1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
4 * Copyright (C) 2020 g10 Code GmbH
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
29 #include "../common/util.h"
31 #include "../common/iobuf.h"
36 #include "../common/status.h"
37 #include "../common/i18n.h"
39 #include "keyserver-internal.h"
41 #include "../common/mbox-util.h"
42 #include "call-dirmngr.h"
43 #include "../common/compliance.h"
45 /* Put an upper limit on nested packets. The 32 is an arbitrary
46 value, a much lower should actually be sufficient. */
47 #define MAX_NESTING_DEPTH 32
50 /* An object to build a list of keyid related info. */
53 struct kidlist_item *next;
59 /* An object to build a list of symkey packet info. */
62 struct symlist_item *next;
70 * Object to hold the processing context.
72 typedef struct mainproc_context *CTX;
73 struct mainproc_context
76 struct mainproc_context *anchor; /* May be useful in the future. */
77 PKT_public_key *last_pubkey;
78 PKT_user_id *last_user_id;
79 md_filter_context_t mfx;
80 int sigs_only; /* Process only signatures and reject all other stuff. */
81 int encrypt_only; /* Process only encryption messages. */
83 /* Name of the file with the complete signature or the file with the
84 detached signature. This is currently only used to deduce the
85 file name of the data file if that has not been given. */
86 const char *sigfilename;
88 /* A structure to describe the signed data in case of a detached
92 /* A file descriptor of the signed data. Only used if not -1. */
94 /* A list of filenames with the data files or NULL. This is only
95 used if DATA_FD is -1. */
97 /* Flag to indicated that either one of the next previous fields
98 is used. This is only needed for better readability. */
103 int last_was_session_key;
104 kbnode_t list; /* The current list of packets. */
105 iobuf_t iobuf; /* Used to get the filename etc. */
106 int trustletter; /* Temporary usage in list_node. */
107 ulong symkeys; /* Number of symmetrically encrypted session keys. */
108 struct kidlist_item *pkenc_list; /* List of encryption packets. */
109 struct symlist_item *symenc_list; /* List of sym. encryption packets. */
110 int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */
111 int seen_pkt_encrypted_mdc; /* PKT_ENCRYPTED_MDC packet seen. */
113 unsigned int sig_seen:1; /* Set to true if a signature packet
115 unsigned int data:1; /* Any data packet seen */
116 unsigned int uncompress_failed:1;
121 /* Counter with the number of literal data packets seen. Note that
122 * this is also bumped at the end of an encryption. This counter is
123 * used for a basic consistency check of a received PGP message. */
124 static int literals_seen;
127 /*** Local prototypes. ***/
128 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
129 static void list_node (CTX c, kbnode_t node);
130 static void proc_tree (CTX c, kbnode_t node);
135 /* Reset the literal data counter. This is required to setup a new
136 * decryption or verification context. */
138 reset_literals_seen(void)
145 release_list( CTX c )
147 proc_tree (c, c->list);
148 release_kbnode (c->list);
149 while (c->pkenc_list)
151 struct kidlist_item *tmp = c->pkenc_list->next;
152 xfree (c->pkenc_list);
155 c->pkenc_list = NULL;
156 while (c->symenc_list)
158 struct symlist_item *tmp = c->symenc_list->next;
159 xfree (c->symenc_list);
160 c->symenc_list = tmp;
162 c->symenc_list = NULL;
165 c->any.uncompress_failed = 0;
166 c->last_was_session_key = 0;
167 c->seen_pkt_encrypted_aead = 0;
168 c->seen_pkt_encrypted_mdc = 0;
175 add_onepass_sig (CTX c, PACKET *pkt)
179 if (c->list) /* Add another packet. */
180 add_kbnode (c->list, new_kbnode (pkt));
181 else /* Insert the first one. */
182 c->list = node = new_kbnode (pkt);
189 add_gpg_control (CTX c, PACKET *pkt)
191 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
193 /* New clear text signature.
194 * Process the last one and reset everything */
198 if (c->list) /* Add another packet. */
199 add_kbnode (c->list, new_kbnode (pkt));
200 else /* Insert the first one. */
201 c->list = new_kbnode (pkt);
208 add_user_id (CTX c, PACKET *pkt)
212 log_error ("orphaned user ID\n");
215 add_kbnode (c->list, new_kbnode (pkt));
221 add_subkey (CTX c, PACKET *pkt)
225 log_error ("subkey w/o mainkey\n");
228 add_kbnode (c->list, new_kbnode (pkt));
234 add_ring_trust (CTX c, PACKET *pkt)
238 log_error ("ring trust w/o key\n");
241 add_kbnode (c->list, new_kbnode (pkt));
247 add_signature (CTX c, PACKET *pkt)
252 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
254 /* This is the first signature for the following datafile.
255 * GPG does not write such packets; instead it always uses
256 * onepass-sig packets. The drawback of PGP's method
257 * of prepending the signature to the data is
258 * that it is not possible to make a signature from data read
259 * from stdin. (GPG is able to read PGP stuff anyway.) */
260 node = new_kbnode (pkt);
265 return 0; /* oops (invalid packet sequence)*/
266 else if (!c->list->pkt)
267 BUG(); /* so nicht */
269 /* Add a new signature node item at the end. */
270 node = new_kbnode (pkt);
271 add_kbnode (c->list, node);
278 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
282 enum gcry_cipher_modes ciphermode;
283 unsigned int noncelen, keylen;
287 err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen);
293 ciphermode = GCRY_CIPHER_MODE_CFB;
297 /* Check that the session key has a size of 16 to 32 bytes. */
298 if ((dek->use_aead && (slen < (noncelen + 16 + 16)
299 || slen > (noncelen + 32 + 16)))
300 || (!dek->use_aead && (slen < 17 || slen > 33)))
302 log_error ( _("weird size for an encrypted session key (%d)\n"),
304 return gpg_error (GPG_ERR_BAD_KEY);
307 err = openpgp_cipher_open (&hd, dek->algo, ciphermode, 1);
309 err = gcry_cipher_setkey (hd, dek->key, dek->keylen);
311 err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen);
319 ad[0] = (0xc0 | PKT_SYMKEY_ENC);
322 ad[3] = dek->use_aead;
323 err = gcry_cipher_authenticate (hd, ad, 4);
326 gcry_cipher_final (hd);
327 keylen = slen - noncelen - 16;
328 err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0);
331 err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16);
334 /* Now we replace the dek components with the real session key to
335 * decrypt the contents of the sequencing packet. */
336 if (keylen > DIM(dek->key))
338 err = gpg_error (GPG_ERR_TOO_LARGE);
341 dek->keylen = keylen;
342 memcpy (dek->key, seskey + noncelen, dek->keylen);
346 gcry_cipher_decrypt (hd, seskey, slen, NULL, 0);
348 /* Here we can only test whether the algo given in decrypted
349 * session key is a valid OpenPGP algo. With 11 defined
350 * symmetric algorithms we will miss 4.3% of wrong passphrases
351 * here. The actual checking is done later during bulk
352 * decryption; we can't bring this check forward easily. We
353 * need to use the GPG_ERR_CHECKSUM so that we won't run into
354 * the gnupg < 2.2 bug compatible case which would terminate the
355 * process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above)
356 * we will have a reliable test here. */
357 if (openpgp_cipher_test_algo (seskey[0])
358 || openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1)
360 err = gpg_error (GPG_ERR_CHECKSUM);
364 /* Now we replace the dek components with the real session key to
365 * decrypt the contents of the sequencing packet. */
367 if (keylen > DIM(dek->key))
369 err = gpg_error (GPG_ERR_TOO_LARGE);
372 dek->algo = seskey[0];
373 dek->keylen = slen-1;
374 memcpy (dek->key, seskey + 1, dek->keylen);
377 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
380 gcry_cipher_close (hd);
386 proc_symkey_enc (CTX c, PACKET *pkt)
391 enc = pkt->pkt.symkey_enc;
393 log_error ("invalid symkey encrypted packet\n");
396 int algo = enc->cipher_algo;
397 const char *s = openpgp_cipher_algo_name (algo);
398 const char *a = (enc->aead_algo ? openpgp_aead_algo_name (enc->aead_algo)
401 if (!openpgp_cipher_test_algo (algo))
405 /* Note: TMPSTR is only used to avoid i18n changes. */
406 char *tmpstr = xstrconcat (s, ".", a, NULL);
408 log_info (_("%s encrypted session key\n"), tmpstr);
410 log_info (_("%s encrypted data\n"), tmpstr);
416 log_error (_("encrypted with unknown algorithm %d\n"), algo);
417 s = NULL; /* Force a goto leave. */
420 if (openpgp_md_test_algo (enc->s2k.hash_algo))
422 log_error(_("passphrase generated with unknown digest"
423 " algorithm %d\n"),enc->s2k.hash_algo);
427 c->last_was_session_key = 2;
428 if (!s || opt.list_only)
431 if (opt.override_session_key)
433 c->dek = xmalloc_clear (sizeof *c->dek);
434 if (get_override_session_key (c->dek, opt.override_session_key))
442 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL,
443 GETPASSWORD_FLAG_SYMDECRYPT, NULL);
446 c->dek->symmetric = 1;
447 c->dek->use_aead = enc->aead_algo;
449 /* FIXME: This doesn't work perfectly if a symmetric key
450 comes before a public key in the message - if the
451 user doesn't know the passphrase, then there is a
