1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
38 #include "keyserver-internal.h"
40 #include "mbox-util.h"
41 #include "call-dirmngr.h"
43 /* Put an upper limit on nested packets. The 32 is an arbitrary
44 value, a much lower should actually be sufficient. */
45 #define MAX_NESTING_DEPTH 32
48 /* An object to build a list of keyid related info. */
51 struct kidlist_item *next;
59 * Object to hold the processing context.
61 typedef struct mainproc_context *CTX;
62 struct mainproc_context
65 struct mainproc_context *anchor; /* May be useful in the future. */
66 PKT_public_key *last_pubkey;
67 PKT_user_id *last_user_id;
68 md_filter_context_t mfx;
69 int sigs_only; /* Process only signatures and reject all other stuff. */
70 int encrypt_only; /* Process only encryption messages. */
72 /* Name of the file with the complete signature or the file with the
73 detached signature. This is currently only used to deduce the
74 file name of the data file if that has not been given. */
75 const char *sigfilename;
77 /* A structure to describe the signed data in case of a detached
81 /* A file descriptor of the the signed data. Only used if not -1. */
83 /* A list of filenames with the data files or NULL. This is only
84 used if DATA_FD is -1. */
86 /* Flag to indicated that either one of the next previous fields
87 is used. This is only needed for better readability. */
92 int last_was_session_key;
93 kbnode_t list; /* The current list of packets. */
94 iobuf_t iobuf; /* Used to get the filename etc. */
95 int trustletter; /* Temporary usage in list_node. */
97 struct kidlist_item *pkenc_list; /* List of encryption packets. */
99 unsigned int sig_seen:1; /* Set to true if a signature packet
101 unsigned int data:1; /* Any data packet seen */
102 unsigned int uncompress_failed:1;
107 /*** Local prototypes. ***/
108 static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
109 static void list_node (CTX c, kbnode_t node);
110 static void proc_tree (CTX c, kbnode_t node);
111 static int literals_seen;
118 reset_literals_seen(void)
125 release_list( CTX c )
127 proc_tree (c, c->list);
128 release_kbnode (c->list);
129 while (c->pkenc_list)
131 struct kidlist_item *tmp = c->pkenc_list->next;
132 xfree (c->pkenc_list);
135 c->pkenc_list = NULL;
138 c->any.uncompress_failed = 0;
139 c->last_was_session_key = 0;
146 add_onepass_sig (CTX c, PACKET *pkt)
150 if (c->list) /* Add another packet. */
151 add_kbnode (c->list, new_kbnode (pkt));
152 else /* Insert the first one. */
153 c->list = node = new_kbnode (pkt);
160 add_gpg_control (CTX c, PACKET *pkt)
162 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
164 /* New clear text signature.
165 * Process the last one and reset everything */
169 if (c->list) /* Add another packet. */
170 add_kbnode (c->list, new_kbnode (pkt));
171 else /* Insert the first one. */
172 c->list = new_kbnode (pkt);
179 add_user_id (CTX c, PACKET *pkt)
183 log_error ("orphaned user ID\n");
186 add_kbnode (c->list, new_kbnode (pkt));
192 add_subkey (CTX c, PACKET *pkt)
196 log_error ("subkey w/o mainkey\n");
199 add_kbnode (c->list, new_kbnode (pkt));
205 add_ring_trust (CTX c, PACKET *pkt)
209 log_error ("ring trust w/o key\n");
212 add_kbnode (c->list, new_kbnode (pkt));
218 add_signature (CTX c, PACKET *pkt)
223 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
225 /* This is the first signature for the following datafile.
226 * GPG does not write such packets; instead it always uses
227 * onepass-sig packets. The drawback of PGP's method
228 * of prepending the signature to the data is
229 * that it is not possible to make a signature from data read
230 * from stdin. (GPG is able to read PGP stuff anyway.) */
231 node = new_kbnode (pkt);
236 return 0; /* oops (invalid packet sequence)*/
237 else if (!c->list->pkt)
238 BUG(); /* so nicht */
240 /* Add a new signature node item at the end. */
241 node = new_kbnode (pkt);
242 add_kbnode (c->list, node);
248 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
252 if(slen < 17 || slen > 33)
254 log_error ( _("weird size for an encrypted session key (%d)\n"),
256 return GPG_ERR_BAD_KEY;
259 if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
261 if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
263 gcry_cipher_setiv ( hd, NULL, 0 );
264 gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
265 gcry_cipher_close ( hd );
267 /* Now we replace the dek components with the real session key to
268 decrypt the contents of the sequencing packet. */
273 if(dek->keylen > DIM(dek->key))
276 memcpy(dek->key, seskey + 1, dek->keylen);
278 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
285 proc_symkey_enc (CTX c, PACKET *pkt)
289 enc = pkt->pkt.symkey_enc;
291 log_error ("invalid symkey encrypted packet\n");
294 int algo = enc->cipher_algo;
295 const char *s = openpgp_cipher_algo_name (algo);
297 if (!openpgp_cipher_test_algo (algo))
302 log_info (_("%s encrypted session key\n"), s );
304 log_info (_("%s encrypted data\n"), s );
308 log_error (_("encrypted with unknown algorithm %d\n"), algo);
310 if (openpgp_md_test_algo (enc->s2k.hash_algo))
312 log_error(_("passphrase generated with unknown digest"
313 " algorithm %d\n"),enc->s2k.hash_algo);
317 c->last_was_session_key = 2;
318 if (!s || opt.list_only)
321 if (opt.override_session_key)
323 c->dek = xmalloc_clear (sizeof *c->dek);
324 if (get_override_session_key (c->dek, opt.override_session_key))
332 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
335 c->dek->symmetric = 1;
337 /* FIXME: This doesn't work perfectly if a symmetric key
338 comes before a public key in the message - if the
339 user doesn't know the passphrase, then there is a
340 chance that the "decrypted" algorithm will happen to
341 be a valid one, which will make the returned dek
342 appear valid, so we won't try any public keys that
346 if (symkey_decrypt_seskey (c->dek,
347 enc->seskey, enc->seskeylen))
354 c->dek->algo_info_printed = 1;
366 proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
371 /* Check whether the secret key is available and store in this case. */
372 c->last_was_session_key = 1;
373 enc = pkt->pkt.pubkey_enc;
374 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
375 /* Hmmm: why do I have this algo check here - anyway there is
376 * function to check it. */
378 log_info (_("public key is %s\n"), keystr (enc->keyid));
380 if (is_status_enabled())
383 /* FIXME: For ECC support we need to map the OpenPGP algo number
384 to the Libgcrypt defined one. This is due a chicken-egg
385 problem: We need to have code in Libgcrypt for a new
386 algorithm so to implement a proposed new algorithm before the
387 IANA will finally assign an OpenPGP identifier. */
388 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
389 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
390 write_status_text (STATUS_ENC_TO, buf);
393 if (!opt.list_only && opt.override_session_key)
395 /* It does not make much sense to store the session key in
396 * secure memory because it has already been passed on the
397 * command line and the GCHQ knows about it. */
398 c->dek = xmalloc_clear (sizeof *c->dek);
399 result = get_override_session_key (c->dek, opt.override_session_key);
406 else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
407 || enc->pubkey_algo == PUBKEY_ALGO_ECDH
408 || enc->pubkey_algo == PUBKEY_ALGO_RSA
409 || enc->pubkey_algo == PUBKEY_ALGO_RSA_E
410 || enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
412 /* Note that we also allow type 20 Elgamal keys for decryption.
