1 /* mainproc.c - handle packets
2 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3 * Copyright (C) 2013-2014 Werner Koch
4 * Copyright (C) 2020 g10 Code GmbH
5 *
6 * This file is part of GnuPG.
7 *
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
20 */
21
22 #include <config.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <time.h>
27
28 #include "gpg.h"
29 #include "../common/util.h"
30 #include "packet.h"
31 #include "../common/iobuf.h"
32 #include "options.h"
33 #include "keydb.h"
34 #include "filter.h"
35 #include "main.h"
36 #include "../common/status.h"
37 #include "../common/i18n.h"
38 #include "trustdb.h"
39 #include "keyserver-internal.h"
40 #include "photoid.h"
41 #include "../common/mbox-util.h"
42 #include "call-dirmngr.h"
43 #include "../common/compliance.h"
44
45 /* Put an upper limit on nested packets. The 32 is an arbitrary
46 value, a much lower should actually be sufficient. */
47 #define MAX_NESTING_DEPTH 32
48
49
50 /*
51 * Object to hold the processing context.
52 */
53 typedef struct mainproc_context *CTX;
54 struct mainproc_context
55 {
56 ctrl_t ctrl;
57 struct mainproc_context *anchor; /* May be useful in the future. */
58 PKT_public_key *last_pubkey;
59 PKT_user_id *last_user_id;
60 md_filter_context_t mfx;
61 int sigs_only; /* Process only signatures and reject all other stuff. */
62 int encrypt_only; /* Process only encryption messages. */
63
64 /* Name of the file with the complete signature or the file with the
65 detached signature. This is currently only used to deduce the
66 file name of the data file if that has not been given. */
67 const char *sigfilename;
68
69 /* A structure to describe the signed data in case of a detached
70 signature. */
71 struct
72 {
73 /* A file descriptor of the signed data. Only used if not -1. */
74 int data_fd;
75 /* A list of filenames with the data files or NULL. This is only
76 used if DATA_FD is -1. */
77 strlist_t data_names;
78 /* Flag to indicated that either one of the next previous fields
79 is used. This is only needed for better readability. */
80 int used;
81 } signed_data;
82
83 DEK *dek;
84 int last_was_session_key;
85 kbnode_t list; /* The current list of packets. */
86 iobuf_t iobuf; /* Used to get the filename etc. */
87 int trustletter; /* Temporary usage in list_node. */
88 ulong symkeys; /* Number of symmetrically encrypted session keys. */
89 struct pubkey_enc_list *pkenc_list; /* List of encryption packets. */
90 int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */
91 struct {
92 unsigned int sig_seen:1; /* Set to true if a signature packet
93 has been seen. */
94 unsigned int data:1; /* Any data packet seen */
95 unsigned int uncompress_failed:1;
96 } any;
97 };
98
99
100 /* Counter with the number of literal data packets seen. Note that
101 * this is also bumped at the end of an encryption. This counter is
102 * used for a basic consistency check of a received PGP message. */
103 static int literals_seen;
104
105
106 /*** Local prototypes. ***/
107 static int do_proc_packets (CTX c, iobuf_t a);
108 static void list_node (CTX c, kbnode_t node);
109 static void proc_tree (CTX c, kbnode_t node);
110
111
112 /*** Functions. ***/
113
114 /* Reset the literal data counter. This is required to setup a new
115 * decryption or verification context. */
116 void
reset_literals_seen(void)117 reset_literals_seen(void)
118 {
119 literals_seen = 0;
120 }
121
122
123 static void
release_list(CTX c)124 release_list( CTX c )
125 {
126 proc_tree (c, c->list);
127 release_kbnode (c->list);
128 while (c->pkenc_list)
129 {
130 struct pubkey_enc_list *tmp = c->pkenc_list->next;
131
132 mpi_release (c->pkenc_list->data[0]);
133 mpi_release (c->pkenc_list->data[1]);
134 xfree (c->pkenc_list);
135 c->pkenc_list = tmp;
136 }
137 c->pkenc_list = NULL;
138 c->list = NULL;
139 c->any.data = 0;
140 c->any.uncompress_failed = 0;
141 c->last_was_session_key = 0;
142 c->seen_pkt_encrypted_aead = 0;
143 xfree (c->dek);
144 c->dek = NULL;
145 }
146
147
148 static int
add_onepass_sig(CTX c,PACKET * pkt)149 add_onepass_sig (CTX c, PACKET *pkt)
150 {
151 kbnode_t node;
152
153 if (c->list) /* Add another packet. */
154 add_kbnode (c->list, new_kbnode (pkt));
155 else /* Insert the first one. */
156 c->list = node = new_kbnode (pkt);
157
158 return 1;
159 }
160
161
162 static int
add_gpg_control(CTX c,PACKET * pkt)163 add_gpg_control (CTX c, PACKET *pkt)
164 {
165 if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
166 {
167 /* New clear text signature.
168 * Process the last one and reset everything */
169 release_list(c);
170 }
171
172 if (c->list) /* Add another packet. */
173 add_kbnode (c->list, new_kbnode (pkt));
174 else /* Insert the first one. */
175 c->list = new_kbnode (pkt);
176
177 return 1;
178 }
179
180
181 static int
add_user_id(CTX c,PACKET * pkt)182 add_user_id (CTX c, PACKET *pkt)
183 {
184 if (!c->list)
185 {
186 log_error ("orphaned user ID\n");
187 return 0;
188 }
189 add_kbnode (c->list, new_kbnode (pkt));
190 return 1;
191 }
192
193
194 static int
add_subkey(CTX c,PACKET * pkt)195 add_subkey (CTX c, PACKET *pkt)
196 {
197 if (!c->list)
198 {
199 log_error ("subkey w/o mainkey\n");
200 return 0;
201 }
202 add_kbnode (c->list, new_kbnode (pkt));
203 return 1;
204 }
205
206
207 static int
add_ring_trust(CTX c,PACKET * pkt)208 add_ring_trust (CTX c, PACKET *pkt)
209 {
210 if (!c->list)
211 {
212 log_error ("ring trust w/o key\n");
213 return 0;
214 }
215 add_kbnode (c->list, new_kbnode (pkt));
216 return 1;
217 }
218
219
220 static int
add_signature(CTX c,PACKET * pkt)221 add_signature (CTX c, PACKET *pkt)
222 {
223 kbnode_t node;
224
225 c->any.sig_seen = 1;
226 if (pkt->pkttype == PKT_SIGNATURE && !c->list)
227 {
228 /* This is the first signature for the following datafile.
229 * GPG does not write such packets; instead it always uses
230 * onepass-sig packets. The drawback of PGP's method
231 * of prepending the signature to the data is
232 * that it is not possible to make a signature from data read
233 * from stdin. (GPG is able to read PGP stuff anyway.) */
234 node = new_kbnode (pkt);
235 c->list = node;
236 return 1;
237 }
238 else if (!c->list)
239 return 0; /* oops (invalid packet sequence)*/
240 else if (!c->list->pkt)
241 BUG(); /* so nicht */
242
243 /* Add a new signature node item at the end. */
244 node = new_kbnode (pkt);
245 add_kbnode (c->list, node);
246
247 return 1;
248 }
249
250 static gpg_error_t
symkey_decrypt_seskey(DEK * dek,byte * seskey,size_t slen)251 symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
252 {
253 gpg_error_t err;
254 gcry_cipher_hd_t hd;
255 unsigned int noncelen, keylen;
256 enum gcry_cipher_modes ciphermode;
257
258 if (dek->use_aead)
259 {
260 err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen);
261 if (err)
262 return err;
263 }
264 else
265 {
266 ciphermode = GCRY_CIPHER_MODE_CFB;
267 noncelen = 0;
268 }
269
270 /* Check that the session key has a size of 16 to 32 bytes. */
271 if ((dek->use_aead && (slen < (noncelen + 16 + 16)
272 || slen > (noncelen + 32 + 16)))
273 || (!dek->use_aead && (slen < 17 || slen > 33)))
274 {
275 log_error ( _("weird size for an encrypted session key (%d)\n"),
276 (int)slen);
277 return gpg_error (GPG_ERR_BAD_KEY);
278 }
279
280 err = openpgp_cipher_open (&hd, dek->algo, ciphermode, GCRY_CIPHER_SECURE);
281 if (!err)
282 err = gcry_cipher_setkey (hd, dek->key, dek->keylen);
283 if (!err)
284 err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen);
285 if (err)
286 goto leave;
287
288 if (dek->use_aead)
289 {
290 byte ad[4];
291
292 ad[0] = (0xc0 | PKT_SYMKEY_ENC);
293 ad[1] = 5;
294 ad[2] = dek->algo;
295 ad[3] = dek->use_aead;
296 err = gcry_cipher_authenticate (hd, ad, 4);
297 if (err)
298 goto leave;
299 gcry_cipher_final (hd);
300 keylen = slen - noncelen - 16;
301 err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0);
302 if (err)
303 goto leave;
304 err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16);
305 if (err)
306 goto leave;
307 /* Now we replace the dek components with the real session key to
308 * decrypt the contents of the sequencing packet. */
309 if (keylen > DIM(dek->key))
310 {
311 err = gpg_error (GPG_ERR_TOO_LARGE);
312 goto leave;
313 }
314 dek->keylen = keylen;
315 memcpy (dek->key, seskey + noncelen, dek->keylen);
316 }
317 else
318 {
319 gcry_cipher_decrypt (hd, seskey, slen, NULL, 0 );
320 /* Here we can only test whether the algo given in decrypted
321 * session key is a valid OpenPGP algo. With 11 defined
322 * symmetric algorithms we will miss 4.3% of wrong passphrases
323 * here. The actual checking is done later during bulk
324 * decryption; we can't bring this check forward easily. We
325 * need to use the GPG_ERR_CHECKSUM so that we won't run into
326 * the gnupg < 2.2 bug compatible case which would terminate the
327 * process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above)
328 * we will have a reliable test here. */
329 if (openpgp_cipher_test_algo (seskey[0])
330 || openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1)
331 {
332 err = gpg_error (GPG_ERR_CHECKSUM);
333 goto leave;
334 }
335
336 /* Now we replace the dek components with the real session key to
337 * decrypt the contents of the sequencing packet. */
