1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
28 #include "../common/util.h"
30 #include "../common/iobuf.h"
35 #include "../common/status.h"
36 #include "../common/i18n.h"
38 #include "keyserver-internal.h"
40 #include "../common/mbox-util.h"
41 #include "call-dirmngr.h"
42 #include "../common/compliance.h"
44 /* Put an upper limit on nested packets. The 32 is an arbitrary
45 value, a much lower should actually be sufficient. */
46 #define MAX_NESTING_DEPTH 32
49 /* An object to build a list of keyid related info. */
52 struct kidlist_item *next;
60 * Object to hold the processing context.
62 typedef struct mainproc_context *CTX;
63 struct mainproc_context
66 struct mainproc_context *anchor; /* May be useful in the future. */
67 PKT_public_key *last_pubkey;
68 PKT_user_id *last_user_id;
69 md_filter_context_t mfx;
70 int sigs_only; /* Process only signatures and reject all other stuff. */
71 int encrypt_only; /* Process only encryption messages. */
73 /* Name of the file with the complete signature or the file with the
74 detached signature. This is currently only used to deduce the
75 file name of the data file if that has not been given. */
76 const char *sigfilename;
78 /* A structure to describe the signed data in case of a detached
82 /* A file descriptor of the signed data. Only used if not -1. */
84 /* A list of filenames with the data files or NULL. This is only
85 used if DATA_FD is -1. */
87 /* Flag to indicated that either one of the next previous fields
88 is used. This is only needed for better readability. */
93 int last_was_session_key;
94 kbnode_t list; /* The current list of packets. */
95 iobuf_t iobuf; /* Used to get the filename etc. */
96 int trustletter; /* Temporary usage in list_node. */
97 ulong symkeys; /* Number of symmetrically encrypted session keys. */
98 struct kidlist_item *pkenc_list; /* List of encryption packets. */
100 unsigned int sig_seen:1; /* Set to true if a signature packet
102 unsigned int data:1; /* Any data packet seen */
103 unsigned int uncompress_failed:1;
108 /*** Local prototypes. ***/
109 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
110 static void list_node (CTX c, kbnode_t node);
111 static void proc_tree (CTX c, kbnode_t node);
112 static int literals_seen;
119 reset_literals_seen(void)
126 release_list( CTX c )
128 proc_tree (c, c->list);
129 release_kbnode (c->list);
130 while (c->pkenc_list)
132 struct kidlist_item *tmp = c->pkenc_list->next;
133 xfree (c->pkenc_list);
136 c->pkenc_list = NULL;
139 c->any.uncompress_failed = 0;
140 c->last_was_session_key = 0;
147 add_onepass_sig (CTX c, PACKET *pkt)
151 if (c->list) /* Add another packet. */
152 add_kbnode (c->list, new_kbnode (pkt));
153 else /* Insert the first one. */
154 c->list = node = new_kbnode (pkt);
161 add_gpg_control (CTX c, PACKET *pkt)
163 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
165 /* New clear text signature.
166 * Process the last one and reset everything */
170 if (c->list) /* Add another packet. */
171 add_kbnode (c->list, new_kbnode (pkt));
172 else /* Insert the first one. */
173 c->list = new_kbnode (pkt);
180 add_user_id (CTX c, PACKET *pkt)
184 log_error ("orphaned user ID\n");
187 add_kbnode (c->list, new_kbnode (pkt));
193 add_subkey (CTX c, PACKET *pkt)
197 log_error ("subkey w/o mainkey\n");
200 add_kbnode (c->list, new_kbnode (pkt));
206 add_ring_trust (CTX c, PACKET *pkt)
210 log_error ("ring trust w/o key\n");
213 add_kbnode (c->list, new_kbnode (pkt));
219 add_signature (CTX c, PACKET *pkt)
224 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
226 /* This is the first signature for the following datafile.
227 * GPG does not write such packets; instead it always uses
228 * onepass-sig packets. The drawback of PGP's method
229 * of prepending the signature to the data is
230 * that it is not possible to make a signature from data read
231 * from stdin. (GPG is able to read PGP stuff anyway.) */
232 node = new_kbnode (pkt);
237 return 0; /* oops (invalid packet sequence)*/
238 else if (!c->list->pkt)
239 BUG(); /* so nicht */
241 /* Add a new signature node item at the end. */
242 node = new_kbnode (pkt);
243 add_kbnode (c->list, node);
249 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
253 if(slen < 17 || slen > 33)
255 log_error ( _("weird size for an encrypted session key (%d)\n"),
257 return GPG_ERR_BAD_KEY;
260 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
262 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
264 gcry_cipher_setiv ( hd, NULL, 0 );
265 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
266 gcry_cipher_close ( hd );
268 /* Now we replace the dek components with the real session key to
269 decrypt the contents of the sequencing packet. */
274 if(dek->keylen > DIM(dek->key))
277 memcpy(dek->key, seskey + 1, dek->keylen);
279 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
286 proc_symkey_enc (CTX c, PACKET *pkt)
290 enc = pkt->pkt.symkey_enc;
292 log_error ("invalid symkey encrypted packet\n");
295 int algo = enc->cipher_algo;
296 const char *s = openpgp_cipher_algo_name (algo);
298 if (!openpgp_cipher_test_algo (algo))
303 log_info (_("%s encrypted session key\n"), s );
305 log_info (_("%s encrypted data\n"), s );
309 log_error (_("encrypted with unknown algorithm %d\n"), algo);
311 if (openpgp_md_test_algo (enc->s2k.hash_algo))
313 log_error(_("passphrase generated with unknown digest"
314 " algorithm %d\n"),enc->s2k.hash_algo);
318 c->last_was_session_key = 2;
319 if (!s || opt.list_only)
322 if (opt.override_session_key)
324 c->dek = xmalloc_clear (sizeof *c->dek);
325 if (get_override_session_key (c->dek, opt.override_session_key))
333 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
336 c->dek->symmetric = 1;
338 /* FIXME: This doesn't work perfectly if a symmetric key
339 comes before a public key in the message - if the
340 user doesn't know the passphrase, then there is a
341 chance that the "decrypted" algorithm will happen to
342 be a valid one, which will make the returned dek
343 appear valid, so we won't try any public keys that
347 if (symkey_decrypt_seskey (c->dek,
348 enc->seskey, enc->seskeylen))
355 c->dek->algo_info_printed = 1;
362 free_packet (pkt, NULL);
367 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
372 /* Check whether the secret key is available and store in this case. */
373 c->last_was_session_key = 1;
374 enc = pkt->pkt.pubkey_enc;
375 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
376 /* Hmmm: why do I have this algo check here - anyway there is
377 * function to check it. */
379 log_info (_("public key is %s\n"), keystr (enc->keyid));
381 if (is_status_enabled())
384 /* FIXME: For ECC support we need to map the OpenPGP algo number
385 to the Libgcrypt defined one. This is due a chicken-egg
386 problem: We need to have code in Libgcrypt for a new
387 algorithm so to implement a proposed new algorithm before the
388 IANA will finally assign an OpenPGP identifier. */
389 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
390 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
391 write_status_text (STATUS_ENC_TO, buf);
394 if (!opt.list_only && opt.override_session_key)
396 /* It does not make much sense to store the session key in
397 * secure memory because it has already been passed on the
398 * command line and the GCHQ knows about it. */
399 c->dek = xmalloc_clear (sizeof *c->dek);
400 result = get_override_session_key (c->dek, opt.override_session_key);
407 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
408 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA
410 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
411 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
413 /* Note that we also allow type 20 Elgamal keys for decryption.