413 There are still a couple of those keys in active use as a
416 /* FIXME: Store this all in a list and process it later so that
417 we can prioritize what key to use. This gives a better user
418 experience if wildcard keyids are used. */
419 if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
420 || opt.try_all_secrets
421 || have_secret_key_with_kid (enc->keyid)))
427 c->dek = xmalloc_secure_clear (sizeof *c->dek);
428 if ((result = get_session_key (ctrl, enc, c->dek)))
430 /* Error: Delete the DEK. */
437 result = GPG_ERR_NO_SECKEY;
440 result = GPG_ERR_PUBKEY_ALGO;
446 /* Store it for later display. */
447 struct kidlist_item *x = xmalloc (sizeof *x);
448 x->kid[0] = enc->keyid[0];
449 x->kid[1] = enc->keyid[1];
450 x->pubkey_algo = enc->pubkey_algo;
452 x->next = c->pkenc_list;
455 if (!result && opt.verbose > 1)
456 log_info (_("public key encrypted data: good DEK\n"));
464 * Print the list of public key encrypted packets which we could
468 print_pkenc_list (struct kidlist_item *list, int failed)
470 for (; list; list = list->next)
475 if (failed && !list->reason)
477 if (!failed && list->reason)
480 algstr = openpgp_pk_algo_name (list->pubkey_algo);
481 pk = xmalloc_clear (sizeof *pk);
485 pk->pubkey_algo = list->pubkey_algo;
486 if (!get_pubkey (pk, list->kid))
489 log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
490 nbits_from_pk (pk), algstr, keystr_from_pk(pk),
491 strtimestamp (pk->timestamp));
492 p = get_user_id_native (list->kid);
493 log_printf (_(" \"%s\"\n"), p);
497 log_info (_("encrypted with %s key, ID %s\n"),
498 algstr, keystr(list->kid));
500 free_public_key (pk);
502 if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
504 if (is_status_enabled())
507 snprintf (buf, sizeof buf, "%08lX%08lX",
508 (ulong)list->kid[0], (ulong)list->kid[1]);
509 write_status_text (STATUS_NO_SECKEY, buf);
512 else if (list->reason)
514 log_info (_("public key decryption failed: %s\n"),
515 gpg_strerror (list->reason));
516 write_status_error ("pkdecrypt_failed", list->reason);
523 proc_encrypted (CTX c, PACKET *pkt)
530 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
531 else if (c->symkeys == 1)
532 log_info (_("encrypted with 1 passphrase\n"));
533 print_pkenc_list ( c->pkenc_list, 1 );
534 print_pkenc_list ( c->pkenc_list, 0 );
537 /* FIXME: Figure out the session key by looking at all pkenc packets. */
539 write_status (STATUS_BEGIN_DECRYPTION);
541 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
544 else if (!c->dek && !c->last_was_session_key)
548 STRING2KEY *s2k = NULL;
551 if (opt.override_session_key)
553 c->dek = xmalloc_clear (sizeof *c->dek);
554 result = get_override_session_key (c->dek, opt.override_session_key);
563 /* Assume this is old style conventional encrypted data. */
564 algo = opt.def_cipher_algo;
566 log_info (_("assuming %s encrypted data\n"),
567 openpgp_cipher_algo_name (algo));
568 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
570 algo = opt.def_cipher_algo;
572 algo = opt.s2k_cipher_algo;
573 log_info (_("IDEA cipher unavailable, "
574 "optimistically attempting to use %s instead\n"),
575 openpgp_cipher_algo_name (algo));
579 algo = CIPHER_ALGO_IDEA;
580 if (!opt.s2k_digest_algo)
582 /* If no digest is given we assume SHA-1. */
584 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
587 log_info (_("assuming %s encrypted data\n"), "IDEA");
590 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
592 c->dek->algo_info_printed = 1;
594 result = gpg_error (GPG_ERR_CANCELED);
596 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
600 result = GPG_ERR_NO_SECKEY;
603 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
608 && !opt.ignore_mdc_error
609 && !pkt->pkt.encrypted->mdc_method
610 && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
611 && c->dek->algo != CIPHER_ALGO_TWOFISH)
613 /* The message has been decrypted but has no MDC despite that a
614 modern cipher (blocklength != 64 bit, except for Twofish) is
615 used and the option to ignore MDC errors is not used: To
616 avoid attacks changing an MDC message to a non-MDC message,
618 log_error (_("WARNING: message was not integrity protected\n"));
620 log_info ("decryption forced to fail\n");
621 write_status (STATUS_DECRYPTION_FAILED);
623 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
624 && opt.ignore_mdc_error))
626 write_status (STATUS_DECRYPTION_OKAY);
628 log_info(_("decryption okay\n"));
629 if (pkt->pkt.encrypted->mdc_method && !result)
630 write_status (STATUS_GOODMDC);
631 else if (!opt.no_mdc_warn)
632 log_info (_("WARNING: message was not integrity protected\n"));
634 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
636 glo_ctrl.lasterr = result;
637 log_error (_("WARNING: encrypted message has been manipulated!\n"));
638 write_status (STATUS_BADMDC);
639 write_status (STATUS_DECRYPTION_FAILED);
643 if (gpg_err_code (result) == GPG_ERR_BAD_KEY
644 && *c->dek->s2k_cacheid != '\0')
647 log_debug ("cleared passphrase cached with ID: %s\n",
648 c->dek->s2k_cacheid);
649 passphrase_clear_cache (c->dek->s2k_cacheid);
651 glo_ctrl.lasterr = result;
652 write_status (STATUS_DECRYPTION_FAILED);
653 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
654 /* Hmmm: does this work when we have encrypted using multiple
655 * ways to specify the session key (symmmetric and PK). */
661 c->last_was_session_key = 0;
662 write_status (STATUS_END_DECRYPTION);
667 proc_plaintext( CTX c, PACKET *pkt )
669 PKT_plaintext *pt = pkt->pkt.plaintext;
670 int any, clearsig, rc;
675 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
676 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
677 else if (opt.verbose)
678 log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
680 free_md_filter_context (&c->mfx);
681 if (gcry_md_open (&c->mfx.md, 0, 0))
683 /* fixme: we may need to push the textfilter if we have sigclass 1
684 * and no armoring - Not yet tested
685 * Hmmm, why don't we need it at all if we have sigclass 1
686 * Should we assume that plaintext in mode 't' has always sigclass 1??
