Line | Count | Source |
1 | | /* verify.c - Verify signed data |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004, 2005, 2006, |
3 | | * 2007, 2010 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2003, 2006-2008, 2010-2011, 2015-2017, |
5 | | * 2020, 2023 g10 Code GmbH |
6 | | * |
7 | | * This file is part of GnuPG. |
8 | | * |
9 | | * GnuPG is free software; you can redistribute it and/or modify |
10 | | * it under the terms of the GNU General Public License as published by |
11 | | * the Free Software Foundation; either version 3 of the License, or |
12 | | * (at your option) any later version. |
13 | | * |
14 | | * GnuPG is distributed in the hope that it will be useful, |
15 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | | * GNU General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU General Public License |
20 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
21 | | * SPDX-License-Identifier: GPL-3.0-or-later |
22 | | */ |
23 | | |
24 | | #include <config.h> |
25 | | #include <stdio.h> |
26 | | #include <stdlib.h> |
27 | | #include <string.h> |
28 | | #include <errno.h> |
29 | | |
30 | | #include "gpg.h" |
31 | | #include "options.h" |
32 | | #include "packet.h" |
33 | | #include "../common/status.h" |
34 | | #include "../common/iobuf.h" |
35 | | #include "keydb.h" |
36 | | #include "../common/util.h" |
37 | | #include "main.h" |
38 | | #include "filter.h" |
39 | | #include "../common/ttyio.h" |
40 | | #include "../common/i18n.h" |
41 | | |
42 | | |
43 | | /**************** |
44 | | * Assume that the input is a signature and verify it without |
45 | | * generating any output. With no arguments, the signature packet |
46 | | * is read from stdin (it may be a detached signature when not |
47 | | * used in batch mode). If only a sigfile is given, it may be a complete |
48 | | * signature or a detached signature in which case the signed stuff |
49 | | * is expected from stdin. With more than 1 argument, the first should |
50 | | * be a detached signature and the remaining files are the signed stuff. |
51 | | */ |
52 | | |
53 | | int |
54 | | verify_signatures (ctrl_t ctrl, int nfiles, char **files ) |
55 | 0 | { |
56 | 0 | IOBUF fp; |
57 | 0 | armor_filter_context_t *afx = NULL; |
58 | 0 | progress_filter_context_t *pfx = new_progress_context (); |
59 | 0 | const char *sigfile; |
60 | 0 | int i, rc; |
61 | 0 | strlist_t sl; |
62 | | |
63 | | /* Decide whether we should handle a detached or a normal signature, |
64 | | * which is needed so that the code later can hash the correct data and |
65 | | * not have a normal signature act as detached signature and ignoring the |
66 | | * intended signed material from the 2nd file or stdin. |
67 | | * 1. gpg <file - normal |
68 | | * 2. gpg file - normal (or detached) |
69 | | * 3. gpg file <file2 - detached |
70 | | * 4. gpg file file2 - detached |
71 | | * The question is how decide between case 2 and 3? The only way |
72 | | * we can do it is by reading one byte from stdin and then unget |
73 | | * it; the problem here is that we may be reading from the |
