/src/gnupg/g10/mainproc.c
Line | Count | Source |
1 | | /* mainproc.c - handle packets |
2 | | * Copyright (C) 1998-2009 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013-2014 Werner Koch |
4 | | * Copyright (C) 2020, 2024 g10 Code GmbH |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <config.h> |
23 | | #include <stdio.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | #include <time.h> |
27 | | |
28 | | #include "gpg.h" |
29 | | #include "../common/util.h" |
30 | | #include "packet.h" |
31 | | #include "../common/iobuf.h" |
32 | | #include "options.h" |
33 | | #include "keydb.h" |
34 | | #include "filter.h" |
35 | | #include "main.h" |
36 | | #include "../common/status.h" |
37 | | #include "../common/i18n.h" |
38 | | #include "trustdb.h" |
39 | | #include "keyserver-internal.h" |
40 | | #include "photoid.h" |
41 | | #include "../common/mbox-util.h" |
42 | | #include "call-dirmngr.h" |
43 | | #include "../common/compliance.h" |
44 | | |
45 | | /* Put an upper limit on nested packets. The 32 is an arbitrary |
46 | | value, a much lower should actually be sufficient. */ |
47 | 12 | #define MAX_NESTING_DEPTH 32 |
48 | | |
49 | | |
50 | | /* An object to build a list of symkey packet info. */ |
51 | | struct symlist_item |
52 | | { |
53 | | struct symlist_item *next; |
54 | | int cipher_algo; |
55 | | enum gcry_cipher_modes cipher_mode; |
56 | | int other_error; |
57 | | }; |
58 | | |
59 | | |
60 | | /* |
61 | | * Object to hold the processing context. |
62 | | */ |
63 | | typedef struct mainproc_context *CTX; |
64 | | struct mainproc_context |
65 | | { |
66 | | ctrl_t ctrl; |
67 | | struct mainproc_context *anchor; /* May be useful in the future. */ |
68 | | PKT_public_key *last_pubkey; |
69 | | PKT_user_id *last_user_id; |
70 | | md_filter_context_t mfx; |
71 | | int sigs_only; /* Process only signatures and reject all other stuff. */ |
72 | | int encrypt_only; /* Process only encryption messages. */ |
73 | | |
74 | | /* Name of the file with the complete signature or the file with the |
75 | | detached signature. This is currently only used to deduce the |
76 | | file name of the data file if that has not been given. */ |
77 | | const char *sigfilename; |
78 | | |
79 | | /* A structure to describe the signed data in case of a detached |
80 | | signature. */ |
81 | | struct |
82 | | { |
83 | | /* A file descriptor of the signed data. Only used if not -1. */ |
84 | | gnupg_fd_t data_fd; |
85 | | /* A list of filenames with the data files or NULL. This is only |
86 | | used if DATA_FD is -1. */ |
87 | | strlist_t data_names; |
88 | | /* Flag to indicated that either one of the next previous fields |
89 | | is used. This is only needed for better readability. */ |
90 | | int used; |
91 | | } signed_data; |
92 | | |
93 | | DEK *dek; |
94 | | int last_was_session_key; |
95 | | kbnode_t list; /* The current list of packets. */ |
96 | | iobuf_t iobuf; /* Used to get the filename etc. */ |
97 | | int trustletter; /* Temporary usage in list_node. */ |
98 | | ulong symkeys; /* Number of symmetrically encrypted session keys. */ |
99 | | struct seskey_enc_list *sesenc_list; /* List of encryption packets. */ |
100 | | struct symlist_item *symenc_list; /* List of sym. encryption packets. */ |
101 | | int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */ |
102 | | int seen_pkt_encrypted_mdc; /* PKT_ENCRYPTED_MDC packet seen. */ |
103 | | struct { |
104 | | unsigned int sig_seen:1; /* Set to true if a signature packet |
105 | | has been seen. */ |
106 | | unsigned int data:1; /* Any data packet seen */ |
107 | | unsigned int uncompress_failed:1; |
108 | | } any; |
109 | | }; |
110 | | |
111 | | |
112 | | /* Counter with the number of literal data packets seen. Note that |
113 | | * this is also bumped at the end of an encryption. This counter is |
114 | | * used for a basic consistency check of a received PGP message. */ |
115 | | static int literals_seen; |
116 | | |
117 | | |
118 | | /*** Local prototypes. ***/ |
119 | | static int do_proc_packets (CTX c, iobuf_t a, int keep_dek_and_list); |
120 | | static void list_node (CTX c, kbnode_t node); |
121 | | static void proc_tree (CTX c, kbnode_t node); |
122 | | |
123 | | |
124 | | /*** Functions. ***/ |
125 | | |
126 | | /* Reset the literal data counter. This is required to setup a new |
127 | | * decryption or verification context. */ |
128 | | void |
129 | | reset_literals_seen(void) |
130 | 6 | { |
131 | 6 | literals_seen = 0; |
132 | 6 | } |
133 | | |
134 | | |
135 | | static void |
136 | | release_list( CTX c ) |
137 | 13 | { |
138 | 13 | proc_tree (c, c->list); |
139 | 13 | release_kbnode (c->list); |
140 | 13 | free_seskey_enc_list (c->sesenc_list); |
141 | 13 | c->sesenc_list = NULL; |
142 | 13 | while (c->symenc_list) |
143 | 0 | { |
144 | 0 | struct symlist_item *tmp = c->symenc_list->next; |
145 | 0 | xfree (c->symenc_list); |
146 | 0 | c->symenc_list = tmp; |
147 | 0 | } |
148 | 13 | c->symenc_list = NULL; |
149 | 13 | c->list = NULL; |
150 | 13 | c->any.data = 0; |