338 keylen = slen-1;
339 if (keylen > DIM(dek->key))
340 {
341 err = gpg_error (GPG_ERR_TOO_LARGE);
342 goto leave;
343 }
344 dek->algo = seskey[0];
345 dek->keylen = keylen;
346 memcpy (dek->key, seskey + 1, dek->keylen);
347 }
348
349 /*log_hexdump( "thekey", dek->key, dek->keylen );*/
350
351 leave:
352 gcry_cipher_close (hd);
353 return err;
354 }
355
356
357 static void
proc_symkey_enc(CTX c,PACKET * pkt)358 proc_symkey_enc (CTX c, PACKET *pkt)
359 {
360 gpg_error_t err;
361 PKT_symkey_enc *enc;
362
363 enc = pkt->pkt.symkey_enc;
364 if (!enc)
365 log_error ("invalid symkey encrypted packet\n");
366 else if(!c->dek)
367 {
368 int algo = enc->cipher_algo;
369 const char *s = openpgp_cipher_algo_name (algo);
370 const char *a = (enc->aead_algo ? openpgp_aead_algo_name (enc->aead_algo)
371 /**/ : "CFB");
372
373 if (!openpgp_cipher_test_algo (algo))
374 {
375 if (!opt.quiet)
376 {
377 if (enc->seskeylen)
378 log_info (_("%s.%s encrypted session key\n"), s, a );
379 else
380 log_info (_("%s.%s encrypted data\n"), s, a );
381 }
382 }
383 else
384 {
385 log_error (_("encrypted with unknown algorithm %d.%s\n"), algo, a);
386 s = NULL; /* Force a goto leave. */
387 }
388
389 if (openpgp_md_test_algo (enc->s2k.hash_algo))
390 {
391 log_error(_("passphrase generated with unknown digest"
392 " algorithm %d\n"),enc->s2k.hash_algo);
393 s = NULL;
394 }
395
396 c->last_was_session_key = 2;
397 if (!s || opt.list_only)
398 goto leave;
399
400 if (opt.override_session_key)
401 {
402 c->dek = xmalloc_clear (sizeof *c->dek);
403 if (get_override_session_key (c->dek, opt.override_session_key))
404 {
405 xfree (c->dek);
406 c->dek = NULL;
407 }
408 }
409 else
410 {
411 c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL,
412 GETPASSWORD_FLAG_SYMDECRYPT, NULL);
413 if (c->dek)
414 {
415 c->dek->symmetric = 1;
416 c->dek->use_aead = enc->aead_algo;
417
418 /* FIXME: This doesn't work perfectly if a symmetric key
419 comes before a public key in the message - if the
420 user doesn't know the passphrase, then there is a
421 chance that the "decrypted" algorithm will happen to
422 be a valid one, which will make the returned dek
423 appear valid, so we won't try any public keys that
424 come later. */
425 if (enc->seskeylen)
426 {
427 err = symkey_decrypt_seskey (c->dek,
428 enc->seskey, enc->seskeylen);
429 if (err)
430 {
431 log_info ("decryption of the symmetrically encrypted"
432 " session key failed: %s\n",
433 gpg_strerror (err));
434 if (gpg_err_code (err) != GPG_ERR_BAD_KEY
435 && gpg_err_code (err) != GPG_ERR_CHECKSUM)
436 log_fatal ("process terminated to be bug compatible"
437 " with GnuPG <= 2.2\n");
438 if (c->dek->s2k_cacheid[0])
439 {
440 if (opt.debug)
441 log_debug ("cleared passphrase cached with ID:"
442 " %s\n", c->dek->s2k_cacheid);
443 passphrase_clear_cache (c->dek->s2k_cacheid);
444 }
445 xfree (c->dek);
446 c->dek = NULL;
447 }
448 }
449 else
450 c->dek->algo_info_printed = 1;
451 }
452 }
453 }
454
455 leave:
456 c->symkeys++;
457 free_packet (pkt, NULL);
458 }
459
460
461 static void
proc_pubkey_enc(CTX c,PACKET * pkt)462 proc_pubkey_enc (CTX c, PACKET *pkt)
463 {
464 PKT_pubkey_enc *enc;
465
466 /* Check whether the secret key is available and store in this case. */
467 c->last_was_session_key = 1;
468 enc = pkt->pkt.pubkey_enc;
469 /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
470 /* Hmmm: why do I have this algo check here - anyway there is
471 * function to check it. */
472 if (opt.verbose)
473 log_info (_("public key is %s\n"), keystr (enc->keyid));
474
475 if (is_status_enabled ())
476 {
477 char buf[50];
478 snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
479 (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
480 write_status_text (STATUS_ENC_TO, buf);
481 }
482
483 if (!opt.list_only && !opt.override_session_key)
484 {
485 struct pubkey_enc_list *x = xmalloc (sizeof *x);
486
487 x->keyid[0] = enc->keyid[0];
488 x->keyid[1] = enc->keyid[1];
489 x->pubkey_algo = enc->pubkey_algo;
490 x->result = -1;
491 x->data[0] = x->data[1] = NULL;
492 if (enc->data[0])
493 {
494 x->data[0] = mpi_copy (enc->data[0]);
495 x->data[1] = mpi_copy (enc->data[1]);
496 }
497 x->next = c->pkenc_list;
498 c->pkenc_list = x;
499 }
500
501 free_packet(pkt, NULL);
502 }
503
504
505 /*
506 * Print the list of public key encrypted packets which we could
507 * not decrypt.
508 */
509 static void
print_pkenc_list(ctrl_t ctrl,struct pubkey_enc_list * list)510 print_pkenc_list (ctrl_t ctrl, struct pubkey_enc_list *list)
511 {
512 for (; list; list = list->next)
513 {
514 PKT_public_key *pk;
515 char pkstrbuf[PUBKEY_STRING_SIZE];
516 char *p;
517
518 pk = xmalloc_clear (sizeof *pk);
519
520 pk->pubkey_algo = list->pubkey_algo;
521 if (!get_pubkey (ctrl, pk, list->keyid))
522 {
523 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
524
525 log_info (_("encrypted with %s key, ID %s, created %s\n"),
526 pkstrbuf, keystr_from_pk (pk),
527 strtimestamp (pk->timestamp));
528 p = get_user_id_native (ctrl, list->keyid);
529 log_printf (_(" \"%s\"\n"), p);
530 xfree (p);
531 }
532 else
533 log_info (_("encrypted with %s key, ID %s\n"),
534 openpgp_pk_algo_name (list->pubkey_algo),
535 keystr(list->keyid));
536
537 free_public_key (pk);
538 }
539 }
540
541
542 static void
proc_encrypted(CTX c,PACKET * pkt)543 proc_encrypted (CTX c, PACKET *pkt)
544 {
545 int result = 0;
546 int early_plaintext = literals_seen;
547
548 if (pkt->pkttype == PKT_ENCRYPTED_AEAD)
549 c->seen_pkt_encrypted_aead = 1;
550
551 if (early_plaintext)
552 {
553 log_info (_("WARNING: multiple plaintexts seen\n"));
554 write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA);
555 /* We fail only later so that we can print some more info first. */
556 }
557
558 if (!opt.quiet)
559 {
560 if (c->symkeys>1)
561 log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
562 else if (c->symkeys == 1)
563 log_info (_("encrypted with 1 passphrase\n"));
564 print_pkenc_list (c->ctrl, c->pkenc_list);
565 }
566
567 /* Figure out the session key by looking at all pkenc packets. */
568 if (opt.list_only || c->dek)
569 ;
570 else if (opt.override_session_key)
571 {
572 c->dek = xmalloc_clear (sizeof *c->dek);
573 result = get_override_session_key (c->dek, opt.override_session_key);
574 if (result)
575 {
576 xfree (c->dek);
577 c->dek = NULL;
578 log_info (_("public key decryption failed: %s\n"),
579 gpg_strerror (result));
580 write_status_error ("pkdecrypt_failed", result);
581 }
582 }
583 else if (c->pkenc_list)
584 {
585 c->dek = xmalloc_secure_clear (sizeof *c->dek);
586 result = get_session_key (c->ctrl, c->pkenc_list, c->dek);
587 if (is_status_enabled ())
588 {
589 struct pubkey_enc_list *list;
590
591 for (list = c->pkenc_list; list; list = list->next)
592 if (list->result)
593 { /* Key was not tried or it caused an error. */
594 char buf[20];
595 snprintf (buf, sizeof buf, "%08lX%08lX",
596 (ulong)list->keyid[0], (ulong)list->keyid[1]);
597 write_status_text (STATUS_NO_SECKEY, buf);
598 }
599 }
600
601 if (result)
602 {
603 log_info (_("public key decryption failed: %s\n"),
604 gpg_strerror (result));
605 write_status_error ("pkdecrypt_failed", result);
606
607 /* Error: Delete the DEK. */
608 xfree (c->dek);
609 c->dek = NULL;
610 }
611 }
612
613 if (c->dek && opt.verbose > 1)
614 log_info (_("public key encrypted data: good DEK\n"));
615
616 write_status (STATUS_BEGIN_DECRYPTION);
617
618 /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
619 if (opt.list_only)
620 result = -1;
621 else if (!c->dek && !c->last_was_session_key)
622 {
623 int algo;
624 STRING2KEY s2kbuf;
625 STRING2KEY *s2k = NULL;
626 int canceled;
627
628 if (opt.override_session_key)
629 {
630 c->dek = xmalloc_clear (sizeof *c->dek);
631 result = get_override_session_key (c->dek, opt.override_session_key);
632 if (result)
633 {
634 xfree (c->dek);
635 c->dek = NULL;
636 }
637 }
638 else
639 {
640 /* Assume this is old style conventional encrypted data. */
641 algo = opt.def_cipher_algo;
642 if (algo)
643 log_info (_("assuming %s encrypted data\n"),
644 openpgp_cipher_algo_name (algo));
645 else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
646 {
647 algo = opt.def_cipher_algo;
648 if (!algo)
649 algo = opt.s2k_cipher_algo;
650 log_info (_("IDEA cipher unavailable, "
651 "optimistically attempting to use %s instead\n"),
652 openpgp_cipher_algo_name (algo));
653 }
654 else
655 {
656 algo = CIPHER_ALGO_IDEA;
657 if (!opt.s2k_digest_algo)
658 {
659 /* If no digest is given we assume SHA-1. */
660 s2kbuf.mode = 0;
661 s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
662 s2k = &s2kbuf;
663 }
664 log_info (_("assuming %s encrypted data\n"), "IDEA");
665 }
666
667 c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL,
668 GETPASSWORD_FLAG_SYMDECRYPT, &canceled);
669 if (c->dek)
670 c->dek->algo_info_printed = 1;
671 else if (canceled)
672 result = gpg_error (GPG_ERR_CANCELED);
673 else
674 result = gpg_error (GPG_ERR_INV_PASSPHRASE);
675 }
676 }
677 else if (!c->dek)
678 {
679 if (c->symkeys && !c->pkenc_list)
680 result = gpg_error (GPG_ERR_BAD_KEY);
681
682 if (!result)
683 result = gpg_error (GPG_ERR_NO_SECKEY);
684 }
685
686 /* Compute compliance with CO_DE_VS. */