74 | | * terminal (which could be detected using isatty() but won't work |
75 | | * when under control of a pty using program (e.g. expect)) and |
76 | | * might get us in trouble when stdin is used for another purpose |
77 | | * (--passphrase-fd 0). So we have to break with the behaviour |
78 | | * prior to gpg 1.0.4 by assuming that case 3 is a normal |
79 | | * signature (where file2 is ignored and require for a detached |
80 | | * signature to indicate signed material comes from stdin by using |
81 | | * case 4 with a file2 of "-". |
82 | | * |
83 | | * Actually we don't have to change anything here but can handle |
84 | | * that all quite easily in mainproc.c |
85 | | */ |
86 | |
|
87 | 0 | sigfile = nfiles? *files : NULL; |
88 | | |
89 | | /* open the signature file */ |
90 | 0 | fp = iobuf_open(sigfile); |
91 | 0 | if (fp && is_secured_file (iobuf_get_fd (fp))) |
92 | 0 | { |
93 | 0 | iobuf_close (fp); |
94 | 0 | fp = NULL; |
95 | 0 | gpg_err_set_errno (EPERM); |
96 | 0 | } |
97 | 0 | if( !fp ) { |
98 | 0 | rc = gpg_error_from_syserror (); |
99 | 0 | log_error(_("can't open '%s': %s\n"), |
100 | 0 | print_fname_stdin(sigfile), gpg_strerror (rc)); |
101 | 0 | goto leave; |
102 | 0 | } |
103 | 0 | handle_progress (pfx, fp, sigfile); |
104 | |
|
105 | 0 | if ( !opt.no_armor && use_armor_filter( fp ) ) |
106 | 0 | { |
107 | 0 | afx = new_armor_context (); |
108 | 0 | push_armor_filter (afx, fp); |
109 | 0 | } |
110 | |
|
111 | 0 | sl = NULL; |
112 | 0 | for(i=nfiles-1 ; i > 0 ; i-- ) |
113 | 0 | add_to_strlist( &sl, files[i] ); |
114 | 0 | rc = proc_signature_packets (ctrl, NULL, fp, sl, sigfile ); |
115 | 0 | free_strlist(sl); |
116 | 0 | iobuf_close(fp); |
117 | 0 | if( (afx && afx->no_openpgp_data && rc == -1) |
118 | 0 | || gpg_err_code (rc) == GPG_ERR_NO_DATA ) { |
119 | 0 | log_error(_("the signature could not be verified.\n" |
120 | 0 | "Please remember that the signature file (.sig or .asc)\n" |
121 | 0 | "should be the first file given on the command line.\n") ); |
122 | 0 | rc = 0; |
123 | 0 | } |
124 | |
|
125 | 0 | leave: |
126 | 0 | release_armor_context (afx); |
127 | 0 | release_progress_context (pfx); |
128 | 0 | return rc; |
129 | 0 | } |
130 | | |
131 | | |
132 | | |
133 | | void |
134 | | print_file_status( int status, const char *name, int what ) |
135 | 12 | { |
136 | 12 | char *p = xmalloc(strlen(name)+10); |
137 | 12 | sprintf(p, "%d %s", what, name ); |
138 | 12 | write_status_text( status, p ); |
139 | 12 | xfree(p); |
140 | 12 | } |
141 | | |
142 | | |
143 | | static int |
144 | | verify_one_file (ctrl_t ctrl, const char *name ) |
145 | 0 | { |
146 | 0 | IOBUF fp; |
147 | 0 | armor_filter_context_t *afx = NULL; |
148 | 0 | progress_filter_context_t *pfx = new_progress_context (); |
149 | 0 | int rc; |
150 | |
|
151 | 0 | print_file_status( STATUS_FILE_START, name, 1 ); |
152 | 0 | fp = iobuf_open(name); |
153 | 0 | if (fp) |
154 | 0 | iobuf_ioctl (fp, IOBUF_IOCTL_NO_CACHE, 1, NULL); |
155 | 0 | if (fp && is_secured_file (iobuf_get_fd (fp))) |
156 | 0 | { |
157 | 0 | iobuf_close (fp); |