452 chance that the "decrypted" algorithm will happen to
453 be a valid one, which will make the returned dek
454 appear valid, so we won't try any public keys that
458 err = symkey_decrypt_seskey (c->dek,
459 enc->seskey, enc->seskeylen);
462 log_info ("decryption of the symmetrically encrypted"
463 " session key failed: %s\n",
465 if (gpg_err_code (err) != GPG_ERR_BAD_KEY
466 && gpg_err_code (err) != GPG_ERR_CHECKSUM)
467 log_fatal ("process terminated to be bug compatible\n");
469 write_status_text (STATUS_ERROR,
470 "symkey_decrypt.maybe_error"
471 " 11_BAD_PASSPHRASE");
473 if (c->dek->s2k_cacheid[0])
476 log_debug ("cleared passphrase cached with ID:"
477 " %s\n", c->dek->s2k_cacheid);
478 passphrase_clear_cache (c->dek->s2k_cacheid);
485 c->dek->algo_info_printed = 1;
491 /* Record infos from the packet. */
493 struct symlist_item *symitem;
494 symitem = xcalloc (1, sizeof *symitem);
497 symitem->cipher_algo = enc->cipher_algo;
498 symitem->cfb_mode = !enc->aead_algo;
501 symitem->other_error = 1;
502 symitem->next = c->symenc_list;
503 c->symenc_list = symitem;
506 free_packet (pkt, NULL);
511 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
516 /* Check whether the secret key is available and store in this case. */
517 c->last_was_session_key = 1;
518 enc = pkt->pkt.pubkey_enc;
519 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
520 /* Hmmm: why do I have this algo check here - anyway there is
521 * function to check it. */
523 log_info (_("public key is %s\n"), keystr (enc->keyid));
525 if (is_status_enabled())
528 /* FIXME: For ECC support we need to map the OpenPGP algo number
529 to the Libgcrypt defined one. This is due a chicken-egg
530 problem: We need to have code in Libgcrypt for a new
531 algorithm so to implement a proposed new algorithm before the
532 IANA will finally assign an OpenPGP identifier. */
533 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
534 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
535 write_status_text (STATUS_ENC_TO, buf);
538 if (!opt.list_only && opt.override_session_key)
540 /* It does not make much sense to store the session key in
541 * secure memory because it has already been passed on the
542 * command line and the GCHQ knows about it. */
543 c->dek = xmalloc_clear (sizeof *c->dek);
544 result = get_override_session_key (c->dek, opt.override_session_key);
551 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
552 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
553 || enc->pubkey_algo == PUBKEY_ALGO_RSA
554 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
555 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
557 /* Note that we also allow type 20 Elgamal keys for decryption.
558 There are still a couple of those keys in active use as a
561 /* FIXME: Store this all in a list and process it later so that
562 we can prioritize what key to use. This gives a better user
563 experience if wildcard keyids are used. */
564 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
565 || opt.try_all_secrets
566 || have_secret_key_with_kid (enc->keyid)))
569 result = GPG_ERR_MISSING_ACTION; /* fixme: Use better error code. */
572 c->dek = xmalloc_secure_clear (sizeof *c->dek);
573 if ((result = get_session_key (ctrl, enc, c->dek)))
575 /* Error: Delete the DEK. */
582 result = GPG_ERR_NO_SECKEY;
585 result = GPG_ERR_PUBKEY_ALGO;
589 /* Store it for later display. */
590 struct kidlist_item *x = xmalloc (sizeof *x);
591 x->kid[0] = enc->keyid[0];
592 x->kid[1] = enc->keyid[1];
593 x->pubkey_algo = enc->pubkey_algo;
595 x->next = c->pkenc_list;
598 if (!result && opt.verbose > 1)
599 log_info (_("public key encrypted data: good DEK\n"));
602 free_packet(pkt, NULL);
607 * Print the list of public key encrypted packets which we could
611 print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
613 for (; list; list = list->next)
618 if (failed && !list->reason)
620 if (!failed && list->reason)
623 algstr = openpgp_pk_algo_name (list->pubkey_algo);
624 pk = xmalloc_clear (sizeof *pk);
628 pk->pubkey_algo = list->pubkey_algo;
629 if (!get_pubkey (ctrl, pk, list->kid))
632 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
633 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
634 strtimestamp (pk->timestamp));
635 p = get_user_id_native (ctrl, list->kid);
636 log_printf (_(" \"%s\"\n"), p);
640 log_info (_("encrypted with %s key, ID %s\n"),
641 algstr, keystr(list->kid));
643 free_public_key (pk);
645 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
647 if (is_status_enabled())
650 snprintf (buf, sizeof buf, "%08lX%08lX",
651 (ulong)list->kid[0], (ulong)list->kid[1]);
652 write_status_text (STATUS_NO_SECKEY, buf);
655 else if (gpg_err_code (list->reason) == GPG_ERR_MISSING_ACTION)
657 /* Not tested for secret key due to --list-only mode. */
659 else if (list->reason)
661 log_info (_("public key decryption failed: %s\n"),
662 gpg_strerror (list->reason));
663 if (gpg_err_source (list->reason) == GPG_ERR_SOURCE_SCD
664 && gpg_err_code (list->reason) == GPG_ERR_INV_ID)
665 print_further_info ("a reason might be a card with replaced keys");
666 write_status_error ("pkdecrypt_failed", list->reason);
673 proc_encrypted (CTX c, PACKET *pkt)
676 int early_plaintext = literals_seen;
677 unsigned int compliance_de_vs = 0;
679 if (pkt->pkttype == PKT_ENCRYPTED_AEAD)
680 c->seen_pkt_encrypted_aead = 1;
681 if (pkt->pkttype == PKT_ENCRYPTED_MDC)
682 c->seen_pkt_encrypted_mdc = 1;
686 log_info (_("WARNING: multiple plaintexts seen\n"));
687 write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA);
688 /* We fail only later so that we can print some more info first. */
694 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
695 else if (c->symkeys == 1)
696 log_info (_("encrypted with 1 passphrase\n"));
697 print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
698 print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
701 /* FIXME: Figure out the session key by looking at all pkenc packets. */
703 write_status (STATUS_BEGIN_DECRYPTION);
705 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
708 else if (!c->dek && !c->last_was_session_key)
712 STRING2KEY *s2k = NULL;
715 if (opt.override_session_key)
717 c->dek = xmalloc_clear (sizeof *c->dek);
718 result = get_override_session_key (c->dek, opt.override_session_key);
727 /* Assume this is old style conventional encrypted data. */
728 algo = opt.def_cipher_algo;
730 log_info (_("assuming %s encrypted data\n"),
731 openpgp_cipher_algo_name (algo));
732 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
734 algo = opt.def_cipher_algo;
736 algo = opt.s2k_cipher_algo;
737 log_info (_("IDEA cipher unavailable, "
738 "optimistically attempting to use %s instead\n"),
739 openpgp_cipher_algo_name (algo));
743 algo = CIPHER_ALGO_IDEA;
744 if (!opt.s2k_digest_algo)
746 /* If no digest is given we assume SHA-1. */
748 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
751 log_info (_("assuming %s encrypted data\n"), "IDEA");
754 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL,
755 GETPASSWORD_FLAG_SYMDECRYPT, &canceled);
757 c->dek->algo_info_printed = 1;
759 result = gpg_error (GPG_ERR_CANCELED);
761 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
765 result = GPG_ERR_NO_SECKEY;
767 /* Compute compliance with CO_DE_VS. */
768 if (!result && is_status_enabled ()
769 /* Overriding session key voids compliance. */
770 && !opt.override_session_key
771 /* Check symmetric cipher. */
772 && gnupg_gcrypt_is_compliant (CO_DE_VS)
773 && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
774 GCRY_CIPHER_MODE_CFB))
776 struct kidlist_item *i;
777 struct symlist_item *si;
779 PKT_public_key *pk = xmalloc (sizeof *pk);
781 if ( !(c->pkenc_list || c->symkeys) )
782 log_debug ("%s: where else did the session key come from?\n", __func__);
784 /* Check that all seen symmetric key packets use compliant
785 * algos. This is so that no non-compliant encrypted session
786 * key can be sneaked in. */
787 for (si = c->symenc_list; si && compliant; si = si->next)
790 || !gnupg_cipher_is_compliant (CO_DE_VS, si->cipher_algo,
791 GCRY_CIPHER_MODE_CFB))
795 /* Check that every public key used to encrypt the session key
797 for (i = c->pkenc_list; i && compliant; i = i->next)
799 memset (pk, 0, sizeof *pk);
800 pk->pubkey_algo = i->pubkey_algo;
801 if (get_pubkey (c->ctrl, pk, i->kid) != 0
802 || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0,
803 pk->pkey, nbits_from_pk (pk), NULL))
805 release_public_key_parts (pk);
811 compliance_de_vs |= 1;
818 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek,
820 if (!result && !compl_error)
821 compliance_de_vs |= 2;
824 /* Trigger the deferred error. */
825 if (!result && early_plaintext)
826 result = gpg_error (GPG_ERR_BAD_DATA);
831 && !opt.ignore_mdc_error
832 && !pkt->pkt.encrypted->mdc_method
833 && !pkt->pkt.encrypted->aead_algo)
835 /* The message has been decrypted but does not carry an MDC.
