1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
28 #include "../common/util.h"
30 #include "../common/iobuf.h"
35 #include "../common/status.h"
36 #include "../common/i18n.h"
38 #include "keyserver-internal.h"
40 #include "../common/mbox-util.h"
41 #include "call-dirmngr.h"
42 #include "../common/compliance.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
97 ulong symkeys; /* Number of symmetrically encrypted session keys. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
128 proc_tree (c, c->list);
129 release_kbnode (c->list);
130 while (c->pkenc_list)
132 struct kidlist_item *tmp = c->pkenc_list->next;
133 xfree (c->pkenc_list);
136 c->pkenc_list = NULL;
139 c->any.uncompress_failed = 0;
140 c->last_was_session_key = 0;
147 add_onepass_sig (CTX c, PACKET *pkt)
151 if (c->list) /* Add another packet. */
152 add_kbnode (c->list, new_kbnode (pkt));
153 else /* Insert the first one. */
154 c->list = node = new_kbnode (pkt);
161 add_gpg_control (CTX c, PACKET *pkt)
163 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
165 /* New clear text signature.
166 * Process the last one and reset everything */
170 if (c->list) /* Add another packet. */
171 add_kbnode (c->list, new_kbnode (pkt));
172 else /* Insert the first one. */
173 c->list = new_kbnode (pkt);
180 add_user_id (CTX c, PACKET *pkt)
184 log_error ("orphaned user ID\n");
187 add_kbnode (c->list, new_kbnode (pkt));
193 add_subkey (CTX c, PACKET *pkt)
197 log_error ("subkey w/o mainkey\n");
200 add_kbnode (c->list, new_kbnode (pkt));
206 add_ring_trust (CTX c, PACKET *pkt)
210 log_error ("ring trust w/o key\n");
213 add_kbnode (c->list, new_kbnode (pkt));
219 add_signature (CTX c, PACKET *pkt)
224 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
226 /* This is the first signature for the following datafile.
227 * GPG does not write such packets; instead it always uses
228 * onepass-sig packets. The drawback of PGP's method
229 * of prepending the signature to the data is
230 * that it is not possible to make a signature from data read
231 * from stdin. (GPG is able to read PGP stuff anyway.) */
232 node = new_kbnode (pkt);
237 return 0; /* oops (invalid packet sequence)*/
238 else if (!c->list->pkt)
239 BUG(); /* so nicht */
241 /* Add a new signature node item at the end. */
242 node = new_kbnode (pkt);
243 add_kbnode (c->list, node);
249 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
253 if(slen < 17 || slen > 33)
255 log_error ( _("weird size for an encrypted session key (%d)\n"),
257 return GPG_ERR_BAD_KEY;
260 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
262 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
264 gcry_cipher_setiv ( hd, NULL, 0 );
265 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
266 gcry_cipher_close ( hd );
268 /* Now we replace the dek components with the real session key to
269 decrypt the contents of the sequencing packet. */
274 if(dek->keylen > DIM(dek->key))
277 memcpy(dek->key, seskey + 1, dek->keylen);
279 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
286 proc_symkey_enc (CTX c, PACKET *pkt)
290 enc = pkt->pkt.symkey_enc;
292 log_error ("invalid symkey encrypted packet\n");
295 int algo = enc->cipher_algo;
296 const char *s = openpgp_cipher_algo_name (algo);
298 if (!openpgp_cipher_test_algo (algo))
303 log_info (_("%s encrypted session key\n"), s );
305 log_info (_("%s encrypted data\n"), s );
309 log_error (_("encrypted with unknown algorithm %d\n"), algo);
311 if (openpgp_md_test_algo (enc->s2k.hash_algo))
313 log_error(_("passphrase generated with unknown digest"
314 " algorithm %d\n"),enc->s2k.hash_algo);
318 c->last_was_session_key = 2;
319 if (!s || opt.list_only)
322 if (opt.override_session_key)
324 c->dek = xmalloc_clear (sizeof *c->dek);
325 if (get_override_session_key (c->dek, opt.override_session_key))
333 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
336 c->dek->symmetric = 1;
338 /* FIXME: This doesn't work perfectly if a symmetric key
339 comes before a public key in the message - if the
340 user doesn't know the passphrase, then there is a
341 chance that the "decrypted" algorithm will happen to
342 be a valid one, which will make the returned dek
343 appear valid, so we won't try any public keys that
347 if (symkey_decrypt_seskey (c->dek,
348 enc->seskey, enc->seskeylen))
355 c->dek->algo_info_printed = 1;
362 free_packet (pkt, NULL);
367 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
372 /* Check whether the secret key is available and store in this case. */
373 c->last_was_session_key = 1;
374 enc = pkt->pkt.pubkey_enc;
375 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
376 /* Hmmm: why do I have this algo check here - anyway there is
377 * function to check it. */
379 log_info (_("public key is %s\n"), keystr (enc->keyid));
381 if (is_status_enabled())
384 /* FIXME: For ECC support we need to map the OpenPGP algo number
385 to the Libgcrypt defined one. This is due a chicken-egg
386 problem: We need to have code in Libgcrypt for a new
387 algorithm so to implement a proposed new algorithm before the
388 IANA will finally assign an OpenPGP identifier. */
389 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
390 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
391 write_status_text (STATUS_ENC_TO, buf);
394 if (!opt.list_only && opt.override_session_key)
396 /* It does not make much sense to store the session key in
397 * secure memory because it has already been passed on the
398 * command line and the GCHQ knows about it. */
399 c->dek = xmalloc_clear (sizeof *c->dek);
400 result = get_override_session_key (c->dek, opt.override_session_key);
407 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
408 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA
410 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
411 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
413 /* Note that we also allow type 20 Elgamal keys for decryption.