158 | 0 | fp = NULL; |
159 | 0 | gpg_err_set_errno (EPERM); |
160 | 0 | } |
161 | 0 | if( !fp ) { |
162 | 0 | rc = gpg_error_from_syserror (); |
163 | 0 | log_error(_("can't open '%s': %s\n"), |
164 | 0 | print_fname_stdin(name), strerror (errno)); |
165 | 0 | print_file_status( STATUS_FILE_ERROR, name, 1 ); |
166 | 0 | goto leave; |
167 | 0 | } |
168 | 0 | handle_progress (pfx, fp, name); |
169 | |
|
170 | 0 | if( !opt.no_armor ) { |
171 | 0 | if( use_armor_filter( fp ) ) { |
172 | 0 | afx = new_armor_context (); |
173 | 0 | push_armor_filter (afx, fp); |
174 | 0 | } |
175 | 0 | } |
176 | |
|
177 | 0 | rc = proc_signature_packets (ctrl, NULL, fp, NULL, name ); |
178 | 0 | iobuf_close(fp); |
179 | 0 | write_status( STATUS_FILE_DONE ); |
180 | |
|
181 | 0 | reset_literals_seen(); |
182 | |
|
183 | 0 | leave: |
184 | 0 | release_armor_context (afx); |
185 | 0 | release_progress_context (pfx); |
186 | 0 | return rc; |
187 | 0 | } |
188 | | |
189 | | /**************** |
190 | | * Verify each file given in the files array or read the names of the |
191 | | * files from stdin. |
192 | | * Note: This function can not handle detached signatures. |
193 | | */ |
194 | | int |
195 | | verify_files (ctrl_t ctrl, int nfiles, char **files ) |
196 | 0 | { |
197 | 0 | int i, rc; |
198 | 0 | int first_rc = 0; |
199 | |
|
200 | 0 | if( !nfiles ) { /* read the filenames from stdin */ |
201 | 0 | char line[2048]; |
202 | 0 | unsigned int lno = 0; |
203 | |
|
204 | 0 | while( fgets(line, DIM(line), stdin) ) { |
205 | 0 | lno++; |
206 | 0 | if( !*line || line[strlen(line)-1] != '\n' ) { |
207 | 0 | log_error(_("input line %u too long or missing LF\n"), lno ); |
208 | 0 | return GPG_ERR_GENERAL; |
209 | 0 | } |
210 | | /* This code does not work on MSDOS but hwo cares there are |
211 | | * also no script languages available. We don't strip any |
212 | | * spaces, so that we can process nearly all filenames */ |
213 | 0 | line[strlen(line)-1] = 0; |
214 | 0 | rc = verify_one_file (ctrl, line); |
215 | 0 | if (!first_rc) |
216 | 0 | first_rc = rc; |
217 | 0 | } |
218 | |
|
219 | 0 | } |
220 | 0 | else { /* take filenames from the array */ |
221 | 0 | for(i=0; i < nfiles; i++ ) |
222 | 0 | { |
223 | 0 | rc = verify_one_file (ctrl, files[i]); |
224 | 0 | if (!first_rc) |
225 | 0 | first_rc = rc; |
226 | 0 | } |
227 | 0 | } |
228 | | |
229 | 0 | return first_rc; |
230 | 0 | } |
231 | | |
232 | | |
233 | | |
234 | | |
235 | | /* Perform a verify operation. To verify detached signatures, DATA_FD |
236 | | shall be the descriptor of the signed data; for regular signatures |
237 | | it needs to be -1. If OUT_FP is not NULL and DATA_FD is not -1 the |
238 | | the signed material gets written that stream. |
239 | | |
240 | | FIXME: OUTFP is not yet implemented. |
241 | | */ |
242 | | int |
243 | | gpg_verify (ctrl_t ctrl, gnupg_fd_t sig_fd, gnupg_fd_t data_fd, |
244 | | estream_t out_fp) |
245 | 0 | { |
246 | 0 | int rc; |
247 | 0 | iobuf_t fp; |
248 | 0 | armor_filter_context_t *afx = NULL; |
249 | 0 | progress_filter_context_t *pfx = new_progress_context (); |
250 | |