151 | 13 | c->any.uncompress_failed = 0; |
152 | 13 | c->last_was_session_key = 0; |
153 | 13 | c->seen_pkt_encrypted_aead = 0; |
154 | 13 | c->seen_pkt_encrypted_mdc = 0; |
155 | 13 | xfree (c->dek); |
156 | 13 | c->dek = NULL; |
157 | 13 | } |
158 | | |
159 | | |
160 | | static int |
161 | | add_onepass_sig (CTX c, PACKET *pkt) |
162 | 0 | { |
163 | 0 | kbnode_t node; |
164 | |
|
165 | 0 | if (c->list) /* Add another packet. */ |
166 | 0 | add_kbnode (c->list, new_kbnode (pkt)); |
167 | 0 | else /* Insert the first one. */ |
168 | 0 | c->list = node = new_kbnode (pkt); |
169 | |
|
170 | 0 | return 1; |
171 | 0 | } |
172 | | |
173 | | |
174 | | static int |
175 | | add_gpg_control (CTX c, PACKET *pkt) |
176 | 0 | { |
177 | 0 | if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START ) |
178 | 0 | { |
179 | | /* New clear text signature. |
180 | | * Process the last one and reset everything */ |
181 | 0 | release_list(c); |
182 | 0 | } |
183 | |
|
184 | 0 | if (c->list) /* Add another packet. */ |
185 | 0 | add_kbnode (c->list, new_kbnode (pkt)); |
186 | 0 | else /* Insert the first one. */ |
187 | 0 | c->list = new_kbnode (pkt); |
188 | |
|
189 | 0 | return 1; |
190 | 0 | } |
191 | | |
192 | | |
193 | | static int |
194 | | add_user_id (CTX c, PACKET *pkt) |
195 | 0 | { |
196 | 0 | if (!c->list) |
197 | 0 | { |
198 | 0 | log_error ("orphaned user ID\n"); |
199 | 0 | return 0; |
200 | 0 | } |
201 | 0 | add_kbnode (c->list, new_kbnode (pkt)); |
202 | 0 | return 1; |
203 | 0 | } |
204 | | |
205 | | |
206 | | static int |
207 | | add_subkey (CTX c, PACKET *pkt) |
208 | 0 | { |
209 | 0 | if (!c->list) |
210 | 0 | { |
211 | 0 | log_error ("subkey w/o mainkey\n"); |
212 | 0 | return 0; |
213 | 0 | } |
214 | 0 | add_kbnode (c->list, new_kbnode (pkt)); |
215 | 0 | return 1; |
216 | 0 | } |
217 | | |
218 | | |
219 | | static int |
220 | | add_ring_trust (CTX c, PACKET *pkt) |
221 | 0 | { |
222 | 0 | if (!c->list) |
223 | 0 | { |
224 | 0 | log_error ("ring trust w/o key\n"); |
225 | 0 | return 0; |
226 | 0 | } |
227 | 0 | add_kbnode (c->list, new_kbnode (pkt)); |
228 | 0 | return 1; |
229 | 0 | } |
230 | | |
231 | | |
232 | | static int |
233 | | add_signature (CTX c, PACKET *pkt) |
234 | 1 | { |
235 | 1 | kbnode_t node; |
236 | | |
237 | 1 | c->any.sig_seen = 1; |
238 | 1 | if (pkt->pkttype == PKT_SIGNATURE && !c->list) |
239 | 0 | { |
240 | | /* This is the first signature for the following datafile. |
241 | | * GPG does not write such packets; instead it always uses |
242 | | * onepass-sig packets. The drawback of PGP's method |
243 | | * of prepending the signature to the data is |
244 | | * that it is not possible to make a signature from data read |
245 | | * from stdin. (GPG is able to read PGP stuff anyway.) */ |
246 | 0 | node = new_kbnode (pkt); |
247 | 0 | c->list = node; |
248 | 0 | return 1; |
249 | 0 | } |
250 | 1 | else if (!c->list) |
251 | 0 | return 0; /* oops (invalid packet sequence)*/ |
252 | 1 | else if (!c->list->pkt) |
253 | 0 | BUG(); /* so nicht */ |
254 | | |
255 | | /* Add a new signature node item at the end. */ |
256 | 1 | node = new_kbnode (pkt); |
257 | 1 | add_kbnode (c->list, node); |
258 | | |
259 | 1 | return 1; |
260 | 1 | } |
261 | | |
262 | | static gpg_error_t |
263 | | symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen) |
264 | 0 | { |
265 | 0 | gpg_error_t err; |
266 | 0 | gcry_cipher_hd_t hd; |
267 | 0 | unsigned int noncelen, keylen; |
268 | 0 | enum gcry_cipher_modes ciphermode; |
269 | |
|
270 | 0 | if (dek->use_aead) |
271 | 0 | { |
272 | 0 | err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen); |
273 | 0 | if (err) |
274 | 0 | return err; |
275 | 0 | } |
276 | 0 | else |
277 | 0 | { |
278 | 0 | ciphermode = GCRY_CIPHER_MODE_CFB; |
279 | 0 | noncelen = 0; |
280 | 0 | } |
281 | | |
282 | | /* Check that the session key has a size of 16 to 32 bytes. */ |
283 | 0 | if ((dek->use_aead && (slen < (noncelen + 16 + 16) |
284 | 0 | || slen > (noncelen + 32 + 16))) |
285 | 0 | || (!dek->use_aead && (slen < 17 || slen > 33))) |
286 | 0 | { |
287 | 0 | log_error ( _("weird size for an encrypted session key (%d)\n"), |
288 | 0 | (int)slen); |
289 | 0 | return gpg_error (GPG_ERR_BAD_KEY); |
290 | 0 | } |
291 | | |
292 | 0 | err = openpgp_cipher_open (&hd, dek->algo, ciphermode, GCRY_CIPHER_SECURE); |
293 | 0 | if (!err) |
294 | 0 | err = gcry_cipher_setkey (hd, dek->key, dek->keylen); |
295 | 0 | if (!err) |
296 | 0 | err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen); |
297 | 0 | if (err) |
298 | 0 | goto leave; |
299 | | |
300 | 0 | if (dek->use_aead) |
301 | 0 | { |
302 | 0 | byte ad[4]; |
303 | |
|
304 | 0 | ad[0] = (0xc0 | PKT_SYMKEY_ENC); |
305 | 0 | ad[1] = 5; |
306 | 0 | ad[2] = dek->algo; |
307 | 0 | ad[3] = dek->use_aead; |
308 | 0 | err = gcry_cipher_authenticate (hd, ad, 4); |
309 | 0 | if (err) |
310 | 0 | goto leave; |
311 | 0 | gcry_cipher_final (hd); |
312 | 0 | keylen = slen - noncelen - 16; |
313 | 0 | err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0); |