414 There are still a couple of those keys in active use as a
417 /* FIXME: Store this all in a list and process it later so that
418 we can prioritize what key to use. This gives a better user
419 experience if wildcard keyids are used. */
420 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
421 || opt.try_all_secrets
422 || have_secret_key_with_kid (enc->keyid)))
425 result = GPG_ERR_MISSING_ACTION; /* fixme: Use better error code. */
428 c->dek = xmalloc_secure_clear (sizeof *c->dek);
429 if ((result = get_session_key (ctrl, enc, c->dek)))
431 /* Error: Delete the DEK. */
438 result = GPG_ERR_NO_SECKEY;
441 result = GPG_ERR_PUBKEY_ALGO;
445 /* Store it for later display. */
446 struct kidlist_item *x = xmalloc (sizeof *x);
447 x->kid[0] = enc->keyid[0];
448 x->kid[1] = enc->keyid[1];
449 x->pubkey_algo = enc->pubkey_algo;
451 x->next = c->pkenc_list;
454 if (!result && opt.verbose > 1)
455 log_info (_("public key encrypted data: good DEK\n"));
458 free_packet(pkt, NULL);
463 * Print the list of public key encrypted packets which we could
467 print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
469 for (; list; list = list->next)
474 if (failed && !list->reason)
476 if (!failed && list->reason)
479 algstr = openpgp_pk_algo_name (list->pubkey_algo);
480 pk = xmalloc_clear (sizeof *pk);
484 pk->pubkey_algo = list->pubkey_algo;
485 if (!get_pubkey (ctrl, pk, list->kid))
488 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
489 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
490 strtimestamp (pk->timestamp));
491 p = get_user_id_native (ctrl, list->kid);
492 log_printf (_(" \"%s\"\n"), p);
496 log_info (_("encrypted with %s key, ID %s\n"),
497 algstr, keystr(list->kid));
499 free_public_key (pk);
501 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
503 if (is_status_enabled())
506 snprintf (buf, sizeof buf, "%08lX%08lX",
507 (ulong)list->kid[0], (ulong)list->kid[1]);
508 write_status_text (STATUS_NO_SECKEY, buf);
511 else if (gpg_err_code (list->reason) == GPG_ERR_MISSING_ACTION)
513 /* Not tested for secret key due to --list-only mode. */
515 else if (list->reason)
517 log_info (_("public key decryption failed: %s\n"),
518 gpg_strerror (list->reason));
519 write_status_error ("pkdecrypt_failed", list->reason);
526 proc_encrypted (CTX c, PACKET *pkt)
533 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
534 else if (c->symkeys == 1)
535 log_info (_("encrypted with 1 passphrase\n"));
536 print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
537 print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
540 /* FIXME: Figure out the session key by looking at all pkenc packets. */
542 write_status (STATUS_BEGIN_DECRYPTION);
544 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
547 else if (!c->dek && !c->last_was_session_key)
551 STRING2KEY *s2k = NULL;
554 if (opt.override_session_key)
556 c->dek = xmalloc_clear (sizeof *c->dek);
557 result = get_override_session_key (c->dek, opt.override_session_key);
566 /* Assume this is old style conventional encrypted data. */
567 algo = opt.def_cipher_algo;
569 log_info (_("assuming %s encrypted data\n"),
570 openpgp_cipher_algo_name (algo));
571 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
573 algo = opt.def_cipher_algo;
575 algo = opt.s2k_cipher_algo;
576 log_info (_("IDEA cipher unavailable, "
577 "optimistically attempting to use %s instead\n"),
578 openpgp_cipher_algo_name (algo));
582 algo = CIPHER_ALGO_IDEA;
583 if (!opt.s2k_digest_algo)
585 /* If no digest is given we assume SHA-1. */
587 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
590 log_info (_("assuming %s encrypted data\n"), "IDEA");
593 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
595 c->dek->algo_info_printed = 1;
597 result = gpg_error (GPG_ERR_CANCELED);
599 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
603 result = GPG_ERR_NO_SECKEY;
605 /* Compute compliance with CO_DE_VS. */
606 if (!result && is_status_enabled ()
607 /* Symmetric encryption and asymmetric encryption voids compliance. */
608 && (c->symkeys != !!c->pkenc_list )
609 /* Overriding session key voids compliance. */
610 && !opt.override_session_key
611 /* Check symmetric cipher. */
612 && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
613 GCRY_CIPHER_MODE_CFB))
615 struct kidlist_item *i;
617 PKT_public_key *pk = xmalloc (sizeof *pk);
619 if ( !(c->pkenc_list || c->symkeys) )
620 log_debug ("%s: where else did the session key come from?\n", __func__);
622 /* Now check that every key used to encrypt the session key is
624 for (i = c->pkenc_list; i && compliant; i = i->next)
626 memset (pk, 0, sizeof *pk);
627 pk->pubkey_algo = i->pubkey_algo;
628 if (get_pubkey (c->ctrl, pk, i->kid) != 0
629 || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
630 nbits_from_pk (pk), NULL))
632 release_public_key_parts (pk);
638 write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
639 gnupg_status_compliance_flag (CO_DE_VS),
646 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
651 && !opt.ignore_mdc_error
652 && !pkt->pkt.encrypted->mdc_method
653 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
654 && c->dek->algo != CIPHER_ALGO_TWOFISH)
656 /* The message has been decrypted but has no MDC despite that a
657 modern cipher (blocklength != 64 bit, except for Twofish) is
658 used and the option to ignore MDC errors is not used: To
659 avoid attacks changing an MDC message to a non-MDC message,
661 log_error (_("WARNING: message was not integrity protected\n"));
663 log_info ("decryption forced to fail\n");
664 write_status (STATUS_DECRYPTION_FAILED);
666 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
667 && opt.ignore_mdc_error))
669 write_status (STATUS_DECRYPTION_OKAY);
671 log_info(_("decryption okay\n"));
672 if (pkt->pkt.encrypted->mdc_method && !result)
673 write_status (STATUS_GOODMDC);
674 else if (!opt.no_mdc_warn)
675 log_info (_("WARNING: message was not integrity protected\n"));
677 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
679 glo_ctrl.lasterr = result;
680 log_error (_("WARNING: encrypted message has been manipulated!\n"));
681 write_status (STATUS_BADMDC);
682 write_status (STATUS_DECRYPTION_FAILED);
686 if ((gpg_err_code (result) == GPG_ERR_BAD_KEY
687 || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
688 && *c->dek->s2k_cacheid != '\0')
691 log_debug ("cleared passphrase cached with ID: %s\n",
692 c->dek->s2k_cacheid);
693 passphrase_clear_cache (c->dek->s2k_cacheid);
695 glo_ctrl.lasterr = result;
696 write_status (STATUS_DECRYPTION_FAILED);
697 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
698 /* Hmmm: does this work when we have encrypted using multiple
699 * ways to specify the session key (symmmetric and PK). */
704 free_packet (pkt, NULL);
705 c->last_was_session_key = 0;
706 write_status (STATUS_END_DECRYPTION);
711 proc_plaintext( CTX c, PACKET *pkt )
713 PKT_plaintext *pt = pkt->pkt.plaintext;
714 int any, clearsig, rc;
719 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
720 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
721 else if (opt.verbose)
722 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
724 free_md_filter_context (&c->mfx);
725 if (gcry_md_open (&c->mfx.md, 0, 0))
727 /* fixme: we may need to push the textfilter if we have sigclass 1
728 * and no armoring - Not yet tested
729 * Hmmm, why don't we need it at all if we have sigclass 1
730 * Should we assume that plaintext in mode 't' has always sigclass 1??
