1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
38 #include "keyserver-internal.h"
40 #include "mbox-util.h"
41 #include "call-dirmngr.h"
43 /* Put an upper limit on nested packets. The 32 is an arbitrary
44 value, a much lower should actually be sufficient. */
45 #define MAX_NESTING_DEPTH 32
48 /* An object to build a list of keyid related info. */
51 struct kidlist_item *next;
59 * Object to hold the processing context.
61 typedef struct mainproc_context *CTX;
62 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_user_id *last_user_id;
68 md_filter_context_t mfx;
69 int sigs_only; /* Process only signatures and reject all other stuff. */
70 int encrypt_only; /* Process only encryption messages. */
72 /* Name of the file with the complete signature or the file with the
73 detached signature. This is currently only used to deduce the
74 file name of the data file if that has not been given. */
75 const char *sigfilename;
77 /* A structure to describe the signed data in case of a detached
81 /* A file descriptor of the the signed data. Only used if not -1. */
83 /* A list of filenames with the data files or NULL. This is only
84 used if DATA_FD is -1. */
86 /* Flag to indicated that either one of the next previous fields
87 is used. This is only needed for better readability. */
92 int last_was_session_key;
93 kbnode_t list; /* The current list of packets. */
94 iobuf_t iobuf; /* Used to get the filename etc. */
95 int trustletter; /* Temporary usage in list_node. */
97 struct kidlist_item *pkenc_list; /* List of encryption packets. */
99 unsigned int sig_seen:1; /* Set to true if a signature packet
101 unsigned int data:1; /* Any data packet seen */
102 unsigned int uncompress_failed:1;
107 /*** Local prototypes. ***/
108 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
109 static void list_node (CTX c, kbnode_t node);
110 static void proc_tree (CTX c, kbnode_t node);
111 static int literals_seen;
118 reset_literals_seen(void)
125 release_list( CTX c )
129 proc_tree (c, c->list);
130 release_kbnode (c->list);
131 while (c->pkenc_list)
133 struct kidlist_item *tmp = c->pkenc_list->next;
134 xfree (c->pkenc_list);
137 c->pkenc_list = NULL;
140 c->any.uncompress_failed = 0;
141 c->last_was_session_key = 0;
148 add_onepass_sig (CTX c, PACKET *pkt)
152 if (c->list) /* Add another packet. */
153 add_kbnode (c->list, new_kbnode (pkt));
154 else /* Insert the first one. */
155 c->list = node = new_kbnode (pkt);
162 add_gpg_control (CTX c, PACKET *pkt)
164 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
166 /* New clear text signature.
167 * Process the last one and reset everything */
171 if (c->list) /* Add another packet. */
172 add_kbnode (c->list, new_kbnode (pkt));
173 else /* Insert the first one. */
174 c->list = new_kbnode (pkt);
181 add_user_id (CTX c, PACKET *pkt)
185 log_error ("orphaned user ID\n");
188 add_kbnode (c->list, new_kbnode (pkt));
194 add_subkey (CTX c, PACKET *pkt)
198 log_error ("subkey w/o mainkey\n");
201 add_kbnode (c->list, new_kbnode (pkt));
207 add_ring_trust (CTX c, PACKET *pkt)
211 log_error ("ring trust w/o key\n");
214 add_kbnode (c->list, new_kbnode (pkt));
220 add_signature (CTX c, PACKET *pkt)
225 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
227 /* This is the first signature for the following datafile.
228 * GPG does not write such packets; instead it always uses
229 * onepass-sig packets. The drawback of PGP's method
230 * of prepending the signature to the data is
231 * that it is not possible to make a signature from data read
232 * from stdin. (GPG is able to read PGP stuff anyway.) */
233 node = new_kbnode (pkt);
238 return 0; /* oops (invalid packet sequence)*/
239 else if (!c->list->pkt)
240 BUG(); /* so nicht */
242 /* Add a new signature node item at the end. */
243 node = new_kbnode (pkt);
244 add_kbnode (c->list, node);
250 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
254 if(slen < 17 || slen > 33)
256 log_error ( _("weird size for an encrypted session key (%d)\n"),
258 return GPG_ERR_BAD_KEY;
261 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
263 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
265 gcry_cipher_setiv ( hd, NULL, 0 );
266 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
267 gcry_cipher_close ( hd );
269 /* Now we replace the dek components with the real session key to
270 decrypt the contents of the sequencing packet. */
275 if(dek->keylen > DIM(dek->key))
278 memcpy(dek->key, seskey + 1, dek->keylen);
280 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
287 proc_symkey_enc (CTX c, PACKET *pkt)
291 enc = pkt->pkt.symkey_enc;
293 log_error ("invalid symkey encrypted packet\n");
296 int algo = enc->cipher_algo;
297 const char *s = openpgp_cipher_algo_name (algo);
299 if (!openpgp_cipher_test_algo (algo))
304 log_info (_("%s encrypted session key\n"), s );
306 log_info (_("%s encrypted data\n"), s );
310 log_error (_("encrypted with unknown algorithm %d\n"), algo);
312 if (openpgp_md_test_algo (enc->s2k.hash_algo))
314 log_error(_("passphrase generated with unknown digest"
315 " algorithm %d\n"),enc->s2k.hash_algo);
319 c->last_was_session_key = 2;
320 if (!s || opt.list_only)
323 if (opt.override_session_key)
325 c->dek = xmalloc_clear (sizeof *c->dek);
326 if (get_override_session_key (c->dek, opt.override_session_key))
334 c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3, NULL, NULL);
337 c->dek->symmetric = 1;
339 /* FIXME: This doesn't work perfectly if a symmetric key
340 comes before a public key in the message - if the
341 user doesn't know the passphrase, then there is a
342 chance that the "decrypted" algorithm will happen to
343 be a valid one, which will make the returned dek
344 appear valid, so we won't try any public keys that
348 if (symkey_decrypt_seskey (c->dek,
349 enc->seskey, enc->seskeylen))
356 c->dek->algo_info_printed = 1;
368 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
373 /* Check whether the secret key is available and store in this case. */
374 c->last_was_session_key = 1;
375 enc = pkt->pkt.pubkey_enc;
376 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
377 /* Hmmm: why do I have this algo check here - anyway there is
378 * function to check it. */
380 log_info (_("public key is %s\n"), keystr (enc->keyid));
382 if (is_status_enabled())
385 /* FIXME: For ECC support we need to map the OpenPGP algo number
386 to the Libgcrypt defined one. This is due a chicken-egg
387 problem: We need to have code in Libgcrypt for a new
388 algorithm so to implement a proposed new algorithm before the
389 IANA will finally assign an OpenPGP identifier. */
390 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
391 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
392 write_status_text (STATUS_ENC_TO, buf);
395 if (!opt.list_only && opt.override_session_key)
397 /* It does not make much sense to store the session key in
398 * secure memory because it has already been passed on the
399 * command line and the GCHQ knows about it. */
400 c->dek = xmalloc_clear (sizeof *c->dek);
401 result = get_override_session_key (c->dek, opt.override_session_key);
408 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
409 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
410 || enc->pubkey_algo == PUBKEY_ALGO_RSA
411 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
412 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
414 /* Note that we also allow type 20 Elgamal keys for decryption.