414 There are still a couple of those keys in active use as a
417 /* FIXME: Store this all in a list and process it later so that
418 we can prioritize what key to use. This gives a better user
419 experience if wildcard keyids are used. */
420 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
421 || opt.try_all_secrets
422 || have_secret_key_with_kid (enc->keyid)))
425 result = GPG_ERR_MISSING_ACTION; /* fixme: Use better error code. */
428 c->dek = xmalloc_secure_clear (sizeof *c->dek);
429 if ((result = get_session_key (ctrl, enc, c->dek)))
431 /* Error: Delete the DEK. */
438 result = GPG_ERR_NO_SECKEY;
441 result = GPG_ERR_PUBKEY_ALGO;
445 /* Store it for later display. */
446 struct kidlist_item *x = xmalloc (sizeof *x);
447 x->kid[0] = enc->keyid[0];
448 x->kid[1] = enc->keyid[1];
449 x->pubkey_algo = enc->pubkey_algo;
451 x->next = c->pkenc_list;
454 if (!result && opt.verbose > 1)
455 log_info (_("public key encrypted data: good DEK\n"));
458 free_packet(pkt, NULL);
463 * Print the list of public key encrypted packets which we could
467 print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
469 for (; list; list = list->next)
474 if (failed && !list->reason)
476 if (!failed && list->reason)
479 algstr = openpgp_pk_algo_name (list->pubkey_algo);
480 pk = xmalloc_clear (sizeof *pk);
484 pk->pubkey_algo = list->pubkey_algo;
485 if (!get_pubkey (ctrl, pk, list->kid))
488 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
489 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
490 strtimestamp (pk->timestamp));
491 p = get_user_id_native (ctrl, list->kid);
492 log_printf (_(" \"%s\"\n"), p);
496 log_info (_("encrypted with %s key, ID %s\n"),
497 algstr, keystr(list->kid));
499 free_public_key (pk);
501 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
503 if (is_status_enabled())
506 snprintf (buf, sizeof buf, "%08lX%08lX",
507 (ulong)list->kid[0], (ulong)list->kid[1]);
508 write_status_text (STATUS_NO_SECKEY, buf);
511 else if (gpg_err_code (list->reason) == GPG_ERR_MISSING_ACTION)
513 /* Not tested for secret key due to --list-only mode. */
515 else if (list->reason)
517 log_info (_("public key decryption failed: %s\n"),
518 gpg_strerror (list->reason));
519 write_status_error ("pkdecrypt_failed", list->reason);
526 proc_encrypted (CTX c, PACKET *pkt)
533 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
534 else if (c->symkeys == 1)
535 log_info (_("encrypted with 1 passphrase\n"));
536 print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
537 print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
540 /* FIXME: Figure out the session key by looking at all pkenc packets. */
542 write_status (STATUS_BEGIN_DECRYPTION);
544 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
547 else if (!c->dek && !c->last_was_session_key)
551 STRING2KEY *s2k = NULL;
554 if (opt.override_session_key)
556 c->dek = xmalloc_clear (sizeof *c->dek);
557 result = get_override_session_key (c->dek, opt.override_session_key);
566 /* Assume this is old style conventional encrypted data. */
567 algo = opt.def_cipher_algo;
569 log_info (_("assuming %s encrypted data\n"),
570 openpgp_cipher_algo_name (algo));
571 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
573 algo = opt.def_cipher_algo;
575 algo = opt.s2k_cipher_algo;
576 log_info (_("IDEA cipher unavailable, "
577 "optimistically attempting to use %s instead\n"),
578 openpgp_cipher_algo_name (algo));
582 algo = CIPHER_ALGO_IDEA;
583 if (!opt.s2k_digest_algo)
585 /* If no digest is given we assume SHA-1. */
587 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
590 log_info (_("assuming %s encrypted data\n"), "IDEA");
593 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
595 c->dek->algo_info_printed = 1;
597 result = gpg_error (GPG_ERR_CANCELED);
599 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
603 result = GPG_ERR_NO_SECKEY;
605 /* Compute compliance with CO_DE_VS. */
606 if (!result && is_status_enabled ()
607 /* Symmetric encryption and asymmetric encryption voids compliance. */
608 && (c->symkeys != !!c->pkenc_list )
609 /* Overriding session key voids compliance. */
610 && !opt.override_session_key
611 /* Check symmetric cipher. */
612 && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
613 GCRY_CIPHER_MODE_CFB))
615 struct kidlist_item *i;
617 PKT_public_key *pk = xmalloc (sizeof *pk);
619 if ( !(c->pkenc_list || c->symkeys) )
620 log_debug ("%s: where else did the session key come from?\n", __func__);
622 /* Now check that every key used to encrypt the session key is
624 for (i = c->pkenc_list; i && compliant; i = i->next)
626 memset (pk, 0, sizeof *pk);
627 pk->pubkey_algo = i->pubkey_algo;
628 if (get_pubkey (c->ctrl, pk, i->kid) != 0
629 || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
630 nbits_from_pk (pk), NULL))
632 release_public_key_parts (pk);
638 write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
639 gnupg_status_compliance_flag (CO_DE_VS),
646 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
651 && !opt.ignore_mdc_error
652 && !pkt->pkt.encrypted->mdc_method
653 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
654 && c->dek->algo != CIPHER_ALGO_TWOFISH)
656 /* The message has been decrypted but has no MDC despite that a
657 modern cipher (blocklength != 64 bit, except for Twofish) is
658 used and the option to ignore MDC errors is not used: To
659 avoid attacks changing an MDC message to a non-MDC message,
661 log_error (_("WARNING: message was not integrity protected\n"));
663 log_info ("decryption forced to fail\n");
664 write_status (STATUS_DECRYPTION_FAILED);
666 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
667 && opt.ignore_mdc_error))
669 write_status (STATUS_DECRYPTION_OKAY);
671 log_info(_("decryption okay\n"));
672 if (pkt->pkt.encrypted->mdc_method && !result)
673 write_status (STATUS_GOODMDC);
674 else if (!opt.no_mdc_warn)
675 log_info (_("WARNING: message was not integrity protected\n"));
677 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
679 glo_ctrl.lasterr = result;
680 log_error (_("WARNING: encrypted message has been manipulated!\n"));
681 write_status (STATUS_BADMDC);
682 write_status (STATUS_DECRYPTION_FAILED);
686 if ((gpg_err_code (result) == GPG_ERR_BAD_KEY
687 || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
688 && *c->dek->s2k_cacheid != '\0')
691 log_debug ("cleared passphrase cached with ID: %s\n",
692 c->dek->s2k_cacheid);
693 passphrase_clear_cache (c->dek->s2k_cacheid);
695 glo_ctrl.lasterr = result;
696 write_status (STATUS_DECRYPTION_FAILED);
697 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
698 /* Hmmm: does this work when we have encrypted using multiple