836 * The option --ignore-mdc-error has also not been used. To
837 * avoid attacks changing an MDC message to a non-MDC message,
839 log_error (_("WARNING: message was not integrity protected\n"));
840 if (!pkt->pkt.encrypted->mdc_method
841 && (openpgp_cipher_get_algo_blklen (c->dek->algo) == 8
842 || c->dek->algo == CIPHER_ALGO_TWOFISH))
844 /* Before 2.2.8 we did not fail hard for a missing MDC if
845 * one of the old ciphers where used. Although these cases
846 * are rare in practice we print a hint on how to decrypt
850 _("Hint: If this message was created before the year 2003 it is\n"
851 "likely that this message is legitimate. This is because back\n"
852 "then integrity protection was not widely used.\n"));
853 log_info (_("Use the option '%s' to decrypt anyway.\n"),
854 "--ignore-mdc-error");
855 write_status_errcode ("nomdc_with_legacy_cipher",
856 GPG_ERR_DECRYPT_FAILED);
858 log_info (_("decryption forced to fail!\n"));
859 write_status (STATUS_DECRYPTION_FAILED);
861 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
862 && !pkt->pkt.encrypted->aead_algo
863 && opt.ignore_mdc_error))
865 /* All is fine or for an MDC message the MDC failed but the
866 * --ignore-mdc-error option is active. For compatibility
867 * reasons we issue GOODMDC also for AEAD messages. */
868 write_status (STATUS_DECRYPTION_OKAY);
870 log_info(_("decryption okay\n"));
872 if (pkt->pkt.encrypted->aead_algo)
874 write_status (STATUS_GOODMDC);
875 compliance_de_vs |= 4;
877 else if (pkt->pkt.encrypted->mdc_method && !result)
879 write_status (STATUS_GOODMDC);
880 compliance_de_vs |= 4;
883 log_info (_("WARNING: message was not integrity protected\n"));
885 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
886 || gpg_err_code (result) == GPG_ERR_TRUNCATED)
888 glo_ctrl.lasterr = result;
889 log_error (_("WARNING: encrypted message has been manipulated!\n"));
890 write_status (STATUS_BADMDC);
891 write_status (STATUS_DECRYPTION_FAILED);
895 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
896 || gpg_err_code (result) == GPG_ERR_CHECKSUM
897 || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
900 write_status_text (STATUS_ERROR,
901 "symkey_decrypt.maybe_error"
902 " 11_BAD_PASSPHRASE");
904 if (*c->dek->s2k_cacheid != '\0')
907 log_debug ("cleared passphrase cached with ID: %s\n",
908 c->dek->s2k_cacheid);
909 passphrase_clear_cache (c->dek->s2k_cacheid);
912 glo_ctrl.lasterr = result;
913 write_status (STATUS_DECRYPTION_FAILED);
914 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
915 /* Hmmm: does this work when we have encrypted using multiple
916 * ways to specify the session key (symmmetric and PK). */
920 /* If we concluded that the decryption was compliant, issue a
921 * compliance status before the end of the decryption status. */
922 if (compliance_de_vs == (4|2|1))
924 write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
925 gnupg_status_compliance_flag (CO_DE_VS),
931 free_packet (pkt, NULL);
932 c->last_was_session_key = 0;
933 write_status (STATUS_END_DECRYPTION);
935 /* Bump the counter even if we have not seen a literal data packet
936 * inside an encryption container. This acts as a sentinel in case
937 * a misplace extra literal data packets follows after this
938 * encrypted packet. */
941 /* The --require-compliance option allows to simplify decryption in
942 * de-vs compliance mode by just looking at the exit status. */
943 if (opt.flags.require_compliance
944 && opt.compliance == CO_DE_VS
945 && compliance_de_vs != (4|2|1))
947 log_error (_("operation forced to fail due to"
948 " unfulfilled compliance rules\n"));
955 have_seen_pkt_encrypted_aead_or_mdc( CTX c )
959 for (cc = c; cc; cc = cc->anchor)
961 if (cc->seen_pkt_encrypted_aead)
963 if (cc->seen_pkt_encrypted_mdc)
972 proc_plaintext( CTX c, PACKET *pkt )
974 PKT_plaintext *pt = pkt->pkt.plaintext;
975 int any, clearsig, rc;
978 /* This is a literal data packet. Bumb a counter for later checks. */
981 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
982 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
983 else if (opt.verbose)
985 /* We don't use print_utf8_buffer because that would require a
986 * string change which we don't want in 2.2. It is also not
987 * clear whether the filename is always utf-8 encoded. */
988 char *tmp = make_printable_string (pt->name, pt->namelen, 0);
989 log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
993 free_md_filter_context (&c->mfx);
994 if (gcry_md_open (&c->mfx.md, 0, 0))
996 /* fixme: we may need to push the textfilter if we have sigclass 1
997 * and no armoring - Not yet tested
998 * Hmmm, why don't we need it at all if we have sigclass 1
999 * Should we assume that plaintext in mode 't' has always sigclass 1??
1000 * See: Russ Allbery's mail 1999-02-09
1003 for (n=c->list; n; n = n->next )
1005 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1007 /* The onepass signature case. */
1008 if (n->pkt->pkt.onepass_sig->digest_algo)
1010 if (!opt.skip_verify)
1011 gcry_md_enable (c->mfx.md,
1012 n->pkt->pkt.onepass_sig->digest_algo);
1017 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1018 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
1020 /* The clearsigned message case. */
1021 size_t datalen = n->pkt->pkt.gpg_control->datalen;
1022 const byte *data = n->pkt->pkt.gpg_control->data;
1024 /* Check that we have at least the sigclass and one hash. */
1026 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
1027 /* Note that we don't set the clearsig flag for not-dash-escaped
1029 clearsig = (*data == 0x01);
1030 for (data++, datalen--; datalen; datalen--, data++)
1031 if (!opt.skip_verify)
1032 gcry_md_enable (c->mfx.md, *data);
1034 break; /* Stop here as one-pass signature packets are not
1037 else if (n->pkt->pkttype == PKT_SIGNATURE)
1039 /* The SIG+LITERAL case that PGP used to use. */
1040 if (!opt.skip_verify)
1041 gcry_md_enable (c->mfx.md, n->pkt->pkt.signature->digest_algo);
1046 if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead_or_mdc(c))
1048 /* This is for the old GPG LITERAL+SIG case. It's not legal
1049 according to 2440, so hopefully it won't come up that often.