687 * See: Russ Allbery's mail 1999-02-09
690 for (n=c->list; n; n = n->next )
692 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
694 /* The onepass signature case. */
695 if (n->pkt->pkt.onepass_sig->digest_algo)
697 gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
701 else if (n->pkt->pkttype == PKT_GPG_CONTROL
702 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
704 /* The clearsigned message case. */
705 size_t datalen = n->pkt->pkt.gpg_control->datalen;
706 const byte *data = n->pkt->pkt.gpg_control->data;
708 /* Check that we have at least the sigclass and one hash. */
710 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
711 /* Note that we don't set the clearsig flag for not-dash-escaped
713 clearsig = (*data == 0x01);
714 for (data++, datalen--; datalen; datalen--, data++)
715 gcry_md_enable (c->mfx.md, *data);
717 break; /* Stop here as one-pass signature packets are not
720 else if (n->pkt->pkttype == PKT_SIGNATURE)
722 /* The SIG+LITERAL case that PGP used to use. */
723 gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
728 if (!any && !opt.skip_verify)
730 /* This is for the old GPG LITERAL+SIG case. It's not legal
731 according to 2440, so hopefully it won't come up that often.
732 There is no good way to specify what algorithms to use in
733 that case, so these there are the historical answer. */
734 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
735 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
739 gcry_md_debug (c->mfx.md, "verify");
741 gcry_md_debug (c->mfx.md2, "verify2");
746 if (literals_seen > 1)
748 log_info (_("WARNING: multiple plaintexts seen\n"));
750 if (!opt.flags.allow_multiple_messages)
752 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
753 log_inc_errorcount ();
754 rc = gpg_error (GPG_ERR_UNEXPECTED);
760 /* It we are in --verify mode, we do not want to output the
761 * signed text. However, if --output is also used we do what
762 * has been requested and write out the signed data. */
763 rc = handle_plaintext (pt, &c->mfx,
764 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
766 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
768 /* Can't write output but we hash it anyway to check the
770 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
775 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
778 c->last_was_session_key = 0;
780 /* We add a marker control packet instead of the plaintext packet.
781 * This is so that we can later detect invalid packet sequences. */
782 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
784 add_kbnode (c->list, n);
791 proc_compressed_cb (iobuf_t a, void *info)
793 if ( ((CTX)info)->signed_data.used
794 && ((CTX)info)->signed_data.data_fd != -1)
795 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
796 ((CTX)info)->signed_data.data_fd);
798 return proc_signature_packets (((CTX)info)->ctrl, info, a,
799 ((CTX)info)->signed_data.data_names,
800 ((CTX)info)->sigfilename );
805 proc_encrypt_cb (iobuf_t a, void *info )
808 return proc_encryption_packets (c->ctrl, info, a );
813 proc_compressed (CTX c, PACKET *pkt)
815 PKT_compressed *zd = pkt->pkt.compressed;
818 /*printf("zip: compressed data packet\n");*/
820 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
821 else if( c->encrypt_only )
822 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
824 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
826 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
828 if (!c->any.uncompress_failed)
832 for (cc=c; cc; cc = cc->anchor)
833 cc->any.uncompress_failed = 1;
834 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
838 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
841 c->last_was_session_key = 0;
847 * Check the signature. If R_PK is not NULL a copy of the public key
848 * used to verify the signature will be stored tehre, or NULL if not
849 * found. Returns: 0 = valid signature or an error code
852 do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
853 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
856 gcry_md_hd_t md = NULL;
857 gcry_md_hd_t md2 = NULL;
858 gcry_md_hd_t md_good = NULL;
864 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
867 sig = node->pkt->pkt.signature;
869 algo = sig->digest_algo;
870 rc = openpgp_md_test_algo (algo);
874 if (sig->sig_class == 0x00)
878 if (gcry_md_copy (&md, c->mfx.md ))
881 else /* detached signature */
883 /* check_signature() will enable the md. */
884 if (gcry_md_open (&md, 0, 0 ))
888 else if (sig->sig_class == 0x01)
890 /* How do we know that we have to hash the (already hashed) text
891 in canonical mode ??? (calculating both modes???) */
894 if (gcry_md_copy (&md, c->mfx.md ))
896 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
899 else /* detached signature */
901 log_debug ("Do we really need this here?");
902 /* check_signature() will enable the md*/
903 if (gcry_md_open (&md, 0, 0 ))
905 if (gcry_md_open (&md2, 0, 0 ))
909 else if ((sig->sig_class&~3) == 0x10
910 || sig->sig_class == 0x18
911 || sig->sig_class == 0x1f
912 || sig->sig_class == 0x20
913 || sig->sig_class == 0x28
914 || sig->sig_class == 0x30)
916 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
917 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
919 return check_key_signature( c->list, node, is_selfsig );
921 else if (sig->sig_class == 0x20)
923 log_error (_("standalone revocation - "
924 "use \"gpg --import\" to apply\n"));
925 return GPG_ERR_NOT_PROCESSED;
929 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
930 return GPG_ERR_SIG_CLASS;
934 return GPG_ERR_SIG_CLASS;
936 /* We only get here if we are checking the signature of a binary
937 (0x00) or text document (0x01). */
938 rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, r_pk);
941 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
945 rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey,
952 free_public_key (*r_pk);
960 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
961 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
962 memcpy (sig->digest, buffer, sig->digest_len);
973 print_userid (PACKET *pkt)
978 if (pkt->pkttype != PKT_USER_ID)
980 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
985 if (pkt->pkt.user_id->attrib_data)
987 pkt->pkt.user_id->numattribs,
988 pkt->pkt.user_id->attrib_len);