415 There are still a couple of those keys in active use as a
418 /* FIXME: Store this all in a list and process it later so that
419 we can prioritize what key to use. This gives a better user
420 experience if wildcard keyids are used. */
421 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
422 || opt.try_all_secrets
423 || have_secret_key_with_kid (enc->keyid)))
429 c->dek = xmalloc_secure_clear (sizeof *c->dek);
430 if ((result = get_session_key (ctrl, enc, c->dek)))
432 /* Error: Delete the DEK. */
439 result = GPG_ERR_NO_SECKEY;
442 result = GPG_ERR_PUBKEY_ALGO;
448 /* Store it for later display. */
449 struct kidlist_item *x = xmalloc (sizeof *x);
450 x->kid[0] = enc->keyid[0];
451 x->kid[1] = enc->keyid[1];
452 x->pubkey_algo = enc->pubkey_algo;
454 x->next = c->pkenc_list;
457 if (!result && opt.verbose > 1)
458 log_info (_("public key encrypted data: good DEK\n"));
466 * Print the list of public key encrypted packets which we could
470 print_pkenc_list (struct kidlist_item *list, int failed)
472 for (; list; list = list->next)
477 if (failed && !list->reason)
479 if (!failed && list->reason)
482 algstr = openpgp_pk_algo_name (list->pubkey_algo);
483 pk = xmalloc_clear (sizeof *pk);
487 pk->pubkey_algo = list->pubkey_algo;
488 if (!get_pubkey (pk, list->kid))
491 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
492 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
493 strtimestamp (pk->timestamp));
494 p = get_user_id_native (list->kid);
495 log_printf (_(" \"%s\"\n"), p);
499 log_info (_("encrypted with %s key, ID %s\n"),
500 algstr, keystr(list->kid));
502 free_public_key (pk);
504 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
506 if (is_status_enabled())
509 snprintf (buf, sizeof buf, "%08lX%08lX",
510 (ulong)list->kid[0], (ulong)list->kid[1]);
511 write_status_text (STATUS_NO_SECKEY, buf);
514 else if (list->reason)
516 log_info (_("public key decryption failed: %s\n"),
517 gpg_strerror (list->reason));
518 write_status_error ("pkdecrypt_failed", list->reason);
525 proc_encrypted (CTX c, PACKET *pkt)
532 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
533 else if (c->symkeys == 1)
534 log_info (_("encrypted with 1 passphrase\n"));
535 print_pkenc_list ( c->pkenc_list, 1 );
536 print_pkenc_list ( c->pkenc_list, 0 );
539 /* FIXME: Figure out the session key by looking at all pkenc packets. */
541 write_status (STATUS_BEGIN_DECRYPTION);
543 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
546 else if (!c->dek && !c->last_was_session_key)
550 STRING2KEY *s2k = NULL;
553 if (opt.override_session_key)
555 c->dek = xmalloc_clear (sizeof *c->dek);
556 result = get_override_session_key (c->dek, opt.override_session_key);
565 /* Assume this is old style conventional encrypted data. */
566 algo = opt.def_cipher_algo;
568 log_info (_("assuming %s encrypted data\n"),
569 openpgp_cipher_algo_name (algo));
570 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
572 algo = opt.def_cipher_algo;
574 algo = opt.s2k_cipher_algo;
575 log_info (_("IDEA cipher unavailable, "
576 "optimistically attempting to use %s instead\n"),
577 openpgp_cipher_algo_name (algo));
581 algo = CIPHER_ALGO_IDEA;
582 if (!opt.s2k_digest_algo)
584 /* If no digest is given we assume SHA-1. */
586 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
589 log_info (_("assuming %s encrypted data\n"), "IDEA");
592 c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, &canceled);
594 c->dek->algo_info_printed = 1;
596 result = gpg_error (GPG_ERR_CANCELED);
598 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
602 result = GPG_ERR_NO_SECKEY;
605 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
610 && !opt.ignore_mdc_error
611 && !pkt->pkt.encrypted->mdc_method
612 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
613 && c->dek->algo != CIPHER_ALGO_TWOFISH)
615 /* The message has been decrypted but has no MDC despite that a
616 modern cipher (blocklength != 64 bit, except for Twofish) is
617 used and the option to ignore MDC errors is not used: To
618 avoid attacks changing an MDC message to a non-MDC message,
620 log_error (_("WARNING: message was not integrity protected\n"));
622 log_info ("decryption forced to fail\n");
623 write_status (STATUS_DECRYPTION_FAILED);
625 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
626 && opt.ignore_mdc_error))
628 write_status (STATUS_DECRYPTION_OKAY);
630 log_info(_("decryption okay\n"));
631 if (pkt->pkt.encrypted->mdc_method && !result)
632 write_status (STATUS_GOODMDC);
633 else if (!opt.no_mdc_warn)
634 log_info (_("WARNING: message was not integrity protected\n"));
636 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
638 glo_ctrl.lasterr = result;
639 log_error (_("WARNING: encrypted message has been manipulated!\n"));
640 write_status (STATUS_BADMDC);
641 write_status (STATUS_DECRYPTION_FAILED);
645 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
646 && *c->dek->s2k_cacheid != '\0')
649 log_debug ("cleared passphrase cached with ID: %s\n",
650 c->dek->s2k_cacheid);
651 passphrase_clear_cache (NULL, c->dek->s2k_cacheid, 0);
653 glo_ctrl.lasterr = result;
654 write_status (STATUS_DECRYPTION_FAILED);
655 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
656 /* Hmmm: does this work when we have encrypted using multiple
657 * ways to specify the session key (symmmetric and PK). */
663 c->last_was_session_key = 0;
664 write_status (STATUS_END_DECRYPTION);
669 proc_plaintext( CTX c, PACKET *pkt )
671 PKT_plaintext *pt = pkt->pkt.plaintext;
672 int any, clearsig, rc;
677 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
678 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
679 else if (opt.verbose)
680 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
682 free_md_filter_context (&c->mfx);
683 if (gcry_md_open (&c->mfx.md, 0, 0))
685 /* fixme: we may need to push the textfilter if we have sigclass 1
686 * and no armoring - Not yet tested
687 * Hmmm, why don't we need it at all if we have sigclass 1
688 * Should we assume that plaintext in mode 't' has always sigclass 1??