1050 There is no good way to specify what algorithms to use in
1051 that case, so these there are the historical answer. */
1052 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
1053 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
1057 gcry_md_debug (c->mfx.md, "verify");
1059 gcry_md_debug (c->mfx.md2, "verify2");
1064 if (literals_seen > 1)
1066 log_info (_("WARNING: multiple plaintexts seen\n"));
1068 if (!opt.flags.allow_multiple_messages)
1070 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
1071 log_inc_errorcount ();
1072 rc = gpg_error (GPG_ERR_UNEXPECTED);
1078 /* It we are in --verify mode, we do not want to output the
1079 * signed text. However, if --output is also used we do what
1080 * has been requested and write out the signed data. */
1081 rc = handle_plaintext (pt, &c->mfx,
1082 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
1084 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
1086 /* Can't write output but we hash it anyway to check the
1088 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
1093 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
1095 free_packet (pkt, NULL);
1096 c->last_was_session_key = 0;
1098 /* We add a marker control packet instead of the plaintext packet.
1099 * This is so that we can later detect invalid packet sequences. */
1100 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
1102 add_kbnode (c->list, n);
1109 proc_compressed_cb (iobuf_t a, void *info)
1111 if ( ((CTX)info)->signed_data.used
1112 && ((CTX)info)->signed_data.data_fd != -1)
1113 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
1114 ((CTX)info)->signed_data.data_fd);
1116 return proc_signature_packets (((CTX)info)->ctrl, info, a,
1117 ((CTX)info)->signed_data.data_names,
1118 ((CTX)info)->sigfilename );
1123 proc_encrypt_cb (iobuf_t a, void *info )
1126 return proc_encryption_packets (c->ctrl, info, a );
1131 proc_compressed (CTX c, PACKET *pkt)
1133 PKT_compressed *zd = pkt->pkt.compressed;
1136 /*printf("zip: compressed data packet\n");*/
1138 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
1139 else if( c->encrypt_only )
1140 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
1142 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
1144 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
1146 if (!c->any.uncompress_failed)
1150 for (cc=c; cc; cc = cc->anchor)
1151 cc->any.uncompress_failed = 1;
1152 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1156 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1158 free_packet (pkt, NULL);
1159 c->last_was_session_key = 0;
1165 * Check the signature. If R_PK is not NULL a copy of the public key
1166 * used to verify the signature will be stored there, or NULL if not
1167 * found. If FORCED_PK is not NULL, this public key is used to verify
1168 * _data signatures_ and no key lookup is done. Returns: 0 = valid
1169 * signature or an error code
1172 do_check_sig (CTX c, kbnode_t node,
1173 PKT_public_key *forced_pk, int *is_selfsig,
1174 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
1177 gcry_md_hd_t md = NULL;
1178 gcry_md_hd_t md2 = NULL;
1179 gcry_md_hd_t md_good = NULL;
1185 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
1188 sig = node->pkt->pkt.signature;
1190 algo = sig->digest_algo;
1191 rc = openpgp_md_test_algo (algo);
1195 if (sig->sig_class == 0x00)
1199 if (gcry_md_copy (&md, c->mfx.md ))
1202 else /* detached signature */
1204 /* check_signature() will enable the md. */
1205 if (gcry_md_open (&md, 0, 0 ))
1209 else if (sig->sig_class == 0x01)
1211 /* How do we know that we have to hash the (already hashed) text
1212 in canonical mode ??? (calculating both modes???) */
1215 if (gcry_md_copy (&md, c->mfx.md ))
1217 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
1220 else /* detached signature */
1222 log_debug ("Do we really need this here?");
1223 /* check_signature() will enable the md*/
1224 if (gcry_md_open (&md, 0, 0 ))
1226 if (gcry_md_open (&md2, 0, 0 ))
1230 else if ((sig->sig_class&~3) == 0x10
1231 || sig->sig_class == 0x18
1232 || sig->sig_class == 0x1f
1233 || sig->sig_class == 0x20
1234 || sig->sig_class == 0x28
1235 || sig->sig_class == 0x30)
1237 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1238 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1240 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
1242 else if (sig->sig_class == 0x20)
1244 log_error (_("standalone revocation - "
1245 "use \"gpg --import\" to apply\n"));
1246 return GPG_ERR_NOT_PROCESSED;
1250 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
1251 return GPG_ERR_SIG_CLASS;
1255 return GPG_ERR_SIG_CLASS;
1257 /* We only get here if we are checking the signature of a binary
1258 (0x00) or text document (0x01). */
1259 rc = check_signature2 (c->ctrl, sig, md,
1261 NULL, is_expkey, is_revkey, r_pk);
1264 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
1266 PKT_public_key *pk2;
1268 rc = check_signature2 (c->ctrl, sig, md2,
1270 NULL, is_expkey, is_revkey,
1277 free_public_key (*r_pk);
1285 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1286 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1287 memcpy (sig->digest, buffer, sig->digest_len);
1291 gcry_md_close (md2);
1298 print_userid (PACKET *pkt)
1303 if (pkt->pkttype != PKT_USER_ID)
1305 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1308 if (opt.with_colons)
1310 if (pkt->pkt.user_id->attrib_data)
1312 pkt->pkt.user_id->numattribs,
1313 pkt->pkt.user_id->attrib_len);
1315 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1316 pkt->pkt.user_id->len, ":", NULL);
1319 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1320 pkt->pkt.user_id->len );
1325 * List the keyblock in a user friendly way
1328 list_node (CTX c, kbnode_t node)
1332 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1333 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1335 PKT_public_key *pk = node->pkt->pkt.public_key;
1337 if (opt.with_colons)
1341 keyid_from_pk( pk, keyid );
1342 if (pk->flags.primary)
1343 c->trustletter = (opt.fast_list_mode
1347 node->pkt->pkttype == PKT_PUBLIC_KEY
1350 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1352 es_putc (c->trustletter, es_stdout);
1353 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1354 nbits_from_pk( pk ),
1356 (ulong)keyid[0],(ulong)keyid[1],
1357 colon_datestr_from_pk( pk ),
1358 colon_strtime (pk->expiredate) );
1359 if (pk->flags.primary && !opt.fast_list_mode)
1360 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1361 es_putc (':', es_stdout);
1362 es_putc ('\n', es_stdout);
1366 print_key_line (c->ctrl, es_stdout, pk, 0);
1369 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1370 ; /* Already printed. */
1371 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1372 print_fingerprint (c->ctrl, NULL, pk, 0);
1374 if (pk->flags.primary)
1376 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1378 /* Now list all userids with their signatures. */
1379 for (node = node->next; node; node = node->next)
1381 if (node->pkt->pkttype == PKT_SIGNATURE)
1383 list_node (c, node );
1385 else if (node->pkt->pkttype == PKT_USER_ID)
1387 if (opt.with_colons)
1388 es_printf ("%s:::::::::",
1389 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1391 es_printf ("uid%*s",
1392 kl + (opt.legacy_list_mode? 9:11),
1394 print_userid (node->pkt);
1395 if (opt.with_colons)
1396 es_putc (':', es_stdout);
1397 es_putc ('\n', es_stdout);
1399 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1401 list_node(c, node );
1406 else if (node->pkt->pkttype == PKT_SECRET_KEY
1407 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1410 log_debug ("FIXME: No way to print secret key packets here\n");
1411 /* fixme: We may use a function to turn a secret key packet into
1412 a public key one and use that here. */
1414 else if (node->pkt->pkttype == PKT_SIGNATURE)
1416 PKT_signature *sig = node->pkt->pkt.signature;
1426 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1427 es_fputs ("rev", es_stdout);
1429 es_fputs ("sig", es_stdout);
1433 rc2 = do_check_sig (c, node, NULL, &is_selfsig, NULL, NULL, NULL);
1434 switch (gpg_err_code (rc2))
1436 case 0: sigrc = '!'; break;
1437 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1438 case GPG_ERR_NO_PUBKEY:
1439 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1440 default: sigrc = '%'; break;
1443 else /* Check whether this is a self signature. */
1447 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1448 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1450 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1452 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1457 if (opt.with_colons)
1459 es_putc (':', es_stdout);
1461 es_putc (sigrc, es_stdout);
1462 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1463 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1464 colon_datestr_from_sig (sig),
1465 colon_expirestr_from_sig (sig));
1467 if (sig->trust_depth || sig->trust_value)
1468 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1469 es_putc (':', es_stdout);
1471 if (sig->trust_regexp)
1472 es_write_sanitized (es_stdout, sig->trust_regexp,
1473 strlen (sig->trust_regexp), ":", NULL);
1474 es_putc (':', es_stdout);
1477 es_printf ("%c %s %s ",
1478 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1480 es_printf ("[%s] ", gpg_strerror (rc2) );
1481 else if (sigrc == '?')