990 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
991 pkt->pkt.user_id->len, ":", NULL);
994 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
995 pkt->pkt.user_id->len );
1000 * List the keyblock in a user friendly way
1003 list_node (CTX c, kbnode_t node)
1007 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1008 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1010 PKT_public_key *pk = node->pkt->pkt.public_key;
1012 if (opt.with_colons)
1016 keyid_from_pk( pk, keyid );
1017 if (pk->flags.primary)
1018 c->trustletter = (opt.fast_list_mode
1022 node->pkt->pkttype == PKT_PUBLIC_KEY
1025 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1027 es_putc (c->trustletter, es_stdout);
1028 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1029 nbits_from_pk( pk ),
1031 (ulong)keyid[0],(ulong)keyid[1],
1032 colon_datestr_from_pk( pk ),
1033 colon_strtime (pk->expiredate) );
1034 if (pk->flags.primary && !opt.fast_list_mode)
1035 es_putc (get_ownertrust_info (pk), es_stdout);
1036 es_putc (':', es_stdout);
1037 es_putc ('\n', es_stdout);
1041 print_key_line (es_stdout, pk, 0);
1044 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1045 ; /* Already printed. */
1046 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1047 print_fingerprint (NULL, pk, 0);
1049 if (opt.with_colons)
1051 if (node->next && node->next->pkt->pkttype == PKT_RING_TRUST)
1052 es_printf ("rtv:1:%u:\n",
1053 node->next->pkt->pkt.ring_trust->trustval);
1056 if (pk->flags.primary)
1058 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1060 /* Now list all userids with their signatures. */
1061 for (node = node->next; node; node = node->next)
1063 if (node->pkt->pkttype == PKT_SIGNATURE)
1065 list_node (c, node );
1067 else if (node->pkt->pkttype == PKT_USER_ID)
1069 if (opt.with_colons)
1070 es_printf ("%s:::::::::",
1071 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1073 es_printf ("uid%*s",
1074 kl + (opt.legacy_list_mode? 9:11),
1076 print_userid (node->pkt);
1077 if (opt.with_colons)
1078 es_putc (':', es_stdout);
1079 es_putc ('\n', es_stdout);
1082 && node->next->pkt->pkttype == PKT_RING_TRUST)
1084 es_printf ("rtv:2:%u:\n",
1085 node->next->pkt->pkt.ring_trust?
1086 node->next->pkt->pkt.ring_trust->trustval : 0);
1089 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1091 list_node(c, node );
1096 else if (node->pkt->pkttype == PKT_SECRET_KEY
1097 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1100 log_debug ("FIXME: No way to print secret key packets here\n");
1101 /* fixme: We may use a function to turn a secret key packet into
1102 a public key one and use that here. */
1104 else if (node->pkt->pkttype == PKT_SIGNATURE)
1106 PKT_signature *sig = node->pkt->pkt.signature;
1116 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1117 es_fputs ("rev", es_stdout);
1119 es_fputs ("sig", es_stdout);
1123 rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
1124 switch (gpg_err_code (rc2))
1126 case 0: sigrc = '!'; break;
1127 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1128 case GPG_ERR_NO_PUBKEY:
1129 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1130 default: sigrc = '%'; break;
1133 else /* Check whether this is a self signature. */
1137 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1138 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1140 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1142 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1147 if (opt.with_colons)
1149 es_putc (':', es_stdout);
1151 es_putc (sigrc, es_stdout);
1152 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1153 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1154 colon_datestr_from_sig (sig),
1155 colon_expirestr_from_sig (sig));
1157 if (sig->trust_depth || sig->trust_value)
1158 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1159 es_putc (':', es_stdout);
1161 if (sig->trust_regexp)
1162 es_write_sanitized (es_stdout, sig->trust_regexp,
1163 strlen (sig->trust_regexp), ":", NULL);
1164 es_putc (':', es_stdout);
1167 es_printf ("%c %s %s ",
1168 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1170 es_printf ("[%s] ", gpg_strerror (rc2) );
1171 else if (sigrc == '?')
1173 else if (is_selfsig)
1175 if (opt.with_colons)
1176 es_putc (':', es_stdout);
1177 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1178 if (opt.with_colons)
1179 es_putc (':', es_stdout);
1181 else if (!opt.fast_list_mode)
1183 p = get_user_id (sig->keyid, &n);
1184 es_write_sanitized (es_stdout, p, n,
1185 opt.with_colons?":":NULL, NULL );
1188 if (opt.with_colons)
1189 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1190 es_putc ('\n', es_stdout);
1193 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1198 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1201 CTX c = xmalloc_clear (sizeof *c);
1205 rc = do_proc_packets (ctrl, c, a);
1213 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1214 strlist_t signedfiles, const char *sigfilename )
1216 CTX c = xmalloc_clear (sizeof *c);
1223 c->signed_data.data_fd = -1;
1224 c->signed_data.data_names = signedfiles;
1225 c->signed_data.used = !!signedfiles;
1227 c->sigfilename = sigfilename;
1228 rc = do_proc_packets (ctrl, c, a);
1230 /* If we have not encountered any signature we print an error
1231 messages, send a NODATA status back and return an error code.
1232 Using log_error is required because verify_files does not check
1233 error codes for each file but we want to terminate the process
1235 if (!rc && !c->any.sig_seen)
1237 write_status_text (STATUS_NODATA, "4");
1238 log_error (_("no signature found\n"));
1239 rc = GPG_ERR_NO_DATA;
1242 /* Propagate the signature seen flag upward. Do this only on success
1243 so that we won't issue the nodata status several times. */
1244 if (!rc && c->anchor && c->any.sig_seen)
1245 c->anchor->any.sig_seen = 1;
1253 proc_signature_packets_by_fd (ctrl_t ctrl,
1254 void *anchor, iobuf_t a, int signed_data_fd )
1259 c = xtrycalloc (1, sizeof *c);
1261 return gpg_error_from_syserror ();
1267 c->signed_data.data_fd = signed_data_fd;
1268 c->signed_data.data_names = NULL;
1269 c->signed_data.used = (signed_data_fd != -1);
1271 rc = do_proc_packets (ctrl, c, a);
1273 /* If we have not encountered any signature we print an error
1274 messages, send a NODATA status back and return an error code.