|
251 | 0 | (void)ctrl; |
252 | 0 | (void)out_fp; |
253 | |
|
254 | 0 | if (is_secured_file (sig_fd)) |
255 | 0 | { |
256 | 0 | fp = NULL; |
257 | 0 | gpg_err_set_errno (EPERM); |
258 | 0 | } |
259 | 0 | else |
260 | 0 | fp = iobuf_fdopen_nc (sig_fd, "rb"); |
261 | 0 | if (!fp) |
262 | 0 | { |
263 | 0 | rc = gpg_error_from_syserror (); |
264 | 0 | log_error (_("can't open fd %d: %s\n"), FD_DBG (sig_fd), |
265 | 0 | strerror (errno)); |
266 | 0 | goto leave; |
267 | 0 | } |
268 | | |
269 | 0 | handle_progress (pfx, fp, NULL); |
270 | |
|
271 | 0 | if ( !opt.no_armor && use_armor_filter (fp) ) |
272 | 0 | { |
273 | 0 | afx = new_armor_context (); |
274 | 0 | push_armor_filter (afx, fp); |
275 | 0 | } |
276 | |
|
277 | 0 | rc = proc_signature_packets_by_fd (ctrl, NULL, fp, data_fd); |
278 | |
|
279 | 0 | if ( afx && afx->no_openpgp_data |
280 | 0 | && (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF) ) |
281 | 0 | rc = gpg_error (GPG_ERR_NO_DATA); |
282 | |
|
283 | 0 | leave: |
284 | 0 | iobuf_close (fp); |
285 | 0 | release_progress_context (pfx); |
286 | 0 | release_armor_context (afx); |
287 | 0 | return rc; |
288 | 0 | } |
289 | | |
290 | | |
291 | | static int |
292 | | is_fingerprint (const char *string) |
293 | 0 | { |
294 | 0 | int n; |
295 | |
|
296 | 0 | if (!string || !*string) |
297 | 0 | return 0; |
298 | 0 | for (n=0; hexdigitp (string); string++) |
299 | 0 | n++; |
300 | 0 | if (!*string && (n == 40 || n == 64)) |
301 | 0 | return 1; /* v4 or v5 fingerprint. */ |
302 | | |
303 | 0 | return 0; |
304 | 0 | } |
305 | | |
306 | | |
307 | | /* This function shall be called with the main and subkey fingerprint |
308 | | * iff a signature is fully valid. If the option --assert-signer is |
309 | | * active it check whether the signing key matches one of the keys |
310 | | * given by this option and if so, sets a global flag. */ |
311 | | void |
312 | | check_assert_signer_list (const char *mainpkhex, const char *pkhex) |
313 | 0 | { |
314 | 0 | gpg_error_t err; |
315 | 0 | strlist_t item; |
316 | 0 | const char *fname; |
317 | 0 | estream_t fp = NULL; |
318 | 0 | int lnr; |
319 | 0 | int n, c; |
320 | 0 | char *p, *pend; |
321 | 0 | char line[256]; |
322 | |
|
323 | 0 | if (!opt.assert_signer_list) |
324 | 0 | return; /* Nothing to do. */ |
325 | 0 | if (assert_signer_true) |
326 | 0 | return; /* Already one valid signature seen. */ |
327 | | |
328 | 0 | for (item = opt.assert_signer_list; item; item = item->next) |
329 | 0 | { |
330 | 0 | if (is_fingerprint (item->d)) |
331 | 0 | { |
332 | 0 | ascii_strupr (item->d); |
333 | 0 | if (!strcmp (item->d, mainpkhex) || !strcmp (item->d, pkhex)) |
334 | 0 | { |
335 | 0 | assert_signer_true = 1; |
336 | 0 | write_status_text (STATUS_ASSERT_SIGNER, item->d); |
337 | 0 | if (!opt.quiet) |
338 | 0 | log_info ("asserted signer '%s'\n", item->d); |
339 | 0 | goto leave; |
340 | 0 | } |
341 | 0 | } |
342 | 0 | else /* Assume this is a file - read and compare. */ |
343 | 0 | { |
344 | 0 | fname = item->d; |
345 | 0 | es_fclose (fp); |
346 | 0 | fp = es_fopen (fname, "r"); |