687 if (!result && is_status_enabled ()
688 /* Symmetric encryption and asymmetric encryption voids compliance. */
689 && (c->symkeys != !!c->pkenc_list )
690 /* Overriding session key voids compliance. */
691 && !opt.override_session_key
692 /* Check symmetric cipher. */
693 && gnupg_gcrypt_is_compliant (CO_DE_VS)
694 && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
695 GCRY_CIPHER_MODE_CFB))
696 {
697 struct pubkey_enc_list *i;
698 int compliant = 1;
699 PKT_public_key *pk = xmalloc (sizeof *pk);
700
701 if ( !(c->pkenc_list || c->symkeys) )
702 log_debug ("%s: where else did the session key come from?\n", __func__);
703
704 /* Now check that every key used to encrypt the session key is
705 * compliant. */
706 for (i = c->pkenc_list; i && compliant; i = i->next)
707 {
708 memset (pk, 0, sizeof *pk);
709 pk->pubkey_algo = i->pubkey_algo;
710 if (get_pubkey (c->ctrl, pk, i->keyid) != 0
711 || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0,
712 pk->pkey, nbits_from_pk (pk), NULL))
713 compliant = 0;
714 release_public_key_parts (pk);
715 }
716
717 xfree (pk);
718
719 if (compliant)
720 write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
721 gnupg_status_compliance_flag (CO_DE_VS),
722 NULL);
723
724 }
725
726 if (!result)
727 result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
728
729 /* Trigger the deferred error. */
730 if (!result && early_plaintext)
731 result = gpg_error (GPG_ERR_BAD_DATA);
732
733 if (result == -1)
734 ;
735 else if (!result
736 && !opt.ignore_mdc_error
737 && !pkt->pkt.encrypted->mdc_method
738 && !pkt->pkt.encrypted->aead_algo)
739 {
740 /* The message has been decrypted but does not carry an MDC or
741 * uses AEAD encryption. --ignore-mdc-error has also not been
742 * used. To avoid attacks changing an MDC message to a non-MDC
743 * message, we fail here. */
744 log_error (_("WARNING: message was not integrity protected\n"));
745 if (!pkt->pkt.encrypted->mdc_method
746 && (openpgp_cipher_get_algo_blklen (c->dek->algo) == 8
747 || c->dek->algo == CIPHER_ALGO_TWOFISH))
748 {
749 /* Before 2.2.8 we did not fail hard for a missing MDC if
750 * one of the old ciphers where used. Although these cases
751 * are rare in practice we print a hint on how to decrypt
752 * such messages. */
753 log_string
754 (GPGRT_LOGLVL_INFO,
755 _("Hint: If this message was created before the year 2003 it is\n"
756 "likely that this message is legitimate. This is because back\n"
757 "then integrity protection was not widely used.\n"));
758 log_info (_("Use the option '%s' to decrypt anyway.\n"),
759 "--ignore-mdc-error");
760 write_status_errcode ("nomdc_with_legacy_cipher",
761 GPG_ERR_DECRYPT_FAILED);
762 }
763 log_info (_("decryption forced to fail!\n"));
764 write_status (STATUS_DECRYPTION_FAILED);
765 }
766 else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
767 && !pkt->pkt.encrypted->aead_algo
768 && opt.ignore_mdc_error))
769 {
770 /* All is fine or for an MDC message the MDC failed but the
771 * --ignore-mdc-error option is active. For compatibility
772 * reasons we issue GOODMDC also for AEAD messages. */
773 write_status (STATUS_DECRYPTION_OKAY);
774 if (opt.verbose > 1)
775 log_info(_("decryption okay\n"));
776
777 if (pkt->pkt.encrypted->aead_algo)
778 write_status (STATUS_GOODMDC);
779 else if (pkt->pkt.encrypted->mdc_method && !result)
780 write_status (STATUS_GOODMDC);
781 else
782 log_info (_("WARNING: message was not integrity protected\n"));
783 }
784 else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
785 || gpg_err_code (result) == GPG_ERR_TRUNCATED)
786 {
787 glo_ctrl.lasterr = result;
788 log_error (_("WARNING: encrypted message has been manipulated!\n"));
789 write_status (STATUS_BADMDC);
790 write_status (STATUS_DECRYPTION_FAILED);
791 }
792 else
793 {
794 if ((gpg_err_code (result) == GPG_ERR_BAD_KEY
795 || gpg_err_code (result) == GPG_ERR_CHECKSUM
796 || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
797 && c->dek && *c->dek->s2k_cacheid != '\0')
798 {
799 if (opt.debug)
800 log_debug ("cleared passphrase cached with ID: %s\n",
801 c->dek->s2k_cacheid);
802 passphrase_clear_cache (c->dek->s2k_cacheid);
803 }
804 glo_ctrl.lasterr = result;
805 write_status (STATUS_DECRYPTION_FAILED);
806 log_error (_("decryption failed: %s\n"), gpg_strerror (result));
807 /* Hmmm: does this work when we have encrypted using multiple
808 * ways to specify the session key (symmmetric and PK). */
809 }
810
811 xfree (c->dek);
812 c->dek = NULL;
813 free_packet (pkt, NULL);
814 c->last_was_session_key = 0;
815 write_status (STATUS_END_DECRYPTION);
816
817 /* Bump the counter even if we have not seen a literal data packet
818 * inside an encryption container. This acts as a sentinel in case
819 * a misplace extra literal data packets follows after this
820 * encrypted packet. */
821 literals_seen++;
822 }
823
824
825 static int
have_seen_pkt_encrypted_aead(CTX c)826 have_seen_pkt_encrypted_aead( CTX c )
827 {
828 CTX cc;
829
830 for (cc = c; cc; cc = cc->anchor)
831 {
832 if (cc->seen_pkt_encrypted_aead)
833 return 1;
834 }
835
836 return 0;
837 }
838
839
840 static void
proc_plaintext(CTX c,PACKET * pkt)841 proc_plaintext( CTX c, PACKET *pkt )
842 {
843 PKT_plaintext *pt = pkt->pkt.plaintext;
844 int any, clearsig, rc;
845 kbnode_t n;
846 unsigned char *extrahash;
847 size_t extrahashlen;
848
849 /* This is a literal data packet. Bump a counter for later checks. */
850 literals_seen++;
851
852 if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
853 log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
854 else if (opt.verbose)
855 {
856 /* We don't use print_utf8_buffer because that would require a
857 * string change which we don't want in 2.2. It is also not
858 * clear whether the filename is always utf-8 encoded. */
859 char *tmp = make_printable_string (pt->name, pt->namelen, 0);
860 log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
861 xfree (tmp);
862 }
863
864 free_md_filter_context (&c->mfx);
865 if (gcry_md_open (&c->mfx.md, 0, 0))
866 BUG ();
867 /* fixme: we may need to push the textfilter if we have sigclass 1
868 * and no armoring - Not yet tested
869 * Hmmm, why don't we need it at all if we have sigclass 1
870 * Should we assume that plaintext in mode 't' has always sigclass 1??
871 * See: Russ Allbery's mail 1999-02-09
872 */
873 any = clearsig = 0;
874 for (n=c->list; n; n = n->next )
875 {
876 if (n->pkt->pkttype == PKT_ONEPASS_SIG)
877 {
878 /* The onepass signature case. */
879 if (n->pkt->pkt.onepass_sig->digest_algo)
880 {
881 if (!opt.skip_verify)
882 gcry_md_enable (c->mfx.md,
883 n->pkt->pkt.onepass_sig->digest_algo);
884
885 any = 1;
886 }
887 }
888 else if (n->pkt->pkttype == PKT_GPG_CONTROL
889 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
890 {
891 /* The clearsigned message case. */
892 size_t datalen = n->pkt->pkt.gpg_control->datalen;
893 const byte *data = n->pkt->pkt.gpg_control->data;
894
895 /* Check that we have at least the sigclass and one hash. */
896 if (datalen < 2)
897 log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
898 /* Note that we don't set the clearsig flag for not-dash-escaped
899 * documents. */
900 clearsig = (*data == 0x01);
901 for (data++, datalen--; datalen; datalen--, data++)
902 if (!opt.skip_verify)
903 gcry_md_enable (c->mfx.md, *data);
904 any = 1;
905 break; /* Stop here as one-pass signature packets are not
906 expected. */
907 }
908 else if (n->pkt->pkttype == PKT_SIGNATURE)
909 {
910 /* The SIG+LITERAL case that PGP used to use. */
911 if (!opt.skip_verify)
912 gcry_md_enable (c->mfx.md, n->pkt->pkt.signature->digest_algo);
913 any = 1;
914 }
915 }
916
917 if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead(c))
918 {
919 /* This is for the old GPG LITERAL+SIG case. It's not legal
920 according to 2440, so hopefully it won't come up that often.
921 There is no good way to specify what algorithms to use in
922 that case, so these there are the historical answer. */
923 gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
924 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
925 }
926 if (DBG_HASHING)
927 {
928 gcry_md_debug (c->mfx.md, "verify");
929 if (c->mfx.md2)
930 gcry_md_debug (c->mfx.md2, "verify2");
931 }
932
933 rc=0;
934
935 if (literals_seen > 1)
936 {
937 log_info (_("WARNING: multiple plaintexts seen\n"));
938
939 write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
940 log_inc_errorcount ();
941 rc = gpg_error (GPG_ERR_UNEXPECTED);
942 }
943
944 if (!rc)
945 {
946 /* It we are in --verify mode, we do not want to output the
947 * signed text. However, if --output is also used we do what
948 * has been requested and write out the signed data. */
949 rc = handle_plaintext (pt, &c->mfx,
950 (opt.outfp || opt.outfile)? 0 : c->sigs_only,
951 clearsig);
952 if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
953 {
954 /* Can't write output but we hash it anyway to check the
955 signature. */
956 rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
957 }
958 }
959
960 if (rc)
961 log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
962
963 /* We add a marker control packet instead of the plaintext packet.
964 * This is so that we can later detect invalid packet sequences.