731 * See: Russ Allbery's mail 1999-02-09
734 for (n=c->list; n; n = n->next )
736 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
738 /* The onepass signature case. */
739 if (n->pkt->pkt.onepass_sig->digest_algo)
741 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
745 else if (n->pkt->pkttype == PKT_GPG_CONTROL
746 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
748 /* The clearsigned message case. */
749 size_t datalen = n->pkt->pkt.gpg_control->datalen;
750 const byte *data = n->pkt->pkt.gpg_control->data;
752 /* Check that we have at least the sigclass and one hash. */
754 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
755 /* Note that we don't set the clearsig flag for not-dash-escaped
757 clearsig = (*data == 0x01);
758 for (data++, datalen--; datalen; datalen--, data++)
759 gcry_md_enable (c->mfx.md, *data);
761 break; /* Stop here as one-pass signature packets are not
764 else if (n->pkt->pkttype == PKT_SIGNATURE)
766 /* The SIG+LITERAL case that PGP used to use. */
767 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
772 if (!any && !opt.skip_verify)
774 /* This is for the old GPG LITERAL+SIG case. It's not legal
775 according to 2440, so hopefully it won't come up that often.
776 There is no good way to specify what algorithms to use in
777 that case, so these there are the historical answer. */
778 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
779 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
783 gcry_md_debug (c->mfx.md, "verify");
785 gcry_md_debug (c->mfx.md2, "verify2");
790 if (literals_seen > 1)
792 log_info (_("WARNING: multiple plaintexts seen\n"));
794 if (!opt.flags.allow_multiple_messages)
796 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
797 log_inc_errorcount ();
798 rc = gpg_error (GPG_ERR_UNEXPECTED);
804 /* It we are in --verify mode, we do not want to output the
805 * signed text. However, if --output is also used we do what
806 * has been requested and write out the signed data. */
807 rc = handle_plaintext (pt, &c->mfx,
808 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
810 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
812 /* Can't write output but we hash it anyway to check the
814 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
819 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
821 free_packet (pkt, NULL);
822 c->last_was_session_key = 0;
824 /* We add a marker control packet instead of the plaintext packet.
825 * This is so that we can later detect invalid packet sequences. */
826 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
828 add_kbnode (c->list, n);
835 proc_compressed_cb (iobuf_t a, void *info)
837 if ( ((CTX)info)->signed_data.used
838 && ((CTX)info)->signed_data.data_fd != -1)
839 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
840 ((CTX)info)->signed_data.data_fd);
842 return proc_signature_packets (((CTX)info)->ctrl, info, a,
843 ((CTX)info)->signed_data.data_names,
844 ((CTX)info)->sigfilename );
849 proc_encrypt_cb (iobuf_t a, void *info )
852 return proc_encryption_packets (c->ctrl, info, a );
857 proc_compressed (CTX c, PACKET *pkt)
859 PKT_compressed *zd = pkt->pkt.compressed;
862 /*printf("zip: compressed data packet\n");*/
864 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
865 else if( c->encrypt_only )
866 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
868 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
870 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
872 if (!c->any.uncompress_failed)
876 for (cc=c; cc; cc = cc->anchor)
877 cc->any.uncompress_failed = 1;
878 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
882 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
884 free_packet (pkt, NULL);
885 c->last_was_session_key = 0;
891 * Check the signature. If R_PK is not NULL a copy of the public key
892 * used to verify the signature will be stored there, or NULL if not
893 * found. Returns: 0 = valid signature or an error code
896 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
897 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
900 gcry_md_hd_t md = NULL;
901 gcry_md_hd_t md2 = NULL;
902 gcry_md_hd_t md_good = NULL;
908 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
911 sig = node->pkt->pkt.signature;
913 algo = sig->digest_algo;
914 rc = openpgp_md_test_algo (algo);
918 if (sig->sig_class == 0x00)
922 if (gcry_md_copy (&md, c->mfx.md ))
925 else /* detached signature */
927 /* check_signature() will enable the md. */
928 if (gcry_md_open (&md, 0, 0 ))
932 else if (sig->sig_class == 0x01)
934 /* How do we know that we have to hash the (already hashed) text
935 in canonical mode ??? (calculating both modes???) */
938 if (gcry_md_copy (&md, c->mfx.md ))
940 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
943 else /* detached signature */
945 log_debug ("Do we really need this here?");
946 /* check_signature() will enable the md*/
947 if (gcry_md_open (&md, 0, 0 ))
949 if (gcry_md_open (&md2, 0, 0 ))
953 else if ((sig->sig_class&~3) == 0x10
954 || sig->sig_class == 0x18
955 || sig->sig_class == 0x1f
956 || sig->sig_class == 0x20
957 || sig->sig_class == 0x28
958 || sig->sig_class == 0x30)
960 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
961 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
963 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
965 else if (sig->sig_class == 0x20)
967 log_error (_("standalone revocation - "
968 "use \"gpg --import\" to apply\n"));
969 return GPG_ERR_NOT_PROCESSED;
973 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
974 return GPG_ERR_SIG_CLASS;
978 return GPG_ERR_SIG_CLASS;
980 /* We only get here if we are checking the signature of a binary
981 (0x00) or text document (0x01). */
982 rc = check_signature2 (c->ctrl, sig, md, NULL, is_expkey, is_revkey, r_pk);
985 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
989 rc = check_signature2 (c->ctrl, sig, md2, NULL, is_expkey, is_revkey,
996 free_public_key (*r_pk);
1004 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1005 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1006 memcpy (sig->digest, buffer, sig->digest_len);
1010 gcry_md_close (md2);
1017 print_userid (PACKET *pkt)
1022 if (pkt->pkttype != PKT_USER_ID)
