
332 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
335 c->dek->symmetric = 1;
337 /* FIXME: This doesn't work perfectly if a symmetric key
338 comes before a public key in the message - if the
339 user doesn't know the passphrase, then there is a
340 chance that the "decrypted" algorithm will happen to
341 be a valid one, which will make the returned dek
342 appear valid, so we won't try any public keys that
346 if (symkey_decrypt_seskey (c->dek,
347 enc->seskey, enc->seskeylen))
354 c->dek->algo_info_printed = 1;
361 free_packet (pkt, NULL);
366 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
371 /* Check whether the secret key is available and store in this case. */
372 c->last_was_session_key = 1;
373 enc = pkt->pkt.pubkey_enc;
374 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
375 /* Hmmm: why do I have this algo check here - anyway there is
376 * function to check it. */
378 log_info (_("public key is %s\n"), keystr (enc->keyid));
380 if (is_status_enabled())
383 /* FIXME: For ECC support we need to map the OpenPGP algo number
384 to the Libgcrypt defined one. This is due a chicken-egg
385 problem: We need to have code in Libgcrypt for a new
386 algorithm so to implement a proposed new algorithm before the
387 IANA will finally assign an OpenPGP identifier. */
388 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
389 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
390 write_status_text (STATUS_ENC_TO, buf);
393 if (!opt.list_only && opt.override_session_key)
395 /* It does not make much sense to store the session key in
396 * secure memory because it has already been passed on the
397 * command line and the GCHQ knows about it. */
398 c->dek = xmalloc_clear (sizeof *c->dek);
399 result = get_override_session_key (c->dek, opt.override_session_key);
406 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
407 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
408 || enc->pubkey_algo == PUBKEY_ALGO_RSA
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
412 /* Note that we also allow type 20 Elgamal keys for decryption.
413 There are still a couple of those keys in active use as a
416 /* FIXME: Store this all in a list and process it later so that
417 we can prioritize what key to use. This gives a better user
418 experience if wildcard keyids are used. */
419 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
420 || opt.try_all_secrets
421 || have_secret_key_with_kid (enc->keyid)))
427 c->dek = xmalloc_secure_clear (sizeof *c->dek);
428 if ((result = get_session_key (ctrl, enc, c->dek)))
430 /* Error: Delete the DEK. */
437 result = GPG_ERR_NO_SECKEY;
440 result = GPG_ERR_PUBKEY_ALGO;
446 /* Store it for later display. */
447 struct kidlist_item *x = xmalloc (sizeof *x);
448 x->kid[0] = enc->keyid[0];
449 x->kid[1] = enc->keyid[1];
450 x->pubkey_algo = enc->pubkey_algo;
452 x->next = c->pkenc_list;
455 if (!result && opt.verbose > 1)
456 log_info (_("public key encrypted data: good DEK\n"));
459 free_packet(pkt, NULL);
464 * Print the list of public key encrypted packets which we could
468 print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
470 for (; list; list = list->next)
475 if (failed && !list->reason)
477 if (!failed && list->reason)
480 algstr = openpgp_pk_algo_name (list->pubkey_algo);
481 pk = xmalloc_clear (sizeof *pk);
485 pk->pubkey_algo = list->pubkey_algo;
486 if (!get_pubkey (ctrl, pk, list->kid))
489 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
490 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
491 strtimestamp (pk->timestamp));
492 p = get_user_id_native (ctrl, list->kid);
493 log_printf (_(" \"%s\"\n"), p);
497 log_info (_("encrypted with %s key, ID %s\n"),
498 algstr, keystr(list->kid));
500 free_public_key (pk);
502 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
504 if (is_status_enabled())
507 snprintf (buf, sizeof buf, "%08lX%08lX",
508 (ulong)list->kid[0], (ulong)list->kid[1]);
509 write_status_text (STATUS_NO_SECKEY, buf);
512 else if (list->reason)
514 log_info (_("public key decryption failed: %s\n"),
515 gpg_strerror (list->reason));
516 write_status_error ("pkdecrypt_failed", list->reason);
523 proc_encrypted (CTX c, PACKET *pkt)
530 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
531 else if (c->symkeys == 1)
532 log_info (_("encrypted with 1 passphrase\n"));
533 print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
534 print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
537 /* FIXME: Figure out the session key by looking at all pkenc packets. */
539 write_status (STATUS_BEGIN_DECRYPTION);
541 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
544 else if (!c->dek && !c->last_was_session_key)
548 STRING2KEY *s2k = NULL;
551 if (opt.override_session_key)
553 c->dek = xmalloc_clear (sizeof *c->dek);
554 result = get_override_session_key (c->dek, opt.override_session_key);
563 /* Assume this is old style conventional encrypted data. */
564 algo = opt.def_cipher_algo;
566 log_info (_("assuming %s encrypted data\n"),
567 openpgp_cipher_algo_name (algo));
568 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
570 algo = opt.def_cipher_algo;
572 algo = opt.s2k_cipher_algo;
573 log_info (_("IDEA cipher unavailable, "
574 "optimistically attempting to use %s instead\n"),
575 openpgp_cipher_algo_name (algo));
579 algo = CIPHER_ALGO_IDEA;