965 * The packet is further used to convey extra data from the
966 * plaintext packet to the signature verification. */
967 extrahash = xtrymalloc (6 + pt->namelen);
968 if (!extrahash)
969 {
970 /* No way to return an error. */
971 rc = gpg_error_from_syserror ();
972 log_error ("malloc failed in %s: %s\n", __func__, gpg_strerror (rc));
973 extrahashlen = 0;
974 }
975 else
976 {
977 extrahash[0] = pt->mode;
978 extrahash[1] = pt->namelen;
979 if (pt->namelen)
980 memcpy (extrahash+2, pt->name, pt->namelen);
981 extrahashlen = 2 + pt->namelen;
982 extrahash[extrahashlen++] = pt->timestamp >> 24;
983 extrahash[extrahashlen++] = pt->timestamp >> 16;
984 extrahash[extrahashlen++] = pt->timestamp >> 8;
985 extrahash[extrahashlen++] = pt->timestamp ;
986 }
987
988 free_packet (pkt, NULL);
989 c->last_was_session_key = 0;
990
991 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK,
992 extrahash, extrahashlen));
993 xfree (extrahash);
994 if (c->list)
995 add_kbnode (c->list, n);
996 else
997 c->list = n;
998 }
999
1000
1001 static int
proc_compressed_cb(iobuf_t a,void * info)1002 proc_compressed_cb (iobuf_t a, void *info)
1003 {
1004 if ( ((CTX)info)->signed_data.used
1005 && ((CTX)info)->signed_data.data_fd != -1)
1006 return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
1007 ((CTX)info)->signed_data.data_fd);
1008 else
1009 return proc_signature_packets (((CTX)info)->ctrl, info, a,
1010 ((CTX)info)->signed_data.data_names,
1011 ((CTX)info)->sigfilename );
1012 }
1013
1014
1015 static int
proc_encrypt_cb(iobuf_t a,void * info)1016 proc_encrypt_cb (iobuf_t a, void *info )
1017 {
1018 CTX c = info;
1019 return proc_encryption_packets (c->ctrl, info, a );
1020 }
1021
1022
1023 static int
proc_compressed(CTX c,PACKET * pkt)1024 proc_compressed (CTX c, PACKET *pkt)
1025 {
1026 PKT_compressed *zd = pkt->pkt.compressed;
1027 int rc;
1028
1029 /*printf("zip: compressed data packet\n");*/
1030 if (c->sigs_only)
1031 rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
1032 else if( c->encrypt_only )
1033 rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
1034 else
1035 rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
1036
1037 if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
1038 {
1039 if (!c->any.uncompress_failed)
1040 {
1041 CTX cc;
1042
1043 for (cc=c; cc; cc = cc->anchor)
1044 cc->any.uncompress_failed = 1;
1045 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1046 }
1047 }
1048 else if (rc)
1049 log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1050
1051 free_packet (pkt, NULL);
1052 c->last_was_session_key = 0;
1053 return rc;
1054 }
1055
1056
1057 /*
1058 * Check the signature. If R_PK is not NULL a copy of the public key
1059 * used to verify the signature will be stored there, or NULL if not
1060 * found. If FORCED_PK is not NULL, this public key is used to verify
1061 * _data signatures_ and no key lookup is done. Returns: 0 = valid
1062 * signature or an error code
1063 */
1064 static int
do_check_sig(CTX c,kbnode_t node,const void * extrahash,size_t extrahashlen,PKT_public_key * forced_pk,int * is_selfsig,int * is_expkey,int * is_revkey,PKT_public_key ** r_pk)1065 do_check_sig (CTX c, kbnode_t node, const void *extrahash, size_t extrahashlen,
1066 PKT_public_key *forced_pk, int *is_selfsig,
1067 int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
1068 {
1069 PKT_signature *sig;
1070 gcry_md_hd_t md = NULL;
1071 gcry_md_hd_t md2 = NULL;
1072 gcry_md_hd_t md_good = NULL;
1073 int algo, rc;
1074
1075 if (r_pk)
1076 *r_pk = NULL;
1077
1078 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
1079 if (is_selfsig)
1080 *is_selfsig = 0;
1081 sig = node->pkt->pkt.signature;
1082
1083 algo = sig->digest_algo;
1084 rc = openpgp_md_test_algo (algo);
1085 if (rc)
1086 return rc;
1087
1088 if (sig->sig_class == 0x00)
1089 {
1090 if (c->mfx.md)
1091 {
1092 if (gcry_md_copy (&md, c->mfx.md ))
1093 BUG ();
1094 }
1095 else /* detached signature */
1096 {
1097 /* check_signature() will enable the md. */
1098 if (gcry_md_open (&md, 0, 0 ))
1099 BUG ();
1100 }
1101 }
1102 else if (sig->sig_class == 0x01)
1103 {
1104 /* How do we know that we have to hash the (already hashed) text
1105 in canonical mode ??? (calculating both modes???) */
1106 if (c->mfx.md)
1107 {
1108 if (gcry_md_copy (&md, c->mfx.md ))
1109 BUG ();
1110 if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
1111 BUG ();
1112 }
1113 else /* detached signature */
1114 {
1115 log_debug ("Do we really need this here?");
1116 /* check_signature() will enable the md*/
1117 if (gcry_md_open (&md, 0, 0 ))
1118 BUG ();
1119 if (gcry_md_open (&md2, 0, 0 ))
1120 BUG ();
1121 }
1122 }
1123 else if ((sig->sig_class&~3) == 0x10
1124 || sig->sig_class == 0x18
1125 || sig->sig_class == 0x1f
1126 || sig->sig_class == 0x20
1127 || sig->sig_class == 0x28
1128 || sig->sig_class == 0x30)
1129 {
1130 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1131 || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1132 {
1133 return check_key_signature (c->ctrl, c->list, node, is_selfsig);
1134 }
1135 else if (sig->sig_class == 0x20)
1136 {
1137 log_error (_("standalone revocation - "
1138 "use \"gpg --import\" to apply\n"));
1139 return GPG_ERR_NOT_PROCESSED;
1140 }
1141 else
1142 {
1143 log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
1144 return GPG_ERR_SIG_CLASS;
1145 }
1146 }
1147 else
1148 return GPG_ERR_SIG_CLASS;
1149
1150 /* We only get here if we are checking the signature of a binary
1151 (0x00) or text document (0x01). */
1152 rc = check_signature2 (c->ctrl, sig, md, extrahash, extrahashlen,
1153 forced_pk,
1154 NULL, is_expkey, is_revkey, r_pk);
1155 if (! rc)
1156 md_good = md;
1157 else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
1158 {
1159 PKT_public_key *pk2;
1160
1161 rc = check_signature2 (c->ctrl, sig, md2, extrahash, extrahashlen,
1162 forced_pk,
1163 NULL, is_expkey, is_revkey,
1164 r_pk? &pk2 : NULL);
1165 if (!rc)
1166 {
1167 md_good = md2;
1168 if (r_pk)
1169 {
1170 free_public_key (*r_pk);
1171 *r_pk = pk2;
1172 }
1173 }
1174 }
1175
1176 if (md_good)
1177 {
1178 unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1179 sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1180 memcpy (sig->digest, buffer, sig->digest_len);
1181 }
1182
1183 gcry_md_close (md);
1184 gcry_md_close (md2);
1185
1186 return rc;
1187 }
1188
1189
1190 static void
print_userid(PACKET * pkt)1191 print_userid (PACKET *pkt)
1192 {
1193 if (!pkt)
1194 BUG();
1195
1196 if (pkt->pkttype != PKT_USER_ID)
1197 {
1198 es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1199 return;
1200 }
1201 if (opt.with_colons)
1202 {
1203 if (pkt->pkt.user_id->attrib_data)
1204 es_printf("%u %lu",
1205 pkt->pkt.user_id->numattribs,
1206 pkt->pkt.user_id->attrib_len);
1207 else
1208 es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1209 pkt->pkt.user_id->len, ":", NULL);
1210 }
1211 else
1212 print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1213 pkt->pkt.user_id->len );
1214 }
1215
1216
1217 /*
1218 * List the keyblock in a user friendly way
1219 */
1220 static void
list_node(CTX c,kbnode_t node)1221 list_node (CTX c, kbnode_t node)
1222 {
1223 if (!node)
1224 ;
1225 else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1226 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1227 {
1228 PKT_public_key *pk = node->pkt->pkt.public_key;
1229
1230 if (opt.with_colons)
1231 {
1232 u32 keyid[2];
1233
1234 keyid_from_pk( pk, keyid );
1235 if (pk->flags.primary)
1236 c->trustletter = (opt.fast_list_mode
1237 ? 0
1238 : get_validity_info
1239 (c->ctrl,
1240 node->pkt->pkttype == PKT_PUBLIC_KEY
1241 ? node : NULL,
1242 pk, NULL));
1243 es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1244 if (c->trustletter)
1245 es_putc (c->trustletter, es_stdout);
1246 es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1247 nbits_from_pk( pk ),
1248 pk->pubkey_algo,
1249 (ulong)keyid[0],(ulong)keyid[1],
1250 colon_datestr_from_pk( pk ),
1251 colon_strtime (pk->expiredate) );
1252 if (pk->flags.primary && !opt.fast_list_mode)
1253 es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1254 es_putc (':', es_stdout);
1255 es_putc ('\n', es_stdout);
1256 }
1257 else
1258 {
1259 print_key_line (c->ctrl, es_stdout, pk, 0);
1260 }
1261
1262 if (opt.keyid_format == KF_NONE && !opt.with_colons)
1263 ; /* Already printed. */
1264 else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1265 print_fingerprint (c->ctrl, NULL, pk, 0);
1266
1267 if (pk->flags.primary)
1268 {
1269 int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1270
1271 /* Now list all userids with their signatures. */
1272 for (node = node->next; node; node = node->next)
1273 {
1274 if (node->pkt->pkttype == PKT_SIGNATURE)
1275 {
1276 list_node (c, node );
1277 }
1278 else if (node->pkt->pkttype == PKT_USER_ID)
1279 {
1280 if (opt.with_colons)
1281 es_printf ("%s:::::::::",
1282 node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1283 else
1284 es_printf ("uid%*s",
1285 kl + (opt.legacy_list_mode? 9:11),
1286 "" );
1287 print_userid (node->pkt);
1288 if (opt.with_colons)
1289 es_putc (':', es_stdout);
1290 es_putc ('\n', es_stdout);
1291 }
1292 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1293 {
1294 list_node(c, node );
1295 }
1296 }
1297 }
1298 }
1299 else if (node->pkt->pkttype == PKT_SECRET_KEY
1300 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1301 {
1302
1303 log_debug ("FIXME: No way to print secret key packets here\n");
1304 /* fixme: We may use a function to turn a secret key packet into
1305 a public key one and use that here. */
1306 }
1307 else if (node->pkt->pkttype == PKT_SIGNATURE)
1308 {
1309 PKT_signature *sig = node->pkt->pkt.signature;
1310 int is_selfsig = 0;
1311 int rc2 = 0;
1312 size_t n;
1313 char *p;
1314 int sigrc = ' ';
1315
1316 if (!opt.verbose)
1317 return;
1318
1319 if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1320 es_fputs ("rev", es_stdout);
1321 else
1322 es_fputs ("sig", es_stdout);
1323 if (opt.check_sigs)
1324 {
1325 fflush (stdout);
1326 rc2 = do_check_sig (c, node, NULL, 0, NULL,
1327 &is_selfsig, NULL, NULL, NULL);
1328 switch (gpg_err_code (rc2))
1329 {
1330 case 0: sigrc = '!'; break;
1331 case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
1332 case GPG_ERR_NO_PUBKEY:
1333 case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1334 default: sigrc = '%'; break;
1335 }
1336 }
1337 else /* Check whether this is a self signature. */
1338 {
1339 u32 keyid[2];
1340
1341 if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1342 || c->list->pkt->pkttype == PKT_SECRET_KEY )
1343 {
1344 keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1345
1346 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1347 is_selfsig = 1;
1348 }
1349 }
1350
1351 if (opt.with_colons)
1352 {
1353 es_putc (':', es_stdout);
1354 if (sigrc != ' ')
1355 es_putc (sigrc, es_stdout);
1356 es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1357 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1358 colon_datestr_from_sig (sig),
1359 colon_expirestr_from_sig (sig));
1360
1361 if (sig->trust_depth || sig->trust_value)
1362 es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1363 es_putc (':', es_stdout);
1364
1365 if (sig->trust_regexp)
1366 es_write_sanitized (es_stdout, sig->trust_regexp,
1367 strlen (sig->trust_regexp), ":", NULL);
1368 es_putc (':', es_stdout);
1369 }
1370 else
1371 es_printf ("%c %s %s ",
1372 sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1373 if (sigrc == '%')
1374 es_printf ("[%s] ", gpg_strerror (rc2) );
1375 else if (sigrc == '?')