1024 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1027 if (opt.with_colons)
1029 if (pkt->pkt.user_id->attrib_data)
1031 pkt->pkt.user_id->numattribs,
1032 pkt->pkt.user_id->attrib_len);
1034 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1035 pkt->pkt.user_id->len, ":", NULL);
1038 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1039 pkt->pkt.user_id->len );
1044 * List the keyblock in a user friendly way
1047 list_node (CTX c, kbnode_t node)
1051 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1052 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1054 PKT_public_key *pk = node->pkt->pkt.public_key;
1056 if (opt.with_colons)
1060 keyid_from_pk( pk, keyid );
1061 if (pk->flags.primary)
1062 c->trustletter = (opt.fast_list_mode
1066 node->pkt->pkttype == PKT_PUBLIC_KEY
1069 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1071 es_putc (c->trustletter, es_stdout);
1072 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1073 nbits_from_pk( pk ),
1075 (ulong)keyid[0],(ulong)keyid[1],
1076 colon_datestr_from_pk( pk ),
1077 colon_strtime (pk->expiredate) );
1078 if (pk->flags.primary && !opt.fast_list_mode)
1079 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1080 es_putc (':', es_stdout);
1081 es_putc ('\n', es_stdout);
1085 print_key_line (c->ctrl, es_stdout, pk, 0);
1088 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1089 ; /* Already printed. */
1090 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1091 print_fingerprint (c->ctrl, NULL, pk, 0);
1093 if (pk->flags.primary)
1095 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1097 /* Now list all userids with their signatures. */
1098 for (node = node->next; node; node = node->next)
1100 if (node->pkt->pkttype == PKT_SIGNATURE)
1102 list_node (c, node );
1104 else if (node->pkt->pkttype == PKT_USER_ID)
1106 if (opt.with_colons)
1107 es_printf ("%s:::::::::",
1108 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1110 es_printf ("uid%*s",
1111 kl + (opt.legacy_list_mode? 9:11),
1113 print_userid (node->pkt);
1114 if (opt.with_colons)
1115 es_putc (':', es_stdout);
1116 es_putc ('\n', es_stdout);
1118 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1120 list_node(c, node );
1125 else if (node->pkt->pkttype == PKT_SECRET_KEY
1126 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1129 log_debug ("FIXME: No way to print secret key packets here\n");
1130 /* fixme: We may use a function to turn a secret key packet into
1131 a public key one and use that here. */
1133 else if (node->pkt->pkttype == PKT_SIGNATURE)
1135 PKT_signature *sig = node->pkt->pkt.signature;
1145 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1146 es_fputs ("rev", es_stdout);
1148 es_fputs ("sig", es_stdout);
1152 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
1153 switch (gpg_err_code (rc2))
1155 case 0: sigrc = '!'; break;
1156 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1157 case GPG_ERR_NO_PUBKEY:
1158 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1159 default: sigrc = '%'; break;
1162 else /* Check whether this is a self signature. */
1166 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1167 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1169 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1171 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1176 if (opt.with_colons)
1178 es_putc (':', es_stdout);
1180 es_putc (sigrc, es_stdout);
1181 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1182 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1183 colon_datestr_from_sig (sig),
1184 colon_expirestr_from_sig (sig));
1186 if (sig->trust_depth || sig->trust_value)
1187 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1188 es_putc (':', es_stdout);
1190 if (sig->trust_regexp)
1191 es_write_sanitized (es_stdout, sig->trust_regexp,
1192 strlen (sig->trust_regexp), ":", NULL);
1193 es_putc (':', es_stdout);
1196 es_printf ("%c %s %s ",
1197 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1199 es_printf ("[%s] ", gpg_strerror (rc2) );
1200 else if (sigrc == '?')
1202 else if (is_selfsig)
1204 if (opt.with_colons)
1205 es_putc (':', es_stdout);
1206 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1207 if (opt.with_colons)
1208 es_putc (':', es_stdout);
1210 else if (!opt.fast_list_mode)
1212 p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
1213 es_write_sanitized (es_stdout, p, n,
1214 opt.with_colons?":":NULL, NULL );
1217 if (opt.with_colons)
1218 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1219 es_putc ('\n', es_stdout);
1222 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1227 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1230 CTX c = xmalloc_clear (sizeof *c);
1234 rc = do_proc_packets (ctrl, c, a);
1242 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1243 strlist_t signedfiles, const char *sigfilename )
1245 CTX c = xmalloc_clear (sizeof *c);
1252 c->signed_data.data_fd = -1;
1253 c->signed_data.data_names = signedfiles;
1254 c->signed_data.used = !!signedfiles;
1256 c->sigfilename = sigfilename;
1257 rc = do_proc_packets (ctrl, c, a);
1259 /* If we have not encountered any signature we print an error
1260 messages, send a NODATA status back and return an error code.
1261 Using log_error is required because verify_files does not check
1262 error codes for each file but we want to terminate the process
1264 if (!rc && !c->any.sig_seen)
1266 write_status_text (STATUS_NODATA, "4");
1267 log_error (_("no signature found\n"));
1268 rc = GPG_ERR_NO_DATA;
1271 /* Propagate the signature seen flag upward. Do this only on success
1272 so that we won't issue the nodata status several times. */
1273 if (!rc && c->anchor && c->any.sig_seen)
1274 c->anchor->any.sig_seen = 1;
1282 proc_signature_packets_by_fd (ctrl_t ctrl,
1283 void *anchor, iobuf_t a, int signed_data_fd )
1288 c = xtrycalloc (1, sizeof *c);
1290 return gpg_error_from_syserror ();
1296 c->signed_data.data_fd = signed_data_fd;
1297 c->signed_data.data_names = NULL;
1298 c->signed_data.used = (signed_data_fd != -1);
1300 rc = do_proc_packets (ctrl, c, a);
1302 /* If we have not encountered any signature we print an error
1303 messages, send a NODATA status back and return an error code.