580 if (!opt.s2k_digest_algo)
582 /* If no digest is given we assume SHA-1. */
584 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
587 log_info (_("assuming %s encrypted data\n"), "IDEA");
590 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
592 c->dek->algo_info_printed = 1;
594 result = gpg_error (GPG_ERR_CANCELED);
596 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
600 result = GPG_ERR_NO_SECKEY;
603 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
608 && !opt.ignore_mdc_error
609 && !pkt->pkt.encrypted->mdc_method
610 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
611 && c->dek->algo != CIPHER_ALGO_TWOFISH)
613 /* The message has been decrypted but has no MDC despite that a
614 modern cipher (blocklength != 64 bit, except for Twofish) is
615 used and the option to ignore MDC errors is not used: To
616 avoid attacks changing an MDC message to a non-MDC message,
618 log_error (_("WARNING: message was not integrity protected\n"));
620 log_info ("decryption forced to fail\n");
621 write_status (STATUS_DECRYPTION_FAILED);
623 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
624 && opt.ignore_mdc_error))
626 write_status (STATUS_DECRYPTION_OKAY);
628 log_info(_("decryption okay\n"));
629 if (pkt->pkt.encrypted->mdc_method && !result)
630 write_status (STATUS_GOODMDC);
631 else if (!opt.no_mdc_warn)
632 log_info (_("WARNING: message was not integrity protected\n"));
634 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
636 glo_ctrl.lasterr = result;
637 log_error (_("WARNING: encrypted message has been manipulated!\n"));
638 write_status (STATUS_BADMDC);
639 write_status (STATUS_DECRYPTION_FAILED);
643 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
644 && *c->dek->s2k_cacheid != '\0')
647 log_debug ("cleared passphrase cached with ID: %s\n",
648 c->dek->s2k_cacheid);
649 passphrase_clear_cache (c->dek->s2k_cacheid);
651 glo_ctrl.lasterr = result;
652 write_status (STATUS_DECRYPTION_FAILED);
653 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
654 /* Hmmm: does this work when we have encrypted using multiple
655 * ways to specify the session key (symmmetric and PK). */
660 free_packet (pkt, NULL);
661 c->last_was_session_key = 0;
662 write_status (STATUS_END_DECRYPTION);
667 proc_plaintext( CTX c, PACKET *pkt )
669 PKT_plaintext *pt = pkt->pkt.plaintext;
670 int any, clearsig, rc;
675 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
676 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
677 else if (opt.verbose)
678 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
680 free_md_filter_context (&c->mfx);
681 if (gcry_md_open (&c->mfx.md, 0, 0))
683 /* fixme: we may need to push the textfilter if we have sigclass 1
684 * and no armoring - Not yet tested
685 * Hmmm, why don't we need it at all if we have sigclass 1
686 * Should we assume that plaintext in mode 't' has always sigclass 1??
687 * See: Russ Allbery's mail 1999-02-09
690 for (n=c->list; n; n = n->next )
692 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
694 /* The onepass signature case. */
695 if (n->pkt->pkt.onepass_sig->digest_algo)
697 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
701 else if (n->pkt->pkttype == PKT_GPG_CONTROL
702 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
704 /* The clearsigned message case. */
705 size_t datalen = n->pkt->pkt.gpg_control->datalen;
706 const byte *data = n->pkt->pkt.gpg_control->data;
708 /* Check that we have at least the sigclass and one hash. */
710 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
711 /* Note that we don't set the clearsig flag for not-dash-escaped
713 clearsig = (*data == 0x01);
714 for (data++, datalen--; datalen; datalen--, data++)
715 gcry_md_enable (c->mfx.md, *data);
717 break; /* Stop here as one-pass signature packets are not
720 else if (n->pkt->pkttype == PKT_SIGNATURE)
722 /* The SIG+LITERAL case that PGP used to use. */
723 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
728 if (!any && !opt.skip_verify)
730 /* This is for the old GPG LITERAL+SIG case. It's not legal
731 according to 2440, so hopefully it won't come up that often.
732 There is no good way to specify what algorithms to use in
733 that case, so these there are the historical answer. */
734 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
735 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
739 gcry_md_debug (c->mfx.md, "verify");
741 gcry_md_debug (c->mfx.md2, "verify2");
746 if (literals_seen > 1)
748 log_info (_("WARNING: multiple plaintexts seen\n"));
750 if (!opt.flags.allow_multiple_messages)
752 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
753 log_inc_errorcount ();
754 rc = gpg_error (GPG_ERR_UNEXPECTED);
760 /* It we are in --verify mode, we do not want to output the
761 * signed text. However, if --output is also used we do what
762 * has been requested and write out the signed data. */
763 rc = handle_plaintext (pt, &c->mfx,
764 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
766 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
768 /* Can't write output but we hash it anyway to check the
770 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
775 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
777 free_packet (pkt, NULL);
778 c->last_was_session_key = 0;
780 /* We add a marker control packet instead of the plaintext packet.