699 * ways to specify the session key (symmmetric and PK). */
704 free_packet (pkt, NULL);
705 c->last_was_session_key = 0;
706 write_status (STATUS_END_DECRYPTION);
711 proc_plaintext( CTX c, PACKET *pkt )
713 PKT_plaintext *pt = pkt->pkt.plaintext;
714 int any, clearsig, rc;
719 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
720 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
721 else if (opt.verbose)
722 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
724 free_md_filter_context (&c->mfx);
725 if (gcry_md_open (&c->mfx.md, 0, 0))
727 /* fixme: we may need to push the textfilter if we have sigclass 1
728 * and no armoring - Not yet tested
729 * Hmmm, why don't we need it at all if we have sigclass 1
730 * Should we assume that plaintext in mode 't' has always sigclass 1??
731 * See: Russ Allbery's mail 1999-02-09
734 for (n=c->list; n; n = n->next )
736 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
738 /* The onepass signature case. */
739 if (n->pkt->pkt.onepass_sig->digest_algo)
741 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
745 else if (n->pkt->pkttype == PKT_GPG_CONTROL
746 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
748 /* The clearsigned message case. */
749 size_t datalen = n->pkt->pkt.gpg_control->datalen;
750 const byte *data = n->pkt->pkt.gpg_control->data;
752 /* Check that we have at least the sigclass and one hash. */
754 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
755 /* Note that we don't set the clearsig flag for not-dash-escaped
757 clearsig = (*data == 0x01);
758 for (data++, datalen--; datalen; datalen--, data++)
759 gcry_md_enable (c->mfx.md, *data);
761 break; /* Stop here as one-pass signature packets are not
764 else if (n->pkt->pkttype == PKT_SIGNATURE)
766 /* The SIG+LITERAL case that PGP used to use. */
767 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
772 if (!any && !opt.skip_verify)
774 /* This is for the old GPG LITERAL+SIG case. It's not legal
775 according to 2440, so hopefully it won't come up that often.
776 There is no good way to specify what algorithms to use in
777 that case, so these there are the historical answer. */
778 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
779 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
783 gcry_md_debug (c->mfx.md, "verify");
785 gcry_md_debug (c->mfx.md2, "verify2");
790 if (literals_seen > 1)
792 log_info (_("WARNING: multiple plaintexts seen\n"));
794 if (!opt.flags.allow_multiple_messages)
796 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
797 log_inc_errorcount ();
798 rc = gpg_error (GPG_ERR_UNEXPECTED);
804 /* It we are in --verify mode, we do not want to output the
805 * signed text. However, if --output is also used we do what
806 * has been requested and write out the signed data. */
807 rc = handle_plaintext (pt, &c->mfx,
808 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
810 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
812 /* Can't write output but we hash it anyway to check the
814 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
819 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
821 free_packet (pkt, NULL);
822 c->last_was_session_key = 0;
824 /* We add a marker control packet instead of the plaintext packet.
825 * This is so that we can later detect invalid packet sequences. */
826 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
828 add_kbnode (c->list, n);
835 proc_compressed_cb (iobuf_t a, void *info)
837 if ( ((CTX)info)->signed_data.used
838 && ((CTX)info)->signed_data.data_fd != -1)
839 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
840 ((CTX)info)->signed_data.data_fd);
842 return proc_signature_packets (((CTX)info)->ctrl, info, a,
843 ((CTX)info)->signed_data.data_names,
844 ((CTX)info)->sigfilename );
849 proc_encrypt_cb (iobuf_t a, void *info )
852 return proc_encryption_packets (c->ctrl, info, a );
857 proc_compressed (CTX c, PACKET *pkt)
859 PKT_compressed *zd = pkt->pkt.compressed;
862 /*printf("zip: compressed data packet\n");*/
864 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
865 else if( c->encrypt_only )
866 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
868 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
870 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
872 if (!c->any.uncompress_failed)
876 for (cc=c; cc; cc = cc->anchor)
877 cc->any.uncompress_failed = 1;
878 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
882 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
884 free_packet (pkt, NULL);
885 c->last_was_session_key = 0;
891 * Check the signature. If R_PK is not NULL a copy of the public key
892 * used to verify the signature will be stored there, or NULL if not
893 * found. Returns: 0 = valid signature or an error code
896 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
897 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
900 gcry_md_hd_t md = NULL;
901 gcry_md_hd_t md2 = NULL;
902 gcry_md_hd_t md_good = NULL;
908 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
911 sig = node->pkt->pkt.signature;
913 algo = sig->digest_algo;
914 rc = openpgp_md_test_algo (algo);
918 if (sig->sig_class == 0x00)
922 if (gcry_md_copy (&md, c->mfx.md ))
925 else /* detached signature */
927 /* check_signature() will enable the md. */
928 if (gcry_md_open (&md, 0, 0 ))
932 else if (sig->sig_class == 0x01)
934 /* How do we know that we have to hash the (already hashed) text
935 in canonical mode ??? (calculating both modes???) */
938 if (gcry_md_copy (&md, c->mfx.md ))
940 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
943 else /* detached signature */
945 log_debug ("Do we really need this here?");
946 /* check_signature() will enable the md*/
947 if (gcry_md_open (&md, 0, 0 ))
949 if (gcry_md_open (&md2, 0, 0 ))
953 else if ((sig->sig_class&~3) == 0x10
954 || sig->sig_class == 0x18
955 || sig->sig_class == 0x1f
956 || sig->sig_class == 0x20
957 || sig->sig_class == 0x28
958 || sig->sig_class == 0x30)
960 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
961 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
963 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
965 else if (sig->sig_class == 0x20)
967 log_error (_("standalone revocation - "
968 "use \"gpg --import\" to apply\n"));
969 return GPG_ERR_NOT_PROCESSED;
973 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
974 return GPG_ERR_SIG_CLASS;
978 return GPG_ERR_SIG_CLASS;
980 /* We only get here if we are checking the signature of a binary
981 (0x00) or text document (0x01). */
982 rc = check_signature2 (c->ctrl, sig, md, NULL, is_expkey, is_revkey, r_pk);