689 * See: Russ Allbery's mail 1999-02-09
692 for (n=c->list; n; n = n->next )
694 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
696 /* The onepass signature case. */
697 if (n->pkt->pkt.onepass_sig->digest_algo)
699 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
703 else if (n->pkt->pkttype == PKT_GPG_CONTROL
704 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
706 /* The clearsigned message case. */
707 size_t datalen = n->pkt->pkt.gpg_control->datalen;
708 const byte *data = n->pkt->pkt.gpg_control->data;
710 /* Check that we have at least the sigclass and one hash. */
712 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
713 /* Note that we don't set the clearsig flag for not-dash-escaped
715 clearsig = (*data == 0x01);
716 for (data++, datalen--; datalen; datalen--, data++)
717 gcry_md_enable (c->mfx.md, *data);
719 break; /* Stop here as one-pass signature packets are not
722 else if (n->pkt->pkttype == PKT_SIGNATURE)
724 /* The SIG+LITERAL case that PGP used to use. */
725 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
730 if (!any && !opt.skip_verify)
732 /* This is for the old GPG LITERAL+SIG case. It's not legal
733 according to 2440, so hopefully it won't come up that often.
734 There is no good way to specify what algorithms to use in
735 that case, so these there are the historical answer. */
736 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
737 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
741 gcry_md_debug (c->mfx.md, "verify");
743 gcry_md_debug (c->mfx.md2, "verify2");
748 if (literals_seen > 1)
750 log_info (_("WARNING: multiple plaintexts seen\n"));
752 if (!opt.flags.allow_multiple_messages)
754 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
755 log_inc_errorcount ();
756 rc = gpg_error (GPG_ERR_UNEXPECTED);
762 rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
763 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
765 /* Can't write output but we hash it anyway to check the
767 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
772 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
775 c->last_was_session_key = 0;
777 /* We add a marker control packet instead of the plaintext packet.
778 * This is so that we can later detect invalid packet sequences. */
779 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
781 add_kbnode (c->list, n);
788 proc_compressed_cb (iobuf_t a, void *info)
790 if ( ((CTX)info)->signed_data.used
791 && ((CTX)info)->signed_data.data_fd != -1)
792 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
793 ((CTX)info)->signed_data.data_fd);
795 return proc_signature_packets (((CTX)info)->ctrl, info, a,
796 ((CTX)info)->signed_data.data_names,
797 ((CTX)info)->sigfilename );
802 proc_encrypt_cb (iobuf_t a, void *info )
805 return proc_encryption_packets (c->ctrl, info, a );
810 proc_compressed (CTX c, PACKET *pkt)
812 PKT_compressed *zd = pkt->pkt.compressed;
815 /*printf("zip: compressed data packet\n");*/
817 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
818 else if( c->encrypt_only )
819 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
821 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
823 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
825 if (!c->any.uncompress_failed)
829 for (cc=c; cc; cc = cc->anchor)
830 cc->any.uncompress_failed = 1;
831 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
835 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
838 c->last_was_session_key = 0;
844 * check the signature
845 * Returns: 0 = valid signature or an error code
848 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
849 int *is_expkey, int *is_revkey)
852 gcry_md_hd_t md = NULL;
853 gcry_md_hd_t md2 = NULL;
854 gcry_md_hd_t md_good = NULL;
857 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
860 sig = node->pkt->pkt.signature;
862 algo = sig->digest_algo;
863 rc = openpgp_md_test_algo (algo);
867 if (sig->sig_class == 0x00)
871 if (gcry_md_copy (&md, c->mfx.md ))
874 else /* detached signature */
876 /* check_signature() will enable the md. */
877 if (gcry_md_open (&md, 0, 0 ))
881 else if (sig->sig_class == 0x01)
883 /* How do we know that we have to hash the (already hashed) text
884 in canonical mode ??? (calculating both modes???) */
887 if (gcry_md_copy (&md, c->mfx.md ))
889 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
892 else /* detached signature */
894 log_debug ("Do we really need this here?");
895 /* check_signature() will enable the md*/
896 if (gcry_md_open (&md, 0, 0 ))
898 if (gcry_md_open (&md2, 0, 0 ))
902 else if ((sig->sig_class&~3) == 0x10
903 || sig->sig_class == 0x18
904 || sig->sig_class == 0x1f
905 || sig->sig_class == 0x20
906 || sig->sig_class == 0x28
907 || sig->sig_class == 0x30)
909 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
910 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
912 return check_key_signature( c->list, node, is_selfsig );
914 else if (sig->sig_class == 0x20)
916 log_error (_("standalone revocation - "
917 "use \"gpg --import\" to apply\n"));
918 return GPG_ERR_NOT_PROCESSED;
922 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
923 return GPG_ERR_SIG_CLASS;
927 return GPG_ERR_SIG_CLASS;
929 /* We only get here if we are checking the signature of a binary
930 (0x00) or text document (0x01). */
931 rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, NULL);
934 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
936 rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey, NULL);
943 unsigned char *buffer = gcry_md_read (md_good, 0);
944 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
945 memcpy (sig->digest, buffer, sig->digest_len);
956 print_userid (PACKET *pkt)
961 if (pkt->pkttype != PKT_USER_ID)
963 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
968 if (pkt->pkt.user_id->attrib_data)
970 pkt->pkt.user_id->numattribs,
971 pkt->pkt.user_id->attrib_len);
973 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
974 pkt->pkt.user_id->len, ":", NULL);
977 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
978 pkt->pkt.user_id->len );
983 * List the keyblock in a user friendly way
986 list_node (CTX c, kbnode_t node)
990 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
991 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
993 PKT_public_key *pk = node->pkt->pkt.public_key;
999 keyid_from_pk( pk, keyid );
1000 if (pk->flags.primary)
1001 c->trustletter = (opt.fast_list_mode?