314 | 0 | if (err) |
315 | 0 | goto leave; |
316 | 0 | err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16); |
317 | 0 | if (err) |
318 | 0 | goto leave; |
319 | | /* Now we replace the dek components with the real session key to |
320 | | * decrypt the contents of the sequencing packet. */ |
321 | 0 | if (keylen > DIM(dek->key)) |
322 | 0 | { |
323 | 0 | err = gpg_error (GPG_ERR_TOO_LARGE); |
324 | 0 | goto leave; |
325 | 0 | } |
326 | 0 | dek->keylen = keylen; |
327 | 0 | memcpy (dek->key, seskey + noncelen, dek->keylen); |
328 | 0 | } |
329 | 0 | else |
330 | 0 | { |
331 | 0 | gcry_cipher_decrypt (hd, seskey, slen, NULL, 0 ); |
332 | | /* Here we can only test whether the algo given in decrypted |
333 | | * session key is a valid OpenPGP algo. With 11 defined |
334 | | * symmetric algorithms we will miss 4.3% of wrong passphrases |
335 | | * here. The actual checking is done later during bulk |
336 | | * decryption; we can't bring this check forward easily. We |
337 | | * need to use the GPG_ERR_CHECKSUM so that we won't run into |
338 | | * the gnupg < 2.2 bug compatible case which would terminate the |
339 | | * process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above) |
340 | | * we will have a reliable test here. */ |
341 | 0 | if (openpgp_cipher_test_algo (seskey[0]) |
342 | 0 | || openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1) |
343 | 0 | { |
344 | 0 | err = gpg_error (GPG_ERR_CHECKSUM); |
345 | 0 | goto leave; |
346 | 0 | } |
347 | | |
348 | | /* Now we replace the dek components with the real session key to |
349 | | * decrypt the contents of the sequencing packet. */ |
350 | 0 | keylen = slen-1; |
351 | 0 | if (keylen > DIM(dek->key)) |
352 | 0 | { |
353 | 0 | err = gpg_error (GPG_ERR_TOO_LARGE); |
354 | 0 | goto leave; |
355 | 0 | } |
356 | 0 | dek->algo = seskey[0]; |
357 | 0 | dek->keylen = keylen; |
358 | 0 | memcpy (dek->key, seskey + 1, dek->keylen); |
359 | 0 | } |
360 | | |
361 | | /*log_hexdump( "thekey", dek->key, dek->keylen );*/ |
362 | | |
363 | 0 | leave: |
364 | 0 | gcry_cipher_close (hd); |
365 | 0 | return err; |
366 | 0 | } |
367 | | |
368 | | |
369 | | static void |
370 | | proc_symkey_enc (CTX c, PACKET *pkt) |
371 | 0 | { |
372 | 0 | gpg_error_t err; |
373 | 0 | PKT_symkey_enc *enc; |
374 | |
|
375 | 0 | enc = pkt->pkt.symkey_enc; |
376 | 0 | if (!enc) |
377 | 0 | log_error ("invalid symkey encrypted packet\n"); |
378 | 0 | else if(!c->dek) |
379 | 0 | { |
380 | 0 | int algo = enc->cipher_algo; |
381 | 0 | const char *s = openpgp_cipher_algo_name (algo); |
382 | 0 | const char *a = (enc->aead_algo ? openpgp_aead_algo_name (enc->aead_algo) |
383 | 0 | /**/ : "CFB"); |
384 | |
|
385 | 0 | if (!openpgp_cipher_test_algo (algo)) |
386 | 0 | { |
387 | 0 | if (!opt.quiet) |
388 | 0 | { |
389 | 0 | if (enc->seskeylen) |
390 | 0 | log_info (_("%s.%s encrypted session key\n"), s, a ); |
391 | 0 | else |
392 | 0 | log_info (_("%s.%s encrypted data\n"), s, a ); |
393 | 0 | } |
394 | 0 | } |
395 | 0 | else |
396 | 0 | { |
397 | 0 | log_error (_("encrypted with unknown algorithm %d.%s\n"), algo, a); |
398 | 0 | s = NULL; /* Force a goto leave. */ |
399 | 0 | } |
400 | |
|
401 | 0 | if (openpgp_md_test_algo (enc->s2k.hash_algo)) |
402 | 0 | { |
403 | 0 | log_error(_("passphrase generated with unknown digest" |
404 | 0 | " algorithm %d\n"),enc->s2k.hash_algo); |
405 | 0 | s = NULL; |
406 | 0 | } |
407 | |
|
408 | 0 | c->last_was_session_key = 2; |
409 | 0 | if (!s || opt.list_only) |
410 | 0 | goto leave; |
411 | | |
412 | 0 | if (opt.override_session_key) |
413 | 0 | { |
414 | 0 | c->dek = xmalloc_clear (sizeof *c->dek); |
415 | 0 | if (get_override_session_key (c->dek, opt.override_session_key)) |
416 | 0 | { |
417 | 0 | xfree (c->dek); |
418 | 0 | c->dek = NULL; |
419 | 0 | } |
420 | 0 | } |
421 | 0 | else |
422 | 0 | { |
423 | 0 | c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, |
424 | 0 | GETPASSWORD_FLAG_SYMDECRYPT, NULL); |
425 | 0 | if (c->dek) |
426 | 0 | { |
427 | 0 | c->dek->symmetric = 1; |
428 | 0 | c->dek->use_aead = enc->aead_algo; |
429 | | |
430 | | /* FIXME: This doesn't work perfectly if a symmetric key |
431 | | comes before a public key in the message - if the |
432 | | user doesn't know the passphrase, then there is a |
433 | | chance that the "decrypted" algorithm will happen to |
434 | | be a valid one, which will make the returned dek |
435 | | appear valid, so we won't try any public keys that |
436 | | come later. */ |
437 | 0 | if (enc->seskeylen) |
438 | 0 | { |
439 | 0 | err = symkey_decrypt_seskey (c->dek, |
440 | 0 | enc->seskey, enc->seskeylen); |
441 | 0 | if (err) |
442 | 0 | { |
443 | 0 | log_info ("decryption of the symmetrically encrypted" |
444 | 0 | " session key failed: %s\n", |
445 | 0 | gpg_strerror (err)); |
446 | 0 | if (gpg_err_code (err) != GPG_ERR_BAD_KEY |
447 | 0 | && gpg_err_code (err) != GPG_ERR_CHECKSUM) |
448 | 0 | log_fatal ("process terminated to be bug compatible" |