347 | 0 | if (!fp) |
348 | 0 | { |
349 | 0 | err = gpg_error_from_syserror (); |
350 | 0 | log_error (_("error opening '%s': %s\n"), |
351 | 0 | fname, gpg_strerror (err)); |
352 | 0 | continue; |
353 | 0 | } |
354 | | |
355 | 0 | lnr = 0; |
356 | 0 | err = 0; |
357 | 0 | while (es_fgets (line, DIM(line)-1, fp)) |
358 | 0 | { |
359 | 0 | lnr++; |
360 | |
|
361 | 0 | n = strlen (line); |
362 | 0 | if (!n || line[n-1] != '\n') |
363 | 0 | { |
364 | | /* Eat until end of line. */ |
365 | 0 | while ( (c=es_getc (fp)) != EOF && c != '\n') |
366 | 0 | ; |
367 | 0 | err = gpg_error (GPG_ERR_INCOMPLETE_LINE); |
368 | 0 | log_error (_("file '%s', line %d: %s\n"), |
369 | 0 | fname, lnr, gpg_strerror (err)); |
370 | 0 | continue; |
371 | 0 | } |
372 | 0 | line[--n] = 0; /* Chop the LF. */ |
373 | 0 | if (n && line[n-1] == '\r') |
374 | 0 | line[--n] = 0; /* Chop an optional CR. */ |
375 | | |
376 | | /* Allow for empty lines and spaces */ |
377 | 0 | for (p=line; spacep (p); p++) |
378 | 0 | ; |
379 | 0 | if (!*p || *p == '#') |
380 | 0 | continue; |
381 | | |
382 | | /* Get the first token and ignore trailing stuff. */ |
383 | 0 | for (pend = p; *pend && !spacep (pend); pend++) |
384 | 0 | ; |
385 | 0 | *pend = 0; |
386 | 0 | ascii_strupr (p); |
387 | |
|
388 | 0 | if (!strcmp (p, mainpkhex) || !strcmp (p, pkhex)) |
389 | 0 | { |
390 | 0 | assert_signer_true = 1; |
391 | 0 | write_status_text (STATUS_ASSERT_SIGNER, p); |
392 | 0 | if (!opt.quiet) |
393 | 0 | log_info ("asserted signer '%s' (%s:%d)\n", |
394 | 0 | p, fname, lnr); |
395 | 0 | goto leave; |
396 | 0 | } |
397 | 0 | } |
398 | 0 | if (!err && !es_feof (fp)) |
399 | 0 | { |
400 | 0 | err = gpg_error_from_syserror (); |
401 | 0 | log_error (_("error reading '%s', line %d: %s\n"), |
402 | 0 | fname, lnr, gpg_strerror (err)); |
403 | 0 | } |
404 | 0 | } |
405 | 0 | } |
406 | | |
407 | 0 | leave: |
408 | 0 | es_fclose (fp); |
409 | 0 | } |
410 | | |
411 | | |
412 | | /* This function shall be called with the signer's public key |
413 | | * algorithm ALGOSTR iff a signature is fully valid. If the option |
414 | | * --assert-pubkey-algo is active the functions checks whether the |
415 | | * signing key's algo is valid according to that list; in this case a |
416 | | * global flag is set. */ |
417 | | void |
418 | | check_assert_pubkey_algo (const char *algostr, const char *pkhex) |
419 | 0 | { |
420 | 0 | if (!opt.assert_pubkey_algos) |
421 | 0 | return; /* Nothing to do. */ |
422 | | |
423 | 0 | if (compare_pubkey_string (algostr, opt.assert_pubkey_algos)) |
424 | 0 | { |
425 | 0 | write_status_strings (STATUS_ASSERT_PUBKEY_ALGO, |
426 | 0 | pkhex, " 1 ", algostr, NULL); |
427 | 0 | if (!opt.quiet) |
428 | 0 | log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr); |
429 | 0 | } |
430 | 0 | else |
431 | 0 | { |
432 | 0 | if (!opt.quiet) |
433 | 0 | log_info ("denied signer '%s' with algo %s\n", pkhex, algostr); |
434 | 0 | assert_pubkey_algo_false = 1; |
435 | 0 | write_status_strings (STATUS_ASSERT_PUBKEY_ALGO, |
436 | | pkhex, " 0 ", algostr, NULL); |
437 | 0 | } |
438 | 0 | } |