781 * This is so that we can later detect invalid packet sequences. */
782 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
784 add_kbnode (c->list, n);
791 proc_compressed_cb (iobuf_t a, void *info)
793 if ( ((CTX)info)->signed_data.used
794 && ((CTX)info)->signed_data.data_fd != -1)
795 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
796 ((CTX)info)->signed_data.data_fd);
798 return proc_signature_packets (((CTX)info)->ctrl, info, a,
799 ((CTX)info)->signed_data.data_names,
800 ((CTX)info)->sigfilename );
805 proc_encrypt_cb (iobuf_t a, void *info )
808 return proc_encryption_packets (c->ctrl, info, a );
813 proc_compressed (CTX c, PACKET *pkt)
815 PKT_compressed *zd = pkt->pkt.compressed;
818 /*printf("zip: compressed data packet\n");*/
820 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
821 else if( c->encrypt_only )
822 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
824 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
826 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
828 if (!c->any.uncompress_failed)
832 for (cc=c; cc; cc = cc->anchor)
833 cc->any.uncompress_failed = 1;
834 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
838 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
840 free_packet (pkt, NULL);
841 c->last_was_session_key = 0;
847 * Check the signature. If R_PK is not NULL a copy of the public key
848 * used to verify the signature will be stored tehre, or NULL if not
849 * found. Returns: 0 = valid signature or an error code
852 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
853 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
856 gcry_md_hd_t md = NULL;
857 gcry_md_hd_t md2 = NULL;
858 gcry_md_hd_t md_good = NULL;
864 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
867 sig = node->pkt->pkt.signature;
869 algo = sig->digest_algo;
870 rc = openpgp_md_test_algo (algo);
874 if (sig->sig_class == 0x00)
878 if (gcry_md_copy (&md, c->mfx.md ))
881 else /* detached signature */
883 /* check_signature() will enable the md. */
884 if (gcry_md_open (&md, 0, 0 ))
888 else if (sig->sig_class == 0x01)
890 /* How do we know that we have to hash the (already hashed) text
891 in canonical mode ??? (calculating both modes???) */
894 if (gcry_md_copy (&md, c->mfx.md ))
896 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
899 else /* detached signature */
901 log_debug ("Do we really need this here?");
902 /* check_signature() will enable the md*/
903 if (gcry_md_open (&md, 0, 0 ))
905 if (gcry_md_open (&md2, 0, 0 ))
909 else if ((sig->sig_class&~3) == 0x10
910 || sig->sig_class == 0x18
911 || sig->sig_class == 0x1f
912 || sig->sig_class == 0x20
913 || sig->sig_class == 0x28
914 || sig->sig_class == 0x30)
916 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
917 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
919 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
921 else if (sig->sig_class == 0x20)
923 log_error (_("standalone revocation - "
924 "use \"gpg --import\" to apply\n"));
925 return GPG_ERR_NOT_PROCESSED;
929 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
930 return GPG_ERR_SIG_CLASS;
934 return GPG_ERR_SIG_CLASS;
936 /* We only get here if we are checking the signature of a binary
937 (0x00) or text document (0x01). */
938 rc = check_signature2 (c->ctrl, sig, md, NULL, is_expkey, is_revkey, r_pk);
941 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
945 rc = check_signature2 (c->ctrl, sig, md2, NULL, is_expkey, is_revkey,
952 free_public_key (*r_pk);
960 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
961 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
962 memcpy (sig->digest, buffer, sig->digest_len);
973 print_userid (PACKET *pkt)
978 if (pkt->pkttype != PKT_USER_ID)
980 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
985 if (pkt->pkt.user_id->attrib_data)
987 pkt->pkt.user_id->numattribs,
988 pkt->pkt.user_id->attrib_len);
990 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
991 pkt->pkt.user_id->len, ":", NULL);
994 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
995 pkt->pkt.user_id->len );
1000 * List the keyblock in a user friendly way
1003 list_node (CTX c, kbnode_t node)
1007 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1008 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1010 PKT_public_key *pk = node->pkt->pkt.public_key;
1012 if (opt.with_colons)
1016 keyid_from_pk( pk, keyid );
1017 if (pk->flags.primary)
1018 c->trustletter = (opt.fast_list_mode
1022 node->pkt->pkttype == PKT_PUBLIC_KEY
1025 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1027 es_putc (c->trustletter, es_stdout);
1028 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1029 nbits_from_pk( pk ),
1031 (ulong)keyid[0],(ulong)keyid[1],
1032 colon_datestr_from_pk( pk ),
1033 colon_strtime (pk->expiredate) );
1034 if (pk->flags.primary && !opt.fast_list_mode)
1035 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1036 es_putc (':', es_stdout);
1037 es_putc ('\n', es_stdout);
1041 print_key_line (c->ctrl, es_stdout, pk, 0);
1044 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1045 ; /* Already printed. */
1046 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1047 print_fingerprint (c->ctrl, NULL, pk, 0);
1049 if (pk->flags.primary)
1051 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1053 /* Now list all userids with their signatures. */
1054 for (node = node->next; node; node = node->next)
1056 if (node->pkt->pkttype == PKT_SIGNATURE)
1058 list_node (c, node );
1060 else if (node->pkt->pkttype == PKT_USER_ID)
1062 if (opt.with_colons)
1063 es_printf ("%s:::::::::",
1064 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1066 es_printf ("uid%*s",
1067 kl + (opt.legacy_list_mode? 9:11),
1069 print_userid (node->pkt);
1070 if (opt.with_colons)
1071 es_putc (':', es_stdout);
1072 es_putc ('\n', es_stdout);
1074 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1076 list_node(c, node );
1081 else if (node->pkt->pkttype == PKT_SECRET_KEY
1082 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1085 log_debug ("FIXME: No way to print secret key packets here\n");
1086 /* fixme: We may use a function to turn a secret key packet into
1087 a public key one and use that here. */
1089 else if (node->pkt->pkttype == PKT_SIGNATURE)
1091 PKT_signature *sig = node->pkt->pkt.signature;
1101 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1102 es_fputs ("rev", es_stdout);
1104 es_fputs ("sig", es_stdout);
1108 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
1109 switch (gpg_err_code (rc2))
1111 case 0: sigrc = '!'; break;
1112 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1113 case GPG_ERR_NO_PUBKEY:
1114 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1115 default: sigrc = '%'; break;
1118 else /* Check whether this is a self signature. */
1122 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1123 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1125 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1127 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1132 if (opt.with_colons)
1134 es_putc (':', es_stdout);
1136 es_putc (sigrc, es_stdout);
1137 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1138 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1139 colon_datestr_from_sig (sig),
1140 colon_expirestr_from_sig (sig));
1142 if (sig->trust_depth || sig->trust_value)
1143 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1144 es_putc (':', es_stdout);
1146 if (sig->trust_regexp)
1147 es_write_sanitized (es_stdout, sig->trust_regexp,
1148 strlen (sig->trust_regexp), ":", NULL);
1149 es_putc (':', es_stdout);
1152 es_printf ("%c %s %s ",
1153 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1155 es_printf ("[%s] ", gpg_strerror (rc2) );
1156 else if (sigrc == '?')