985 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
989 rc = check_signature2 (c->ctrl, sig, md2, NULL, is_expkey, is_revkey,
996 free_public_key (*r_pk);
1004 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1005 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1006 memcpy (sig->digest, buffer, sig->digest_len);
1010 gcry_md_close (md2);
1017 print_userid (PACKET *pkt)
1022 if (pkt->pkttype != PKT_USER_ID)
1024 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1027 if (opt.with_colons)
1029 if (pkt->pkt.user_id->attrib_data)
1031 pkt->pkt.user_id->numattribs,
1032 pkt->pkt.user_id->attrib_len);
1034 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1035 pkt->pkt.user_id->len, ":", NULL);
1038 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1039 pkt->pkt.user_id->len );
1044 * List the keyblock in a user friendly way
1047 list_node (CTX c, kbnode_t node)
1051 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1052 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1054 PKT_public_key *pk = node->pkt->pkt.public_key;
1056 if (opt.with_colons)
1060 keyid_from_pk( pk, keyid );
1061 if (pk->flags.primary)
1062 c->trustletter = (opt.fast_list_mode
1066 node->pkt->pkttype == PKT_PUBLIC_KEY
1069 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1071 es_putc (c->trustletter, es_stdout);
1072 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1073 nbits_from_pk( pk ),
1075 (ulong)keyid[0],(ulong)keyid[1],
1076 colon_datestr_from_pk( pk ),
1077 colon_strtime (pk->expiredate) );
1078 if (pk->flags.primary && !opt.fast_list_mode)
1079 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1080 es_putc (':', es_stdout);
1081 es_putc ('\n', es_stdout);
1085 print_key_line (c->ctrl, es_stdout, pk, 0);
1088 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1089 ; /* Already printed. */
1090 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1091 print_fingerprint (c->ctrl, NULL, pk, 0);
1093 if (pk->flags.primary)
1095 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1097 /* Now list all userids with their signatures. */
1098 for (node = node->next; node; node = node->next)
1100 if (node->pkt->pkttype == PKT_SIGNATURE)
1102 list_node (c, node );
1104 else if (node->pkt->pkttype == PKT_USER_ID)
1106 if (opt.with_colons)
1107 es_printf ("%s:::::::::",
1108 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1110 es_printf ("uid%*s",
1111 kl + (opt.legacy_list_mode? 9:11),
1113 print_userid (node->pkt);
1114 if (opt.with_colons)
1115 es_putc (':', es_stdout);
1116 es_putc ('\n', es_stdout);
1118 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1120 list_node(c, node );
1125 else if (node->pkt->pkttype == PKT_SECRET_KEY
1126 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1129 log_debug ("FIXME: No way to print secret key packets here\n");
1130 /* fixme: We may use a function to turn a secret key packet into
1131 a public key one and use that here. */
1133 else if (node->pkt->pkttype == PKT_SIGNATURE)
1135 PKT_signature *sig = node->pkt->pkt.signature;
1145 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1146 es_fputs ("rev", es_stdout);
1148 es_fputs ("sig", es_stdout);
1152 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
1153 switch (gpg_err_code (rc2))
1155 case 0: sigrc = '!'; break;
1156 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1157 case GPG_ERR_NO_PUBKEY:
1158 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1159 default: sigrc = '%'; break;
1162 else /* Check whether this is a self signature. */
1166 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1167 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1169 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1171 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1176 if (opt.with_colons)
1178 es_putc (':', es_stdout);
1180 es_putc (sigrc, es_stdout);
1181 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1182 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1183 colon_datestr_from_sig (sig),
1184 colon_expirestr_from_sig (sig));
1186 if (sig->trust_depth || sig->trust_value)
1187 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1188 es_putc (':', es_stdout);
1190 if (sig->trust_regexp)
1191 es_write_sanitized (es_stdout, sig->trust_regexp,
1192 strlen (sig->trust_regexp), ":", NULL);
1193 es_putc (':', es_stdout);
1196 es_printf ("%c %s %s ",
1197 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1199 es_printf ("[%s] ", gpg_strerror (rc2) );
1200 else if (sigrc == '?')
1202 else if (is_selfsig)
1204 if (opt.with_colons)
1205 es_putc (':', es_stdout);
1206 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1207 if (opt.with_colons)
1208 es_putc (':', es_stdout);
1210 else if (!opt.fast_list_mode)
1212 p = get_user_id (c->ctrl, sig->keyid, &n);
1213 es_write_sanitized (es_stdout, p, n,
1214 opt.with_colons?":":NULL, NULL );
1217 if (opt.with_colons)
1218 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1219 es_putc ('\n', es_stdout);
1222 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1227 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1230 CTX c = xmalloc_clear (sizeof *c);
1234 rc = do_proc_packets (ctrl, c, a);
1242 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1243 strlist_t signedfiles, const char *sigfilename )
1245 CTX c = xmalloc_clear (sizeof *c);
1252 c->signed_data.data_fd = -1;
1253 c->signed_data.data_names = signedfiles;
1254 c->signed_data.used = !!signedfiles;
1256 c->sigfilename = sigfilename;
1257 rc = do_proc_packets (ctrl, c, a);
1259 /* If we have not encountered any signature we print an error
1260 messages, send a NODATA status back and return an error code.
1261 Using log_error is required because verify_files does not check
1262 error codes for each file but we want to terminate the process
1264 if (!rc && !c->any.sig_seen)
1266 write_status_text (STATUS_NODATA, "4");
1267 log_error (_("no signature found\n"));
1268 rc = GPG_ERR_NO_DATA;
1271 /* Propagate the signature seen flag upward. Do this only on success
1272 so that we won't issue the nodata status several times. */
1273 if (!rc && c->anchor && c->any.sig_seen)
1274 c->anchor->any.sig_seen = 1;
1282 proc_signature_packets_by_fd (ctrl_t ctrl,
1283 void *anchor, iobuf_t a, int signed_data_fd )
1288 c = xtrycalloc (1, sizeof *c);
1290 return gpg_error_from_syserror ();
1296 c->signed_data.data_fd = signed_data_fd;
1297 c->signed_data.data_names = NULL;
1298 c->signed_data.used = (signed_data_fd != -1);
1300 rc = do_proc_packets (ctrl, c, a);
1302 /* If we have not encountered any signature we print an error
1303 messages, send a NODATA status back and return an error code.