449 | 0 | " with GnuPG <= 2.2\n"); |
450 | 0 | else |
451 | 0 | write_status_text (STATUS_ERROR, |
452 | 0 | "symkey_decrypt.maybe_error" |
453 | 0 | " 11_BAD_PASSPHRASE"); |
454 | | |
455 | 0 | if (c->dek->s2k_cacheid[0]) |
456 | 0 | { |
457 | 0 | if (opt.debug) |
458 | 0 | log_debug ("cleared passphrase cached with ID:" |
459 | 0 | " %s\n", c->dek->s2k_cacheid); |
460 | 0 | passphrase_clear_cache (c->dek->s2k_cacheid); |
461 | 0 | } |
462 | 0 | xfree (c->dek); |
463 | 0 | c->dek = NULL; |
464 | 0 | } |
465 | 0 | } |
466 | 0 | else |
467 | 0 | c->dek->algo_info_printed = 1; |
468 | 0 | } |
469 | 0 | } |
470 | 0 | } |
471 | | |
472 | 0 | leave: |
473 | | /* Record infos from the packet. */ |
474 | 0 | { |
475 | 0 | struct symlist_item *symitem; |
476 | 0 | symitem = xcalloc (1, sizeof *symitem); |
477 | 0 | if (enc) |
478 | 0 | { |
479 | 0 | symitem->cipher_algo = enc->cipher_algo; |
480 | 0 | symitem->cipher_mode = !enc->aead_algo; |
481 | 0 | symitem->cipher_mode |
482 | 0 | = (enc->aead_algo == AEAD_ALGO_NONE? GCRY_CIPHER_MODE_CFB : |
483 | 0 | enc->aead_algo == AEAD_ALGO_OCB? GCRY_CIPHER_MODE_OCB : |
484 | 0 | GCRY_CIPHER_MODE_NONE); |
485 | 0 | } |
486 | 0 | else |
487 | 0 | symitem->other_error = 1; |
488 | 0 | symitem->next = c->symenc_list; |
489 | 0 | c->symenc_list = symitem; |
490 | 0 | } |
491 | 0 | c->symkeys++; |
492 | 0 | free_packet (pkt, NULL); |
493 | 0 | } |
494 | | |
495 | | |
496 | | static void |
497 | | proc_pubkey_enc (CTX c, PACKET *pkt) |
498 | 0 | { |
499 | 0 | PKT_pubkey_enc *enc; |
500 | | |
501 | | /* Check whether the secret key is available and store in this case. */ |
502 | 0 | c->last_was_session_key = 1; |
503 | 0 | enc = pkt->pkt.pubkey_enc; |
504 | | /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/ |
505 | | /* Hmmm: why do I have this algo check here - anyway there is |
506 | | * function to check it. */ |
507 | 0 | if (opt.verbose) |
508 | 0 | log_info (_("public key is %s\n"), keystr (enc->keyid)); |
509 | |
|
510 | 0 | if (is_status_enabled ()) |
511 | 0 | { |
512 | 0 | char buf[50]; |
513 | 0 | snprintf (buf, sizeof buf, "%08lX%08lX %d 0", |
514 | 0 | (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo); |
515 | 0 | write_status_text (STATUS_ENC_TO, buf); |
516 | 0 | } |
517 | |
|
518 | 0 | if (!opt.list_only && !opt.override_session_key) |
519 | 0 | { |
520 | 0 | struct seskey_enc_list *x = xcalloc (1, sizeof *x); |
521 | |
|
522 | 0 | copy_pubkey_enc_parts (&x->u.pub, enc); |
523 | 0 | x->result = -1; |
524 | 0 | x->next = c->sesenc_list; |
525 | 0 | c->sesenc_list = x; |
526 | 0 | } |
527 | |
|
528 | 0 | free_packet(pkt, NULL); |
529 | 0 | } |
530 | | |
531 | | |
532 | | /* |
533 | | * Print the list of public key encrypted packets which we could |
534 | | * not decrypt. |
535 | | */ |
536 | | static void |
537 | | print_sesenc_list (ctrl_t ctrl, struct seskey_enc_list *list) |
538 | 0 | { |
539 | 0 | for (; list; list = list->next) |
540 | 0 | { |
541 | 0 | PKT_public_key *pk; |
542 | 0 | char pkstrbuf[PUBKEY_STRING_SIZE]; |
543 | 0 | char *p; |
544 | |
|
545 | 0 | if (list->u_sym) |
546 | 0 | continue; |
547 | | |
548 | 0 | pk = xmalloc_clear (sizeof *pk); |
549 | |
|
550 | 0 | pk->pubkey_algo = list->u.pub.pubkey_algo; |
551 | 0 | if (!get_pubkey (ctrl, pk, list->u.pub.keyid)) |
552 | 0 | { |
553 | 0 | pubkey_string (pk, pkstrbuf, sizeof pkstrbuf); |
554 | |
|
555 | 0 | log_info (_("encrypted with %s key, ID %s, created %s\n"), |
556 | 0 | pkstrbuf, keystr_from_pk (pk), |
557 | 0 | strtimestamp (pk->timestamp)); |
558 | 0 | p = get_user_id_native (ctrl, list->u.pub.keyid); |
559 | 0 | log_printf (_(" \"%s\"\n"), p); |
560 | 0 | xfree (p); |
561 | 0 | } |
562 | 0 | else |
563 | 0 | log_info (_("encrypted with %s key, ID %s\n"), |
564 | 0 | openpgp_pk_algo_name (list->u.pub.pubkey_algo), |
565 | 0 | keystr (list->u.pub.keyid)); |
566 | |
|
567 | 0 | if (opt.flags.require_pqc_encryption |
568 | 0 | && pk->pubkey_algo != PUBKEY_ALGO_KYBER) |
569 | 0 | log_info (_("WARNING: key is not quantum-resistant\n")); |
570 | |
|
571 | 0 | free_public_key (pk); |
572 | 0 | } |
573 | 0 | } |
574 | | |
575 | | |
576 | | static void |
577 | | proc_encrypted (CTX c, PACKET *pkt) |
578 | 0 | { |
579 | 0 | int result = 0; |
580 | 0 | int early_plaintext = literals_seen; |
581 | 0 | unsigned int compliance_de_vs = 0; |
582 | 0 | enum gcry_cipher_modes ciphermode; |
583 | 0 | int unknown_ciphermode; |
584 | |
|
585 | 0 | if (pkt) |
586 | 0 | { |
587 | 0 | if (pkt->pkttype == PKT_ENCRYPTED_AEAD) |
588 | 0 | c->seen_pkt_encrypted_aead = 1; |
589 | 0 | if (pkt->pkttype == PKT_ENCRYPTED_MDC) |
590 | 0 | c->seen_pkt_encrypted_mdc = 1; |
591 | 0 | } |
592 | 0 | else /* No PKT indicates the add-recipients mode. */ |
593 | 0 | log_assert (c->ctrl->modify_recipients); |
594 | | |
595 | 0 | if (early_plaintext) |
596 | 0 | { |
597 | 0 | log_info (_("WARNING: multiple plaintexts seen\n")); |
598 | 0 | write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA); |
599 | | /* We fail only later so that we can print some more info first. */ |