1002 0 : get_validity_info (c->ctrl, pk, NULL));
1003 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1005 es_putc (c->trustletter, es_stdout);
1006 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1007 nbits_from_pk( pk ),
1009 (ulong)keyid[0],(ulong)keyid[1],
1010 colon_datestr_from_pk( pk ),
1011 colon_strtime (pk->expiredate) );
1012 if (pk->flags.primary && !opt.fast_list_mode)
1013 es_putc (get_ownertrust_info (pk), es_stdout);
1014 es_putc (':', es_stdout);
1015 es_putc ('\n', es_stdout);
1019 print_key_line (es_stdout, pk, 0);
1022 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1023 ; /* Already printed. */
1024 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1025 print_fingerprint (NULL, pk, 0);
1027 if (opt.with_colons)
1029 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1030 es_printf ("rtv:1:%u:\n",
1031 node->next->pkt->pkt.ring_trust->trustval);
1034 if (pk->flags.primary)
1036 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1038 /* Now list all userids with their signatures. */
1039 for (node = node->next; node; node = node->next)
1041 if (node->pkt->pkttype == PKT_SIGNATURE)
1043 list_node (c, node );
1045 else if (node->pkt->pkttype == PKT_USER_ID)
1047 if (opt.with_colons)
1048 es_printf ("%s:::::::::",
1049 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1051 es_printf ("uid%*s",
1052 kl + (opt.legacy_list_mode? 9:11),
1054 print_userid (node->pkt);
1055 if (opt.with_colons)
1056 es_putc (':', es_stdout);
1057 es_putc ('\n', es_stdout);
1060 && node->next->pkt->pkttype == PKT_RING_TRUST)
1062 es_printf ("rtv:2:%u:\n",
1063 node->next->pkt->pkt.ring_trust?
1064 node->next->pkt->pkt.ring_trust->trustval : 0);
1067 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1069 list_node(c, node );
1074 else if (node->pkt->pkttype == PKT_SECRET_KEY
1075 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1078 log_debug ("FIXME: No way to print secret key packets here\n");
1079 /* fixme: We may use a function to turn a secret key packet into
1080 a public key one and use that here. */
1082 else if (node->pkt->pkttype == PKT_SIGNATURE)
1084 PKT_signature *sig = node->pkt->pkt.signature;
1094 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1095 es_fputs ("rev", es_stdout);
1097 es_fputs ("sig", es_stdout);
1101 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL);
1102 switch (gpg_err_code (rc2))
1104 case 0: sigrc = '!'; break;
1105 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1106 case GPG_ERR_NO_PUBKEY:
1107 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1108 default: sigrc = '%'; break;
1111 else /* Check whether this is a self signature. */
1115 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1116 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1118 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1120 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1125 if (opt.with_colons)
1127 es_putc (':', es_stdout);
1129 es_putc (sigrc, es_stdout);
1130 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1131 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1132 colon_datestr_from_sig (sig),
1133 colon_expirestr_from_sig (sig));
1135 if (sig->trust_depth || sig->trust_value)
1136 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1137 es_putc (':', es_stdout);
1139 if (sig->trust_regexp)
1140 es_write_sanitized (es_stdout, sig->trust_regexp,
1141 strlen (sig->trust_regexp), ":", NULL);
1142 es_putc (':', es_stdout);
1145 es_printf ("%c %s %s ",
1146 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1148 es_printf ("[%s] ", gpg_strerror (rc2) );
1149 else if (sigrc == '?')
1151 else if (is_selfsig)
1153 if (opt.with_colons)
1154 es_putc (':', es_stdout);
1155 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1156 if (opt.with_colons)
1157 es_putc (':', es_stdout);
1159 else if (!opt.fast_list_mode)
1161 p = get_user_id (sig->keyid, &n);
1162 es_write_sanitized (es_stdout, p, n,
1163 opt.with_colons?":":NULL, NULL );
1166 if (opt.with_colons)
1167 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1168 es_putc ('\n', es_stdout);
1171 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1176 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1179 CTX c = xmalloc_clear (sizeof *c);
1183 rc = do_proc_packets (ctrl, c, a);
1191 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1192 strlist_t signedfiles, const char *sigfilename )
1194 CTX c = xmalloc_clear (sizeof *c);
1201 c->signed_data.data_fd = -1;
1202 c->signed_data.data_names = signedfiles;
1203 c->signed_data.used = !!signedfiles;
1205 c->sigfilename = sigfilename;
1206 rc = do_proc_packets (ctrl, c, a);
1208 /* If we have not encountered any signature we print an error
1209 messages, send a NODATA status back and return an error code.
1210 Using log_error is required because verify_files does not check
1211 error codes for each file but we want to terminate the process
1213 if (!rc && !c->any.sig_seen)
1215 write_status_text (STATUS_NODATA, "4");
1216 log_error (_("no signature found\n"));
1217 rc = GPG_ERR_NO_DATA;
1220 /* Propagate the signature seen flag upward. Do this only on success
1221 so that we won't issue the nodata status several times. */
1222 if (!rc && c->anchor && c->any.sig_seen)
1223 c->anchor->any.sig_seen = 1;
1231 proc_signature_packets_by_fd (ctrl_t ctrl,
1232 void *anchor, iobuf_t a, int signed_data_fd )
1237 c = xtrycalloc (1, sizeof *c);
1239 return gpg_error_from_syserror ();
1245 c->signed_data.data_fd = signed_data_fd;
1246 c->signed_data.data_names = NULL;
1247 c->signed_data.used = (signed_data_fd != -1);
1249 rc = do_proc_packets (ctrl, c, a);
1251 /* If we have not encountered any signature we print an error
1252 messages, send a NODATA status back and return an error code.