1158 else if (is_selfsig)
1160 if (opt.with_colons)
1161 es_putc (':', es_stdout);
1162 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1163 if (opt.with_colons)
1164 es_putc (':', es_stdout);
1166 else if (!opt.fast_list_mode)
1168 p = get_user_id (c->ctrl, sig->keyid, &n);
1169 es_write_sanitized (es_stdout, p, n,
1170 opt.with_colons?":":NULL, NULL );
1173 if (opt.with_colons)
1174 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1175 es_putc ('\n', es_stdout);
1178 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1183 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1186 CTX c = xmalloc_clear (sizeof *c);
1190 rc = do_proc_packets (ctrl, c, a);
1198 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1199 strlist_t signedfiles, const char *sigfilename )
1201 CTX c = xmalloc_clear (sizeof *c);
1208 c->signed_data.data_fd = -1;
1209 c->signed_data.data_names = signedfiles;
1210 c->signed_data.used = !!signedfiles;
1212 c->sigfilename = sigfilename;
1213 rc = do_proc_packets (ctrl, c, a);
1215 /* If we have not encountered any signature we print an error
1216 messages, send a NODATA status back and return an error code.
1217 Using log_error is required because verify_files does not check
1218 error codes for each file but we want to terminate the process
1220 if (!rc && !c->any.sig_seen)
1222 write_status_text (STATUS_NODATA, "4");
1223 log_error (_("no signature found\n"));
1224 rc = GPG_ERR_NO_DATA;
1227 /* Propagate the signature seen flag upward. Do this only on success
1228 so that we won't issue the nodata status several times. */
1229 if (!rc && c->anchor && c->any.sig_seen)
1230 c->anchor->any.sig_seen = 1;
1238 proc_signature_packets_by_fd (ctrl_t ctrl,
1239 void *anchor, iobuf_t a, int signed_data_fd )
1244 c = xtrycalloc (1, sizeof *c);
1246 return gpg_error_from_syserror ();
1252 c->signed_data.data_fd = signed_data_fd;
1253 c->signed_data.data_names = NULL;
1254 c->signed_data.used = (signed_data_fd != -1);
1256 rc = do_proc_packets (ctrl, c, a);
1258 /* If we have not encountered any signature we print an error
1259 messages, send a NODATA status back and return an error code.
1260 Using log_error is required because verify_files does not check
1261 error codes for each file but we want to terminate the process
1263 if (!rc && !c->any.sig_seen)
1265 write_status_text (STATUS_NODATA, "4");
1266 log_error (_("no signature found\n"));
1267 rc = gpg_error (GPG_ERR_NO_DATA);
1270 /* Propagate the signature seen flag upward. Do this only on success
1271 so that we won't issue the nodata status several times. */
1272 if (!rc && c->anchor && c->any.sig_seen)
1273 c->anchor->any.sig_seen = 1;
1281 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1283 CTX c = xmalloc_clear (sizeof *c);
1288 c->encrypt_only = 1;
1289 rc = do_proc_packets (ctrl, c, a);
1296 check_nesting (CTX c)
1300 for (level=0; c; c = c->anchor)
1303 if (level > MAX_NESTING_DEPTH)
1305 log_error ("input data with too deeply nested packets\n");
1306 write_status_text (STATUS_UNEXPECTED, "1");
1307 return GPG_ERR_BAD_DATA;
1315 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1318 struct parse_packet_ctx_s parsectx;
1323 rc = check_nesting (c);
1327 pkt = xmalloc( sizeof *pkt );
1330 init_parse_packet (&parsectx, a);
1331 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1336 free_packet (pkt, &parsectx);
1337 /* Stop processing when an invalid packet has been encountered
1338 * but don't do so when we are doing a --list-packets. */
1339 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1340 && opt.list_packets == 0)
1345 if (opt.list_packets)
1347 switch (pkt->pkttype)
1349 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1350 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1352 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1353 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1354 default: newpkt = 0; break;
1357 else if (c->sigs_only)
1359 switch (pkt->pkttype)
1361 case PKT_PUBLIC_KEY:
1362 case PKT_SECRET_KEY:
1364 case PKT_SYMKEY_ENC:
1365 case PKT_PUBKEY_ENC:
1367 case PKT_ENCRYPTED_MDC:
1368 write_status_text( STATUS_UNEXPECTED, "0" );
1369 rc = GPG_ERR_UNEXPECTED;
1372 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1373 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1374 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1375 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1376 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1377 default: newpkt = 0; break;
1380 else if (c->encrypt_only)
1382 switch (pkt->pkttype)
1384 case PKT_PUBLIC_KEY:
1385 case PKT_SECRET_KEY:
1387 write_status_text (STATUS_UNEXPECTED, "0");
1388 rc = GPG_ERR_UNEXPECTED;
1391 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1392 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1393 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1395 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1396 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1397 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1398 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1399 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1400 default: newpkt = 0; break;
1405 switch (pkt->pkttype)
1407 case PKT_PUBLIC_KEY:
1408 case PKT_SECRET_KEY:
1410 c->list = new_kbnode (pkt);
1413 case PKT_PUBLIC_SUBKEY:
1414 case PKT_SECRET_SUBKEY:
1415 newpkt = add_subkey (c, pkt);
1417 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1418 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1419 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1420 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1422 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1423 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1424 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1425 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1426 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1427 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1428 default: newpkt = 0; break;
1435 /* This is a very ugly construct and frankly, I don't remember why
1436 * I used it. Adding the MDC check here is a hack.