600 | 0 | } |
601 | |
|
602 | 0 | if (!opt.quiet) |
603 | 0 | { |
604 | 0 | if (c->symkeys>1) |
605 | 0 | log_info (_("encrypted with %lu passphrases\n"), c->symkeys); |
606 | 0 | else if (c->symkeys == 1) |
607 | 0 | log_info (_("encrypted with 1 passphrase\n")); |
608 | 0 | print_sesenc_list (c->ctrl, c->sesenc_list); |
609 | 0 | } |
610 | | |
611 | | /* Figure out the session key by looking at all pkenc packets. */ |
612 | 0 | if (opt.list_only || c->dek) |
613 | 0 | ; |
614 | 0 | else if (opt.override_session_key) |
615 | 0 | { |
616 | 0 | c->dek = xmalloc_clear (sizeof *c->dek); |
617 | 0 | result = get_override_session_key (c->dek, opt.override_session_key); |
618 | 0 | if (result) |
619 | 0 | { |
620 | 0 | xfree (c->dek); |
621 | 0 | c->dek = NULL; |
622 | 0 | log_info (_("public key decryption failed: %s\n"), |
623 | 0 | gpg_strerror (result)); |
624 | 0 | write_status_error ("pkdecrypt_failed", result); |
625 | 0 | } |
626 | 0 | } |
627 | 0 | else if (c->sesenc_list) |
628 | 0 | { |
629 | 0 | c->dek = xmalloc_secure_clear (sizeof *c->dek); |
630 | 0 | result = get_session_key (c->ctrl, c->sesenc_list, c->dek); |
631 | 0 | if (is_status_enabled ()) |
632 | 0 | { |
633 | 0 | struct seskey_enc_list *list; |
634 | |
|
635 | 0 | for (list = c->sesenc_list; list; list = list->next) |
636 | 0 | if (list->result && !list->u_sym) |
637 | 0 | { /* Key was not tried or it caused an error. */ |
638 | 0 | char buf[20]; |
639 | 0 | snprintf (buf, sizeof buf, "%08lX%08lX", |
640 | 0 | (ulong)list->u.pub.keyid[0], |
641 | 0 | (ulong)list->u.pub.keyid[1]); |
642 | 0 | write_status_text (STATUS_NO_SECKEY, buf); |
643 | 0 | } |
644 | 0 | } |
645 | |
|
646 | 0 | if (result) |
647 | 0 | { |
648 | 0 | log_info (_("public key decryption failed: %s\n"), |
649 | 0 | gpg_strerror (result)); |
650 | 0 | write_status_error ("pkdecrypt_failed", result); |
651 | | |
652 | | /* Error: Delete the DEK. */ |
653 | 0 | xfree (c->dek); |
654 | 0 | c->dek = NULL; |
655 | 0 | } |
656 | 0 | } |
657 | |
|
658 | 0 | if (c->dek && opt.verbose > 1) |
659 | 0 | log_info (_("public key encrypted data: good DEK\n")); |
660 | |
|
661 | 0 | if (c->ctrl->modify_recipients) |
662 | 0 | { |
663 | 0 | if (c->anchor) |
664 | 0 | { |
665 | 0 | log_error ("command not possible with nested data\n"); |
666 | 0 | write_status_errcode ("decryption.mod_recp", GPG_ERR_BAD_DATA); |
667 | 0 | xfree (c->dek); |
668 | 0 | c->dek = NULL; |
669 | 0 | return; |
670 | 0 | } |
671 | 0 | literals_seen++; |
672 | | /* Simply return here. Our caller will then test for DEK and |
673 | | * the PK_list to decide whether decryption worked. */ |
674 | 0 | return; |
675 | 0 | } |
676 | | |
677 | 0 | if (!opt.show_only_session_key) |
678 | 0 | write_status (STATUS_BEGIN_DECRYPTION); |
679 | | |
680 | | /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/ |
681 | 0 | if (opt.list_only) |
682 | 0 | result = -1; |
683 | 0 | else if (!c->dek && !c->last_was_session_key) |
684 | 0 | { |
685 | 0 | int algo; |
686 | 0 | STRING2KEY s2kbuf; |
687 | 0 | STRING2KEY *s2k = NULL; |
688 | 0 | int canceled; |
689 | |
|
690 | 0 | if (opt.override_session_key) |
691 | 0 | { |
692 | 0 | c->dek = xmalloc_clear (sizeof *c->dek); |
693 | 0 | result = get_override_session_key (c->dek, opt.override_session_key); |
694 | 0 | if (result) |
695 | 0 | { |
696 | 0 | xfree (c->dek); |
697 | 0 | c->dek = NULL; |
698 | 0 | } |
699 | 0 | } |
700 | 0 | else |
701 | 0 | { |
702 | | /* Assume this is old style conventional encrypted data. */ |
703 | 0 | algo = opt.def_cipher_algo; |
704 | 0 | if (algo) |
705 | 0 | log_info (_("assuming %s encrypted data\n"), |
706 | 0 | openpgp_cipher_algo_name (algo)); |
707 | 0 | else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA)) |
708 | 0 | { |
709 | 0 | algo = opt.def_cipher_algo; |
710 | 0 | if (!algo) |
711 | 0 | algo = opt.s2k_cipher_algo; |
712 | 0 | log_info (_("IDEA cipher unavailable, " |
713 | 0 | "optimistically attempting to use %s instead\n"), |
714 | 0 | openpgp_cipher_algo_name (algo)); |
715 | 0 | } |
716 | 0 | else |
717 | 0 | { |
718 | 0 | algo = CIPHER_ALGO_IDEA; |
719 | 0 | if (!opt.s2k_digest_algo) |
720 | 0 | { |
721 | | /* If no digest is given we assume SHA-1. */ |
722 | 0 | s2kbuf.mode = 0; |
723 | 0 | s2kbuf.hash_algo = DIGEST_ALGO_SHA1; |
724 | 0 | s2k = &s2kbuf; |
725 | 0 | } |
726 | 0 | log_info (_("assuming %s encrypted data\n"), "IDEA"); |
727 | 0 | } |
728 | |
|
729 | 0 | c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, |
730 | 0 | GETPASSWORD_FLAG_SYMDECRYPT, &canceled); |
731 | 0 | if (c->dek) |
732 | 0 | c->dek->algo_info_printed = 1; |
733 | 0 | else if (canceled) |
734 | 0 | result = gpg_error (GPG_ERR_CANCELED); |
735 | 0 | else |
736 | 0 | result = gpg_error (GPG_ERR_INV_PASSPHRASE); |
737 | 0 | } |
738 | 0 | } |
739 | 0 | else if (!c->dek) |
740 | 0 | { |
741 | 0 | if (c->symkeys && !c->sesenc_list) |
742 | 0 | result = gpg_error (GPG_ERR_BAD_KEY); |
743 | |
|
744 | 0 | if (!result) |