1275 Using log_error is required because verify_files does not check
1276 error codes for each file but we want to terminate the process
1278 if (!rc && !c->any.sig_seen)
1280 write_status_text (STATUS_NODATA, "4");
1281 log_error (_("no signature found\n"));
1282 rc = gpg_error (GPG_ERR_NO_DATA);
1285 /* Propagate the signature seen flag upward. Do this only on success
1286 so that we won't issue the nodata status several times. */
1287 if (!rc && c->anchor && c->any.sig_seen)
1288 c->anchor->any.sig_seen = 1;
1296 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1298 CTX c = xmalloc_clear (sizeof *c);
1303 c->encrypt_only = 1;
1304 rc = do_proc_packets (ctrl, c, a);
1311 check_nesting (CTX c)
1315 for (level=0; c; c = c->anchor)
1318 if (level > MAX_NESTING_DEPTH)
1320 log_error ("input data with too deeply nested packets\n");
1321 write_status_text (STATUS_UNEXPECTED, "1");
1322 return GPG_ERR_BAD_DATA;
1330 do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
1337 rc = check_nesting (c);
1341 pkt = xmalloc( sizeof *pkt );
1344 while ((rc=parse_packet(a, pkt)) != -1)
1350 /* Stop processing when an invalid packet has been encountered
1351 * but don't do so when we are doing a --list-packets. */
1352 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1353 && opt.list_packets == 0)
1358 if (opt.list_packets)
1360 switch (pkt->pkttype)
1362 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1363 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1365 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1366 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1367 default: newpkt = 0; break;
1370 else if (c->sigs_only)
1372 switch (pkt->pkttype)
1374 case PKT_PUBLIC_KEY:
1375 case PKT_SECRET_KEY:
1377 case PKT_SYMKEY_ENC:
1378 case PKT_PUBKEY_ENC:
1380 case PKT_ENCRYPTED_MDC:
1381 write_status_text( STATUS_UNEXPECTED, "0" );
1382 rc = GPG_ERR_UNEXPECTED;
1385 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1386 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1387 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1388 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1389 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1390 default: newpkt = 0; break;
1393 else if (c->encrypt_only)
1395 switch (pkt->pkttype)
1397 case PKT_PUBLIC_KEY:
1398 case PKT_SECRET_KEY:
1400 write_status_text (STATUS_UNEXPECTED, "0");
1401 rc = GPG_ERR_UNEXPECTED;
1404 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1405 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1406 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1408 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1409 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1410 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1411 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1412 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1413 default: newpkt = 0; break;
1418 switch (pkt->pkttype)
1420 case PKT_PUBLIC_KEY:
1421 case PKT_SECRET_KEY:
1423 c->list = new_kbnode (pkt);
1426 case PKT_PUBLIC_SUBKEY:
1427 case PKT_SECRET_SUBKEY:
1428 newpkt = add_subkey (c, pkt);
1430 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1431 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1432 case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
1433 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1435 case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
1436 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1437 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1438 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1439 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1440 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1441 default: newpkt = 0; break;
1448 /* This is a very ugly construct and frankly, I don't remember why
1449 * I used it. Adding the MDC check here is a hack.
1450 * The right solution is to initiate another context for encrypted
1451 * packet and not to reuse the current one ... It works right
1452 * when there is a compression packet between which adds just
1454 * Hmmm: Rewrite this whole module here??
1456 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1457 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1463 pkt = xmalloc (sizeof *pkt);
1470 if (rc == GPG_ERR_INV_PACKET)
1471 write_status_text (STATUS_NODATA, "3");
1476 write_status_text (STATUS_NODATA, "2");
1484 free_md_filter_context (&c->mfx);
1489 /* Helper for pka_uri_from_sig to parse the to-be-verified address out
1490 of the notation data. */
1492 get_pka_address (PKT_signature *sig)
1494 pka_info_t *pka = NULL;
1495 struct notation *nd,*notation;
1497 notation=sig_to_notation(sig);
1499 for(nd=notation;nd;nd=nd->next)
1501 if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
1502 continue; /* Not the notation we want. */
1504 /* For now we only use the first valid PKA notation. In future
1505 we might want to keep additional PKA notations in a linked
1507 if (is_valid_mailbox (nd->value))
1509 pka = xmalloc (sizeof *pka + strlen(nd->value));
1513 strcpy (pka->email, nd->value);
1518 free_notation(notation);
1524 /* Return the URI from a DNS PKA record. If this record has already
1525 be retrieved for the signature we merely return it; if not we go
1526 out and try to get that DNS record. */
1528 pka_uri_from_sig (CTX c, PKT_signature *sig)
1530 if (!sig->flags.pka_tried)
1532 log_assert (!sig->pka_info);
1533 sig->flags.pka_tried = 1;
1534 sig->pka_info = get_pka_address (sig);
1541 if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
1542 &fpr, &fprlen, &url))
1544 if (fpr && fprlen == sizeof sig->pka_info->fpr)
1546 memcpy (sig->pka_info->fpr, fpr, fprlen);
1549 sig->pka_info->valid = 1;
1553 sig->pka_info->uri = url;
1562 return sig->pka_info? sig->pka_info->uri : NULL;
1566 /* Return true if the AKL has the WKD method specified. */
1568 akl_has_wkd_method (void)
1572 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1573 if (akl->type == AKL_WKD)
1579 /* Return the ISSUER fingerprint string in human readbale format if
1580 * available. Caller must release the string. */
1582 issuer_fpr_string (PKT_signature *sig)
1587 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1588 if (p && n == 21 && p[0] == 4)
1589 return bin2hex (p+1, n-1, NULL);
1595 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1596 PKT_signature *sig, int rc)
1600 write_status_text_and_buffer (statno, keyid_str,
1601 un? un->pkt->pkt.user_id->name:"[?]",
1602 un? un->pkt->pkt.user_id->len:3,
1606 p = utf8_to_native (un->pkt->pkt.user_id->name,
1607 un->pkt->pkt.user_id->len, 0);
1609 p = xstrdup ("[?]");
1612 log_info (_("BAD signature from \"%s\""), p);
1613 else if (sig->flags.expired)
1614 log_info (_("Expired signature from \"%s\""), p);
1616 log_info (_("Good signature from \"%s\""), p);
1623 check_sig_and_print (CTX c, kbnode_t node)
1625 PKT_signature *sig = node->pkt->pkt.signature;
1631 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1633 if (opt.skip_verify)
1635 log_info(_("signature verification suppressed\n"));
1639 /* Check that the message composition is valid.