1304 Using log_error is required because verify_files does not check
1305 error codes for each file but we want to terminate the process
1307 if (!rc && !c->any.sig_seen)
1309 write_status_text (STATUS_NODATA, "4");
1310 log_error (_("no signature found\n"));
1311 rc = gpg_error (GPG_ERR_NO_DATA);
1314 /* Propagate the signature seen flag upward. Do this only on success
1315 so that we won't issue the nodata status several times. */
1316 if (!rc && c->anchor && c->any.sig_seen)
1317 c->anchor->any.sig_seen = 1;
1325 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1327 CTX c = xmalloc_clear (sizeof *c);
1332 c->encrypt_only = 1;
1333 rc = do_proc_packets (ctrl, c, a);
1340 check_nesting (CTX c)
1344 for (level=0; c; c = c->anchor)
1347 if (level > MAX_NESTING_DEPTH)
1349 log_error ("input data with too deeply nested packets\n");
1350 write_status_text (STATUS_UNEXPECTED, "1");
1351 return GPG_ERR_BAD_DATA;
1359 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1362 struct parse_packet_ctx_s parsectx;
1367 rc = check_nesting (c);
1371 pkt = xmalloc( sizeof *pkt );
1374 init_parse_packet (&parsectx, a);
1375 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1380 free_packet (pkt, &parsectx);
1381 /* Stop processing when an invalid packet has been encountered
1382 * but don't do so when we are doing a --list-packets. */
1383 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1384 && opt.list_packets == 0)
1389 if (opt.list_packets)
1391 switch (pkt->pkttype)
1393 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1394 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1396 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1397 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1398 default: newpkt = 0; break;
1401 else if (c->sigs_only)
1403 switch (pkt->pkttype)
1405 case PKT_PUBLIC_KEY:
1406 case PKT_SECRET_KEY:
1408 case PKT_SYMKEY_ENC:
1409 case PKT_PUBKEY_ENC:
1411 case PKT_ENCRYPTED_MDC:
1412 write_status_text( STATUS_UNEXPECTED, "0" );
1413 rc = GPG_ERR_UNEXPECTED;
1416 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1417 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1418 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1419 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1420 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1421 default: newpkt = 0; break;
1424 else if (c->encrypt_only)
1426 switch (pkt->pkttype)
1428 case PKT_PUBLIC_KEY:
1429 case PKT_SECRET_KEY:
1431 write_status_text (STATUS_UNEXPECTED, "0");
1432 rc = GPG_ERR_UNEXPECTED;
1435 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1436 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1437 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1439 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1440 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1441 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1442 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1443 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1444 default: newpkt = 0; break;
1449 switch (pkt->pkttype)
1451 case PKT_PUBLIC_KEY:
1452 case PKT_SECRET_KEY:
1454 c->list = new_kbnode (pkt);
1457 case PKT_PUBLIC_SUBKEY:
1458 case PKT_SECRET_SUBKEY:
1459 newpkt = add_subkey (c, pkt);
1461 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1462 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1463 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1464 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1466 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1467 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1468 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1469 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1470 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1471 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1472 default: newpkt = 0; break;
1479 /* This is a very ugly construct and frankly, I don't remember why
1480 * I used it. Adding the MDC check here is a hack.
1481 * The right solution is to initiate another context for encrypted
1482 * packet and not to reuse the current one ... It works right
1483 * when there is a compression packet between which adds just
1485 * Hmmm: Rewrite this whole module here??
1487 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1488 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1494 pkt = xmalloc (sizeof *pkt);
1498 free_packet (pkt, &parsectx);
1501 if (rc == GPG_ERR_INV_PACKET)
1502 write_status_text (STATUS_NODATA, "3");
1507 write_status_text (STATUS_NODATA, "2");
1513 free_packet (pkt, &parsectx);
1514 deinit_parse_packet (&parsectx);
1516 free_md_filter_context (&c->mfx);
1521 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1522 of the notation data. */
1524 get_pka_address (PKT_signature *sig)
1526 pka_info_t *pka = NULL;
1527 struct notation *nd,*notation;
1529 notation=sig_to_notation(sig);
1531 for(nd=notation;nd;nd=nd->next)
1533 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1534 continue; /* Not the notation we want. */
1536 /* For now we only use the first valid PKA notation. In future
1537 we might want to keep additional PKA notations in a linked
1539 if (is_valid_mailbox (nd->value))
1541 pka = xmalloc (sizeof *pka + strlen(nd->value));
1545 strcpy (pka->email, nd->value);
1550 free_notation(notation);
1556 /* Return the URI from a DNS PKA record. If this record has already
1557 be retrieved for the signature we merely return it; if not we go
1558 out and try to get that DNS record. */
1560 pka_uri_from_sig (CTX c, PKT_signature *sig)
1562 if (!sig->flags.pka_tried)
1564 log_assert (!sig->pka_info);
1565 sig->flags.pka_tried = 1;
1566 sig->pka_info = get_pka_address (sig);
1573 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1574 &fpr, &fprlen, &url))
1576 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1578 memcpy (sig->pka_info->fpr, fpr, fprlen);
1581 sig->pka_info->valid = 1;
1585 sig->pka_info->uri = url;
1594 return sig->pka_info? sig->pka_info->uri : NULL;
1598 /* Return true if the AKL has the WKD method specified. */
1600 akl_has_wkd_method (void)
1604 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1605 if (akl->type == AKL_WKD)
1611 /* Return the ISSUER fingerprint string in human readbale format if
1612 * available. Caller must release the string. */
1614 issuer_fpr_string (PKT_signature *sig)
1619 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1620 if (p && n == 21 && p[0] == 4)
1621 return bin2hex (p+1, n-1, NULL);
1627 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1628 PKT_signature *sig, int rc)
1632 write_status_text_and_buffer (statno, keyid_str,
1633 un? un->pkt->pkt.user_id->name:"[?]",
1634 un? un->pkt->pkt.user_id->len:3,
1638 p = utf8_to_native (un->pkt->pkt.user_id->name,
1639 un->pkt->pkt.user_id->len, 0);
1641 p = xstrdup ("[?]");
1644 log_info (_("BAD signature from \"%s\""), p);
1645 else if (sig->flags.expired)
1646 log_info (_("Expired signature from \"%s\""), p);
1648 log_info (_("Good signature from \"%s\""), p);
1655 check_sig_and_print (CTX c, kbnode_t node)
1657 PKT_signature *sig = node->pkt->pkt.signature;
1663 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1664 int tried_ks_by_fpr;
1666 if (opt.skip_verify)
1668 log_info(_("signature verification suppressed\n"));
1672 /* Check that the message composition is valid.