745 | 0 | result = gpg_error (GPG_ERR_NO_SECKEY); |
746 | 0 | } |
747 | | |
748 | | /* We need to know the ciphermode for gnupg_cipher_is_compliant. */ |
749 | 0 | unknown_ciphermode = 0; |
750 | 0 | if (pkt->pkt.encrypted->aead_algo) |
751 | 0 | { |
752 | 0 | unsigned int dummy; |
753 | 0 | if (openpgp_aead_algo_info (pkt->pkt.encrypted->aead_algo, |
754 | 0 | &ciphermode, &dummy)) |
755 | 0 | unknown_ciphermode = 1; /* error -> unknown mode */ |
756 | 0 | } |
757 | 0 | else |
758 | 0 | ciphermode = GCRY_CIPHER_MODE_CFB; |
759 | | |
760 | | /* Compute compliance with CO_DE_VS. */ |
761 | 0 | if (!result && (is_status_enabled () || opt.flags.require_compliance) |
762 | | /* Overriding session key voids compliance. */ |
763 | 0 | && !opt.override_session_key |
764 | | /* Check symmetric cipher. */ |
765 | 0 | && gnupg_gcrypt_is_compliant (CO_DE_VS) |
766 | 0 | && !unknown_ciphermode |
767 | 0 | && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, ciphermode)) |
768 | 0 | { |
769 | 0 | struct seskey_enc_list *i; |
770 | 0 | struct symlist_item *si; |
771 | 0 | int compliant = 1; |
772 | 0 | PKT_public_key *pk = xmalloc (sizeof *pk); |
773 | |
|
774 | 0 | if ( !(c->sesenc_list || c->symkeys) ) |
775 | 0 | log_debug ("%s: where else did the session key come from?\n", __func__); |
776 | | |
777 | | /* Check that all seen symmetric key packets use compliant |
778 | | * algos. This is so that no non-compliant encrypted session |
779 | | * key can be sneaked in. */ |
780 | 0 | for (si = c->symenc_list; si && compliant; si = si->next) |
781 | 0 | { |
782 | 0 | if (si->cipher_mode == GCRY_CIPHER_MODE_NONE |
783 | 0 | || !gnupg_cipher_is_compliant (CO_DE_VS, si->cipher_algo, |
784 | 0 | si->cipher_mode)) |
785 | 0 | compliant = 0; |
786 | 0 | } |
787 | | |
788 | | /* Check that every known public key used to encrypt the session key |
789 | | * is compliant. */ |
790 | 0 | for (i = c->sesenc_list; i && compliant; i = i->next) |
791 | 0 | { |
792 | 0 | if (i->u_sym) |
793 | 0 | continue; |
794 | 0 | memset (pk, 0, sizeof *pk); |
795 | 0 | pk->pubkey_algo = i->u.pub.pubkey_algo; |
796 | 0 | if (!get_pubkey (c->ctrl, pk, i->u.pub.keyid) |
797 | 0 | && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, |
798 | 0 | pk->pkey, nbits_from_pk (pk), NULL)) |
799 | 0 | compliant = 0; |
800 | 0 | release_public_key_parts (pk); |
801 | 0 | } |
802 | |
|
803 | 0 | xfree (pk); |
804 | |
|
805 | 0 | if (compliant) |
806 | 0 | compliance_de_vs |= 1; |
807 | 0 | } |
808 | |
|
809 | 0 | if (!result) |
810 | 0 | { |
811 | 0 | int compl_error; |
812 | 0 | result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek, |
813 | 0 | &compl_error); |
814 | 0 | if (!result && !compl_error) |
815 | 0 | compliance_de_vs |= 2; |
816 | 0 | } |
817 | | |
818 | | /* Trigger the deferred error. */ |
819 | 0 | if (!result && early_plaintext) |
820 | 0 | result = gpg_error (GPG_ERR_BAD_DATA); |
821 | 0 | else if (!result && opt.show_only_session_key) |
822 | 0 | result = -1; |
823 | | |
824 | |
|
825 | 0 | if (result == -1) |
826 | 0 | ; |
827 | 0 | else if (!result |
828 | 0 | && !opt.ignore_mdc_error |
829 | 0 | && !pkt->pkt.encrypted->mdc_method |
830 | 0 | && !pkt->pkt.encrypted->aead_algo) |
831 | 0 | { |
832 | | /* The message has been decrypted but does not carry an MDC or |
833 | | * uses AEAD encryption. --ignore-mdc-error has also not been |
834 | | * used. To avoid attacks changing an MDC message to a non-MDC |
835 | | * message, we fail here. */ |
836 | 0 | log_error (_("WARNING: message was not integrity protected\n")); |
837 | 0 | if (!pkt->pkt.encrypted->mdc_method |
838 | 0 | && (openpgp_cipher_get_algo_blklen (c->dek->algo) == 8 |
839 | 0 | || c->dek->algo == CIPHER_ALGO_TWOFISH)) |
840 | 0 | { |
841 | | /* Before 2.2.8 we did not fail hard for a missing MDC if |
842 | | * one of the old ciphers where used. Although these cases |
843 | | * are rare in practice we print a hint on how to decrypt |
844 | | * such messages. */ |
845 | 0 | log_string |
846 | 0 | (GPGRT_LOGLVL_INFO, |
847 | 0 | _("Hint: If this message was created before the year 2003 it is\n" |
848 | 0 | "likely that this message is legitimate. This is because back\n" |
849 | 0 | "then integrity protection was not widely used.\n")); |
850 | 0 | log_info (_("Use the option '%s' to decrypt anyway.\n"), |
851 | 0 | "--ignore-mdc-error"); |
852 | 0 | write_status_errcode ("nomdc_with_legacy_cipher", |
853 | 0 | GPG_ERR_DECRYPT_FAILED); |
854 | 0 | } |
855 | 0 | log_info (_("decryption forced to fail!\n")); |
856 | 0 | write_status (STATUS_DECRYPTION_FAILED); |
857 | 0 | } |
858 | 0 | else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE |
859 | 0 | && !pkt->pkt.encrypted->aead_algo |
860 | 0 | && opt.ignore_mdc_error)) |
861 | 0 | { |
862 | | /* All is fine or for an MDC message the MDC failed but the |
863 | | * --ignore-mdc-error option is active. For compatibility |
864 | | * reasons we issue GOODMDC also for AEAD messages. */ |
865 | 0 | write_status (STATUS_DECRYPTION_OKAY); |