1437 * The right solution is to initiate another context for encrypted
1438 * packet and not to reuse the current one ... It works right
1439 * when there is a compression packet between which adds just
1441 * Hmmm: Rewrite this whole module here??
1443 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1444 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1450 pkt = xmalloc (sizeof *pkt);
1454 free_packet (pkt, &parsectx);
1457 if (rc == GPG_ERR_INV_PACKET)
1458 write_status_text (STATUS_NODATA, "3");
1463 write_status_text (STATUS_NODATA, "2");
1469 free_packet (pkt, &parsectx);
1470 deinit_parse_packet (&parsectx);
1472 free_md_filter_context (&c->mfx);
1477 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1478 of the notation data. */
1480 get_pka_address (PKT_signature *sig)
1482 pka_info_t *pka = NULL;
1483 struct notation *nd,*notation;
1485 notation=sig_to_notation(sig);
1487 for(nd=notation;nd;nd=nd->next)
1489 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1490 continue; /* Not the notation we want. */
1492 /* For now we only use the first valid PKA notation. In future
1493 we might want to keep additional PKA notations in a linked
1495 if (is_valid_mailbox (nd->value))
1497 pka = xmalloc (sizeof *pka + strlen(nd->value));
1501 strcpy (pka->email, nd->value);
1506 free_notation(notation);
1512 /* Return the URI from a DNS PKA record. If this record has already
1513 be retrieved for the signature we merely return it; if not we go
1514 out and try to get that DNS record. */
1516 pka_uri_from_sig (CTX c, PKT_signature *sig)
1518 if (!sig->flags.pka_tried)
1520 log_assert (!sig->pka_info);
1521 sig->flags.pka_tried = 1;
1522 sig->pka_info = get_pka_address (sig);
1529 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1530 &fpr, &fprlen, &url))
1532 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1534 memcpy (sig->pka_info->fpr, fpr, fprlen);
1537 sig->pka_info->valid = 1;
1541 sig->pka_info->uri = url;
1550 return sig->pka_info? sig->pka_info->uri : NULL;
1554 /* Return true if the AKL has the WKD method specified. */
1556 akl_has_wkd_method (void)
1560 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1561 if (akl->type == AKL_WKD)
1567 /* Return the ISSUER fingerprint string in human readbale format if
1568 * available. Caller must release the string. */
1570 issuer_fpr_string (PKT_signature *sig)
1575 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1576 if (p && n == 21 && p[0] == 4)
1577 return bin2hex (p+1, n-1, NULL);
1583 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1584 PKT_signature *sig, int rc)
1588 write_status_text_and_buffer (statno, keyid_str,
1589 un? un->pkt->pkt.user_id->name:"[?]",
1590 un? un->pkt->pkt.user_id->len:3,
1594 p = utf8_to_native (un->pkt->pkt.user_id->name,
1595 un->pkt->pkt.user_id->len, 0);
1597 p = xstrdup ("[?]");
1600 log_info (_("BAD signature from \"%s\""), p);
1601 else if (sig->flags.expired)
1602 log_info (_("Expired signature from \"%s\""), p);
1604 log_info (_("Good signature from \"%s\""), p);
1611 check_sig_and_print (CTX c, kbnode_t node)
1613 PKT_signature *sig = node->pkt->pkt.signature;
1619 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1621 if (opt.skip_verify)
1623 log_info(_("signature verification suppressed\n"));
1627 /* Check that the message composition is valid.
1629 * Per RFC-2440bis (-15) allowed:
1631 * S{1,n} -- detached signature.
1632 * S{1,n} P -- old style PGP2 signature
1633 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1634 * C P S{1,n} -- cleartext signature.
1637 * O = One-Pass Signature packet.
1638 * S = Signature packet.
1639 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1640 * (Note that the current rfc2440bis draft also allows
1641 * for a signed message but that does not work as it
1642 * introduces ambiguities.)
1643 * We keep track of these packages using the marker packet
1644 * CTRLPKT_PLAINTEXT_MARK.
1645 * C = Marker packet for cleartext signatures.
1647 * We reject all other messages.
1649 * Actually we are calling this too often, i.e. for verification of
1650 * each message but better have some duplicate work than to silently
1651 * introduce a bug here.