1376 ;
1377 else if (is_selfsig)
1378 {
1379 if (opt.with_colons)
1380 es_putc (':', es_stdout);
1381 es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1382 if (opt.with_colons)
1383 es_putc (':', es_stdout);
1384 }
1385 else if (!opt.fast_list_mode)
1386 {
1387 p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
1388 es_write_sanitized (es_stdout, p, n,
1389 opt.with_colons?":":NULL, NULL );
1390 xfree (p);
1391 }
1392 if (opt.with_colons)
1393 es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1394 es_putc ('\n', es_stdout);
1395 }
1396 else
1397 log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1398 }
1399
1400
1401 int
proc_packets(ctrl_t ctrl,void * anchor,iobuf_t a)1402 proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1403 {
1404 int rc;
1405 CTX c = xmalloc_clear (sizeof *c);
1406
1407 c->ctrl = ctrl;
1408 c->anchor = anchor;
1409 rc = do_proc_packets (c, a);
1410 xfree (c);
1411
1412 return rc;
1413 }
1414
1415
1416 int
proc_signature_packets(ctrl_t ctrl,void * anchor,iobuf_t a,strlist_t signedfiles,const char * sigfilename)1417 proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1418 strlist_t signedfiles, const char *sigfilename )
1419 {
1420 CTX c = xmalloc_clear (sizeof *c);
1421 int rc;
1422
1423 c->ctrl = ctrl;
1424 c->anchor = anchor;
1425 c->sigs_only = 1;
1426
1427 c->signed_data.data_fd = -1;
1428 c->signed_data.data_names = signedfiles;
1429 c->signed_data.used = !!signedfiles;
1430
1431 c->sigfilename = sigfilename;
1432 rc = do_proc_packets (c, a);
1433
1434 /* If we have not encountered any signature we print an error
1435 messages, send a NODATA status back and return an error code.
1436 Using log_error is required because verify_files does not check
1437 error codes for each file but we want to terminate the process
1438 with an error. */
1439 if (!rc && !c->any.sig_seen)
1440 {
1441 write_status_text (STATUS_NODATA, "4");
1442 log_error (_("no signature found\n"));
1443 rc = GPG_ERR_NO_DATA;
1444 }
1445
1446 /* Propagate the signature seen flag upward. Do this only on success
1447 so that we won't issue the nodata status several times. */
1448 if (!rc && c->anchor && c->any.sig_seen)
1449 c->anchor->any.sig_seen = 1;
1450
1451 xfree (c);
1452 return rc;
1453 }
1454
1455
1456 int
proc_signature_packets_by_fd(ctrl_t ctrl,void * anchor,iobuf_t a,int signed_data_fd)1457 proc_signature_packets_by_fd (ctrl_t ctrl,
1458 void *anchor, iobuf_t a, int signed_data_fd )
1459 {
1460 int rc;
1461 CTX c;
1462
1463 c = xtrycalloc (1, sizeof *c);
1464 if (!c)
1465 return gpg_error_from_syserror ();
1466
1467 c->ctrl = ctrl;
1468 c->anchor = anchor;
1469 c->sigs_only = 1;
1470
1471 c->signed_data.data_fd = signed_data_fd;
1472 c->signed_data.data_names = NULL;
1473 c->signed_data.used = (signed_data_fd != -1);
1474
1475 rc = do_proc_packets (c, a);
1476
1477 /* If we have not encountered any signature we print an error
1478 messages, send a NODATA status back and return an error code.
1479 Using log_error is required because verify_files does not check
1480 error codes for each file but we want to terminate the process
1481 with an error. */
1482 if (!rc && !c->any.sig_seen)
1483 {
1484 write_status_text (STATUS_NODATA, "4");
1485 log_error (_("no signature found\n"));
1486 rc = gpg_error (GPG_ERR_NO_DATA);
1487 }
1488
1489 /* Propagate the signature seen flag upward. Do this only on success
1490 so that we won't issue the nodata status several times. */
1491 if (!rc && c->anchor && c->any.sig_seen)
1492 c->anchor->any.sig_seen = 1;
1493
1494 xfree ( c );
1495 return rc;
1496 }
1497
1498
1499 int
proc_encryption_packets(ctrl_t ctrl,void * anchor,iobuf_t a)1500 proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1501 {
1502 CTX c = xmalloc_clear (sizeof *c);
1503 int rc;
1504
1505 c->ctrl = ctrl;
1506 c->anchor = anchor;
1507 c->encrypt_only = 1;
1508 rc = do_proc_packets (c, a);
1509 xfree (c);
1510 return rc;
1511 }
1512
1513
1514 static int
check_nesting(CTX c)1515 check_nesting (CTX c)
1516 {
1517 int level;
1518
1519 for (level=0; c; c = c->anchor)
1520 level++;
1521
1522 if (level > MAX_NESTING_DEPTH)
1523 {
1524 log_error ("input data with too deeply nested packets\n");
1525 write_status_text (STATUS_UNEXPECTED, "1");
1526 return GPG_ERR_BAD_DATA;
1527 }
1528
1529 return 0;
1530 }
1531
1532
1533 static int
do_proc_packets(CTX c,iobuf_t a)1534 do_proc_packets (CTX c, iobuf_t a)
1535 {
1536 PACKET *pkt;
1537 struct parse_packet_ctx_s parsectx;
1538 int rc = 0;
1539 int any_data = 0;
1540 int newpkt;
1541
1542 rc = check_nesting (c);
1543 if (rc)
1544 return rc;
1545
1546 pkt = xmalloc( sizeof *pkt );
1547 c->iobuf = a;
1548 init_packet(pkt);
1549 init_parse_packet (&parsectx, a);
1550 while ((rc=parse_packet (&parsectx, pkt)) != -1)
1551 {
1552 any_data = 1;
1553 if (rc)
1554 {
1555 free_packet (pkt, &parsectx);
1556 /* Stop processing when an invalid packet has been encountered
1557 * but don't do so when we are doing a --list-packets. */
1558 if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1559 && opt.list_packets == 0)
1560 break;
1561 continue;
1562 }
1563 newpkt = -1;
1564 if (opt.list_packets)
1565 {
1566 switch (pkt->pkttype)
1567 {
1568 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1569 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1570 case PKT_ENCRYPTED:
1571 case PKT_ENCRYPTED_MDC:
1572 case PKT_ENCRYPTED_AEAD:proc_encrypted (c, pkt); break;
1573 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1574 default: newpkt = 0; break;
1575 }
1576 }
1577 else if (c->sigs_only)
1578 {
1579 switch (pkt->pkttype)
1580 {
1581 case PKT_PUBLIC_KEY:
1582 case PKT_SECRET_KEY:
1583 case PKT_USER_ID:
1584 case PKT_SYMKEY_ENC:
1585 case PKT_PUBKEY_ENC:
1586 case PKT_ENCRYPTED:
1587 case PKT_ENCRYPTED_MDC:
1588 case PKT_ENCRYPTED_AEAD:
1589 write_status_text( STATUS_UNEXPECTED, "0" );
1590 rc = GPG_ERR_UNEXPECTED;
1591 goto leave;
1592
1593 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1594 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1595 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1596 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1597 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1598 default: newpkt = 0; break;
1599 }
1600 }
1601 else if (c->encrypt_only)
1602 {
1603 switch (pkt->pkttype)
1604 {
1605 case PKT_PUBLIC_KEY:
1606 case PKT_SECRET_KEY:
1607 case PKT_USER_ID:
1608 write_status_text (STATUS_UNEXPECTED, "0");
1609 rc = GPG_ERR_UNEXPECTED;
1610 goto leave;
1611
1612 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1613 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1614 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1615 case PKT_ENCRYPTED:
1616 case PKT_ENCRYPTED_MDC:
1617 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1618 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1619 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1620 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1621 case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1622 default: newpkt = 0; break;
1623 }
1624 }
1625 else
1626 {
1627 switch (pkt->pkttype)
1628 {
1629 case PKT_PUBLIC_KEY:
1630 case PKT_SECRET_KEY:
1631 release_list (c);
1632 c->list = new_kbnode (pkt);
1633 newpkt = 1;
1634 break;
1635 case PKT_PUBLIC_SUBKEY:
1636 case PKT_SECRET_SUBKEY:
1637 newpkt = add_subkey (c, pkt);
1638 break;
1639 case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
1640 case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
1641 case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break;
1642 case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
1643 case PKT_ENCRYPTED:
1644 case PKT_ENCRYPTED_MDC:
1645 case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1646 case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
1647 case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
1648 case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1649 case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1650 case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
1651 default: newpkt = 0; break;
1652 }
1653 }
1654
1655 if (rc)
1656 goto leave;
1657
1658 /* This is a very ugly construct and frankly, I don't remember why
1659 * I used it. Adding the MDC check here is a hack.
1660 * The right solution is to initiate another context for encrypted
1661 * packet and not to reuse the current one ... It works right
1662 * when there is a compression packet between which adds just
1663 * an extra layer.
1664 * Hmmm: Rewrite this whole module here??
1665 */
1666 if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1667 c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
1668
1669 if (newpkt == -1)
1670 ;
1671 else if (newpkt)
1672 {
1673 pkt = xmalloc (sizeof *pkt);
1674 init_packet (pkt);
1675 }
1676 else
1677 free_packet (pkt, &parsectx);
1678 }
1679
1680 if (rc == GPG_ERR_INV_PACKET)
1681 write_status_text (STATUS_NODATA, "3");
1682
1683 if (any_data)
1684 rc = 0;
1685 else if (rc == -1)
1686 write_status_text (STATUS_NODATA, "2");
1687
1688
1689 leave:
1690 release_list (c);
1691 xfree(c->dek);
1692 free_packet (pkt, &parsectx);
1693 deinit_parse_packet (&parsectx);
1694 xfree (pkt);
1695 free_md_filter_context (&c->mfx);
1696 return rc;
1697 }
1698
1699
1700 /* Return true if the AKL has the WKD method specified. */
1701 static int
akl_has_wkd_method(void)1702 akl_has_wkd_method (void)
1703 {
1704 struct akl *akl;
1705
1706 for (akl = opt.auto_key_locate; akl; akl = akl->next)
1707 if (akl->type == AKL_WKD)
1708 return 1;
1709 return 0;
1710 }
1711
1712
1713 /* Return the ISSUER fingerprint buffer and its length at R_LEN.