1483 else if (is_selfsig)
1485 if (opt.with_colons)
1486 es_putc (':', es_stdout);
1487 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1488 if (opt.with_colons)
1489 es_putc (':', es_stdout);
1491 else if (!opt.fast_list_mode)
1493 p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
1494 es_write_sanitized (es_stdout, p, n,
1495 opt.with_colons?":":NULL, NULL );
1498 if (opt.with_colons)
1499 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1500 es_putc ('\n', es_stdout);
1503 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1508 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1511 CTX c = xmalloc_clear (sizeof *c);
1515 rc = do_proc_packets (ctrl, c, a);
1523 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1524 strlist_t signedfiles, const char *sigfilename )
1526 CTX c = xmalloc_clear (sizeof *c);
1533 c->signed_data.data_fd = -1;
1534 c->signed_data.data_names = signedfiles;
1535 c->signed_data.used = !!signedfiles;
1537 c->sigfilename = sigfilename;
1538 rc = do_proc_packets (ctrl, c, a);
1540 /* If we have not encountered any signature we print an error
1541 messages, send a NODATA status back and return an error code.
1542 Using log_error is required because verify_files does not check
1543 error codes for each file but we want to terminate the process
1545 if (!rc && !c->any.sig_seen)
1547 write_status_text (STATUS_NODATA, "4");
1548 log_error (_("no signature found\n"));
1549 rc = GPG_ERR_NO_DATA;
1552 /* Propagate the signature seen flag upward. Do this only on success
1553 so that we won't issue the nodata status several times. */
1554 if (!rc && c->anchor && c->any.sig_seen)
1555 c->anchor->any.sig_seen = 1;
1563 proc_signature_packets_by_fd (ctrl_t ctrl,
1564 void *anchor, iobuf_t a, int signed_data_fd )
1569 c = xtrycalloc (1, sizeof *c);
1571 return gpg_error_from_syserror ();
1577 c->signed_data.data_fd = signed_data_fd;
1578 c->signed_data.data_names = NULL;
1579 c->signed_data.used = (signed_data_fd != -1);
1581 rc = do_proc_packets (ctrl, c, a);
1583 /* If we have not encountered any signature we print an error
1584 messages, send a NODATA status back and return an error code.
1585 Using log_error is required because verify_files does not check
1586 error codes for each file but we want to terminate the process
1588 if (!rc && !c->any.sig_seen)
1590 write_status_text (STATUS_NODATA, "4");
1591 log_error (_("no signature found\n"));
1592 rc = gpg_error (GPG_ERR_NO_DATA);
1595 /* Propagate the signature seen flag upward. Do this only on success
1596 so that we won't issue the nodata status several times. */
1597 if (!rc && c->anchor && c->any.sig_seen)
1598 c->anchor->any.sig_seen = 1;
1606 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1608 CTX c = xmalloc_clear (sizeof *c);
1613 c->encrypt_only = 1;
1614 rc = do_proc_packets (ctrl, c, a);
1621 check_nesting (CTX c)
1625 for (level=0; c; c = c->anchor)
1628 if (level > MAX_NESTING_DEPTH)
1630 log_error ("input data with too deeply nested packets\n");
1631 write_status_text (STATUS_UNEXPECTED, "1");
1632 return GPG_ERR_BAD_DATA;
1640 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1643 struct parse_packet_ctx_s parsectx;
1648 rc = check_nesting (c);
1652 pkt = xmalloc( sizeof *pkt );
1655 init_parse_packet (&parsectx, a);
1656 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1661 free_packet (pkt, &parsectx);
1662 /* Stop processing when an invalid packet has been encountered
1663 * but don't do so when we are doing a --list-packets. */
1664 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1665 && opt.list_packets == 0)
1670 if (opt.list_packets)
1672 switch (pkt->pkttype)
1674 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1675 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1677 case PKT_ENCRYPTED_MDC:
1678 case PKT_ENCRYPTED_AEAD:proc_encrypted (c, pkt); break;
1679 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1680 default: newpkt = 0; break;
1683 else if (c->sigs_only)
1685 switch (pkt->pkttype)
1687 case PKT_PUBLIC_KEY:
1688 case PKT_SECRET_KEY:
1690 case PKT_SYMKEY_ENC:
1691 case PKT_PUBKEY_ENC:
1693 case PKT_ENCRYPTED_MDC:
1694 case PKT_ENCRYPTED_AEAD:
1695 write_status_text( STATUS_UNEXPECTED, "0" );
1696 rc = GPG_ERR_UNEXPECTED;
1699 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1700 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1701 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1702 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1703 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1704 default: newpkt = 0; break;
1707 else if (c->encrypt_only)
1709 switch (pkt->pkttype)
1711 case PKT_PUBLIC_KEY:
1712 case PKT_SECRET_KEY:
1714 write_status_text (STATUS_UNEXPECTED, "0");
1715 rc = GPG_ERR_UNEXPECTED;
1718 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1719 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1720 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1722 case PKT_ENCRYPTED_MDC:
1723 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1724 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1725 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1726 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1727 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1728 default: newpkt = 0; break;
1733 switch (pkt->pkttype)
1735 case PKT_PUBLIC_KEY:
1736 case PKT_SECRET_KEY:
1738 c->list = new_kbnode (pkt);
1741 case PKT_PUBLIC_SUBKEY:
1742 case PKT_SECRET_SUBKEY:
1743 newpkt = add_subkey (c, pkt);
1745 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1746 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1747 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1748 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1750 case PKT_ENCRYPTED_MDC:
1751 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1752 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1753 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1754 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1755 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1756 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1757 default: newpkt = 0; break;
1764 /* This is a very ugly construct and frankly, I don't remember why
1765 * I used it. Adding the MDC check here is a hack.
1766 * The right solution is to initiate another context for encrypted
1767 * packet and not to reuse the current one ... It works right
1768 * when there is a compression packet between which adds just
1770 * Hmmm: Rewrite this whole module here??