1655 int n_onepass, n_sig;
1657 /* log_debug ("checking signature packet composition\n"); */
1658 /* dump_kbnode (c->list); */
1662 if ( n->pkt->pkttype == PKT_SIGNATURE )
1664 /* This is either "S{1,n}" case (detached signature) or
1665 "S{1,n} P" (old style PGP2 signature). */
1666 for (n = n->next; n; n = n->next)
1667 if (n->pkt->pkttype != PKT_SIGNATURE)
1670 ; /* Okay, this is a detached signature. */
1671 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1672 && (n->pkt->pkt.gpg_control->control
1673 == CTRLPKT_PLAINTEXT_MARK) )
1676 goto ambiguous; /* We only allow one P packet. */
1681 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1683 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1684 for (n_onepass=1, n = n->next;
1685 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1687 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1688 && (n->pkt->pkt.gpg_control->control
1689 == CTRLPKT_PLAINTEXT_MARK)))
1691 for (n_sig=0, n = n->next;
1692 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1697 /* If we wanted to disallow multiple sig verification, we'd do
1698 something like this:
1700 if (n && !opt.allow_multisig_verification)
1703 However, now that we have --allow-multiple-messages, this
1704 can stay allowable as we can't get here unless multiple
1705 messages (i.e. multiple literals) are allowed. */
1707 if (n_onepass != n_sig)
1709 log_info ("number of one-pass packets does not match "
1710 "number of signature packets\n");
1714 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1715 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1717 /* This is the "C P S{1,n}" case (clear text signature). */
1719 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1720 && (n->pkt->pkt.gpg_control->control
1721 == CTRLPKT_PLAINTEXT_MARK)))
1723 for (n_sig=0, n = n->next;
1724 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1732 log_error(_("can't handle this ambiguous signature data\n"));
1737 if (sig->signers_uid)
1738 write_status_buffer (STATUS_NEWSIG,
1739 sig->signers_uid, strlen (sig->signers_uid), 0);
1741 write_status_text (STATUS_NEWSIG, NULL);
1743 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1744 if ((issuer_fpr = issuer_fpr_string (sig)))
1746 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1747 log_info (_(" using %s key %s\n"),
1748 astr? astr: "?", issuer_fpr);
1752 else if (!keystrlen () || keystrlen () > 8)
1754 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1755 log_info (_(" using %s key %s\n"),
1756 astr? astr: "?", keystr(sig->keyid));
1758 else /* Legacy format. */
1759 log_info (_("Signature made %s using %s key ID %s\n"),
1760 asctimestamp(sig->timestamp), astr? astr: "?",
1761 keystr(sig->keyid));
1763 /* In verbose mode print the signers UID. */
1764 if (sig->signers_uid)
1765 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1767 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1769 /* If the key isn't found, check for a preferred keyserver. */
1770 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1776 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1778 /* According to my favorite copy editor, in English grammar,
1779 you say "at" if the key is located on a web page, but
1780 "from" if it is located on a keyserver. I'm not going to
1781 even try to make two strings here :) */
1782 log_info(_("Key available at: ") );
1783 print_utf8_buffer (log_get_stream(), p, n);
1786 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1787 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1789 struct keyserver_spec *spec;
1791 spec = parse_preferred_keyserver (sig);
1796 free_public_key (pk);
1798 glo_ctrl.in_auto_key_retrieve++;
1799 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
1800 glo_ctrl.in_auto_key_retrieve--;
1802 rc = do_check_sig (c, node, NULL,
1803 &is_expkey, &is_revkey, &pk);
1804 free_keyserver_spec (spec);
1813 /* If the avove methods didn't work, our next try is to use the URI
1814 * from a DNS PKA record. */
1815 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1816 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1817 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1819 const char *uri = pka_uri_from_sig (c, sig);
1823 /* FIXME: We might want to locate the key using the
1824 fingerprint instead of the keyid. */
1826 struct keyserver_spec *spec;
1828 spec = parse_keyserver_uri (uri, 1);
1831 free_public_key (pk);
1833 glo_ctrl.in_auto_key_retrieve++;
1834 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
1835 glo_ctrl.in_auto_key_retrieve--;
1836 free_keyserver_spec (spec);
1838 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1843 /* If the above methods didn't work, our next try is to locate
1844 * the key via its fingerprint from a keyserver. This requires
1845 * that the signers fingerprint is encoded in the signature. We
1846 * favor this over the WKD method (to be tried next), because an
1847 * arbitrary keyserver is less subject to web bug like monitoring. */
1848 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1849 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1850 && keyserver_any_configured (c->ctrl))
1856 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1857 if (p && n == 21 && p[0] == 4)
1859 /* v4 packet with a SHA-1 fingerprint. */
1860 free_public_key (pk);
1862 glo_ctrl.in_auto_key_retrieve++;
1863 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
1864 glo_ctrl.in_auto_key_retrieve--;
1866 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1870 /* If the above methods didn't work, our next try is to retrieve the
1871 * key from the WKD. */
1872 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1873 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1874 && !opt.flags.disable_signer_uid
1875 && akl_has_wkd_method ()
1876 && sig->signers_uid)
1880 free_public_key (pk);
1882 glo_ctrl.in_auto_key_retrieve++;
1883 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
1884 glo_ctrl.in_auto_key_retrieve--;
1885 /* Fixme: If the fingerprint is embedded in the signature,
1886 * compare it to the fingerprint of the returned key. */
1888 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1891 /* If the above methods did't work, our next try is to use a
1893 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1894 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1895 && keyserver_any_configured (c->ctrl))
1899 free_public_key (pk);
1901 glo_ctrl.in_auto_key_retrieve++;
1902 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
1903 glo_ctrl.in_auto_key_retrieve--;
1905 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1908 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1910 kbnode_t un, keyblock;
1914 PKT_public_key *mainpk = NULL;
1917 statno = STATUS_BADSIG;
1918 else if (sig->flags.expired)
1919 statno = STATUS_EXPSIG;