866 | 0 | if (opt.verbose > 1) |
867 | 0 | log_info(_("decryption okay\n")); |
868 | |
|
869 | 0 | if (pkt->pkt.encrypted->aead_algo) |
870 | 0 | { |
871 | 0 | write_status (STATUS_GOODMDC); |
872 | 0 | compliance_de_vs |= 4; |
873 | 0 | } |
874 | 0 | else if (pkt->pkt.encrypted->mdc_method && !result) |
875 | 0 | { |
876 | 0 | write_status (STATUS_GOODMDC); |
877 | 0 | compliance_de_vs |= 4; |
878 | 0 | } |
879 | 0 | else |
880 | 0 | log_info (_("WARNING: message was not integrity protected\n")); |
881 | 0 | } |
882 | 0 | else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE |
883 | 0 | || gpg_err_code (result) == GPG_ERR_TRUNCATED) |
884 | 0 | { |
885 | 0 | glo_ctrl.lasterr = result; |
886 | 0 | log_error (_("WARNING: encrypted message has been manipulated!\n")); |
887 | 0 | write_status (STATUS_BADMDC); |
888 | 0 | write_status (STATUS_DECRYPTION_FAILED); |
889 | 0 | } |
890 | 0 | else |
891 | 0 | { |
892 | 0 | if (gpg_err_code (result) == GPG_ERR_BAD_KEY |
893 | 0 | || gpg_err_code (result) == GPG_ERR_CHECKSUM |
894 | 0 | || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO) |
895 | 0 | { |
896 | 0 | if (c->symkeys) |
897 | 0 | write_status_text (STATUS_ERROR, |
898 | 0 | "symkey_decrypt.maybe_error" |
899 | 0 | " 11_BAD_PASSPHRASE"); |
900 | |
|
901 | 0 | if (c->dek && *c->dek->s2k_cacheid != '\0') |
902 | 0 | { |
903 | 0 | if (opt.debug) |
904 | 0 | log_debug ("cleared passphrase cached with ID: %s\n", |
905 | 0 | c->dek->s2k_cacheid); |
906 | 0 | passphrase_clear_cache (c->dek->s2k_cacheid); |
907 | 0 | } |
908 | 0 | } |
909 | 0 | glo_ctrl.lasterr = result; |
910 | 0 | write_status (STATUS_DECRYPTION_FAILED); |
911 | 0 | log_error (_("decryption failed: %s\n"), gpg_strerror (result)); |
912 | | /* Hmmm: does this work when we have encrypted using multiple |
913 | | * ways to specify the session key (symmmetric and PK). */ |
914 | 0 | } |
915 | | |
916 | | |
917 | | /* If we concluded that the decryption was compliant, issue a |
918 | | * compliance status before the end of the decryption status. */ |
919 | 0 | if (compliance_de_vs == (4|2|1)) |
920 | 0 | { |
921 | 0 | write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE, |
922 | 0 | gnupg_status_compliance_flag (CO_DE_VS), |
923 | 0 | NULL); |
924 | 0 | } |
925 | |
|
926 | 0 | xfree (c->dek); |
927 | 0 | c->dek = NULL; |
928 | 0 | free_packet (pkt, NULL); |
929 | 0 | c->last_was_session_key = 0; |
930 | |
|
931 | 0 | if (!opt.show_only_session_key) |
932 | 0 | write_status (STATUS_END_DECRYPTION); |
933 | | |
934 | | /* Bump the counter even if we have not seen a literal data packet |
935 | | * inside an encryption container. This acts as a sentinel in case |
936 | | * a misplace extra literal data packets follows after this |
937 | | * encrypted packet. */ |
938 | 0 | literals_seen++; |
939 | | |
940 | | /* The --require-compliance option allows one to simplify decryption in |
941 | | * de-vs compliance mode by just looking at the exit status. */ |
942 | 0 | if (opt.flags.require_compliance |
943 | 0 | && opt.compliance == CO_DE_VS |
944 | 0 | && compliance_de_vs != (4|2|1) |
945 | 0 | && !opt.show_only_session_key) |
946 | 0 | { |
947 | 0 | log_error (_("operation forced to fail due to" |
948 | 0 | " unfulfilled compliance rules\n")); |
949 | 0 | g10_errors_seen = 1; |
950 | 0 | } |
951 | 0 | } |
952 | | |
953 | | |
954 | | static int |
955 | | have_seen_pkt_encrypted_aead_or_mdc( CTX c ) |
956 | 0 | { |
957 | 0 | CTX cc; |
958 | |
|
959 | 0 | for (cc = c; cc; cc = cc->anchor) |
960 | 0 | { |
961 | 0 | if (cc->seen_pkt_encrypted_aead) |
962 | 0 | return 1; |
963 | 0 | if (cc->seen_pkt_encrypted_mdc) |
964 | 0 | return 1; |
965 | 0 | } |
966 | | |
967 | 0 | return 0; |
968 | 0 | } |
969 | | |
970 | | |
971 | | static void |
972 | | proc_plaintext( CTX c, PACKET *pkt ) |
973 | 0 | { |
974 | 0 | PKT_plaintext *pt = pkt->pkt.plaintext; |
975 | 0 | int any, clearsig, rc; |
976 | 0 | kbnode_t n; |
977 | 0 | unsigned char *extrahash; |
978 | 0 | size_t extrahashlen; |
979 | | |
980 | | /* This is a literal data packet. Bump a counter for later checks. */ |
981 | 0 | literals_seen++; |
982 | |
|
983 | 0 | if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8)) |
984 | 0 | log_info (_("Note: sender requested \"for-your-eyes-only\"\n")); |
985 | 0 | else if (opt.verbose) |
986 | 0 | { |
987 | | /* We don't use print_utf8_buffer because that would require a |
988 | | * string change which we don't want in 2.2. It is also not |
989 | | * clear whether the filename is always utf-8 encoded. */ |
990 | 0 | char *tmp = make_printable_string (pt->name, pt->namelen, 0); |
991 | 0 | log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); |
992 | 0 | xfree (tmp); |
993 | 0 | } |
994 | |
|
995 | 0 | free_md_filter_context (&c->mfx); |
996 | 0 | if (gcry_md_open (&c->mfx.md, 0, 0)) |
997 | 0 | BUG (); |
998 | | /* fixme: we may need to push the textfilter if we have sigclass 1 |
999 | | * and no armoring - Not yet tested |
1000 | | * Hmmm, why don't we need it at all if we have sigclass 1 |