1674 * Per RFC-2440bis (-15) allowed:
1676 * S{1,n} -- detached signature.
1677 * S{1,n} P -- old style PGP2 signature
1678 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1679 * C P S{1,n} -- cleartext signature.
1682 * O = One-Pass Signature packet.
1683 * S = Signature packet.
1684 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1685 * (Note that the current rfc2440bis draft also allows
1686 * for a signed message but that does not work as it
1687 * introduces ambiguities.)
1688 * We keep track of these packages using the marker packet
1689 * CTRLPKT_PLAINTEXT_MARK.
1690 * C = Marker packet for cleartext signatures.
1692 * We reject all other messages.
1694 * Actually we are calling this too often, i.e. for verification of
1695 * each message but better have some duplicate work than to silently
1696 * introduce a bug here.
1700 int n_onepass, n_sig;
1702 /* log_debug ("checking signature packet composition\n"); */
1703 /* dump_kbnode (c->list); */
1707 if ( n->pkt->pkttype == PKT_SIGNATURE )
1709 /* This is either "S{1,n}" case (detached signature) or
1710 "S{1,n} P" (old style PGP2 signature). */
1711 for (n = n->next; n; n = n->next)
1712 if (n->pkt->pkttype != PKT_SIGNATURE)
1715 ; /* Okay, this is a detached signature. */
1716 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1717 && (n->pkt->pkt.gpg_control->control
1718 == CTRLPKT_PLAINTEXT_MARK) )
1721 goto ambiguous; /* We only allow one P packet. */
1726 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1728 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1729 for (n_onepass=1, n = n->next;
1730 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1732 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1733 && (n->pkt->pkt.gpg_control->control
1734 == CTRLPKT_PLAINTEXT_MARK)))
1736 for (n_sig=0, n = n->next;
1737 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1742 /* If we wanted to disallow multiple sig verification, we'd do
1743 something like this:
1745 if (n && !opt.allow_multisig_verification)
1748 However, now that we have --allow-multiple-messages, this
1749 can stay allowable as we can't get here unless multiple
1750 messages (i.e. multiple literals) are allowed. */
1752 if (n_onepass != n_sig)
1754 log_info ("number of one-pass packets does not match "
1755 "number of signature packets\n");
1759 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1760 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1762 /* This is the "C P S{1,n}" case (clear text signature). */
1764 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1765 && (n->pkt->pkt.gpg_control->control
1766 == CTRLPKT_PLAINTEXT_MARK)))
1768 for (n_sig=0, n = n->next;
1769 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1777 log_error(_("can't handle this ambiguous signature data\n"));
1782 if (sig->signers_uid)
1783 write_status_buffer (STATUS_NEWSIG,
1784 sig->signers_uid, strlen (sig->signers_uid), 0);
1786 write_status_text (STATUS_NEWSIG, NULL);
1788 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1789 if ((issuer_fpr = issuer_fpr_string (sig)))
1791 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1792 log_info (_(" using %s key %s\n"),
1793 astr? astr: "?", issuer_fpr);
1797 else if (!keystrlen () || keystrlen () > 8)
1799 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1800 log_info (_(" using %s key %s\n"),
1801 astr? astr: "?", keystr(sig->keyid));
1803 else /* Legacy format. */
1804 log_info (_("Signature made %s using %s key ID %s\n"),
1805 asctimestamp(sig->timestamp), astr? astr: "?",
1806 keystr(sig->keyid));
1808 /* In verbose mode print the signers UID. */
1809 if (sig->signers_uid)
1810 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1812 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1814 /* If the key isn't found, check for a preferred keyserver. */
1815 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1821 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1823 /* According to my favorite copy editor, in English grammar,
1824 you say "at" if the key is located on a web page, but
1825 "from" if it is located on a keyserver. I'm not going to
1826 even try to make two strings here :) */
1827 log_info(_("Key available at: ") );
1828 print_utf8_buffer (log_get_stream(), p, n);
1831 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1832 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1834 struct keyserver_spec *spec;
1836 spec = parse_preferred_keyserver (sig);
1841 free_public_key (pk);
1843 glo_ctrl.in_auto_key_retrieve++;
1844 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
1845 glo_ctrl.in_auto_key_retrieve--;
1847 rc = do_check_sig (c, node, NULL,
1848 &is_expkey, &is_revkey, &pk);
1849 free_keyserver_spec (spec);
1858 /* If the avove methods didn't work, our next try is to use the URI
1859 * from a DNS PKA record. */
1860 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1861 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1862 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1864 const char *uri = pka_uri_from_sig (c, sig);
1868 /* FIXME: We might want to locate the key using the
1869 fingerprint instead of the keyid. */
1871 struct keyserver_spec *spec;
1873 spec = parse_keyserver_uri (uri, 1);
1876 free_public_key (pk);
1878 glo_ctrl.in_auto_key_retrieve++;
1879 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
1880 glo_ctrl.in_auto_key_retrieve--;
1881 free_keyserver_spec (spec);
1883 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1888 /* If the above methods didn't work, our next try is to locate
1889 * the key via its fingerprint from a keyserver. This requires
1890 * that the signers fingerprint is encoded in the signature. We
1891 * favor this over the WKD method (to be tried next), because an
1892 * arbitrary keyserver is less subject to web bug like monitoring. */
1893 tried_ks_by_fpr = 0;
1894 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1895 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1896 && keyserver_any_configured (c->ctrl))
1902 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1903 if (p && n == 21 && p[0] == 4)
1905 /* v4 packet with a SHA-1 fingerprint. */
1906 free_public_key (pk);
1908 glo_ctrl.in_auto_key_retrieve++;
1909 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
1910 tried_ks_by_fpr = 1;
1911 glo_ctrl.in_auto_key_retrieve--;
1913 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1917 /* If the above methods didn't work, our next try is to retrieve the
1918 * key from the WKD. */
1919 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1920 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1921 && !opt.flags.disable_signer_uid
1922 && akl_has_wkd_method ()
1923 && sig->signers_uid)
1927 free_public_key (pk);
1929 glo_ctrl.in_auto_key_retrieve++;
1930 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
1931 glo_ctrl.in_auto_key_retrieve--;
1932 /* Fixme: If the fingerprint is embedded in the signature,
1933 * compare it to the fingerprint of the returned key. */
1935 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1938 /* If the above methods did't work, our next try is to use a
1940 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1941 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1943 && keyserver_any_configured (c->ctrl))