1641 * Per RFC-2440bis (-15) allowed:
1643 * S{1,n} -- detached signature.
1644 * S{1,n} P -- old style PGP2 signature
1645 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1646 * C P S{1,n} -- cleartext signature.
1649 * O = One-Pass Signature packet.
1650 * S = Signature packet.
1651 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1652 * (Note that the current rfc2440bis draft also allows
1653 * for a signed message but that does not work as it
1654 * introduces ambiguities.)
1655 * We keep track of these packages using the marker packet
1656 * CTRLPKT_PLAINTEXT_MARK.
1657 * C = Marker packet for cleartext signatures.
1659 * We reject all other messages.
1661 * Actually we are calling this too often, i.e. for verification of
1662 * each message but better have some duplicate work than to silently
1663 * introduce a bug here.
1667 int n_onepass, n_sig;
1669 /* log_debug ("checking signature packet composition\n"); */
1670 /* dump_kbnode (c->list); */
1674 if ( n->pkt->pkttype == PKT_SIGNATURE )
1676 /* This is either "S{1,n}" case (detached signature) or
1677 "S{1,n} P" (old style PGP2 signature). */
1678 for (n = n->next; n; n = n->next)
1679 if (n->pkt->pkttype != PKT_SIGNATURE)
1682 ; /* Okay, this is a detached signature. */
1683 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1684 && (n->pkt->pkt.gpg_control->control
1685 == CTRLPKT_PLAINTEXT_MARK) )
1688 goto ambiguous; /* We only allow one P packet. */
1693 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1695 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1696 for (n_onepass=1, n = n->next;
1697 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1699 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1700 && (n->pkt->pkt.gpg_control->control
1701 == CTRLPKT_PLAINTEXT_MARK)))
1703 for (n_sig=0, n = n->next;
1704 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1709 /* If we wanted to disallow multiple sig verification, we'd do
1710 something like this:
1712 if (n && !opt.allow_multisig_verification)
1715 However, now that we have --allow-multiple-messages, this
1716 can stay allowable as we can't get here unless multiple
1717 messages (i.e. multiple literals) are allowed. */
1719 if (n_onepass != n_sig)
1721 log_info ("number of one-pass packets does not match "
1722 "number of signature packets\n");
1726 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1727 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1729 /* This is the "C P S{1,n}" case (clear text signature). */
1731 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1732 && (n->pkt->pkt.gpg_control->control
1733 == CTRLPKT_PLAINTEXT_MARK)))
1735 for (n_sig=0, n = n->next;
1736 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1744 log_error(_("can't handle this ambiguous signature data\n"));
1749 if (sig->signers_uid)
1750 write_status_buffer (STATUS_NEWSIG,
1751 sig->signers_uid, strlen (sig->signers_uid), 0);
1753 write_status_text (STATUS_NEWSIG, NULL);
1755 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1756 if ((issuer_fpr = issuer_fpr_string (sig)))
1758 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1759 log_info (_(" using %s key %s\n"),
1760 astr? astr: "?", issuer_fpr);
1764 else if (!keystrlen () || keystrlen () > 8)
1766 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1767 log_info (_(" using %s key %s\n"),
1768 astr? astr: "?", keystr(sig->keyid));
1770 else /* Legacy format. */
1771 log_info (_("Signature made %s using %s key ID %s\n"),
1772 asctimestamp(sig->timestamp), astr? astr: "?",
1773 keystr(sig->keyid));
1775 /* In verbose mode print the signers UID. */
1776 if (sig->signers_uid)
1777 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1779 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1781 /* If the key isn't found, check for a preferred keyserver. */
1782 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
1788 while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
1790 /* According to my favorite copy editor, in English grammar,
1791 you say "at" if the key is located on a web page, but
1792 "from" if it is located on a keyserver. I'm not going to
1793 even try to make two strings here :) */
1794 log_info(_("Key available at: ") );
1795 print_utf8_buffer (log_get_stream(), p, n);
1798 if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
1799 && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1801 struct keyserver_spec *spec;
1803 spec = parse_preferred_keyserver (sig);
1808 free_public_key (pk);
1810 glo_ctrl.in_auto_key_retrieve++;
1811 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
1812 glo_ctrl.in_auto_key_retrieve--;
1814 rc = do_check_sig (c, node, NULL,
1815 &is_expkey, &is_revkey, &pk);
1816 free_keyserver_spec (spec);
1825 /* If the avove methods didn't work, our next try is to use the URI
1826 * from a DNS PKA record. */
1827 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1828 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1829 && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
1831 const char *uri = pka_uri_from_sig (c, sig);
1835 /* FIXME: We might want to locate the key using the
1836 fingerprint instead of the keyid. */
1838 struct keyserver_spec *spec;
1840 spec = parse_keyserver_uri (uri, 1);
1843 free_public_key (pk);
1845 glo_ctrl.in_auto_key_retrieve++;
1846 res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
1847 glo_ctrl.in_auto_key_retrieve--;
1848 free_keyserver_spec (spec);
1850 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1855 /* If the above methods didn't work, our next try is to locate
1856 * the key via its fingerprint from a keyserver. This requires
1857 * that the signers fingerprint is encoded in the signature. We
1858 * favor this over the WKD method (to be tried next), because an
1859 * arbitrary keyserver is less subject to web bug like monitoring. */
1860 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1861 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1862 && keyserver_any_configured (c->ctrl))
1868 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
1869 if (p && n == 21 && p[0] == 4)
1871 /* v4 packet with a SHA-1 fingerprint. */
1872 free_public_key (pk);
1874 glo_ctrl.in_auto_key_retrieve++;
1875 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
1876 glo_ctrl.in_auto_key_retrieve--;
1878 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1882 /* If the above methods didn't work, our next try is to retrieve the
1883 * key from the WKD. */
1884 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1885 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
1886 && !opt.flags.disable_signer_uid
1887 && akl_has_wkd_method ()
1888 && sig->signers_uid)
1892 free_public_key (pk);
1894 glo_ctrl.in_auto_key_retrieve++;
1895 res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
1896 glo_ctrl.in_auto_key_retrieve--;
1897 /* Fixme: If the fingerprint is embedded in the signature,
1898 * compare it to the fingerprint of the returned key. */
1900 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1903 /* If the above methods did't work, our next try is to use a