1253 Using log_error is required because verify_files does not check
1254 error codes for each file but we want to terminate the process
1256 if (!rc && !c->any.sig_seen)
1258 write_status_text (STATUS_NODATA, "4");
1259 log_error (_("no signature found\n"));
1260 rc = gpg_error (GPG_ERR_NO_DATA);
1263 /* Propagate the signature seen flag upward. Do this only on success
1264 so that we won't issue the nodata status several times. */
1265 if (!rc && c->anchor && c->any.sig_seen)
1266 c->anchor->any.sig_seen = 1;
1274 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1276 CTX c = xmalloc_clear (sizeof *c);
1281 c->encrypt_only = 1;
1282 rc = do_proc_packets (ctrl, c, a);
1289 check_nesting (CTX c)
1293 for (level=0; c; c = c->anchor)
1296 if (level > MAX_NESTING_DEPTH)
1298 log_error ("input data with too deeply nested packets\n");
1299 write_status_text (STATUS_UNEXPECTED, "1");
1300 return GPG_ERR_BAD_DATA;
1308 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1315 rc = check_nesting (c);
1319 pkt = xmalloc( sizeof *pkt );
1322 while ((rc=parse_packet(a, pkt)) != -1)
1328 /* Stop processing when an invalid packet has been encountered
1329 * but don't do so when we are doing a --list-packets. */
1330 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1331 && opt.list_packets != 2 )
1336 if (opt.list_packets)
1338 switch (pkt->pkttype)
1340 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1341 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1343 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1344 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1345 default: newpkt = 0; break;
1348 else if (c->sigs_only)
1350 switch (pkt->pkttype)
1352 case PKT_PUBLIC_KEY:
1353 case PKT_SECRET_KEY:
1355 case PKT_SYMKEY_ENC:
1356 case PKT_PUBKEY_ENC:
1358 case PKT_ENCRYPTED_MDC:
1359 write_status_text( STATUS_UNEXPECTED, "0" );
1360 rc = GPG_ERR_UNEXPECTED;
1363 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1364 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1365 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1366 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1367 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1368 default: newpkt = 0; break;
1371 else if (c->encrypt_only)
1373 switch (pkt->pkttype)
1375 case PKT_PUBLIC_KEY:
1376 case PKT_SECRET_KEY:
1378 write_status_text (STATUS_UNEXPECTED, "0");
1379 rc = GPG_ERR_UNEXPECTED;
1382 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1383 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1384 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1386 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1387 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1388 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1389 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1390 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1391 default: newpkt = 0; break;
1396 switch (pkt->pkttype)
1398 case PKT_PUBLIC_KEY:
1399 case PKT_SECRET_KEY:
1401 c->list = new_kbnode (pkt);
1404 case PKT_PUBLIC_SUBKEY:
1405 case PKT_SECRET_SUBKEY:
1406 newpkt = add_subkey (c, pkt);
1408 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1409 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1410 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1411 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1413 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1414 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1415 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1416 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1417 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1418 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1419 default: newpkt = 0; break;
1426 /* This is a very ugly construct and frankly, I don't remember why
1427 * I used it. Adding the MDC check here is a hack.
1428 * The right solution is to initiate another context for encrypted
1429 * packet and not to reuse the current one ... It works right
1430 * when there is a compression packet between which adds just
1432 * Hmmm: Rewrite this whole module here??
1434 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1435 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1441 pkt = xmalloc (sizeof *pkt);
1448 if (rc == GPG_ERR_INV_PACKET)
1449 write_status_text (STATUS_NODATA, "3");
1454 write_status_text (STATUS_NODATA, "2");
1462 free_md_filter_context (&c->mfx);
1467 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1468 of the notation data. */
1470 get_pka_address (PKT_signature *sig)
1472 pka_info_t *pka = NULL;
1473 struct notation *nd,*notation;
1475 notation=sig_to_notation(sig);
1477 for(nd=notation;nd;nd=nd->next)
1479 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1480 continue; /* Not the notation we want. */
1482 /* For now we only use the first valid PKA notation. In future
1483 we might want to keep additional PKA notations in a linked
1485 if (is_valid_mailbox (nd->value))
1487 pka = xmalloc (sizeof *pka + strlen(nd->value));
1491 strcpy (pka->email, nd->value);
1496 free_notation(notation);
1502 /* Return the URI from a DNS PKA record. If this record has already
1503 be retrieved for the signature we merely return it; if not we go
1504 out and try to get that DNS record. */
1506 pka_uri_from_sig (CTX c, PKT_signature *sig)
1508 if (!sig->flags.pka_tried)
1510 log_assert (!sig->pka_info);
1511 sig->flags.pka_tried = 1;
1512 sig->pka_info = get_pka_address (sig);
1519 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1520 &fpr, &fprlen, &url))
1522 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1524 memcpy (sig->pka_info->fpr, fpr, fprlen);
1527 sig->pka_info->valid = 1;
1531 sig->pka_info->uri = url;
1540 return sig->pka_info? sig->pka_info->uri : NULL;
1544 /* Return true if the AKL has the WKD method specified. */
1546 akl_has_wkd_method (void)
1550 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1551 if (akl->type == AKL_WKD)
1558 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1559 PKT_signature *sig, int rc)
1563 write_status_text_and_buffer (statno, keyid_str,
1564 un? un->pkt->pkt.user_id->name:"[?]",
1565 un? un->pkt->pkt.user_id->len:3,
1569 p = utf8_to_native (un->pkt->pkt.user_id->name,
1570 un->pkt->pkt.user_id->len, 0);
1572 p = xstrdup ("[?]");
1575 log_info (_("BAD signature from \"%s\""), p);
1576 else if (sig->flags.expired)
1577 log_info (_("Expired signature from \"%s\""), p);
1579 log_info (_("Good signature from \"%s\""), p);
1586 check_sig_and_print (CTX c, kbnode_t node)
1588 PKT_signature *sig = node->pkt->pkt.signature;
1593 char pkstrbuf[PUBKEY_STRING_SIZE];
1597 if (opt.skip_verify)
1599 log_info(_("signature verification suppressed\n"));
1603 /* Check that the message composition is valid.