1304 Using log_error is required because verify_files does not check
1305 error codes for each file but we want to terminate the process
1307 if (!rc && !c->any.sig_seen)
1309 write_status_text (STATUS_NODATA, "4");
1310 log_error (_("no signature found\n"));
1311 rc = gpg_error (GPG_ERR_NO_DATA);
1314 /* Propagate the signature seen flag upward. Do this only on success
1315 so that we won't issue the nodata status several times. */
1316 if (!rc && c->anchor && c->any.sig_seen)
1317 c->anchor->any.sig_seen = 1;
1325 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1327 CTX c = xmalloc_clear (sizeof *c);
1332 c->encrypt_only = 1;
1333 rc = do_proc_packets (ctrl, c, a);
1340 check_nesting (CTX c)
1344 for (level=0; c; c = c->anchor)
1347 if (level > MAX_NESTING_DEPTH)
1349 log_error ("input data with too deeply nested packets\n");
1350 write_status_text (STATUS_UNEXPECTED, "1");
1351 return GPG_ERR_BAD_DATA;
1359 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1362 struct parse_packet_ctx_s parsectx;
1367 rc = check_nesting (c);
1371 pkt = xmalloc( sizeof *pkt );
1374 init_parse_packet (&parsectx, a);
1375 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1380 free_packet (pkt, &parsectx);
1381 /* Stop processing when an invalid packet has been encountered
1382 * but don't do so when we are doing a --list-packets. */
1383 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1384 && opt.list_packets == 0)
1389 if (opt.list_packets)
1391 switch (pkt->pkttype)
1393 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1394 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1396 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1397 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1398 default: newpkt = 0; break;
1401 else if (c->sigs_only)
1403 switch (pkt->pkttype)
1405 case PKT_PUBLIC_KEY:
1406 case PKT_SECRET_KEY:
1408 case PKT_SYMKEY_ENC:
1409 case PKT_PUBKEY_ENC:
1411 case PKT_ENCRYPTED_MDC:
1412 write_status_text( STATUS_UNEXPECTED, "0" );
1413 rc = GPG_ERR_UNEXPECTED;
1416 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1417 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1418 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1419 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1420 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1421 default: newpkt = 0; break;
1424 else if (c->encrypt_only)
1426 switch (pkt->pkttype)
1428 case PKT_PUBLIC_KEY:
1429 case PKT_SECRET_KEY:
1431 write_status_text (STATUS_UNEXPECTED, "0");
1432 rc = GPG_ERR_UNEXPECTED;
1435 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1436 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1437 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1439 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1440 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1441 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1442 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1443 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1444 default: newpkt = 0; break;
1449 switch (pkt->pkttype)
1451 case PKT_PUBLIC_KEY:
1452 case PKT_SECRET_KEY:
1454 c->list = new_kbnode (pkt);
1457 case PKT_PUBLIC_SUBKEY:
1458 case PKT_SECRET_SUBKEY:
1459 newpkt = add_subkey (c, pkt);
1461 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1462 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1463 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1464 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1466 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1467 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1468 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1469 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1470 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1471 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1472 default: newpkt = 0; break;
1479 /* This is a very ugly construct and frankly, I don't remember why
1480 * I used it. Adding the MDC check here is a hack.
1481 * The right solution is to initiate another context for encrypted
1482 * packet and not to reuse the current one ... It works right
1483 * when there is a compression packet between which adds just
1485 * Hmmm: Rewrite this whole module here??
1487 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1488 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1494 pkt = xmalloc (sizeof *pkt);
1498 free_packet (pkt, &parsectx);
1501 if (rc == GPG_ERR_INV_PACKET)
1502 write_status_text (STATUS_NODATA, "3");
1507 write_status_text (STATUS_NODATA, "2");
1513 free_packet (pkt, &parsectx);
1514 deinit_parse_packet (&parsectx);
1516 free_md_filter_context (&c->mfx);
1521 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1522 of the notation data. */
1524 get_pka_address (PKT_signature *sig)
1526 pka_info_t *pka = NULL;
1527 struct notation *nd,*notation;
1529 notation=sig_to_notation(sig);
1531 for(nd=notation;nd;nd=nd->next)
1533 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1534 continue; /* Not the notation we want. */
1536 /* For now we only use the first valid PKA notation. In future
1537 we might want to keep additional PKA notations in a linked
1539 if (is_valid_mailbox (nd->value))
1541 pka = xmalloc (sizeof *pka + strlen(nd->value));
1545 strcpy (pka->email, nd->value);
1550 free_notation(notation);
1556 /* Return the URI from a DNS PKA record. If this record has already
1557 be retrieved for the signature we merely return it; if not we go
1558 out and try to get that DNS record. */
1560 pka_uri_from_sig (CTX c, PKT_signature *sig)
1562 if (!sig->flags.pka_tried)
1564 log_assert (!sig->pka_info);
1565 sig->flags.pka_tried = 1;
1566 sig->pka_info = get_pka_address (sig);
1573 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1574 &fpr, &fprlen, &url))
1576 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1578 memcpy (sig->pka_info->fpr, fpr, fprlen);
1581 sig->pka_info->valid = 1;
1585 sig->pka_info->uri = url;
1594 return sig->pka_info? sig->pka_info->uri : NULL;
1598 /* Return true if the AKL has the WKD method specified. */
1600 akl_has_wkd_method (void)
1604 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1605 if (akl->type == AKL_WKD)
1611 /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
1612 * Returns NULL if not available. The returned buffer is valid as
1613 * long as SIG is not modified. */
1615 issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
1620 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1621 if (p && n == 21 && p[0] == 4)
1631 /* Return the ISSUER fingerprint string in human readbale format if
1632 * available. Caller must release the string. */
1633 /* FIXME: Move to another file. */
1635 issuer_fpr_string (PKT_signature *sig)
1640 p = issuer_fpr_raw (sig, &n);
1641 return p? bin2hex (p, n, NULL) : NULL;
1646 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1647 PKT_signature *sig, int rc)
1651 write_status_text_and_buffer (statno, keyid_str,
1652 un? un->pkt->pkt.user_id->name:"[?]",
1653 un? un->pkt->pkt.user_id->len:3,
1657 p = utf8_to_native (un->pkt->pkt.user_id->name,
1658 un->pkt->pkt.user_id->len, 0);
1660 p = xstrdup ("[?]");
1663 log_info (_("BAD signature from \"%s\""), p);
1664 else if (sig->flags.expired)
1665 log_info (_("Expired signature from \"%s\""), p);
1667 log_info (_("Good signature from \"%s\""), p);
1674 check_sig_and_print (CTX c, kbnode_t node)
1676 PKT_signature *sig = node->pkt->pkt.signature;
1681 char *issuer_fpr = NULL;
1682 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1683 int tried_ks_by_fpr;
1685 if (opt.skip_verify)
1687 log_info(_("signature verification suppressed\n"));
1691 /* Check that the message composition is valid.
1693 * Per RFC-2440bis (-15) allowed:
1695 * S{1,n} -- detached signature.
1696 * S{1,n} P -- old style PGP2 signature
1697 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1698 * C P S{1,n} -- cleartext signature.