1905 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1906 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
1907 && keyserver_any_configured (c->ctrl))
1911 free_public_key (pk);
1913 glo_ctrl.in_auto_key_retrieve++;
1914 res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
1915 glo_ctrl.in_auto_key_retrieve--;
1917 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
1920 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
1922 kbnode_t un, keyblock;
1926 PKT_public_key *mainpk = NULL;
1929 statno = STATUS_BADSIG;
1930 else if (sig->flags.expired)
1931 statno = STATUS_EXPSIG;
1933 statno = STATUS_EXPKEYSIG;
1935 statno = STATUS_REVKEYSIG;
1937 statno = STATUS_GOODSIG;
1939 /* FIXME: We should have the public key in PK and thus the
1940 * keyboock has already been fetched. Thus we could use the
1941 * fingerprint or PK itself to lookup the entire keyblock. That
1942 * would best be done with a cache. */
1943 keyblock = get_pubkeyblock (sig->keyid);
1945 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
1946 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
1948 /* Find and print the primary user ID along with the
1949 "Good|Expired|Bad signature" line. */
1950 for (un=keyblock; un; un = un->next)
1954 if (un->pkt->pkttype==PKT_PUBLIC_KEY)
1956 mainpk = un->pkt->pkt.public_key;
1959 if (un->pkt->pkttype != PKT_USER_ID)
1961 if (!un->pkt->pkt.user_id->created)
1963 if (un->pkt->pkt.user_id->is_revoked)
1965 if (un->pkt->pkt.user_id->is_expired)
1967 if (!un->pkt->pkt.user_id->is_primary)
1969 /* We want the textual primary user ID here */
1970 if (un->pkt->pkt.user_id->attrib_data)
1973 log_assert (mainpk);
1975 /* Since this is just informational, don't actually ask the
1976 user to update any trust information. (Note: we register
1977 the signature later.) Because print_good_bad_signature
1978 does not print a LF we need to compute the validity
1979 before calling that function. */
1980 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1981 valid = get_validity (c->ctrl, keyblock, mainpk,
1982 un->pkt->pkt.user_id, NULL, 0);
1984 valid = 0; /* Not used. */
1986 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
1988 print_good_bad_signature (statno, keyid_str, un, sig, rc);
1990 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
1991 log_printf (" [%s]\n",trust_value_to_string(valid));
1998 log_assert (mainpk);
2000 /* In case we did not found a valid valid textual userid above
2001 we print the first user id packet or a "[?]" instead along
2002 with the "Good|Expired|Bad signature" line. */
2005 /* Try for an invalid textual userid */
2006 for (un=keyblock; un; un = un->next)
2008 if (un->pkt->pkttype == PKT_USER_ID
2009 && !un->pkt->pkt.user_id->attrib_data)
2013 /* Try for any userid at all */
2016 for (un=keyblock; un; un = un->next)
2018 if (un->pkt->pkttype == PKT_USER_ID)
2023 if (opt.trust_model==TM_ALWAYS || !un)
2024 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2026 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2028 if (opt.trust_model != TM_ALWAYS && un)
2029 log_printf (" %s",_("[uncertain]") );
2033 /* If we have a good signature and already printed
2034 * the primary user ID, print all the other user IDs */
2037 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2040 for( un=keyblock; un; un = un->next)
2042 if (un->pkt->pkttype != PKT_USER_ID)
2044 if ((un->pkt->pkt.user_id->is_revoked
2045 || un->pkt->pkt.user_id->is_expired)
2046 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2048 /* Skip textual primary user ids which we printed above. */
2049 if (un->pkt->pkt.user_id->is_primary
2050 && !un->pkt->pkt.user_id->attrib_data )
2053 /* If this user id has attribute data, print that. */
2054 if (un->pkt->pkt.user_id->attrib_data)
2056 dump_attribs (un->pkt->pkt.user_id, mainpk);
2058 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2059 show_photos (c->ctrl,
2060 un->pkt->pkt.user_id->attribs,
2061 un->pkt->pkt.user_id->numattribs,
2062 mainpk ,un->pkt->pkt.user_id);
2065 p = utf8_to_native (un->pkt->pkt.user_id->name,
2066 un->pkt->pkt.user_id->len, 0);
2067 log_info (_(" aka \"%s\""), p);
2070 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2074 if (un->pkt->pkt.user_id->is_revoked)
2075 valid = _("revoked");
2076 else if (un->pkt->pkt.user_id->is_expired)
2077 valid = _("expired");
2079 /* Since this is just informational, don't
2080 actually ask the user to update any trust
2082 valid = (trust_value_to_string
2083 (get_validity (c->ctrl, keyblock, mainpk,
2084 un->pkt->pkt.user_id, NULL, 0)));
2085 log_printf (" [%s]\n",valid);
2092 /* For good signatures print notation data. */
2095 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2096 show_policy_url (sig, 0, 1);
2098 show_policy_url (sig, 0, 2);
2100 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2101 show_keyserver_url (sig, 0, 1);
2103 show_keyserver_url (sig, 0, 2);
2105 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2108 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2109 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2111 show_notation (sig, 0, 2, 0);
2114 /* For good signatures print the VALIDSIG status line. */
2115 if (!rc && is_status_enabled () && pk)
2117 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2118 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2120 hexfingerprint (pk, pkhex, sizeof pkhex);
2121 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2123 /* TODO: Replace the reserved '0' in the field below with
2124 bits for status flags (policy url, notation, etc.). */
2125 write_status_printf (STATUS_VALIDSIG,
2126 "%s %s %lu %lu %d 0 %d %d %02X %s",
2128 strtimestamp (sig->timestamp),
2129 (ulong)sig->timestamp,
2130 (ulong)sig->expiredate,
2131 sig->version, sig->pubkey_algo,
2137 /* For good signatures compute and print the trust information.
2138 Note that in the Tofu trust model this may ask the user on
2139 how to resolve a conflict. */
2142 if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
2143 pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
2144 rc = check_signatures_trust (c->ctrl, sig);
2147 /* Print extra information about the signature. */
2148 if (sig->flags.expired)
2150 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2151 rc = GPG_ERR_GENERAL; /* Need a better error here? */
2153 else if (sig->expiredate)
2154 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2158 char pkstrbuf[PUBKEY_STRING_SIZE];
2161 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2165 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2166 sig->sig_class==0x00?_("binary"):
2167 sig->sig_class==0x01?_("textmode"):_("unknown"),
2168 gcry_md_algo_name (sig->digest_algo),
2169 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2172 /* Print final warnings. */
2173 if (!rc && !c->signed_data.used)
2175 /* Signature is basically good but we test whether the
2177 gpg --verify FILE.sig
2179 gpg --verify FILE.sig FILE
2180 to verify a detached signature. If we figure out that a
2181 data file with a matching name exists, we print a warning.