1714 * Returns NULL if not available. The returned buffer is valid as
1715 * long as SIG is not modified. */
1716 const byte *
issuer_fpr_raw(PKT_signature * sig,size_t * r_len)1717 issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
1718 {
1719 const byte *p;
1720 size_t n;
1721
1722 p = parse_sig_subpkt (sig, 1, SIGSUBPKT_ISSUER_FPR, &n);
1723 if (p && ((n == 21 && p[0] == 4) || (n == 33 && p[0] == 5)))
1724 {
1725 *r_len = n - 1;
1726 return p+1;
1727 }
1728 *r_len = 0;
1729 return NULL;
1730 }
1731
1732
1733 /* Return the ISSUER fingerprint string in human readable format if
1734 * available. Caller must release the string. */
1735 /* FIXME: Move to another file. */
1736 char *
issuer_fpr_string(PKT_signature * sig)1737 issuer_fpr_string (PKT_signature *sig)
1738 {
1739 const byte *p;
1740 size_t n;
1741
1742 p = issuer_fpr_raw (sig, &n);
1743 return p? bin2hex (p, n, NULL) : NULL;
1744 }
1745
1746
1747 static void
print_good_bad_signature(int statno,const char * keyid_str,kbnode_t un,PKT_signature * sig,int rc)1748 print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1749 PKT_signature *sig, int rc)
1750 {
1751 char *p;
1752
1753 write_status_text_and_buffer (statno, keyid_str,
1754 un? un->pkt->pkt.user_id->name:"[?]",
1755 un? un->pkt->pkt.user_id->len:3,
1756 -1);
1757
1758 if (un)
1759 p = utf8_to_native (un->pkt->pkt.user_id->name,
1760 un->pkt->pkt.user_id->len, 0);
1761 else
1762 p = xstrdup ("[?]");
1763
1764 if (rc)
1765 log_info (_("BAD signature from \"%s\""), p);
1766 else if (sig->flags.expired)
1767 log_info (_("Expired signature from \"%s\""), p);
1768 else
1769 log_info (_("Good signature from \"%s\""), p);
1770
1771 xfree (p);
1772 }
1773
1774
1775 static int
check_sig_and_print(CTX c,kbnode_t node)1776 check_sig_and_print (CTX c, kbnode_t node)
1777 {
1778 PKT_signature *sig = node->pkt->pkt.signature;
1779 const char *astr;
1780 gpg_error_t rc;
1781 int is_expkey = 0;
1782 int is_revkey = 0;
1783 char *issuer_fpr = NULL;
1784 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
1785 const void *extrahash = NULL;
1786 size_t extrahashlen = 0;
1787 kbnode_t included_keyblock = NULL;
1788
1789 if (opt.skip_verify)
1790 {
1791 log_info(_("signature verification suppressed\n"));
1792 return 0;
1793 }
1794
1795 /* Check that the message composition is valid.
1796 *
1797 * Per RFC-2440bis (-15) allowed:
1798 *
1799 * S{1,n} -- detached signature.
1800 * S{1,n} P -- old style PGP2 signature
1801 * O{1,n} P S{1,n} -- standard OpenPGP signature.
1802 * C P S{1,n} -- cleartext signature.
1803 *
1804 *
1805 * O = One-Pass Signature packet.
1806 * S = Signature packet.
1807 * P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1808 * (Note that the current rfc2440bis draft also allows
1809 * for a signed message but that does not work as it
1810 * introduces ambiguities.)
1811 * We keep track of these packages using the marker packet
1812 * CTRLPKT_PLAINTEXT_MARK.
1813 * C = Marker packet for cleartext signatures.
1814 *
1815 * We reject all other messages.
1816 *
1817 * Actually we are calling this too often, i.e. for verification of
1818 * each message but better have some duplicate work than to silently
1819 * introduce a bug here.
1820 */
1821 {
1822 kbnode_t n;
1823 int n_onepass, n_sig;
1824
1825 /* log_debug ("checking signature packet composition\n"); */
1826 /* dump_kbnode (c->list); */
1827
1828 n = c->list;
1829 log_assert (n);
1830 if ( n->pkt->pkttype == PKT_SIGNATURE )
1831 {
1832 /* This is either "S{1,n}" case (detached signature) or
1833 "S{1,n} P" (old style PGP2 signature). */
1834 for (n = n->next; n; n = n->next)
1835 if (n->pkt->pkttype != PKT_SIGNATURE)
1836 break;
1837 if (!n)
1838 ; /* Okay, this is a detached signature. */
1839 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1840 && (n->pkt->pkt.gpg_control->control
1841 == CTRLPKT_PLAINTEXT_MARK) )
1842 {
1843 if (n->next)
1844 goto ambiguous; /* We only allow one P packet. */
1845 extrahash = n->pkt->pkt.gpg_control->data;
1846 extrahashlen = n->pkt->pkt.gpg_control->datalen;
1847 }
1848 else
1849 goto ambiguous;
1850 }
1851 else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1852 {
1853 /* This is the "O{1,n} P S{1,n}" case (standard signature). */
1854 for (n_onepass=1, n = n->next;
1855 n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
1856 n_onepass++;
1857 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1858 && (n->pkt->pkt.gpg_control->control
1859 == CTRLPKT_PLAINTEXT_MARK)))
1860 goto ambiguous;
1861 extrahash = n->pkt->pkt.gpg_control->data;
1862 extrahashlen = n->pkt->pkt.gpg_control->datalen;
1863
1864 for (n_sig=0, n = n->next;
1865 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1866 n_sig++;
1867 if (!n_sig)
1868 goto ambiguous;
1869
1870 /* If we wanted to disallow multiple sig verification, we'd do
1871 * something like this:
1872 *
1873 * if (n)
1874 * goto ambiguous;
1875 *
1876 * However, this can stay allowable as we can't get here. */
1877
1878 if (n_onepass != n_sig)
1879 {
1880 log_info ("number of one-pass packets does not match "
1881 "number of signature packets\n");
1882 goto ambiguous;
1883 }
1884 }
1885 else if (n->pkt->pkttype == PKT_GPG_CONTROL
1886 && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
1887 {
1888 /* This is the "C P S{1,n}" case (clear text signature). */
1889 n = n->next;
1890 if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
1891 && (n->pkt->pkt.gpg_control->control
1892 == CTRLPKT_PLAINTEXT_MARK)))
1893 goto ambiguous;
1894 extrahash = n->pkt->pkt.gpg_control->data;
1895 extrahashlen = n->pkt->pkt.gpg_control->datalen;
1896 for (n_sig=0, n = n->next;
1897 n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1898 n_sig++;
1899 if (n || !n_sig)
1900 goto ambiguous;
1901 }
1902 else
1903 {
1904 ambiguous:
1905 log_error(_("can't handle this ambiguous signature data\n"));
1906 return 0;
1907 }
1908 } /* End checking signature packet composition. */
1909
1910 if (sig->signers_uid)
1911 write_status_buffer (STATUS_NEWSIG,
1912 sig->signers_uid, strlen (sig->signers_uid), 0);
1913 else
1914 write_status_text (STATUS_NEWSIG, NULL);
1915
1916 astr = openpgp_pk_algo_name ( sig->pubkey_algo );
1917 issuer_fpr = issuer_fpr_string (sig);
1918
1919 if (issuer_fpr)
1920 {
1921 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1922 log_info (_(" using %s key %s\n"),
1923 astr? astr: "?", issuer_fpr);
1924
1925 }
1926 else if (!keystrlen () || keystrlen () > 8)
1927 {
1928 log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
1929 log_info (_(" using %s key %s\n"),
1930 astr? astr: "?", keystr(sig->keyid));
1931 }
1932 else /* Legacy format. */
1933 log_info (_("Signature made %s using %s key ID %s\n"),
1934 asctimestamp(sig->timestamp), astr? astr: "?",
1935 keystr(sig->keyid));
1936
1937 /* In verbose mode print the signers UID. */
1938 if (sig->signers_uid)
1939 log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
1940
1941 rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
1942 NULL, &is_expkey, &is_revkey, &pk);
1943
1944 /* If the key is not found but the signature includes a key block we
1945 * use that key block for verification and on success import it. */
1946 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1947 && sig->flags.key_block
1948 && opt.flags.auto_key_import)
1949 {
1950 PKT_public_key *included_pk;
1951 const byte *kblock;
1952 size_t kblock_len;
1953
1954 included_pk = xcalloc (1, sizeof *included_pk);
1955 kblock = parse_sig_subpkt (sig, 1, SIGSUBPKT_KEY_BLOCK, &kblock_len);
1956 if (kblock && kblock_len > 1
1957 && !get_pubkey_from_buffer (c->ctrl, included_pk,
1958 kblock+1, kblock_len-1,
1959 sig->keyid, &included_keyblock))
1960 {
1961 rc = do_check_sig (c, node, extrahash, extrahashlen, included_pk,
1962 NULL, &is_expkey, &is_revkey, &pk);
1963 if (opt.verbose)
1964 log_debug ("checked signature using included key block: %s\n",
1965 gpg_strerror (rc));
1966 if (!rc)
1967 {
1968 /* The keyblock has been verified, we now import it. */
1969 rc = import_included_key_block (c->ctrl, included_keyblock);
1970 }
1971
1972 }
1973 free_public_key (included_pk);
1974 }
1975
1976 /* If the key isn't found, check for a preferred keyserver. Note
1977 * that this is only done if honor-keyserver-url has been set. We
1978 * test for this in the loop so that we can show info about the
1979 * preferred keyservers. */
1980 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
1981 && sig->flags.pref_ks)
1982 {
1983 const byte *p;
1984 int seq = 0;
1985 size_t n;
1986 int any_pref_ks = 0;
1987
1988 while ((p=enum_sig_subpkt (sig, 1, SIGSUBPKT_PREF_KS, &n, &seq, NULL)))
1989 {
1990 /* According to my favorite copy editor, in English grammar,
1991 you say "at" if the key is located on a web page, but
1992 "from" if it is located on a keyserver. I'm not going to
1993 even try to make two strings here :) */
1994 log_info(_("Key available at: ") );
1995 print_utf8_buffer (log_get_stream(), p, n);
1996 log_printf ("\n");
1997 any_pref_ks = 1;
1998
1999 if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2000 && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2001 {
2002 struct keyserver_spec *spec;
2003
2004 spec = parse_preferred_keyserver (sig);
2005 if (spec)
2006 {
2007 int res;
2008
2009 if (DBG_LOOKUP)
2010 log_debug ("trying auto-key-retrieve method %s\n",
2011 "Pref-KS");
2012
2013 free_public_key (pk);
2014 pk = NULL;
2015 glo_ctrl.in_auto_key_retrieve++;
2016 res = keyserver_import_keyid (c->ctrl, sig->keyid,spec,
2017 KEYSERVER_IMPORT_FLAG_QUICK);
2018 glo_ctrl.in_auto_key_retrieve--;
2019 if (!res)
2020 rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2021 NULL, &is_expkey, &is_revkey, &pk);
2022 else if (DBG_LOOKUP)
2023 log_debug ("lookup via %s failed: %s\n", "Pref-KS",
2024 gpg_strerror (res));
2025 free_keyserver_spec (spec);
2026
2027 if (!rc)
2028 break;
2029 }
2030 }
2031 }
2032
2033 if (any_pref_ks
2034 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2035 && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2036 log_info (_("Note: Use '%s' to make use of this info\n"),
2037 "--keyserver-option honor-keyserver-url");