1772 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1773 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1779 pkt = xmalloc (sizeof *pkt);
1783 free_packet (pkt, &parsectx);
1786 if (rc == GPG_ERR_INV_PACKET)
1787 write_status_text (STATUS_NODATA, "3");
1792 write_status_text (STATUS_NODATA, "2");
1798 free_packet (pkt, &parsectx);
1799 deinit_parse_packet (&parsectx);
1801 free_md_filter_context (&c->mfx);
1806 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1807 of the notation data. */
1809 get_pka_address (PKT_signature *sig)
1811 pka_info_t *pka = NULL;
1812 struct notation *nd,*notation;
1814 notation=sig_to_notation(sig);
1816 for(nd=notation;nd;nd=nd->next)
1818 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1819 continue; /* Not the notation we want. */
1821 /* For now we only use the first valid PKA notation. In future
1822 we might want to keep additional PKA notations in a linked
1824 if (is_valid_mailbox (nd->value))
1826 pka = xmalloc (sizeof *pka + strlen(nd->value));
1830 strcpy (pka->email, nd->value);
1835 free_notation(notation);
1841 /* Return the URI from a DNS PKA record. If this record has already
1842 be retrieved for the signature we merely return it; if not we go
1843 out and try to get that DNS record. */
1845 pka_uri_from_sig (CTX c, PKT_signature *sig)
1847 if (!sig->flags.pka_tried)
1849 log_assert (!sig->pka_info);
1850 sig->flags.pka_tried = 1;
1851 sig->pka_info = get_pka_address (sig);
1858 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1859 &fpr, &fprlen, &url))
1861 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1863 memcpy (sig->pka_info->fpr, fpr, fprlen);
1866 sig->pka_info->valid = 1;
1870 sig->pka_info->uri = url;
1879 return sig->pka_info? sig->pka_info->uri : NULL;
1883 /* Return true if the AKL has the WKD method specified. */
1885 akl_has_wkd_method (void)
1889 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1890 if (akl->type == AKL_WKD)
1896 /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
1897 * Returns NULL if not available. The returned buffer is valid as
1898 * long as SIG is not modified. */
1900 issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
1905 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1906 if (p && n == 21 && p[0] == 4)
1916 /* Return the ISSUER fingerprint string in human readable format if
1917 * available. Caller must release the string. */
1918 /* FIXME: Move to another file. */
1920 issuer_fpr_string (PKT_signature *sig)
1925 p = issuer_fpr_raw (sig, &n);
1926 return p? bin2hex (p, n, NULL) : NULL;
1931 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1932 PKT_signature *sig, int rc)
1936 write_status_text_and_buffer (statno, keyid_str,
1937 un? un->pkt->pkt.user_id->name:"[?]",
1938 un? un->pkt->pkt.user_id->len:3,
1942 p = utf8_to_native (un->pkt->pkt.user_id->name,
1943 un->pkt->pkt.user_id->len, 0);
1945 p = xstrdup ("[?]");
1948 log_info (_("BAD signature from \"%s\""), p);
1949 else if (sig->flags.expired)
1950 log_info (_("Expired signature from \"%s\""), p);
1952 log_info (_("Good signature from \"%s\""), p);
1959 check_sig_and_print (CTX c, kbnode_t node)
1961 PKT_signature *sig = node->pkt->pkt.signature;
1966 char *issuer_fpr = NULL;
1967 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1968 kbnode_t included_keyblock = NULL;
1970 if (opt.skip_verify)
1972 log_info(_("signature verification suppressed\n"));
1976 /* Check that the message composition is valid.
1978 * Per RFC-2440bis (-15) allowed:
1980 * S{1,n} -- detached signature.
1981 * S{1,n} P -- old style PGP2 signature
1982 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1983 * C P S{1,n} -- cleartext signature.
1986 * O = One-Pass Signature packet.
1987 * S = Signature packet.
1988 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1989 * (Note that the current rfc2440bis draft also allows
1990 * for a signed message but that does not work as it
1991 * introduces ambiguities.)
1992 * We keep track of these packages using the marker packet
1993 * CTRLPKT_PLAINTEXT_MARK.
1994 * C = Marker packet for cleartext signatures.
1996 * We reject all other messages.
1998 * Actually we are calling this too often, i.e. for verification of
1999 * each message but better have some duplicate work than to silently
2000 * introduce a bug here.
2004 int n_onepass, n_sig;
2006 /* log_debug ("checking signature packet composition\n"); */
2007 /* dump_kbnode (c->list); */
2011 if ( n->pkt->pkttype == PKT_SIGNATURE )
2013 /* This is either "S{1,n}" case (detached signature) or
2014 "S{1,n} P" (old style PGP2 signature). */
2015 for (n = n->next; n; n = n->next)
2016 if (n->pkt->pkttype != PKT_SIGNATURE)
2019 ; /* Okay, this is a detached signature. */
2020 else if (n->pkt->pkttype == PKT_GPG_CONTROL
2021 && (n->pkt->pkt.gpg_control->control
2022 == CTRLPKT_PLAINTEXT_MARK) )
2025 goto ambiguous; /* We only allow one P packet. */
2030 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
2032 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
2033 for (n_onepass=1, n = n->next;
2034 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
2036 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
2037 && (n->pkt->pkt.gpg_control->control
2038 == CTRLPKT_PLAINTEXT_MARK)))
2040 for (n_sig=0, n = n->next;
2041 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
2046 /* If we wanted to disallow multiple sig verification, we'd do
2047 something like this:
2049 if (n && !opt.allow_multisig_verification)
2052 However, now that we have --allow-multiple-messages, this
2053 can stay allowable as we can't get here unless multiple
2054 messages (i.e. multiple literals) are allowed. */
2056 if (n_onepass != n_sig)
2058 log_info ("number of one-pass packets does not match "
2059 "number of signature packets\n");
2063 else if (n->pkt->pkttype == PKT_GPG_CONTROL
2064 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
2066 /* This is the "C P S{1,n}" case (clear text signature). */
2068 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
2069 && (n->pkt->pkt.gpg_control->control
2070 == CTRLPKT_PLAINTEXT_MARK)))
2072 for (n_sig=0, n = n->next;
2073 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
2081 log_error(_("can't handle this ambiguous signature data\n"));
2086 if (sig->signers_uid)
2087 write_status_buffer (STATUS_NEWSIG,
2088 sig->signers_uid, strlen (sig->signers_uid), 0);
2090 write_status_text (STATUS_NEWSIG, NULL);
2092 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
2093 issuer_fpr = issuer_fpr_string (sig);
2097 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2098 log_info (_(" using %s key %s\n"),
2099 astr? astr: "?", issuer_fpr);
2102 else if (!keystrlen () || keystrlen () > 8)
2104 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2105 log_info (_(" using %s key %s\n"),
2106 astr? astr: "?", keystr(sig->keyid));
2108 else /* Legacy format. */
2109 log_info (_("Signature made %s using %s key ID %s\n"),
2110 asctimestamp(sig->timestamp), astr? astr: "?",
2111 keystr(sig->keyid));
2113 /* In verbose mode print the signers UID. */
2114 if (sig->signers_uid)
2115 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
2117 rc = do_check_sig (c, node, NULL, NULL, &is_expkey, &is_revkey, &pk);
2119 /* If the key is not found but the signature includes a key block we
2120 * use that key block for verification and on success import it. */
2121 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2122 && sig->flags.key_block
2123 && opt.flags.auto_key_import)
2125 PKT_public_key *included_pk;
2129 included_pk = xcalloc (1, sizeof *included_pk);
2130 kblock = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_BLOCK, &kblock_len);
2131 if (kblock && kblock_len > 1
2132 && !get_pubkey_from_buffer (c->ctrl, included_pk,
2133 kblock+1, kblock_len-1,
2134 sig->keyid, &included_keyblock))
2136 rc = do_check_sig (c, node, included_pk,
2137 NULL, &is_expkey, &is_revkey, &pk);
2140 /* The keyblock has been verified, we now import it. */
2141 rc = import_included_key_block (c->ctrl, included_keyblock);
2145 free_public_key (included_pk);
2148 /* If the key isn't found, check for a preferred keyserver. Note
2149 * that this is only done if honor-keyserver-url has been set. We
2150 * test for this in the loop so that we can show info about the
2151 * preferred keyservers. */
2152 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2153 && sig->flags.pref_ks)
2158 int any_pref_ks = 0;
2160 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
2162 /* According to my favorite copy editor, in English grammar,
2163 you say "at" if the key is located on a web page, but
2164 "from" if it is located on a keyserver. I'm not going to
2165 even try to make two strings here :) */
2166 log_info(_("Key available at: ") );
2167 print_utf8_buffer (log_get_stream(), p, n);
2171 if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2172 && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2174 struct keyserver_spec *spec;
2176 spec = parse_preferred_keyserver (sig);
2182 log_debug ("trying auto-key-retrieve method %s\n",
2185 free_public_key (pk);
2187 glo_ctrl.in_auto_key_retrieve++;
2188 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec,
2189 KEYSERVER_IMPORT_FLAG_QUICK);