1605 * Per RFC-2440bis (-15) allowed:
1607 * S{1,n} -- detached signature.
1608 * S{1,n} P -- old style PGP2 signature
1609 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1610 * C P S{1,n} -- cleartext signature.
1613 * O = One-Pass Signature packet.
1614 * S = Signature packet.
1615 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1616 * (Note that the current rfc2440bis draft also allows
1617 * for a signed message but that does not work as it
1618 * introduces ambiguities.)
1619 * We keep track of these packages using the marker packet
1620 * CTRLPKT_PLAINTEXT_MARK.
1621 * C = Marker packet for cleartext signatures.
1623 * We reject all other messages.
1625 * Actually we are calling this too often, i.e. for verification of
1626 * each message but better have some duplicate work than to silently
1627 * introduce a bug here.
1631 int n_onepass, n_sig;
1633 /* log_debug ("checking signature packet composition\n"); */
1634 /* dump_kbnode (c->list); */
1638 if ( n->pkt->pkttype == PKT_SIGNATURE )
1640 /* This is either "S{1,n}" case (detached signature) or
1641 "S{1,n} P" (old style PGP2 signature). */
1642 for (n = n->next; n; n = n->next)
1643 if (n->pkt->pkttype != PKT_SIGNATURE)
1646 ; /* Okay, this is a detached signature. */
1647 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1648 && (n->pkt->pkt.gpg_control->control
1649 == CTRLPKT_PLAINTEXT_MARK) )
1652 goto ambiguous; /* We only allow one P packet. */
1657 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1659 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1660 for (n_onepass=1, n = n->next;
1661 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1663 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1664 && (n->pkt->pkt.gpg_control->control
1665 == CTRLPKT_PLAINTEXT_MARK)))
1667 for (n_sig=0, n = n->next;
1668 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1673 /* If we wanted to disallow multiple sig verification, we'd do
1674 something like this:
1676 if (n && !opt.allow_multisig_verification)
1679 However, now that we have --allow-multiple-messages, this
1680 can stay allowable as we can't get here unless multiple
1681 messages (i.e. multiple literals) are allowed. */
1683 if (n_onepass != n_sig)
1685 log_info ("number of one-pass packets does not match "
1686 "number of signature packets\n");
1690 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1691 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1693 /* This is the "C P S{1,n}" case (clear text signature). */
1695 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1696 && (n->pkt->pkt.gpg_control->control
1697 == CTRLPKT_PLAINTEXT_MARK)))
1699 for (n_sig=0, n = n->next;
1700 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1708 log_error(_("can't handle this ambiguous signature data\n"));
1713 if (sig->signers_uid)
1714 write_status_buffer (STATUS_NEWSIG,
1715 sig->signers_uid, strlen (sig->signers_uid), 0);
1717 write_status_text (STATUS_NEWSIG, NULL);
1719 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1720 if (keystrlen () > 8)
1722 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1723 log_info (_(" using %s key %s\n"),
1724 astr? astr: "?", keystr(sig->keyid));
1727 log_info (_("Signature made %s using %s key ID %s\n"),
1728 asctimestamp(sig->timestamp), astr? astr: "?",
1729 keystr(sig->keyid));
1731 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1733 /* If the key isn't found, check for a preferred keyserver. */
1734 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1740 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1742 /* According to my favorite copy editor, in English grammar,
1743 you say "at" if the key is located on a web page, but
1744 "from" if it is located on a keyserver. I'm not going to
1745 even try to make two strings here :) */
1746 log_info(_("Key available at: ") );
1747 print_utf8_buffer (log_get_stream(), p, n);
1750 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1751 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1753 struct keyserver_spec *spec;
1755 spec = parse_preferred_keyserver (sig);
1760 glo_ctrl.in_auto_key_retrieve++;
1761 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
1762 glo_ctrl.in_auto_key_retrieve--;
1764 rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey );
1765 free_keyserver_spec (spec);
1774 /* If the avove methods didn't work, our next try is to use the URI
1775 * from a DNS PKA record. */
1776 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1777 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1778 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1780 const char *uri = pka_uri_from_sig (c, sig);
1784 /* FIXME: We might want to locate the key using the
1785 fingerprint instead of the keyid. */
1787 struct keyserver_spec *spec;
1789 spec = parse_keyserver_uri (uri, 1);
1792 glo_ctrl.in_auto_key_retrieve++;
1793 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
1794 glo_ctrl.in_auto_key_retrieve--;
1795 free_keyserver_spec (spec);
1797 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1802 /* If the above methods didn't work, our next try is to use locate
1803 * the key via its fingerprint from a keyserver. This requires
1804 * that the signers fingerprint is encoded in the signature. We
1805 * favor this over the WKD method (to be tried next), because an
1806 * arbitrary keyserver is less subject to web bug like
1808 /* if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY */
1809 /* && signature_hash_full_fingerprint (sig) */
1810 /* && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE) */
1811 /* && keyserver_any_configured (c->ctrl)) */
1815 /* glo_ctrl.in_auto_key_retrieve++; */
1816 /* res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver ); */
1817 /* glo_ctrl.in_auto_key_retrieve--; */
1819 /* rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); */
1822 /* If the above methods didn't work, our next try is to retrieve the
1823 * key from the WKD. */
1824 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1825 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1826 && !opt.flags.disable_signer_uid
1827 && akl_has_wkd_method ()
1828 && sig->signers_uid)
1832 glo_ctrl.in_auto_key_retrieve++;
1833 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, NULL, NULL);
1834 glo_ctrl.in_auto_key_retrieve--;
1835 /* Fixme: If the fingerprint is embedded in the signature,
1836 * compare it to the fingerprint of the returned key. */
1838 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1841 /* If the above methods did't work, our next try is to use a