1701 * O = One-Pass Signature packet.
1702 * S = Signature packet.
1703 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1704 * (Note that the current rfc2440bis draft also allows
1705 * for a signed message but that does not work as it
1706 * introduces ambiguities.)
1707 * We keep track of these packages using the marker packet
1708 * CTRLPKT_PLAINTEXT_MARK.
1709 * C = Marker packet for cleartext signatures.
1711 * We reject all other messages.
1713 * Actually we are calling this too often, i.e. for verification of
1714 * each message but better have some duplicate work than to silently
1715 * introduce a bug here.
1719 int n_onepass, n_sig;
1721 /* log_debug ("checking signature packet composition\n"); */
1722 /* dump_kbnode (c->list); */
1726 if ( n->pkt->pkttype == PKT_SIGNATURE )
1728 /* This is either "S{1,n}" case (detached signature) or
1729 "S{1,n} P" (old style PGP2 signature). */
1730 for (n = n->next; n; n = n->next)
1731 if (n->pkt->pkttype != PKT_SIGNATURE)
1734 ; /* Okay, this is a detached signature. */
1735 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1736 && (n->pkt->pkt.gpg_control->control
1737 == CTRLPKT_PLAINTEXT_MARK) )
1740 goto ambiguous; /* We only allow one P packet. */
1745 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1747 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1748 for (n_onepass=1, n = n->next;
1749 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1751 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1752 && (n->pkt->pkt.gpg_control->control
1753 == CTRLPKT_PLAINTEXT_MARK)))
1755 for (n_sig=0, n = n->next;
1756 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1761 /* If we wanted to disallow multiple sig verification, we'd do
1762 something like this:
1764 if (n && !opt.allow_multisig_verification)
1767 However, now that we have --allow-multiple-messages, this
1768 can stay allowable as we can't get here unless multiple
1769 messages (i.e. multiple literals) are allowed. */
1771 if (n_onepass != n_sig)
1773 log_info ("number of one-pass packets does not match "
1774 "number of signature packets\n");
1778 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1779 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1781 /* This is the "C P S{1,n}" case (clear text signature). */
1783 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1784 && (n->pkt->pkt.gpg_control->control
1785 == CTRLPKT_PLAINTEXT_MARK)))
1787 for (n_sig=0, n = n->next;
1788 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1796 log_error(_("can't handle this ambiguous signature data\n"));
1801 if (sig->signers_uid)
1802 write_status_buffer (STATUS_NEWSIG,
1803 sig->signers_uid, strlen (sig->signers_uid), 0);
1805 write_status_text (STATUS_NEWSIG, NULL);
1807 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1808 issuer_fpr = issuer_fpr_string (sig);
1812 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1813 log_info (_(" using %s key %s\n"),
1814 astr? astr: "?", issuer_fpr);
1817 else if (!keystrlen () || keystrlen () > 8)
1819 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1820 log_info (_(" using %s key %s\n"),
1821 astr? astr: "?", keystr(sig->keyid));
1823 else /* Legacy format. */
1824 log_info (_("Signature made %s using %s key ID %s\n"),
1825 asctimestamp(sig->timestamp), astr? astr: "?",
1826 keystr(sig->keyid));
1828 /* In verbose mode print the signers UID. */
1829 if (sig->signers_uid)
1830 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1832 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1834 /* If the key isn't found, check for a preferred keyserver. */
1835 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1841 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1843 /* According to my favorite copy editor, in English grammar,
1844 you say "at" if the key is located on a web page, but
1845 "from" if it is located on a keyserver. I'm not going to
1846 even try to make two strings here :) */
1847 log_info(_("Key available at: ") );
1848 print_utf8_buffer (log_get_stream(), p, n);
1851 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1852 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1854 struct keyserver_spec *spec;
1856 spec = parse_preferred_keyserver (sig);
1861 free_public_key (pk);
1863 glo_ctrl.in_auto_key_retrieve++;
1864 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
1865 glo_ctrl.in_auto_key_retrieve--;
1867 rc = do_check_sig (c, node, NULL,
1868 &is_expkey, &is_revkey, &pk);
1869 free_keyserver_spec (spec);
1878 /* If the avove methods didn't work, our next try is to use the URI
1879 * from a DNS PKA record. */
1880 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1881 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1882 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1884 const char *uri = pka_uri_from_sig (c, sig);
1888 /* FIXME: We might want to locate the key using the
1889 fingerprint instead of the keyid. */
1891 struct keyserver_spec *spec;
1893 spec = parse_keyserver_uri (uri, 1);
1896 free_public_key (pk);
1898 glo_ctrl.in_auto_key_retrieve++;
1899 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
1900 glo_ctrl.in_auto_key_retrieve--;
1901 free_keyserver_spec (spec);
1903 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1908 /* If the above methods didn't work, our next try is to locate
1909 * the key via its fingerprint from a keyserver. This requires
1910 * that the signers fingerprint is encoded in the signature. We
1911 * favor this over the WKD method (to be tried next), because an
1912 * arbitrary keyserver is less subject to web bug like monitoring. */
1913 tried_ks_by_fpr = 0;
1914 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1915 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1916 && keyserver_any_configured (c->ctrl))
1922 p = issuer_fpr_raw (sig, &n);
1925 /* v4 packet with a SHA-1 fingerprint. */
1926 free_public_key (pk);
1928 glo_ctrl.in_auto_key_retrieve++;
1929 res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver, 1);
1930 tried_ks_by_fpr = 1;
1931 glo_ctrl.in_auto_key_retrieve--;
1933 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1937 /* If the above methods didn't work, our next try is to retrieve the
1938 * key from the WKD. */
1939 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1940 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1941 && !opt.flags.disable_signer_uid
1942 && akl_has_wkd_method ()
1943 && sig->signers_uid)
1947 free_public_key (pk);
1949 glo_ctrl.in_auto_key_retrieve++;
1950 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
1951 glo_ctrl.in_auto_key_retrieve--;
1952 /* Fixme: If the fingerprint is embedded in the signature,
1953 * compare it to the fingerprint of the returned key. */
1955 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1958 /* If the above methods did't work, our next try is to use a
1960 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1961 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1963 && keyserver_any_configured (c->ctrl))
1967 free_public_key (pk);
1969 glo_ctrl.in_auto_key_retrieve++;
1970 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