1921 statno = STATUS_EXPKEYSIG;
1923 statno = STATUS_REVKEYSIG;
1925 statno = STATUS_GOODSIG;
1927 /* FIXME: We should have the public key in PK and thus the
1928 * keyboock has already been fetched. Thus we could use the
1929 * fingerprint or PK itself to lookup the entire keyblock. That
1930 * would best be done with a cache. */
1931 keyblock = get_pubkeyblock (c->ctrl, sig->keyid);
1933 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1934 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1936 /* Find and print the primary user ID along with the
1937 "Good|Expired|Bad signature" line. */
1938 for (un=keyblock; un; un = un->next)
1942 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1944 mainpk = un->pkt->pkt.public_key;
1947 if (un->pkt->pkttype != PKT_USER_ID)
1949 if (!un->pkt->pkt.user_id->created)
1951 if (un->pkt->pkt.user_id->flags.revoked)
1953 if (un->pkt->pkt.user_id->flags.expired)
1955 if (!un->pkt->pkt.user_id->flags.primary)
1957 /* We want the textual primary user ID here */
1958 if (un->pkt->pkt.user_id->attrib_data)
1961 log_assert (mainpk);
1963 /* Since this is just informational, don't actually ask the
1964 user to update any trust information. (Note: we register
1965 the signature later.) Because print_good_bad_signature
1966 does not print a LF we need to compute the validity
1967 before calling that function. */
1968 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1969 valid = get_validity (c->ctrl, keyblock, mainpk,
1970 un->pkt->pkt.user_id, NULL, 0);
1972 valid = 0; /* Not used. */
1974 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1976 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1978 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1979 log_printf (" [%s]\n",trust_value_to_string(valid));
1986 log_assert (mainpk);
1988 /* In case we did not found a valid textual userid above
1989 we print the first user id packet or a "[?]" instead along
1990 with the "Good|Expired|Bad signature" line. */
1993 /* Try for an invalid textual userid */
1994 for (un=keyblock; un; un = un->next)
1996 if (un->pkt->pkttype == PKT_USER_ID
1997 && !un->pkt->pkt.user_id->attrib_data)
2001 /* Try for any userid at all */
2004 for (un=keyblock; un; un = un->next)
2006 if (un->pkt->pkttype == PKT_USER_ID)
2011 if (opt.trust_model==TM_ALWAYS || !un)
2012 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2014 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2016 if (opt.trust_model != TM_ALWAYS && un)
2017 log_printf (" %s",_("[uncertain]") );
2021 /* If we have a good signature and already printed
2022 * the primary user ID, print all the other user IDs */
2025 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2028 for( un=keyblock; un; un = un->next)
2030 if (un->pkt->pkttype != PKT_USER_ID)
2032 if ((un->pkt->pkt.user_id->flags.revoked
2033 || un->pkt->pkt.user_id->flags.expired)
2034 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2036 /* Skip textual primary user ids which we printed above. */
2037 if (un->pkt->pkt.user_id->flags.primary
2038 && !un->pkt->pkt.user_id->attrib_data )
2041 /* If this user id has attribute data, print that. */
2042 if (un->pkt->pkt.user_id->attrib_data)
2044 dump_attribs (un->pkt->pkt.user_id, mainpk);
2046 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2047 show_photos (c->ctrl,
2048 un->pkt->pkt.user_id->attribs,
2049 un->pkt->pkt.user_id->numattribs,
2050 mainpk ,un->pkt->pkt.user_id);
2053 p = utf8_to_native (un->pkt->pkt.user_id->name,
2054 un->pkt->pkt.user_id->len, 0);
2055 log_info (_(" aka \"%s\""), p);
2058 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2062 if (un->pkt->pkt.user_id->flags.revoked)
2063 valid = _("revoked");
2064 else if (un->pkt->pkt.user_id->flags.expired)
2065 valid = _("expired");
2067 /* Since this is just informational, don't
2068 actually ask the user to update any trust
2070 valid = (trust_value_to_string
2071 (get_validity (c->ctrl, keyblock, mainpk,
2072 un->pkt->pkt.user_id, NULL, 0)));
2073 log_printf (" [%s]\n",valid);
2080 /* For good signatures print notation data. */
2083 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2084 show_policy_url (sig, 0, 1);
2086 show_policy_url (sig, 0, 2);
2088 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2089 show_keyserver_url (sig, 0, 1);
2091 show_keyserver_url (sig, 0, 2);
2093 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2096 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2097 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2099 show_notation (sig, 0, 2, 0);
2102 /* For good signatures print the VALIDSIG status line. */
2103 if (!rc && is_status_enabled () && pk)
2105 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2106 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2108 hexfingerprint (pk, pkhex, sizeof pkhex);
2109 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2111 /* TODO: Replace the reserved '0' in the field below with
2112 bits for status flags (policy url, notation, etc.). */
2113 write_status_printf (STATUS_VALIDSIG,
2114 "%s %s %lu %lu %d 0 %d %d %02X %s",
2116 strtimestamp (sig->timestamp),
2117 (ulong)sig->timestamp,
2118 (ulong)sig->expiredate,
2119 sig->version, sig->pubkey_algo,
2125 /* For good signatures compute and print the trust information.
2126 Note that in the Tofu trust model this may ask the user on
2127 how to resolve a conflict. */
2130 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2131 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2132 rc = check_signatures_trust (c->ctrl, sig);
2135 /* Print extra information about the signature. */
2136 if (sig->flags.expired)
2138 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2139 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2141 else if (sig->expiredate)
2142 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2146 char pkstrbuf[PUBKEY_STRING_SIZE];
2149 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2153 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2154 sig->sig_class==0x00?_("binary"):
2155 sig->sig_class==0x01?_("textmode"):_("unknown"),
2156 gcry_md_algo_name (sig->digest_algo),
2157 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2160 /* Print final warnings. */
2161 if (!rc && !c->signed_data.used)
2163 /* Signature is basically good but we test whether the
2165 gpg --verify FILE.sig
2167 gpg --verify FILE.sig FILE
2168 to verify a detached signature. If we figure out that a
2169 data file with a matching name exists, we print a warning.
2171 The problem is that the first form would also verify a
2172 standard signature. This behavior could be used to
2173 create a made up .sig file for a tarball by creating a
2174 standard signature from a valid detached signature packet
2175 (for example from a signed git tag). Then replace the
2176 sig file on the FTP server along with a changed tarball.