1947 free_public_key (pk);
1949 glo_ctrl.in_auto_key_retrieve++;
1950 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
1951 glo_ctrl.in_auto_key_retrieve--;
1953 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1956 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1958 kbnode_t un, keyblock;
1962 PKT_public_key *mainpk = NULL;
1965 statno = STATUS_BADSIG;
1966 else if (sig->flags.expired)
1967 statno = STATUS_EXPSIG;
1969 statno = STATUS_EXPKEYSIG;
1971 statno = STATUS_REVKEYSIG;
1973 statno = STATUS_GOODSIG;
1975 /* FIXME: We should have the public key in PK and thus the
1976 * keyblock has already been fetched. Thus we could use the
1977 * fingerprint or PK itself to lookup the entire keyblock. That
1978 * would best be done with a cache. */
1979 keyblock = get_pubkeyblock (c->ctrl, sig->keyid);
1981 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1982 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1984 /* Find and print the primary user ID along with the
1985 "Good|Expired|Bad signature" line. */
1986 for (un=keyblock; un; un = un->next)
1990 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1992 mainpk = un->pkt->pkt.public_key;
1995 if (un->pkt->pkttype != PKT_USER_ID)
1997 if (!un->pkt->pkt.user_id->created)
1999 if (un->pkt->pkt.user_id->flags.revoked)
2001 if (un->pkt->pkt.user_id->flags.expired)
2003 if (!un->pkt->pkt.user_id->flags.primary)
2005 /* We want the textual primary user ID here */
2006 if (un->pkt->pkt.user_id->attrib_data)
2009 log_assert (mainpk);
2011 /* Since this is just informational, don't actually ask the
2012 user to update any trust information. (Note: we register
2013 the signature later.) Because print_good_bad_signature
2014 does not print a LF we need to compute the validity
2015 before calling that function. */
2016 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2017 valid = get_validity (c->ctrl, keyblock, mainpk,
2018 un->pkt->pkt.user_id, NULL, 0);
2020 valid = 0; /* Not used. */
2022 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2024 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2026 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2027 log_printf (" [%s]\n",trust_value_to_string(valid));
2034 log_assert (mainpk);
2036 /* In case we did not found a valid textual userid above
2037 we print the first user id packet or a "[?]" instead along
2038 with the "Good|Expired|Bad signature" line. */
2041 /* Try for an invalid textual userid */
2042 for (un=keyblock; un; un = un->next)
2044 if (un->pkt->pkttype == PKT_USER_ID
2045 && !un->pkt->pkt.user_id->attrib_data)
2049 /* Try for any userid at all */
2052 for (un=keyblock; un; un = un->next)
2054 if (un->pkt->pkttype == PKT_USER_ID)
2059 if (opt.trust_model==TM_ALWAYS || !un)
2060 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2062 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2064 if (opt.trust_model != TM_ALWAYS && un)
2065 log_printf (" %s",_("[uncertain]") );
2069 /* If we have a good signature and already printed
2070 * the primary user ID, print all the other user IDs */
2073 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2076 for( un=keyblock; un; un = un->next)
2078 if (un->pkt->pkttype != PKT_USER_ID)
2080 if ((un->pkt->pkt.user_id->flags.revoked
2081 || un->pkt->pkt.user_id->flags.expired)
2082 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2084 /* Skip textual primary user ids which we printed above. */
2085 if (un->pkt->pkt.user_id->flags.primary
2086 && !un->pkt->pkt.user_id->attrib_data )
2089 /* If this user id has attribute data, print that. */
2090 if (un->pkt->pkt.user_id->attrib_data)
2092 dump_attribs (un->pkt->pkt.user_id, mainpk);
2094 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2095 show_photos (c->ctrl,
2096 un->pkt->pkt.user_id->attribs,
2097 un->pkt->pkt.user_id->numattribs,
2098 mainpk ,un->pkt->pkt.user_id);
2101 p = utf8_to_native (un->pkt->pkt.user_id->name,
2102 un->pkt->pkt.user_id->len, 0);
2103 log_info (_(" aka \"%s\""), p);
2106 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2110 if (un->pkt->pkt.user_id->flags.revoked)
2111 valid = _("revoked");
2112 else if (un->pkt->pkt.user_id->flags.expired)
2113 valid = _("expired");
2115 /* Since this is just informational, don't
2116 actually ask the user to update any trust
2118 valid = (trust_value_to_string
2119 (get_validity (c->ctrl, keyblock, mainpk,
2120 un->pkt->pkt.user_id, NULL, 0)));
2121 log_printf (" [%s]\n",valid);
2128 /* For good signatures print notation data. */
2131 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2132 show_policy_url (sig, 0, 1);
2134 show_policy_url (sig, 0, 2);
2136 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2137 show_keyserver_url (sig, 0, 1);
2139 show_keyserver_url (sig, 0, 2);
2141 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2144 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2145 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2147 show_notation (sig, 0, 2, 0);
2150 /* For good signatures print the VALIDSIG status line. */
2151 if (!rc && is_status_enabled () && pk)
2153 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2154 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2156 hexfingerprint (pk, pkhex, sizeof pkhex);
2157 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2159 /* TODO: Replace the reserved '0' in the field below with
2160 bits for status flags (policy url, notation, etc.). */
2161 write_status_printf (STATUS_VALIDSIG,
2162 "%s %s %lu %lu %d 0 %d %d %02X %s",
2164 strtimestamp (sig->timestamp),
2165 (ulong)sig->timestamp,
2166 (ulong)sig->expiredate,
2167 sig->version, sig->pubkey_algo,
2173 /* Print compliance warning for Good signatures. */
2174 if (!rc && pk && !opt.quiet
2175 && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
2176 pk->pkey, nbits_from_pk (pk), NULL))
2178 log_info (_("WARNING: This key is not suitable for signing"
2180 gnupg_compliance_option_string (opt.compliance));
2183 /* For good signatures compute and print the trust information.
2184 Note that in the Tofu trust model this may ask the user on
2185 how to resolve a conflict. */
2188 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2189 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2190 rc = check_signatures_trust (c->ctrl, sig);
2193 /* Print extra information about the signature. */
2194 if (sig->flags.expired)
2196 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2197 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2199 else if (sig->expiredate)
2200 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2204 char pkstrbuf[PUBKEY_STRING_SIZE];
2207 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2211 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2212 sig->sig_class==0x00?_("binary"):
2213 sig->sig_class==0x01?_("textmode"):_("unknown"),
2214 gcry_md_algo_name (sig->digest_algo),
2215 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2218 /* Print final warnings. */
2219 if (!rc && !c->signed_data.used)
2221 /* Signature is basically good but we test whether the
2223 gpg --verify FILE.sig
2225 gpg --verify FILE.sig FILE
2226 to verify a detached signature. If we figure out that a
2227 data file with a matching name exists, we print a warning.