1843 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1844 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1845 && keyserver_any_configured (c->ctrl))
1849 glo_ctrl.in_auto_key_retrieve++;
1850 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
1851 glo_ctrl.in_auto_key_retrieve--;
1853 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey );
1856 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1858 kbnode_t un, keyblock;
1862 PKT_public_key *pk = NULL;
1865 statno = STATUS_BADSIG;
1866 else if (sig->flags.expired)
1867 statno = STATUS_EXPSIG;
1869 statno = STATUS_EXPKEYSIG;
1871 statno = STATUS_REVKEYSIG;
1873 statno = STATUS_GOODSIG;
1875 keyblock = get_pubkeyblock (sig->keyid);
1877 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1878 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1880 /* Find and print the primary user ID along with the
1881 "Good|Expired|Bad signature" line. */
1882 for (un=keyblock; un; un = un->next)
1886 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1888 pk=un->pkt->pkt.public_key;
1891 if (un->pkt->pkttype != PKT_USER_ID)
1893 if (!un->pkt->pkt.user_id->created)
1895 if (un->pkt->pkt.user_id->is_revoked)
1897 if (un->pkt->pkt.user_id->is_expired)
1899 if (!un->pkt->pkt.user_id->is_primary)
1901 /* We want the textual primary user ID here */
1902 if (un->pkt->pkt.user_id->attrib_data)
1907 /* Since this is just informational, don't actually ask the
1908 user to update any trust information. (Note: we register
1909 the signature later.) Because print_good_bad_signature
1910 does not print a LF we need to compute the validity
1911 before calling that function. */
1912 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1913 valid = get_validity (c->ctrl, pk, un->pkt->pkt.user_id, NULL, 0);
1915 valid = 0; /* Not used. */
1917 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1919 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1921 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1922 log_printf (" [%s]\n",trust_value_to_string(valid));
1926 /* Get a string description of the algo for informational
1927 output we want to print later. It is convenient to do it
1928 here because we already have the right public key. */
1929 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
1933 /* In case we did not found a valid valid textual userid above
1934 we print the first user id packet or a "[?]" instead along
1935 with the "Good|Expired|Bad signature" line. */
1938 /* Try for an invalid textual userid */
1939 for (un=keyblock; un; un = un->next)
1941 if (un->pkt->pkttype == PKT_USER_ID
1942 && !un->pkt->pkt.user_id->attrib_data)
1946 /* Try for any userid at all */
1949 for (un=keyblock; un; un = un->next)
1951 if (un->pkt->pkttype == PKT_USER_ID)
1956 if (opt.trust_model==TM_ALWAYS || !un)
1957 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1959 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1961 if (opt.trust_model != TM_ALWAYS && un)
1962 log_printf (" %s",_("[uncertain]") );
1966 /* If we have a good signature and already printed
1967 * the primary user ID, print all the other user IDs */
1970 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
1973 for( un=keyblock; un; un = un->next)
1975 if (un->pkt->pkttype != PKT_USER_ID)
1977 if ((un->pkt->pkt.user_id->is_revoked
1978 || un->pkt->pkt.user_id->is_expired)
1979 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
1981 /* Skip textual primary user ids which we printed above. */
1982 if (un->pkt->pkt.user_id->is_primary
1983 && !un->pkt->pkt.user_id->attrib_data )
1986 /* If this user id has attribute data, print that. */
1987 if (un->pkt->pkt.user_id->attrib_data)
1989 dump_attribs (un->pkt->pkt.user_id, pk);
1991 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
1992 show_photos (c->ctrl,
1993 un->pkt->pkt.user_id->attribs,
1994 un->pkt->pkt.user_id->numattribs,
1995 pk ,un->pkt->pkt.user_id);
1998 p = utf8_to_native (un->pkt->pkt.user_id->name,
1999 un->pkt->pkt.user_id->len, 0);
2000 log_info (_(" aka \"%s\""), p);
2003 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2007 if (un->pkt->pkt.user_id->is_revoked)
2008 valid = _("revoked");
2009 else if (un->pkt->pkt.user_id->is_expired)
2010 valid = _("expired");
2012 /* Since this is just informational, don't
2013 actually ask the user to update any trust
2015 valid = (trust_value_to_string
2016 (get_validity (c->ctrl, pk,
2017 un->pkt->pkt.user_id, sig, 0)));
2018 log_printf (" [%s]\n",valid);
2024 release_kbnode( keyblock );
2026 /* For good signatures print notation data. */
2029 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2030 show_policy_url (sig, 0, 1);
2032 show_policy_url (sig, 0, 2);
2034 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2035 show_keyserver_url (sig, 0, 1);
2037 show_keyserver_url (sig, 0, 2);
2039 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2042 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2043 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2045 show_notation (sig, 0, 2, 0);
2048 /* For good signatures print the VALIDSIG status line. */
2049 if (!rc && is_status_enabled ())
2051 PKT_public_key *vpk = xmalloc_clear (sizeof *vpk);
2053 if (!get_pubkey (vpk, sig->keyid))
2055 byte array[MAX_FINGERPRINT_LEN], *p;
2056 char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
2060 fingerprint_from_pk (vpk, array, &n);
2062 for(i=0; i < n ; i++, p++, bufp += 2)
2063 sprintf (bufp, "%02X", *p );
2064 /* TODO: Replace the reserved '0' in the field below
2065 with bits for status flags (policy url, notation,
2066 etc.). Remember to make the buffer larger to match! */
2067 sprintf (bufp, " %s %lu %lu %d 0 %d %d %02X ",
2068 strtimestamp( sig->timestamp ),
2069 (ulong)sig->timestamp,(ulong)sig->expiredate,
2070 sig->version,sig->pubkey_algo,sig->digest_algo,
2072 bufp = bufp + strlen (bufp);
2073 if (!vpk->flags.primary)
2077 akid[0] = vpk->main_keyid[0];
2078 akid[1] = vpk->main_keyid[1];
2079 free_public_key (vpk);
2080 vpk = xmalloc_clear (sizeof *vpk);
2081 if (get_pubkey (vpk, akid))
2083 /* Impossible error, we simply return a zeroed out fpr */
2084 n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
2085 memset (array, 0, n);
2088 fingerprint_from_pk( vpk, array, &n );
2091 for (i=0; i < n ; i++, p++, bufp += 2)
2092 sprintf(bufp, "%02X", *p );
2093 write_status_text (STATUS_VALIDSIG, buf);
2095 free_public_key (vpk);
2098 /* For good signatures compute and print the trust information.