2177 Using the first form the verify command would correctly
2178 verify the signature but don't even consider the tarball. */
2182 dfile = get_matching_datafile (c->sigfilename);
2185 for (n = c->list; n; n = n->next)
2186 if (n->pkt->pkttype != PKT_SIGNATURE)
2190 /* Not only signature packets in the tree thus this
2191 is not a detached signature. */
2192 log_info (_("WARNING: not a detached signature; "
2193 "file '%s' was NOT verified!\n"), dfile);
2199 free_public_key (pk);
2201 release_kbnode( keyblock );
2203 g10_errors_seen = 1;
2204 if (opt.batch && rc)
2211 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2212 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2213 sig->pubkey_algo, sig->digest_algo,
2214 sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
2215 write_status_text (STATUS_ERRSIG, buf);
2216 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2219 write_status_text (STATUS_NO_PUBKEY, buf);
2221 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2222 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2230 * Process the tree which starts at node
2233 proc_tree (CTX c, kbnode_t node)
2238 if (opt.list_packets || opt.list_only)
2241 /* We must skip our special plaintext marker packets here because
2242 they may be the root packet. These packets are only used in
2243 additional checks and skipping them here doesn't matter. */
2245 && node->pkt->pkttype == PKT_GPG_CONTROL
2246 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2253 c->trustletter = ' ';
2254 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2255 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2257 merge_keys_and_selfsig (c->ctrl, node);
2258 list_node (c, node);
2260 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2262 merge_keys_and_selfsig (c->ctrl, node);
2263 list_node (c, node);
2265 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2267 /* Check all signatures. */
2270 int use_textmode = 0;
2272 free_md_filter_context (&c->mfx);
2273 /* Prepare to create all requested message digests. */
2274 rc = gcry_md_open (&c->mfx.md, 0, 0);
2278 /* Fixme: why looking for the signature packet and not the
2280 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2281 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2283 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2286 /* Ask for file and hash it. */
2289 if (c->signed_data.used && c->signed_data.data_fd != -1)
2290 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2291 c->signed_data.data_fd,
2294 rc = hash_datafiles (c->mfx.md, NULL,
2295 c->signed_data.data_names,
2301 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2302 iobuf_get_real_fname (c->iobuf),
2309 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2313 else if (c->signed_data.used)
2315 log_error (_("not a detached signature\n"));
2319 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2320 check_sig_and_print (c, n1);
2323 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2324 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2326 /* Clear text signed message. */
2329 log_error ("cleartext signature without data\n");
2332 else if (c->signed_data.used)
2334 log_error (_("not a detached signature\n"));
2338 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2339 check_sig_and_print (c, n1);
2342 else if (node->pkt->pkttype == PKT_SIGNATURE)
2344 PKT_signature *sig = node->pkt->pkt.signature;
2345 int multiple_ok = 1;
2347 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2350 byte class = sig->sig_class;
2351 byte hash = sig->digest_algo;
2353 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2355 /* We can't currently handle multiple signatures of
2356 * different classes (we'd pretty much have to run a
2357 * different hash context for each), but if they are all
2358 * the same and it is detached signature, we make an
2359 * exception. Note that the old code also disallowed
2360 * multiple signatures if the digest algorithms are
2361 * different. We softened this restriction only for
2362 * detached signatures, to be on the safe side. */
2363 if (n1->pkt->pkt.signature->sig_class != class
2365 && n1->pkt->pkt.signature->digest_algo != hash))
2368 log_info (_("WARNING: multiple signatures detected. "
2369 "Only the first will be checked.\n"));
2375 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2377 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2379 else if (!c->any.data)
2381 /* Detached signature */
2382 free_md_filter_context (&c->mfx);
2383 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2385 goto detached_hash_err;
2389 /* If we have and want to handle multiple signatures we
2390 * need to enable all hash algorithms for the context. */
2391 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2392 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2393 gcry_md_enable (c->mfx.md,
2394 map_md_openpgp_to_gcry
2395 (n1->pkt->pkt.signature->digest_algo));
2398 if (RFC2440 || RFC4880)
2399 ; /* Strict RFC mode. */
2400 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2401 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2402 && sig->sig_class == 0x01)
2404 /* Enable a workaround for a pgp5 bug when the detached
2405 * signature has been created in textmode. Note that we
2406 * do not implement this for multiple signatures with
2407 * different hash algorithms. */
2408 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2410 goto detached_hash_err;
2413 /* Here we used to have another hack to work around a pgp
2414 * 2 bug: It worked by not using the textmode for detached
2415 * signatures; this would let the first signature check
2416 * (on md) fail but the second one (on md2), which adds an
2417 * extra CR would then have produced the "correct" hash.
2418 * This is very, very ugly hack but it may haved help in
2419 * some cases (and break others).
2420 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2425 gcry_md_debug (c->mfx.md, "verify");
2427 gcry_md_debug (c->mfx.md2, "verify2");
2432 if (c->signed_data.used && c->signed_data.data_fd != -1)
2433 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2434 c->signed_data.data_fd,
2435 (sig->sig_class == 0x01));
2437 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2438 c->signed_data.data_names,
2440 (sig->sig_class == 0x01));
2444 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2445 iobuf_get_real_fname(c->iobuf),
2446 (sig->sig_class == 0x01));
2452 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2456 else if (c->signed_data.used)
2458 log_error (_("not a detached signature\n"));
2461 else if (!opt.quiet)
2462 log_info (_("old style (PGP 2.x) signature\n"));
2466 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2467 check_sig_and_print (c, n1);
2470 check_sig_and_print (c, node);
2475 dump_kbnode (c->list);
2476 log_error ("invalid root packet detected in proc_tree()\n");