2190 glo_ctrl.in_auto_key_retrieve--;
2192 rc = do_check_sig (c, node, NULL,
2193 NULL, &is_expkey, &is_revkey, &pk);
2194 else if (DBG_LOOKUP)
2195 log_debug ("lookup via %s failed: %s\n", "Pref-KS",
2196 gpg_strerror (res));
2197 free_keyserver_spec (spec);
2206 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2207 && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2208 log_info (_("Note: Use '%s' to make use of this info\n"),
2209 "--keyserver-option honor-keyserver-url");
2212 /* If the above methods didn't work, our next try is to retrieve the
2213 * key from the WKD. This requires that WKD is in the AKL and the
2214 * Signer's UID is in the signature. */
2215 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2216 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2217 && !opt.flags.disable_signer_uid
2218 && akl_has_wkd_method ()
2219 && sig->signers_uid)
2224 log_debug ("trying auto-key-retrieve method %s\n", "WKD");
2225 free_public_key (pk);
2227 glo_ctrl.in_auto_key_retrieve++;
2228 res = keyserver_import_wkd (c->ctrl, sig->signers_uid,
2229 KEYSERVER_IMPORT_FLAG_QUICK, NULL, NULL);
2230 glo_ctrl.in_auto_key_retrieve--;
2231 /* Fixme: If the fingerprint is embedded in the signature,
2232 * compare it to the fingerprint of the returned key. */
2234 rc = do_check_sig (c, node, NULL, NULL, &is_expkey, &is_revkey, &pk);
2235 else if (DBG_LOOKUP)
2236 log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res));
2239 /* If the avove methods didn't work, our next try is to use the URI
2240 * from a DNS PKA record. This is a legacy method which will
2241 * eventually be removed. */
2242 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2243 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2244 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
2246 const char *uri = pka_uri_from_sig (c, sig);
2250 /* FIXME: We might want to locate the key using the
2251 fingerprint instead of the keyid. */
2253 struct keyserver_spec *spec;
2255 spec = parse_keyserver_uri (uri, 1);
2259 log_debug ("trying auto-key-retrieve method %s\n", "PKA");
2261 free_public_key (pk);
2263 glo_ctrl.in_auto_key_retrieve++;
2264 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
2265 glo_ctrl.in_auto_key_retrieve--;
2266 free_keyserver_spec (spec);
2268 rc = do_check_sig (c, node, NULL,
2269 NULL, &is_expkey, &is_revkey, &pk);
2270 else if (DBG_LOOKUP)
2271 log_debug ("lookup via %s failed: %s\n", "PKA",
2272 gpg_strerror (res));
2277 /* If the above methods didn't work, our next try is to locate
2278 * the key via its fingerprint from a keyserver. This requires
2279 * that the signers fingerprint is encoded in the signature. */
2280 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2281 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2282 && keyserver_any_configured (c->ctrl))
2288 p = issuer_fpr_raw (sig, &n);
2291 /* v4 packet with a SHA-1 fingerprint. */
2293 log_debug ("trying auto-key-retrieve method %s\n", "KS");
2295 free_public_key (pk);
2297 glo_ctrl.in_auto_key_retrieve++;
2298 res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver,
2299 KEYSERVER_IMPORT_FLAG_QUICK);
2300 glo_ctrl.in_auto_key_retrieve--;
2302 rc = do_check_sig (c, node, NULL,
2303 NULL, &is_expkey, &is_revkey, &pk);
2304 else if (DBG_LOOKUP)
2305 log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res));
2309 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
2311 kbnode_t un, keyblock;
2315 PKT_public_key *mainpk = NULL;
2318 statno = STATUS_BADSIG;
2319 else if (sig->flags.expired)
2320 statno = STATUS_EXPSIG;
2322 statno = STATUS_EXPKEYSIG;
2324 statno = STATUS_REVKEYSIG;
2326 statno = STATUS_GOODSIG;
2328 /* FIXME: We should have the public key in PK and thus the
2329 * keyblock has already been fetched. Thus we could use the
2330 * fingerprint or PK itself to lookup the entire keyblock. That
2331 * would best be done with a cache. */
2332 if (included_keyblock)
2334 keyblock = included_keyblock;
2335 included_keyblock = NULL;
2338 keyblock = get_pubkeyblock_for_sig (c->ctrl, sig);
2340 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
2341 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2343 /* Find and print the primary user ID along with the
2344 "Good|Expired|Bad signature" line. */
2345 for (un=keyblock; un; un = un->next)
2349 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
2351 mainpk = un->pkt->pkt.public_key;
2354 if (un->pkt->pkttype != PKT_USER_ID)
2356 if (!un->pkt->pkt.user_id->created)
2358 if (un->pkt->pkt.user_id->flags.revoked)
2360 if (un->pkt->pkt.user_id->flags.expired)
2362 if (!un->pkt->pkt.user_id->flags.primary)
2364 /* We want the textual primary user ID here */
2365 if (un->pkt->pkt.user_id->attrib_data)
2368 log_assert (mainpk);
2370 /* Since this is just informational, don't actually ask the
2371 user to update any trust information. (Note: we register
2372 the signature later.) Because print_good_bad_signature
2373 does not print a LF we need to compute the validity
2374 before calling that function. */
2375 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2376 valid = get_validity (c->ctrl, keyblock, mainpk,
2377 un->pkt->pkt.user_id, NULL, 0);
2379 valid = 0; /* Not used. */
2381 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2383 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2385 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2386 log_printf (" [%s]\n",trust_value_to_string(valid));
2393 log_assert (mainpk);
2395 /* In case we did not found a valid textual userid above
2396 we print the first user id packet or a "[?]" instead along
2397 with the "Good|Expired|Bad signature" line. */
2400 /* Try for an invalid textual userid */
2401 for (un=keyblock; un; un = un->next)
2403 if (un->pkt->pkttype == PKT_USER_ID
2404 && !un->pkt->pkt.user_id->attrib_data)
2408 /* Try for any userid at all */
2411 for (un=keyblock; un; un = un->next)
2413 if (un->pkt->pkttype == PKT_USER_ID)
2418 if (opt.trust_model==TM_ALWAYS || !un)
2419 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2421 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2423 if (opt.trust_model != TM_ALWAYS && un)
2424 log_printf (" %s",_("[uncertain]") );
2428 /* If we have a good signature and already printed
2429 * the primary user ID, print all the other user IDs */
2432 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2435 for( un=keyblock; un; un = un->next)
2437 if (un->pkt->pkttype != PKT_USER_ID)
2439 if ((un->pkt->pkt.user_id->flags.revoked
2440 || un->pkt->pkt.user_id->flags.expired)
2441 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2443 /* Skip textual primary user ids which we printed above. */
2444 if (un->pkt->pkt.user_id->flags.primary
2445 && !un->pkt->pkt.user_id->attrib_data )
2448 /* If this user id has attribute data, print that. */
2449 if (un->pkt->pkt.user_id->attrib_data)
2451 dump_attribs (un->pkt->pkt.user_id, mainpk);
2453 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2454 show_photos (c->ctrl,
2455 un->pkt->pkt.user_id->attribs,
2456 un->pkt->pkt.user_id->numattribs,
2457 mainpk ,un->pkt->pkt.user_id);
2460 p = utf8_to_native (un->pkt->pkt.user_id->name,
2461 un->pkt->pkt.user_id->len, 0);
2462 log_info (_(" aka \"%s\""), p);
2465 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2469 if (un->pkt->pkt.user_id->flags.revoked)
2470 valid = _("revoked");
2471 else if (un->pkt->pkt.user_id->flags.expired)
2472 valid = _("expired");
2474 /* Since this is just informational, don't
2475 actually ask the user to update any trust
2477 valid = (trust_value_to_string
2478 (get_validity (c->ctrl, keyblock, mainpk,
2479 un->pkt->pkt.user_id, NULL, 0)));
2480 log_printf (" [%s]\n",valid);
2487 /* For good signatures print notation data. */
2490 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2491 show_policy_url (sig, 0, 1);
2493 show_policy_url (sig, 0, 2);
2495 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2496 show_keyserver_url (sig, 0, 1);
2498 show_keyserver_url (sig, 0, 2);
2500 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2503 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2504 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2506 show_notation (sig, 0, 2, 0);
2509 /* For good signatures print the VALIDSIG status line. */
2510 if (!rc && is_status_enabled () && pk)
2512 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2513 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2515 hexfingerprint (pk, pkhex, sizeof pkhex);
2516 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2518 /* TODO: Replace the reserved '0' in the field below with
2519 bits for status flags (policy url, notation, etc.). */
2520 write_status_printf (STATUS_VALIDSIG,
2521 "%s %s %lu %lu %d 0 %d %d %02X %s",
2523 strtimestamp (sig->timestamp),
2524 (ulong)sig->timestamp,
2525 (ulong)sig->expiredate,
2526 sig->version, sig->pubkey_algo,
2532 /* Print compliance warning for Good signatures. */
2533 if (!rc && pk && !opt.quiet
2534 && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
2535 pk->pkey, nbits_from_pk (pk), NULL))
2537 log_info (_("WARNING: This key is not suitable for signing"
2539 gnupg_compliance_option_string (opt.compliance));
2542 /* For good signatures compute and print the trust information.