2099 Note that in the Tofu trust model this may ask the user on
2100 how to resolve a conflict. */
2103 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2104 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2105 rc = check_signatures_trust (c->ctrl, sig);
2108 /* Print extra information about the signature. */
2109 if (sig->flags.expired)
2111 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2112 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2114 else if (sig->expiredate)
2115 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2118 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2119 sig->sig_class==0x00?_("binary"):
2120 sig->sig_class==0x01?_("textmode"):_("unknown"),
2121 gcry_md_algo_name (sig->digest_algo),
2122 *pkstrbuf?_(", key algorithm "):"",
2125 /* Print final warnings. */
2126 if (!rc && !c->signed_data.used)
2128 /* Signature is basically good but we test whether the
2130 gpg --verify FILE.sig
2132 gpg --verify FILE.sig FILE
2133 to verify a detached signature. If we figure out that a
2134 data file with a matching name exists, we print a warning.
2136 The problem is that the first form would also verify a
2137 standard signature. This behavior could be used to
2138 create a made up .sig file for a tarball by creating a
2139 standard signature from a valid detached signature packet
2140 (for example from a signed git tag). Then replace the
2141 sig file on the FTP server along with a changed tarball.
2142 Using the first form the verify command would correctly
2143 verify the signature but don't even consider the tarball. */
2147 dfile = get_matching_datafile (c->sigfilename);
2150 for (n = c->list; n; n = n->next)
2151 if (n->pkt->pkttype != PKT_SIGNATURE)
2155 /* Not only signature packets in the tree thus this
2156 is not a detached signature. */
2157 log_info (_("WARNING: not a detached signature; "
2158 "file '%s' was NOT verified!\n"), dfile);
2165 g10_errors_seen = 1;
2166 if (opt.batch && rc)
2173 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2174 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2175 sig->pubkey_algo, sig->digest_algo,
2176 sig->sig_class, (ulong)sig->timestamp, rc);
2177 write_status_text (STATUS_ERRSIG, buf);
2178 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2181 write_status_text (STATUS_NO_PUBKEY, buf);
2183 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2184 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2192 * Process the tree which starts at node
2195 proc_tree (CTX c, kbnode_t node)
2200 if (opt.list_packets || opt.list_only)
2203 /* We must skip our special plaintext marker packets here because
2204 they may be the root packet. These packets are only used in
2205 addional checks and skipping them here doesn't matter. */
2207 && node->pkt->pkttype == PKT_GPG_CONTROL
2208 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2215 c->trustletter = ' ';
2216 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2217 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2219 merge_keys_and_selfsig (node);
2220 list_node (c, node);
2222 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2224 merge_keys_and_selfsig (node);
2225 list_node (c, node);
2227 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2229 /* Check all signatures. */
2232 int use_textmode = 0;
2234 free_md_filter_context (&c->mfx);
2235 /* Prepare to create all requested message digests. */
2236 rc = gcry_md_open (&c->mfx.md, 0, 0);
2240 /* Fixme: why looking for the signature packet and not the
2242 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2243 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2245 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2248 /* Ask for file and hash it. */
2251 if (c->signed_data.used && c->signed_data.data_fd != -1)
2252 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2253 c->signed_data.data_fd,
2256 rc = hash_datafiles (c->mfx.md, NULL,
2257 c->signed_data.data_names,
2263 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2264 iobuf_get_real_fname (c->iobuf),
2271 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2275 else if (c->signed_data.used)
2277 log_error (_("not a detached signature\n"));
2281 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2282 check_sig_and_print (c, n1);
2285 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2286 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2288 /* Clear text signed message. */
2291 log_error ("cleartext signature without data\n");
2294 else if (c->signed_data.used)
2296 log_error (_("not a detached signature\n"));
2300 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2301 check_sig_and_print (c, n1);
2304 else if (node->pkt->pkttype == PKT_SIGNATURE)
2306 PKT_signature *sig = node->pkt->pkt.signature;
2307 int multiple_ok = 1;
2309 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2312 byte class = sig->sig_class;
2313 byte hash = sig->digest_algo;
2315 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2317 /* We can't currently handle multiple signatures of
2318 different classes or digests (we'd pretty much have
2319 to run a different hash context for each), but if
2320 they are all the same, make an exception. */
2321 if (n1->pkt->pkt.signature->sig_class != class
2322 || n1->pkt->pkt.signature->digest_algo != hash)
2325 log_info (_("WARNING: multiple signatures detected. "
2326 "Only the first will be checked.\n"));
2332 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2334 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2336 else if (!c->any.data)
2338 /* Detached signature */
2339 free_md_filter_context (&c->mfx);
2340 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2342 goto detached_hash_err;
2344 if (RFC2440 || RFC4880)
2345 ; /* Strict RFC mode. */
2346 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2347 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2348 && sig->sig_class == 0x01)
2350 /* Enable a workaround for a pgp5 bug when the detached
2351 * signature has been created in textmode. */
2352 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2354 goto detached_hash_err;
2357 /* Here we used to have another hack to work around a pgp
2358 * 2 bug: It worked by not using the textmode for detached
2359 * signatures; this would let the first signature check
2360 * (on md) fail but the second one (on md2), which adds an
2361 * extra CR would then have produced the "correct" hash.
2362 * This is very, very ugly hack but it may haved help in
2363 * some cases (and break others).
2364 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2369 gcry_md_debug (c->mfx.md, "verify");
2371 gcry_md_debug (c->mfx.md2, "verify2");
2376 if (c->signed_data.used && c->signed_data.data_fd != -1)
2377 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2378 c->signed_data.data_fd,
2379 (sig->sig_class == 0x01));
2381 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2382 c->signed_data.data_names,
2384 (sig->sig_class == 0x01));
2388 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2389 iobuf_get_real_fname(c->iobuf),
2390 (sig->sig_class == 0x01));
2396 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2400 else if (c->signed_data.used)
2402 log_error (_("not a detached signature\n"));
2405 else if (!opt.quiet)
2406 log_info (_("old style (PGP 2.x) signature\n"));
2410 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2411 check_sig_and_print (c, n1);
2414 check_sig_and_print (c, node);
2419 dump_kbnode (c->list);
2420 log_error ("invalid root packet detected in proc_tree()\n");