2229 The problem is that the first form would also verify a
2230 standard signature. This behavior could be used to
2231 create a made up .sig file for a tarball by creating a
2232 standard signature from a valid detached signature packet
2233 (for example from a signed git tag). Then replace the
2234 sig file on the FTP server along with a changed tarball.
2235 Using the first form the verify command would correctly
2236 verify the signature but don't even consider the tarball. */
2240 dfile = get_matching_datafile (c->sigfilename);
2243 for (n = c->list; n; n = n->next)
2244 if (n->pkt->pkttype != PKT_SIGNATURE)
2248 /* Not only signature packets in the tree thus this
2249 is not a detached signature. */
2250 log_info (_("WARNING: not a detached signature; "
2251 "file '%s' was NOT verified!\n"), dfile);
2257 /* Compute compliance with CO_DE_VS. */
2258 if (pk && is_status_enabled ()
2259 && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
2260 nbits_from_pk (pk), NULL)
2261 && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2262 write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2263 gnupg_status_compliance_flag (CO_DE_VS),
2266 free_public_key (pk);
2268 release_kbnode( keyblock );
2270 g10_errors_seen = 1;
2271 if (opt.batch && rc)
2278 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2279 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2280 sig->pubkey_algo, sig->digest_algo,
2281 sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
2282 write_status_text (STATUS_ERRSIG, buf);
2283 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2286 write_status_text (STATUS_NO_PUBKEY, buf);
2288 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2289 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2297 * Process the tree which starts at node
2300 proc_tree (CTX c, kbnode_t node)
2305 if (opt.list_packets || opt.list_only)
2308 /* We must skip our special plaintext marker packets here because
2309 they may be the root packet. These packets are only used in
2310 additional checks and skipping them here doesn't matter. */
2312 && node->pkt->pkttype == PKT_GPG_CONTROL
2313 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2320 c->trustletter = ' ';
2321 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2322 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2324 merge_keys_and_selfsig (c->ctrl, node);
2325 list_node (c, node);
2327 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2329 merge_keys_and_selfsig (c->ctrl, node);
2330 list_node (c, node);
2332 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2334 /* Check all signatures. */
2337 int use_textmode = 0;
2339 free_md_filter_context (&c->mfx);
2340 /* Prepare to create all requested message digests. */
2341 rc = gcry_md_open (&c->mfx.md, 0, 0);
2345 /* Fixme: why looking for the signature packet and not the
2347 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2348 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2350 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2353 /* Ask for file and hash it. */
2356 if (c->signed_data.used && c->signed_data.data_fd != -1)
2357 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2358 c->signed_data.data_fd,
2361 rc = hash_datafiles (c->mfx.md, NULL,
2362 c->signed_data.data_names,
2368 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2369 iobuf_get_real_fname (c->iobuf),
2376 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2380 else if (c->signed_data.used)
2382 log_error (_("not a detached signature\n"));
2386 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2387 check_sig_and_print (c, n1);
2390 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2391 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2393 /* Clear text signed message. */
2396 log_error ("cleartext signature without data\n");
2399 else if (c->signed_data.used)
2401 log_error (_("not a detached signature\n"));
2405 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2406 check_sig_and_print (c, n1);
2409 else if (node->pkt->pkttype == PKT_SIGNATURE)
2411 PKT_signature *sig = node->pkt->pkt.signature;
2412 int multiple_ok = 1;
2414 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2417 byte class = sig->sig_class;
2418 byte hash = sig->digest_algo;
2420 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2422 /* We can't currently handle multiple signatures of
2423 * different classes (we'd pretty much have to run a
2424 * different hash context for each), but if they are all
2425 * the same and it is detached signature, we make an
2426 * exception. Note that the old code also disallowed
2427 * multiple signatures if the digest algorithms are
2428 * different. We softened this restriction only for
2429 * detached signatures, to be on the safe side. */
2430 if (n1->pkt->pkt.signature->sig_class != class
2432 && n1->pkt->pkt.signature->digest_algo != hash))
2435 log_info (_("WARNING: multiple signatures detected. "
2436 "Only the first will be checked.\n"));
2442 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2444 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2446 else if (!c->any.data)
2448 /* Detached signature */
2449 free_md_filter_context (&c->mfx);
2450 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2452 goto detached_hash_err;
2456 /* If we have and want to handle multiple signatures we
2457 * need to enable all hash algorithms for the context. */
2458 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2459 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2460 gcry_md_enable (c->mfx.md,
2461 map_md_openpgp_to_gcry
2462 (n1->pkt->pkt.signature->digest_algo));
2465 if (RFC2440 || RFC4880)
2466 ; /* Strict RFC mode. */
2467 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2468 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2469 && sig->sig_class == 0x01)
2471 /* Enable a workaround for a pgp5 bug when the detached
2472 * signature has been created in textmode. Note that we
2473 * do not implement this for multiple signatures with
2474 * different hash algorithms. */
2475 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2477 goto detached_hash_err;
2480 /* Here we used to have another hack to work around a pgp
2481 * 2 bug: It worked by not using the textmode for detached
2482 * signatures; this would let the first signature check
2483 * (on md) fail but the second one (on md2), which adds an
2484 * extra CR would then have produced the "correct" hash.
2485 * This is very, very ugly hack but it may haved help in
2486 * some cases (and break others).
2487 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2492 gcry_md_debug (c->mfx.md, "verify");
2494 gcry_md_debug (c->mfx.md2, "verify2");
2499 if (c->signed_data.used && c->signed_data.data_fd != -1)
2500 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2501 c->signed_data.data_fd,
2502 (sig->sig_class == 0x01));
2504 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2505 c->signed_data.data_names,
2507 (sig->sig_class == 0x01));
2511 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2512 iobuf_get_real_fname(c->iobuf),
2513 (sig->sig_class == 0x01));
2519 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2523 else if (c->signed_data.used)
2525 log_error (_("not a detached signature\n"));
2528 else if (!opt.quiet)
2529 log_info (_("old style (PGP 2.x) signature\n"));
2533 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2534 check_sig_and_print (c, n1);
2537 check_sig_and_print (c, node);
2542 dump_kbnode (c->list);
2543 log_error ("invalid root packet detected in proc_tree()\n");