2038 }
2039
2040 /* If the above methods didn't work, our next try is to retrieve the
2041 * key from the WKD. This requires that WKD is in the AKL and the
2042 * Signer's UID is in the signature. */
2043 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2044 && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2045 && !opt.flags.disable_signer_uid
2046 && akl_has_wkd_method ()
2047 && sig->signers_uid)
2048 {
2049 int res;
2050
2051 if (DBG_LOOKUP)
2052 log_debug ("trying auto-key-retrieve method %s\n", "WKD");
2053 free_public_key (pk);
2054 pk = NULL;
2055 glo_ctrl.in_auto_key_retrieve++;
2056 res = keyserver_import_wkd (c->ctrl, sig->signers_uid,
2057 KEYSERVER_IMPORT_FLAG_QUICK, NULL, NULL);
2058 glo_ctrl.in_auto_key_retrieve--;
2059 /* Fixme: If the fingerprint is embedded in the signature,
2060 * compare it to the fingerprint of the returned key. */
2061 if (!res)
2062 rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2063 NULL, &is_expkey, &is_revkey, &pk);
2064 else if (DBG_LOOKUP)
2065 log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res));
2066 }
2067
2068 /* If the above methods didn't work, our next try is to locate
2069 * the key via its fingerprint from a keyserver. This requires
2070 * that the signers fingerprint is encoded in the signature. */
2071 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2072 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2073 && keyserver_any_configured (c->ctrl))
2074 {
2075 int res;
2076 const byte *p;
2077 size_t n;
2078
2079 p = issuer_fpr_raw (sig, &n);
2080 if (p)
2081 {
2082 if (DBG_LOOKUP)
2083 log_debug ("trying auto-key-retrieve method %s\n", "KS");
2084
2085 /* v4 or v5 packet with a SHA-1/256 fingerprint. */
2086 free_public_key (pk);
2087 pk = NULL;
2088 glo_ctrl.in_auto_key_retrieve++;
2089 res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver,
2090 KEYSERVER_IMPORT_FLAG_QUICK);
2091 glo_ctrl.in_auto_key_retrieve--;
2092 if (!res)
2093 rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2094 NULL, &is_expkey, &is_revkey, &pk);
2095 else if (DBG_LOOKUP)
2096 log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res));
2097 }
2098 }
2099
2100 /* Do do something with the result of the signature checking. */
2101 if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
2102 {
2103 /* We have checked the signature and the result is either a good
2104 * signature or a bad signature. Further examination follows. */
2105 kbnode_t un, keyblock;
2106 int count = 0;
2107 int keyblock_has_pk = 0; /* For failsafe check. */
2108 int statno;
2109 char keyid_str[50];
2110 PKT_public_key *mainpk = NULL;
2111
2112 if (rc)
2113 statno = STATUS_BADSIG;
2114 else if (sig->flags.expired)
2115 statno = STATUS_EXPSIG;
2116 else if (is_expkey)
2117 statno = STATUS_EXPKEYSIG;
2118 else if(is_revkey)
2119 statno = STATUS_REVKEYSIG;
2120 else
2121 statno = STATUS_GOODSIG;
2122
2123 /* FIXME: We should have the public key in PK and thus the
2124 * keyblock has already been fetched. Thus we could use the
2125 * fingerprint or PK itself to lookup the entire keyblock. That
2126 * would best be done with a cache. */
2127 if (included_keyblock)
2128 {
2129 keyblock = included_keyblock;
2130 included_keyblock = NULL;
2131 }
2132 else
2133 keyblock = get_pubkeyblock_for_sig (c->ctrl, sig);
2134
2135 snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
2136 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2137
2138 /* Find and print the primary user ID along with the
2139 "Good|Expired|Bad signature" line. */
2140 for (un=keyblock; un; un = un->next)
2141 {
2142 int valid;
2143
2144 if (!keyblock_has_pk
2145 && (un->pkt->pkttype == PKT_PUBLIC_KEY
2146 || un->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2147 && !cmp_public_keys (un->pkt->pkt.public_key, pk))
2148 {
2149 keyblock_has_pk = 1;
2150 }
2151 if (un->pkt->pkttype == PKT_PUBLIC_KEY)
2152 {
2153 mainpk = un->pkt->pkt.public_key;
2154 continue;
2155 }
2156 if (un->pkt->pkttype != PKT_USER_ID)
2157 continue;
2158 if (!un->pkt->pkt.user_id->created)
2159 continue;
2160 if (un->pkt->pkt.user_id->flags.revoked)
2161 continue;
2162 if (un->pkt->pkt.user_id->flags.expired)
2163 continue;
2164 if (!un->pkt->pkt.user_id->flags.primary)
2165 continue;
2166 /* We want the textual primary user ID here */
2167 if (un->pkt->pkt.user_id->attrib_data)
2168 continue;
2169
2170 log_assert (mainpk);
2171
2172 /* Since this is just informational, don't actually ask the
2173 user to update any trust information. (Note: we register
2174 the signature later.) Because print_good_bad_signature
2175 does not print a LF we need to compute the validity
2176 before calling that function. */
2177 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2178 valid = get_validity (c->ctrl, keyblock, mainpk,
2179 un->pkt->pkt.user_id, NULL, 0);
2180 else
2181 valid = 0; /* Not used. */
2182
2183 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2184
2185 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2186
2187 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2188 log_printf (" [%s]\n",trust_value_to_string(valid));
2189 else
2190 log_printf ("\n");
2191
2192 count++;
2193 /* At this point we could in theory stop because the primary
2194 * UID flag is never set for more than one User ID per
2195 * keyblock. However, we use this loop also for a failsafe
2196 * check that the public key used to create the signature is
2197 * contained in the keyring.*/
2198 }
2199
2200 log_assert (mainpk);
2201 if (!keyblock_has_pk)
2202 {
2203 log_error ("signature key lost from keyblock\n");
2204 rc = gpg_error (GPG_ERR_INTERNAL);
2205 }
2206
2207 /* In case we did not found a valid textual userid above
2208 we print the first user id packet or a "[?]" instead along
2209 with the "Good|Expired|Bad signature" line. */
2210 if (!count)
2211 {
2212 /* Try for an invalid textual userid */
2213 for (un=keyblock; un; un = un->next)
2214 {
2215 if (un->pkt->pkttype == PKT_USER_ID
2216 && !un->pkt->pkt.user_id->attrib_data)
2217 break;
2218 }
2219
2220 /* Try for any userid at all */
2221 if (!un)
2222 {
2223 for (un=keyblock; un; un = un->next)
2224 {
2225 if (un->pkt->pkttype == PKT_USER_ID)
2226 break;
2227 }
2228 }
2229
2230 if (opt.trust_model==TM_ALWAYS || !un)
2231 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2232
2233 print_good_bad_signature (statno, keyid_str, un, sig, rc);
2234
2235 if (opt.trust_model != TM_ALWAYS && un)
2236 log_printf (" %s",_("[uncertain]") );
2237 log_printf ("\n");
2238 }
2239
2240 /* If we have a good signature and already printed
2241 * the primary user ID, print all the other user IDs */
2242 if (count
2243 && !rc
2244 && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2245 {
2246 char *p;
2247 for( un=keyblock; un; un = un->next)
2248 {
2249 if (un->pkt->pkttype != PKT_USER_ID)
2250 continue;
2251 if ((un->pkt->pkt.user_id->flags.revoked
2252 || un->pkt->pkt.user_id->flags.expired)
2253 && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2254 continue;
2255 /* Skip textual primary user ids which we printed above. */
2256 if (un->pkt->pkt.user_id->flags.primary
2257 && !un->pkt->pkt.user_id->attrib_data )
2258 continue;
2259
2260 /* If this user id has attribute data, print that. */
2261 if (un->pkt->pkt.user_id->attrib_data)
2262 {
2263 dump_attribs (un->pkt->pkt.user_id, mainpk);
2264
2265 if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2266 show_photos (c->ctrl,
2267 un->pkt->pkt.user_id->attribs,
2268 un->pkt->pkt.user_id->numattribs,
2269 mainpk ,un->pkt->pkt.user_id);
2270 }
2271
2272 p = utf8_to_native (un->pkt->pkt.user_id->name,
2273 un->pkt->pkt.user_id->len, 0);
2274 log_info (_(" aka \"%s\""), p);
2275 xfree (p);
2276
2277 if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2278 {
2279 const char *valid;
2280
2281 if (un->pkt->pkt.user_id->flags.revoked)
2282 valid = _("revoked");
2283 else if (un->pkt->pkt.user_id->flags.expired)
2284 valid = _("expired");
2285 else
2286 /* Since this is just informational, don't
2287 actually ask the user to update any trust
2288 information. */
2289 valid = (trust_value_to_string
2290 (get_validity (c->ctrl, keyblock, mainpk,
2291 un->pkt->pkt.user_id, NULL, 0)));
2292 log_printf (" [%s]\n",valid);
2293 }
2294 else
2295 log_printf ("\n");
2296 }
2297 }
2298
2299 /* For good signatures print notation data. */
2300 if (!rc)
2301 {
2302 if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2303 show_policy_url (sig, 0, 1);
2304 else
2305 show_policy_url (sig, 0, 2);
2306
2307 if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2308 show_keyserver_url (sig, 0, 1);
2309 else
2310 show_keyserver_url (sig, 0, 2);
2311
2312 if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2313 show_notation
2314 (sig, 0, 1,
2315 (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2316 + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
2317 else
2318 show_notation (sig, 0, 2, 0);
2319 }
2320
2321 /* For good signatures print the VALIDSIG status line. */
2322 if (!rc && is_status_enabled () && pk)
2323 {
2324 char pkhex[MAX_FINGERPRINT_LEN*2+1];
2325 char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2326
2327 hexfingerprint (pk, pkhex, sizeof pkhex);
2328 hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2329
2330 /* TODO: Replace the reserved '0' in the field below with
2331 bits for status flags (policy url, notation, etc.). */
2332 write_status_printf (STATUS_VALIDSIG,
2333 "%s %s %lu %lu %d 0 %d %d %02X %s",
2334 pkhex,
2335 strtimestamp (sig->timestamp),
2336 (ulong)sig->timestamp,
2337 (ulong)sig->expiredate,
2338 sig->version, sig->pubkey_algo,
2339 sig->digest_algo,
2340 sig->sig_class,
2341 mainpkhex);
2342 }
2343
2344 /* Print compliance warning for Good signatures. */
2345 if (!rc && pk && !opt.quiet
2346 && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
2347 pk->pkey, nbits_from_pk (pk), NULL))
2348 {
2349 log_info (_("WARNING: This key is not suitable for signing"
2350 " in %s mode\n"),
2351 gnupg_compliance_option_string (opt.compliance));
2352 }
2353
2354 /* For good signatures compute and print the trust information.