2543 Note that in the Tofu trust model this may ask the user on
2544 how to resolve a conflict. */
2547 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2548 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2549 rc = check_signatures_trust (c->ctrl, sig);
2552 /* Print extra information about the signature. */
2553 if (sig->flags.expired)
2555 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2556 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2558 else if (sig->expiredate)
2559 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2563 char pkstrbuf[PUBKEY_STRING_SIZE];
2566 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2570 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2571 sig->sig_class==0x00?_("binary"):
2572 sig->sig_class==0x01?_("textmode"):_("unknown"),
2573 gcry_md_algo_name (sig->digest_algo),
2574 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2577 /* Print final warnings. */
2578 if (!rc && !c->signed_data.used)
2580 /* Signature is basically good but we test whether the
2582 gpg --verify FILE.sig
2584 gpg --verify FILE.sig FILE
2585 to verify a detached signature. If we figure out that a
2586 data file with a matching name exists, we print a warning.
2588 The problem is that the first form would also verify a
2589 standard signature. This behavior could be used to
2590 create a made up .sig file for a tarball by creating a
2591 standard signature from a valid detached signature packet
2592 (for example from a signed git tag). Then replace the
2593 sig file on the FTP server along with a changed tarball.
2594 Using the first form the verify command would correctly
2595 verify the signature but don't even consider the tarball. */
2599 dfile = get_matching_datafile (c->sigfilename);
2602 for (n = c->list; n; n = n->next)
2603 if (n->pkt->pkttype != PKT_SIGNATURE)
2607 /* Not only signature packets in the tree thus this
2608 is not a detached signature. */
2609 log_info (_("WARNING: not a detached signature; "
2610 "file '%s' was NOT verified!\n"), dfile);
2616 /* Compute compliance with CO_DE_VS. */
2617 if (pk && is_status_enabled ()
2618 && gnupg_gcrypt_is_compliant (CO_DE_VS)
2619 && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
2620 nbits_from_pk (pk), NULL)
2621 && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2622 write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2623 gnupg_status_compliance_flag (CO_DE_VS),
2625 else if (opt.flags.require_compliance
2626 && opt.compliance == CO_DE_VS)
2628 log_error (_("operation forced to fail due to"
2629 " unfulfilled compliance rules\n"));
2631 rc = gpg_error (GPG_ERR_FORBIDDEN);
2635 free_public_key (pk);
2637 release_kbnode( keyblock );
2639 g10_errors_seen = 1;
2640 if (opt.batch && rc)
2645 write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
2646 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2647 sig->pubkey_algo, sig->digest_algo,
2648 sig->sig_class, (ulong)sig->timestamp,
2650 issuer_fpr? issuer_fpr:"-");
2651 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2653 write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
2654 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2656 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2657 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2660 free_public_key (pk);
2661 release_kbnode (included_keyblock);
2668 * Process the tree which starts at node
2671 proc_tree (CTX c, kbnode_t node)
2676 if (opt.list_packets || opt.list_only)
2679 /* We must skip our special plaintext marker packets here because
2680 they may be the root packet. These packets are only used in
2681 additional checks and skipping them here doesn't matter. */
2683 && node->pkt->pkttype == PKT_GPG_CONTROL
2684 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2691 c->trustletter = ' ';
2692 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2693 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2695 merge_keys_and_selfsig (c->ctrl, node);
2696 list_node (c, node);
2698 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2700 merge_keys_and_selfsig (c->ctrl, node);
2701 list_node (c, node);
2703 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2705 /* Check all signatures. */
2708 int use_textmode = 0;
2710 free_md_filter_context (&c->mfx);
2711 /* Prepare to create all requested message digests. */
2712 rc = gcry_md_open (&c->mfx.md, 0, 0);
2716 /* Fixme: why looking for the signature packet and not the
2718 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2719 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2721 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2724 /* Ask for file and hash it. */
2727 if (c->signed_data.used && c->signed_data.data_fd != -1)
2728 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2729 c->signed_data.data_fd,
2732 rc = hash_datafiles (c->mfx.md, NULL,
2733 c->signed_data.data_names,
2739 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2740 iobuf_get_real_fname (c->iobuf),
2747 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2751 else if (c->signed_data.used)
2753 log_error (_("not a detached signature\n"));
2757 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2758 check_sig_and_print (c, n1);
2761 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2762 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2764 /* Clear text signed message. */
2767 log_error ("cleartext signature without data\n");
2770 else if (c->signed_data.used)
2772 log_error (_("not a detached signature\n"));
2776 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2777 check_sig_and_print (c, n1);
2780 else if (node->pkt->pkttype == PKT_SIGNATURE)
2782 PKT_signature *sig = node->pkt->pkt.signature;
2783 int multiple_ok = 1;
2785 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2788 byte class = sig->sig_class;
2789 byte hash = sig->digest_algo;
2791 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2793 /* We can't currently handle multiple signatures of
2794 * different classes (we'd pretty much have to run a
2795 * different hash context for each), but if they are all
2796 * the same and it is detached signature, we make an
2797 * exception. Note that the old code also disallowed
2798 * multiple signatures if the digest algorithms are
2799 * different. We softened this restriction only for
2800 * detached signatures, to be on the safe side. */
2801 if (n1->pkt->pkt.signature->sig_class != class
2803 && n1->pkt->pkt.signature->digest_algo != hash))
2806 log_info (_("WARNING: multiple signatures detected. "
2807 "Only the first will be checked.\n"));
2813 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2815 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2817 else if (!c->any.data)
2819 /* Detached signature */
2820 free_md_filter_context (&c->mfx);
2821 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2823 goto detached_hash_err;
2827 /* If we have and want to handle multiple signatures we
2828 * need to enable all hash algorithms for the context. */
2829 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2830 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2831 gcry_md_enable (c->mfx.md,
2832 map_md_openpgp_to_gcry
2833 (n1->pkt->pkt.signature->digest_algo));
2836 if (RFC2440 || RFC4880)
2837 ; /* Strict RFC mode. */
2838 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2839 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2840 && sig->sig_class == 0x01)
2842 /* Enable a workaround for a pgp5 bug when the detached
2843 * signature has been created in textmode. Note that we
2844 * do not implement this for multiple signatures with
2845 * different hash algorithms. */
2846 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2848 goto detached_hash_err;
2851 /* Here we used to have another hack to work around a pgp
2852 * 2 bug: It worked by not using the textmode for detached
2853 * signatures; this would let the first signature check
2854 * (on md) fail but the second one (on md2), which adds an
2855 * extra CR would then have produced the "correct" hash.
2856 * This is very, very ugly hack but it may haved help in
2857 * some cases (and break others).
2858 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2863 gcry_md_debug (c->mfx.md, "verify");
2865 gcry_md_debug (c->mfx.md2, "verify2");
2870 if (c->signed_data.used && c->signed_data.data_fd != -1)
2871 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2872 c->signed_data.data_fd,
2873 (sig->sig_class == 0x01));
2875 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2876 c->signed_data.data_names,
2878 (sig->sig_class == 0x01));
2882 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2883 iobuf_get_real_fname(c->iobuf),
2884 (sig->sig_class == 0x01));
2890 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2894 else if (c->signed_data.used)
2896 log_error (_("not a detached signature\n"));
2899 else if (!opt.quiet)
2900 log_info (_("old style (PGP 2.x) signature\n"));
2904 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2905 check_sig_and_print (c, n1);
2908 check_sig_and_print (c, node);
2913 dump_kbnode (c->list);
2914 log_error ("invalid root packet detected in proc_tree()\n");