1971 glo_ctrl.in_auto_key_retrieve--;
1973 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1976 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1978 kbnode_t un, keyblock;
1982 PKT_public_key *mainpk = NULL;
1985 statno = STATUS_BADSIG;
1986 else if (sig->flags.expired)
1987 statno = STATUS_EXPSIG;
1989 statno = STATUS_EXPKEYSIG;
1991 statno = STATUS_REVKEYSIG;
1993 statno = STATUS_GOODSIG;
1995 /* FIXME: We should have the public key in PK and thus the
1996 * keyblock has already been fetched. Thus we could use the
1997 * fingerprint or PK itself to lookup the entire keyblock. That
1998 * would best be done with a cache. */
1999 keyblock = get_pubkeyblock (c->ctrl, sig->keyid);
2001 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
2002 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2004 /* Find and print the primary user ID along with the
2005 "Good|Expired|Bad signature" line. */
2006 for (un=keyblock; un; un = un->next)
2010 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
2012 mainpk = un->pkt->pkt.public_key;
2015 if (un->pkt->pkttype != PKT_USER_ID)
2017 if (!un->pkt->pkt.user_id->created)
2019 if (un->pkt->pkt.user_id->flags.revoked)
2021 if (un->pkt->pkt.user_id->flags.expired)
2023 if (!un->pkt->pkt.user_id->flags.primary)
2025 /* We want the textual primary user ID here */
2026 if (un->pkt->pkt.user_id->attrib_data)
2029 log_assert (mainpk);
2031 /* Since this is just informational, don't actually ask the
2032 user to update any trust information. (Note: we register
2033 the signature later.) Because print_good_bad_signature
2034 does not print a LF we need to compute the validity
2035 before calling that function. */
2036 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2037 valid = get_validity (c->ctrl, keyblock, mainpk,
2038 un->pkt->pkt.user_id, NULL, 0);
2040 valid = 0; /* Not used. */
2042 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2044 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2046 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2047 log_printf (" [%s]\n",trust_value_to_string(valid));
2054 log_assert (mainpk);
2056 /* In case we did not found a valid textual userid above
2057 we print the first user id packet or a "[?]" instead along
2058 with the "Good|Expired|Bad signature" line. */
2061 /* Try for an invalid textual userid */
2062 for (un=keyblock; un; un = un->next)
2064 if (un->pkt->pkttype == PKT_USER_ID
2065 && !un->pkt->pkt.user_id->attrib_data)
2069 /* Try for any userid at all */
2072 for (un=keyblock; un; un = un->next)
2074 if (un->pkt->pkttype == PKT_USER_ID)
2079 if (opt.trust_model==TM_ALWAYS || !un)
2080 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2082 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2084 if (opt.trust_model != TM_ALWAYS && un)
2085 log_printf (" %s",_("[uncertain]") );
2089 /* If we have a good signature and already printed
2090 * the primary user ID, print all the other user IDs */
2093 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2096 for( un=keyblock; un; un = un->next)
2098 if (un->pkt->pkttype != PKT_USER_ID)
2100 if ((un->pkt->pkt.user_id->flags.revoked
2101 || un->pkt->pkt.user_id->flags.expired)
2102 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2104 /* Skip textual primary user ids which we printed above. */
2105 if (un->pkt->pkt.user_id->flags.primary
2106 && !un->pkt->pkt.user_id->attrib_data )
2109 /* If this user id has attribute data, print that. */
2110 if (un->pkt->pkt.user_id->attrib_data)
2112 dump_attribs (un->pkt->pkt.user_id, mainpk);
2114 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2115 show_photos (c->ctrl,
2116 un->pkt->pkt.user_id->attribs,
2117 un->pkt->pkt.user_id->numattribs,
2118 mainpk ,un->pkt->pkt.user_id);
2121 p = utf8_to_native (un->pkt->pkt.user_id->name,
2122 un->pkt->pkt.user_id->len, 0);
2123 log_info (_(" aka \"%s\""), p);
2126 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2130 if (un->pkt->pkt.user_id->flags.revoked)
2131 valid = _("revoked");
2132 else if (un->pkt->pkt.user_id->flags.expired)
2133 valid = _("expired");
2135 /* Since this is just informational, don't
2136 actually ask the user to update any trust
2138 valid = (trust_value_to_string
2139 (get_validity (c->ctrl, keyblock, mainpk,
2140 un->pkt->pkt.user_id, NULL, 0)));
2141 log_printf (" [%s]\n",valid);
2148 /* For good signatures print notation data. */
2151 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2152 show_policy_url (sig, 0, 1);
2154 show_policy_url (sig, 0, 2);
2156 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2157 show_keyserver_url (sig, 0, 1);
2159 show_keyserver_url (sig, 0, 2);
2161 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2164 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2165 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2167 show_notation (sig, 0, 2, 0);
2170 /* For good signatures print the VALIDSIG status line. */
2171 if (!rc && is_status_enabled () && pk)
2173 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2174 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2176 hexfingerprint (pk, pkhex, sizeof pkhex);
2177 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2179 /* TODO: Replace the reserved '0' in the field below with
2180 bits for status flags (policy url, notation, etc.). */
2181 write_status_printf (STATUS_VALIDSIG,
2182 "%s %s %lu %lu %d 0 %d %d %02X %s",
2184 strtimestamp (sig->timestamp),
2185 (ulong)sig->timestamp,
2186 (ulong)sig->expiredate,
2187 sig->version, sig->pubkey_algo,
2193 /* Print compliance warning for Good signatures. */
2194 if (!rc && pk && !opt.quiet
2195 && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
2196 pk->pkey, nbits_from_pk (pk), NULL))
2198 log_info (_("WARNING: This key is not suitable for signing"
2200 gnupg_compliance_option_string (opt.compliance));
2203 /* For good signatures compute and print the trust information.
2204 Note that in the Tofu trust model this may ask the user on
2205 how to resolve a conflict. */
2208 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2209 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2210 rc = check_signatures_trust (c->ctrl, sig);
2213 /* Print extra information about the signature. */
2214 if (sig->flags.expired)
2216 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2217 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2219 else if (sig->expiredate)
2220 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2224 char pkstrbuf[PUBKEY_STRING_SIZE];
2227 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2231 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2232 sig->sig_class==0x00?_("binary"):
2233 sig->sig_class==0x01?_("textmode"):_("unknown"),
2234 gcry_md_algo_name (sig->digest_algo),
2235 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2238 /* Print final warnings. */
2239 if (!rc && !c->signed_data.used)
2241 /* Signature is basically good but we test whether the
2243 gpg --verify FILE.sig
2245 gpg --verify FILE.sig FILE
2246 to verify a detached signature. If we figure out that a
2247 data file with a matching name exists, we print a warning.