2355 Note that in the Tofu trust model this may ask the user on
2356 how to resolve a conflict. */
2357 if (!rc)
2358 {
2359 rc = check_signatures_trust (c->ctrl, keyblock, pk, sig);
2360 }
2361
2362 /* Print extra information about the signature. */
2363 if (sig->flags.expired)
2364 {
2365 log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2366 if (!rc)
2367 rc = gpg_error (GPG_ERR_GENERAL); /* Need a better error here? */
2368 }
2369 else if (sig->expiredate)
2370 log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2371
2372 if (opt.verbose)
2373 {
2374 char pkstrbuf[PUBKEY_STRING_SIZE];
2375
2376 if (pk)
2377 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2378 else
2379 *pkstrbuf = 0;
2380
2381 log_info (_("%s signature, digest algorithm %s%s%s\n"),
2382 sig->sig_class==0x00?_("binary"):
2383 sig->sig_class==0x01?_("textmode"):_("unknown"),
2384 gcry_md_algo_name (sig->digest_algo),
2385 *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2386 }
2387
2388 /* Print final warnings. */
2389 if (!rc && !c->signed_data.used)
2390 {
2391 /* Signature is basically good but we test whether the
2392 deprecated command
2393 gpg --verify FILE.sig
2394 was used instead of
2395 gpg --verify FILE.sig FILE
2396 to verify a detached signature. If we figure out that a
2397 data file with a matching name exists, we print a warning.
2398
2399 The problem is that the first form would also verify a
2400 standard signature. This behavior could be used to
2401 create a made up .sig file for a tarball by creating a
2402 standard signature from a valid detached signature packet
2403 (for example from a signed git tag). Then replace the
2404 sig file on the FTP server along with a changed tarball.
2405 Using the first form the verify command would correctly
2406 verify the signature but don't even consider the tarball. */
2407 kbnode_t n;
2408 char *dfile;
2409
2410 dfile = get_matching_datafile (c->sigfilename);
2411 if (dfile)
2412 {
2413 for (n = c->list; n; n = n->next)
2414 if (n->pkt->pkttype != PKT_SIGNATURE)
2415 break;
2416 if (n)
2417 {
2418 /* Not only signature packets in the tree thus this
2419 is not a detached signature. */
2420 log_info (_("WARNING: not a detached signature; "
2421 "file '%s' was NOT verified!\n"), dfile);
2422 }
2423 xfree (dfile);
2424 }
2425 }
2426
2427 /* Compute compliance with CO_DE_VS. */
2428 if (pk && is_status_enabled ()
2429 && gnupg_gcrypt_is_compliant (CO_DE_VS)
2430 && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
2431 nbits_from_pk (pk), NULL)
2432 && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2433 write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2434 gnupg_status_compliance_flag (CO_DE_VS),
2435 NULL);
2436
2437 free_public_key (pk);
2438 pk = NULL;
2439 release_kbnode( keyblock );
2440 if (rc)
2441 g10_errors_seen = 1;
2442 if (opt.batch && rc)
2443 g10_exit (1);
2444 }
2445 else /* Error checking the signature. (neither Good nor Bad). */
2446 {
2447 write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
2448 (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2449 sig->pubkey_algo, sig->digest_algo,
2450 sig->sig_class, (ulong)sig->timestamp,
2451 gpg_err_code (rc),
2452 issuer_fpr? issuer_fpr:"-");
2453 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2454 {
2455 write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
2456 (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2457 }
2458 if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2459 log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2460 }
2461
2462 free_public_key (pk);
2463 release_kbnode (included_keyblock);
2464 xfree (issuer_fpr);
2465 return rc;
2466 }
2467
2468
2469 /*
2470 * Process the tree which starts at node
2471 */
2472 static void
proc_tree(CTX c,kbnode_t node)2473 proc_tree (CTX c, kbnode_t node)
2474 {
2475 kbnode_t n1;
2476 int rc;
2477
2478 if (opt.list_packets || opt.list_only)
2479 return;
2480
2481 /* We must skip our special plaintext marker packets here because
2482 they may be the root packet. These packets are only used in
2483 additional checks and skipping them here doesn't matter. */
2484 while (node
2485 && node->pkt->pkttype == PKT_GPG_CONTROL
2486 && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2487 {
2488 node = node->next;
2489 }
2490 if (!node)
2491 return;
2492
2493 c->trustletter = ' ';
2494 if (node->pkt->pkttype == PKT_PUBLIC_KEY
2495 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2496 {
2497 merge_keys_and_selfsig (c->ctrl, node);
2498 list_node (c, node);
2499 }
2500 else if (node->pkt->pkttype == PKT_SECRET_KEY)
2501 {
2502 merge_keys_and_selfsig (c->ctrl, node);
2503 list_node (c, node);
2504 }
2505 else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2506 {
2507 /* Check all signatures. */
2508 if (!c->any.data)
2509 {
2510 int use_textmode = 0;
2511
2512 free_md_filter_context (&c->mfx);
2513 /* Prepare to create all requested message digests. */
2514 rc = gcry_md_open (&c->mfx.md, 0, 0);
2515 if (rc)
2516 goto hash_err;
2517
2518 /* Fixme: why looking for the signature packet and not the
2519 one-pass packet? */
2520 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2521 gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2522
2523 if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2524 use_textmode = 1;
2525
2526 /* Ask for file and hash it. */
2527 if (c->sigs_only)
2528 {
2529 if (c->signed_data.used && c->signed_data.data_fd != -1)
2530 rc = hash_datafile_by_fd (c->mfx.md, NULL,
2531 c->signed_data.data_fd,
2532 use_textmode);
2533 else
2534 rc = hash_datafiles (c->mfx.md, NULL,
2535 c->signed_data.data_names,
2536 c->sigfilename,
2537 use_textmode);
2538 }
2539 else
2540 {
2541 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2542 iobuf_get_real_fname (c->iobuf),
2543 use_textmode);
2544 }
2545
2546 hash_err:
2547 if (rc)
2548 {
2549 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2550 return;
2551 }
2552 }
2553 else if (c->signed_data.used)
2554 {
2555 log_error (_("not a detached signature\n"));
2556 return;
2557 }
2558
2559 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2560 check_sig_and_print (c, n1);
2561
2562 }
2563 else if (node->pkt->pkttype == PKT_GPG_CONTROL
2564 && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2565 {
2566 /* Clear text signed message. */
2567 if (!c->any.data)
2568 {
2569 log_error ("cleartext signature without data\n");
2570 return;
2571 }
2572 else if (c->signed_data.used)
2573 {
2574 log_error (_("not a detached signature\n"));
2575 return;
2576 }
2577
2578 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2579 check_sig_and_print (c, n1);
2580
2581 }
2582 else if (node->pkt->pkttype == PKT_SIGNATURE)
2583 {
2584 PKT_signature *sig = node->pkt->pkt.signature;
2585 int multiple_ok = 1;
2586
2587 n1 = find_next_kbnode (node, PKT_SIGNATURE);
2588 if (n1)
2589 {
2590 byte class = sig->sig_class;
2591 byte hash = sig->digest_algo;
2592
2593 for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2594 {
2595 /* We can't currently handle multiple signatures of
2596 * different classes (we'd pretty much have to run a
2597 * different hash context for each), but if they are all
2598 * the same and it is detached signature, we make an
2599 * exception. Note that the old code also disallowed
2600 * multiple signatures if the digest algorithms are
2601 * different. We softened this restriction only for
2602 * detached signatures, to be on the safe side. */
2603 if (n1->pkt->pkt.signature->sig_class != class
2604 || (c->any.data
2605 && n1->pkt->pkt.signature->digest_algo != hash))
2606 {
2607 multiple_ok = 0;
2608 log_info (_("WARNING: multiple signatures detected. "
2609 "Only the first will be checked.\n"));
2610 break;
2611 }
2612 }
2613 }
2614
2615 if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2616 {
2617 log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2618 }
2619 else if (!c->any.data)
2620 {
2621 /* Detached signature */
2622 free_md_filter_context (&c->mfx);
2623 rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2624 if (rc)
2625 goto detached_hash_err;
2626
2627 if (multiple_ok)
2628 {
2629 /* If we have and want to handle multiple signatures we
2630 * need to enable all hash algorithms for the context. */
2631 for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2632 if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2633 gcry_md_enable (c->mfx.md,
2634 map_md_openpgp_to_gcry
2635 (n1->pkt->pkt.signature->digest_algo));
2636 }
2637
2638 if (RFC2440 || RFC4880)
2639 ; /* Strict RFC mode. */
2640 else if (sig->digest_algo == DIGEST_ALGO_SHA1
2641 && sig->pubkey_algo == PUBKEY_ALGO_DSA
2642 && sig->sig_class == 0x01)
2643 {
2644 /* Enable a workaround for a pgp5 bug when the detached
2645 * signature has been created in textmode. Note that we
2646 * do not implement this for multiple signatures with
2647 * different hash algorithms. */
2648 rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2649 if (rc)
2650 goto detached_hash_err;
2651 }
2652
2653 /* Here we used to have another hack to work around a pgp
2654 * 2 bug: It worked by not using the textmode for detached
2655 * signatures; this would let the first signature check
2656 * (on md) fail but the second one (on md2), which adds an
2657 * extra CR would then have produced the "correct" hash.
2658 * This is very, very ugly hack but it may haved help in
2659 * some cases (and break others).
2660 * c->mfx.md2? 0 :(sig->sig_class == 0x01)
2661 */
2662
2663 if (DBG_HASHING)
2664 {
2665 gcry_md_debug (c->mfx.md, "verify");
2666 if (c->mfx.md2)
2667 gcry_md_debug (c->mfx.md2, "verify2");
2668 }
2669
2670 if (c->sigs_only)
2671 {
2672 if (c->signed_data.used && c->signed_data.data_fd != -1)
2673 rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2674 c->signed_data.data_fd,
2675 (sig->sig_class == 0x01));
2676 else
2677 rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2678 c->signed_data.data_names,
2679 c->sigfilename,
2680 (sig->sig_class == 0x01));
2681 }
2682 else
2683 {
2684 rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2685 iobuf_get_real_fname(c->iobuf),
2686 (sig->sig_class == 0x01));
2687 }
2688
2689 detached_hash_err:
2690 if (rc)
2691 {
2692 log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2693 return;
2694 }
2695 }
2696 else if (c->signed_data.used)
2697 {
2698 log_error (_("not a detached signature\n"));
2699 return;
2700 }
2701 else if (!opt.quiet)
2702 log_info (_("old style (PGP 2.x) signature\n"));
2703
2704 if (multiple_ok)
2705 {
2706 for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2707 check_sig_and_print (c, n1);
2708 }
2709 else
2710 check_sig_and_print (c, node);
2711
2712 }
2713 else
2714 {
2715 dump_kbnode (c->list);
2716 log_error ("invalid root packet detected in proc_tree()\n");
2717 dump_kbnode (node);
2718 }
2719 }
2720