2183 The problem is that the first form would also verify a
2184 standard signature. This behavior could be used to
2185 create a made up .sig file for a tarball by creating a
2186 standard signature from a valid detached signature packet
2187 (for example from a signed git tag). Then replace the
2188 sig file on the FTP server along with a changed tarball.
2189 Using the first form the verify command would correctly
2190 verify the signature but don't even consider the tarball. */
2194 dfile = get_matching_datafile (c->sigfilename);
2197 for (n = c->list; n; n = n->next)
2198 if (n->pkt->pkttype != PKT_SIGNATURE)
2202 /* Not only signature packets in the tree thus this
2203 is not a detached signature. */
2204 log_info (_("WARNING: not a detached signature; "
2205 "file '%s' was NOT verified!\n"), dfile);
2211 free_public_key (pk);
2213 release_kbnode( keyblock );
2215 g10_errors_seen = 1;
2216 if (opt.batch && rc)
2223 snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
2224 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2225 sig->pubkey_algo, sig->digest_algo,
2226 sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
2227 write_status_text (STATUS_ERRSIG, buf);
2228 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2231 write_status_text (STATUS_NO_PUBKEY, buf);
2233 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2234 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2242 * Process the tree which starts at node
2245 proc_tree (CTX c, kbnode_t node)
2250 if (opt.list_packets || opt.list_only)
2253 /* We must skip our special plaintext marker packets here because
2254 they may be the root packet. These packets are only used in
2255 additional checks and skipping them here doesn't matter. */
2257 && node->pkt->pkttype == PKT_GPG_CONTROL
2258 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2265 c->trustletter = ' ';
2266 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2267 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2269 merge_keys_and_selfsig (node);
2270 list_node (c, node);
2272 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2274 merge_keys_and_selfsig (node);
2275 list_node (c, node);
2277 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2279 /* Check all signatures. */
2282 int use_textmode = 0;
2284 free_md_filter_context (&c->mfx);
2285 /* Prepare to create all requested message digests. */
2286 rc = gcry_md_open (&c->mfx.md, 0, 0);
2290 /* Fixme: why looking for the signature packet and not the
2292 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2293 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2295 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2298 /* Ask for file and hash it. */
2301 if (c->signed_data.used && c->signed_data.data_fd != -1)
2302 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2303 c->signed_data.data_fd,
2306 rc = hash_datafiles (c->mfx.md, NULL,
2307 c->signed_data.data_names,
2313 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2314 iobuf_get_real_fname (c->iobuf),
2321 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2325 else if (c->signed_data.used)
2327 log_error (_("not a detached signature\n"));
2331 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2332 check_sig_and_print (c, n1);
2335 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2336 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2338 /* Clear text signed message. */
2341 log_error ("cleartext signature without data\n");
2344 else if (c->signed_data.used)
2346 log_error (_("not a detached signature\n"));
2350 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2351 check_sig_and_print (c, n1);
2354 else if (node->pkt->pkttype == PKT_SIGNATURE)
2356 PKT_signature *sig = node->pkt->pkt.signature;
2357 int multiple_ok = 1;
2359 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2362 byte class = sig->sig_class;
2363 byte hash = sig->digest_algo;
2365 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2367 /* We can't currently handle multiple signatures of
2368 * different classes (we'd pretty much have to run a
2369 * different hash context for each), but if they are all
2370 * the same and it is detached signature, we make an
2371 * exception. Note that the old code also disallowed
2372 * multiple signatures if the digest algorithms are
2373 * different. We softened this restriction only for
2374 * detached signatures, to be on the safe side. */
2375 if (n1->pkt->pkt.signature->sig_class != class
2377 && n1->pkt->pkt.signature->digest_algo != hash))
2380 log_info (_("WARNING: multiple signatures detected. "
2381 "Only the first will be checked.\n"));
2387 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2389 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2391 else if (!c->any.data)
2393 /* Detached signature */
2394 free_md_filter_context (&c->mfx);
2395 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2397 goto detached_hash_err;
2401 /* If we have and want to handle multiple signatures we
2402 * need to enable all hash algorithms for the context. */
2403 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2404 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2405 gcry_md_enable (c->mfx.md,
2406 map_md_openpgp_to_gcry
2407 (n1->pkt->pkt.signature->digest_algo));
2410 if (RFC2440 || RFC4880)
2411 ; /* Strict RFC mode. */
2412 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2413 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2414 && sig->sig_class == 0x01)
2416 /* Enable a workaround for a pgp5 bug when the detached
2417 * signature has been created in textmode. Note that we
2418 * do not implement this for multiple signatures with
2419 * different hash algorithms. */
2420 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2422 goto detached_hash_err;
2425 /* Here we used to have another hack to work around a pgp
2426 * 2 bug: It worked by not using the textmode for detached
2427 * signatures; this would let the first signature check
2428 * (on md) fail but the second one (on md2), which adds an
2429 * extra CR would then have produced the "correct" hash.
2430 * This is very, very ugly hack but it may haved help in
2431 * some cases (and break others).
2432 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2437 gcry_md_debug (c->mfx.md, "verify");
2439 gcry_md_debug (c->mfx.md2, "verify2");
2444 if (c->signed_data.used && c->signed_data.data_fd != -1)
2445 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2446 c->signed_data.data_fd,
2447 (sig->sig_class == 0x01));
2449 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2450 c->signed_data.data_names,
2452 (sig->sig_class == 0x01));
2456 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2457 iobuf_get_real_fname(c->iobuf),
2458 (sig->sig_class == 0x01));
2464 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2468 else if (c->signed_data.used)
2470 log_error (_("not a detached signature\n"));
2473 else if (!opt.quiet)
2474 log_info (_("old style (PGP 2.x) signature\n"));
2478 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2479 check_sig_and_print (c, n1);
2482 check_sig_and_print (c, node);
2487 dump_kbnode (c->list);
2488 log_error ("invalid root packet detected in proc_tree()\n");