2249 The problem is that the first form would also verify a
2250 standard signature. This behavior could be used to
2251 create a made up .sig file for a tarball by creating a
2252 standard signature from a valid detached signature packet
2253 (for example from a signed git tag). Then replace the
2254 sig file on the FTP server along with a changed tarball.
2255 Using the first form the verify command would correctly
2256 verify the signature but don't even consider the tarball. */
2260 dfile = get_matching_datafile (c->sigfilename);
2263 for (n = c->list; n; n = n->next)
2264 if (n->pkt->pkttype != PKT_SIGNATURE)
2268 /* Not only signature packets in the tree thus this
2269 is not a detached signature. */
2270 log_info (_("WARNING: not a detached signature; "
2271 "file '%s' was NOT verified!\n"), dfile);
2277 /* Compute compliance with CO_DE_VS. */
2278 if (pk && is_status_enabled ()
2279 && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
2280 nbits_from_pk (pk), NULL)
2281 && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2282 write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2283 gnupg_status_compliance_flag (CO_DE_VS),
2286 free_public_key (pk);
2288 release_kbnode( keyblock );
2290 g10_errors_seen = 1;
2291 if (opt.batch && rc)
2296 write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
2297 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2298 sig->pubkey_algo, sig->digest_algo,
2299 sig->sig_class, (ulong)sig->timestamp,
2301 issuer_fpr? issuer_fpr:"-");
2302 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2304 write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
2305 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2307 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2308 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2311 free_public_key (pk);
2318 * Process the tree which starts at node
2321 proc_tree (CTX c, kbnode_t node)
2326 if (opt.list_packets || opt.list_only)
2329 /* We must skip our special plaintext marker packets here because
2330 they may be the root packet. These packets are only used in
2331 additional checks and skipping them here doesn't matter. */
2333 && node->pkt->pkttype == PKT_GPG_CONTROL
2334 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2341 c->trustletter = ' ';
2342 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2343 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2345 merge_keys_and_selfsig (c->ctrl, node);
2346 list_node (c, node);
2348 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2350 merge_keys_and_selfsig (c->ctrl, node);
2351 list_node (c, node);
2353 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2355 /* Check all signatures. */
2358 int use_textmode = 0;
2360 free_md_filter_context (&c->mfx);
2361 /* Prepare to create all requested message digests. */
2362 rc = gcry_md_open (&c->mfx.md, 0, 0);
2366 /* Fixme: why looking for the signature packet and not the
2368 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2369 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2371 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2374 /* Ask for file and hash it. */
2377 if (c->signed_data.used && c->signed_data.data_fd != -1)
2378 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2379 c->signed_data.data_fd,
2382 rc = hash_datafiles (c->mfx.md, NULL,
2383 c->signed_data.data_names,
2389 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2390 iobuf_get_real_fname (c->iobuf),
2397 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2401 else if (c->signed_data.used)
2403 log_error (_("not a detached signature\n"));
2407 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2408 check_sig_and_print (c, n1);
2411 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2412 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2414 /* Clear text signed message. */
2417 log_error ("cleartext signature without data\n");
2420 else if (c->signed_data.used)
2422 log_error (_("not a detached signature\n"));
2426 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2427 check_sig_and_print (c, n1);
2430 else if (node->pkt->pkttype == PKT_SIGNATURE)
2432 PKT_signature *sig = node->pkt->pkt.signature;
2433 int multiple_ok = 1;
2435 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2438 byte class = sig->sig_class;
2439 byte hash = sig->digest_algo;
2441 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2443 /* We can't currently handle multiple signatures of
2444 * different classes (we'd pretty much have to run a
2445 * different hash context for each), but if they are all
2446 * the same and it is detached signature, we make an
2447 * exception. Note that the old code also disallowed
2448 * multiple signatures if the digest algorithms are
2449 * different. We softened this restriction only for
2450 * detached signatures, to be on the safe side. */
2451 if (n1->pkt->pkt.signature->sig_class != class
2453 && n1->pkt->pkt.signature->digest_algo != hash))
2456 log_info (_("WARNING: multiple signatures detected. "
2457 "Only the first will be checked.\n"));
2463 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2465 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2467 else if (!c->any.data)
2469 /* Detached signature */
2470 free_md_filter_context (&c->mfx);
2471 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2473 goto detached_hash_err;
2477 /* If we have and want to handle multiple signatures we
2478 * need to enable all hash algorithms for the context. */
2479 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2480 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2481 gcry_md_enable (c->mfx.md,
2482 map_md_openpgp_to_gcry
2483 (n1->pkt->pkt.signature->digest_algo));
2486 if (RFC2440 || RFC4880)
2487 ; /* Strict RFC mode. */
2488 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2489 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2490 && sig->sig_class == 0x01)
2492 /* Enable a workaround for a pgp5 bug when the detached
2493 * signature has been created in textmode. Note that we
2494 * do not implement this for multiple signatures with
2495 * different hash algorithms. */
2496 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2498 goto detached_hash_err;
2501 /* Here we used to have another hack to work around a pgp
2502 * 2 bug: It worked by not using the textmode for detached
2503 * signatures; this would let the first signature check
2504 * (on md) fail but the second one (on md2), which adds an
2505 * extra CR would then have produced the "correct" hash.
2506 * This is very, very ugly hack but it may haved help in
2507 * some cases (and break others).
2508 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2513 gcry_md_debug (c->mfx.md, "verify");
2515 gcry_md_debug (c->mfx.md2, "verify2");
2520 if (c->signed_data.used && c->signed_data.data_fd != -1)
2521 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2522 c->signed_data.data_fd,
2523 (sig->sig_class == 0x01));
2525 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2526 c->signed_data.data_names,
2528 (sig->sig_class == 0x01));
2532 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2533 iobuf_get_real_fname(c->iobuf),
2534 (sig->sig_class == 0x01));
2540 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2544 else if (c->signed_data.used)
2546 log_error (_("not a detached signature\n"));
2549 else if (!opt.quiet)
2550 log_info (_("old style (PGP 2.x) signature\n"));
2554 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2555 check_sig_and_print (c, n1);
2558 check_sig_and_print (c, node);
2563 dump_kbnode (c->list);
2564 log_error ("invalid root packet detected in proc_tree()\n");