1001 | | * Should we assume that plaintext in mode 't' has always sigclass 1?? |
1002 | | * See: Russ Allbery's mail 1999-02-09 |
1003 | | */ |
1004 | 0 | any = clearsig = 0; |
1005 | 0 | for (n=c->list; n; n = n->next ) |
1006 | 0 | { |
1007 | 0 | if (n->pkt->pkttype == PKT_ONEPASS_SIG) |
1008 | 0 | { |
1009 | | /* The onepass signature case. */ |
1010 | 0 | if (n->pkt->pkt.onepass_sig->digest_algo) |
1011 | 0 | { |
1012 | 0 | if (!opt.skip_verify) |
1013 | 0 | gcry_md_enable (c->mfx.md, |
1014 | 0 | n->pkt->pkt.onepass_sig->digest_algo); |
1015 | |
|
1016 | 0 | any = 1; |
1017 | 0 | } |
1018 | 0 | } |
1019 | 0 | else if (n->pkt->pkttype == PKT_GPG_CONTROL |
1020 | 0 | && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START) |
1021 | 0 | { |
1022 | | /* The clearsigned message case. */ |
1023 | 0 | size_t datalen = n->pkt->pkt.gpg_control->datalen; |
1024 | 0 | const byte *data = n->pkt->pkt.gpg_control->data; |
1025 | | |
1026 | | /* Check that we have at least the sigclass and one hash. */ |
1027 | 0 | if (datalen < 2) |
1028 | 0 | log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n"); |
1029 | | /* Note that we don't set the clearsig flag for not-dash-escaped |
1030 | | * documents. */ |
1031 | 0 | clearsig = (*data == 0x01); |
1032 | 0 | for (data++, datalen--; datalen; datalen--, data++) |
1033 | 0 | if (!opt.skip_verify) |
1034 | 0 | gcry_md_enable (c->mfx.md, *data); |
1035 | 0 | any = 1; |
1036 | 0 | break; /* Stop here as one-pass signature packets are not |
1037 | | expected. */ |
1038 | 0 | } |
1039 | 0 | else if (n->pkt->pkttype == PKT_SIGNATURE) |
1040 | 0 | { |
1041 | | /* The SIG+LITERAL case that PGP used to use. */ |
1042 | 0 | if (!opt.skip_verify) |
1043 | 0 | gcry_md_enable (c->mfx.md, n->pkt->pkt.signature->digest_algo); |
1044 | 0 | any = 1; |
1045 | 0 | } |
1046 | 0 | } |
1047 | | |
1048 | 0 | if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead_or_mdc(c)) |
1049 | 0 | { |
1050 | | /* This is for the old GPG LITERAL+SIG case. It's not legal |
1051 | | according to 2440, so hopefully it won't come up that often. |
1052 | | There is no good way to specify what algorithms to use in |
1053 | | that case, so these there are the historical answer. */ |
1054 | 0 | gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); |
1055 | 0 | gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1); |
1056 | 0 | } |
1057 | 0 | if (DBG_HASHING) |
1058 | 0 | { |
1059 | 0 | gcry_md_debug (c->mfx.md, "verify"); |
1060 | 0 | if (c->mfx.md2) |
1061 | 0 | gcry_md_debug (c->mfx.md2, "verify2"); |
1062 | 0 | } |
1063 | |
|
1064 | 0 | rc=0; |
1065 | |
|
1066 | 0 | if (literals_seen > 1) |
1067 | 0 | { |
1068 | 0 | log_info (_("WARNING: multiple plaintexts seen\n")); |
1069 | |
|
1070 | 0 | write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA"); |
1071 | 0 | log_inc_errorcount (); |
1072 | 0 | rc = gpg_error (GPG_ERR_UNEXPECTED); |
1073 | 0 | } |
1074 | |
|
1075 | 0 | if (!rc) |
1076 | 0 | { |
1077 | | /* It we are in --verify mode, we do not want to output the |
1078 | | * signed text. However, if --output is also used we do what |
1079 | | * has been requested and write out the signed data. */ |
1080 | 0 | rc = handle_plaintext (pt, &c->mfx, |
1081 | 0 | (opt.outfp || opt.outfile)? 0 : c->sigs_only, |
1082 | 0 | clearsig); |
1083 | 0 | if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only) |
1084 | 0 | { |
1085 | | /* Can't write output but we hash it anyway to check the |
1086 | | signature. */ |
1087 | 0 | rc = handle_plaintext( pt, &c->mfx, 1, clearsig ); |
1088 | 0 | } |
1089 | 0 | } |
1090 | |
|
1091 | 0 | if (rc) |
1092 | 0 | log_error ("handle plaintext failed: %s\n", gpg_strerror (rc)); |
1093 | | |
1094 | | /* We add a marker control packet instead of the plaintext packet. |
1095 | | * This is so that we can later detect invalid packet sequences. |
1096 | | * The packet is further used to convey extra data from the |
1097 | | * plaintext packet to the signature verification. */ |
1098 | 0 | extrahash = xtrymalloc (6 + pt->namelen); |
1099 | 0 | if (!extrahash) |
1100 | 0 | { |
1101 | | /* No way to return an error. */ |
1102 | 0 | rc = gpg_error_from_syserror (); |
1103 | 0 | log_error ("malloc failed in %s: %s\n", __func__, gpg_strerror (rc)); |
1104 | 0 | extrahashlen = 0; |
1105 | 0 | } |
1106 | 0 | else |
1107 | 0 | { |
1108 | 0 | extrahash[0] = pt->mode; |
1109 | 0 | extrahash[1] = pt->namelen; |
1110 | 0 | if (pt->namelen) |
1111 | 0 | memcpy (extrahash+2, pt->name, pt->namelen); |
1112 | 0 | extrahashlen = 2 + pt->namelen; |
1113 | 0 | extrahash[extrahashlen++] = pt->timestamp >> 24; |
1114 | 0 | extrahash[extrahashlen++] = pt->timestamp >> 16; |
1115 | 0 | extrahash[extrahashlen++] = pt->timestamp >> 8; |
1116 | 0 | extrahash[extrahashlen++] = pt->timestamp ; |
1117 | 0 | } |
1118 | |
|
1119 | 0 | free_packet (pkt, NULL); |
1120 | 0 | c->last_was_session_key = 0; |
1121 | |
|
1122 | 0 | n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, |
1123 | 0 | extrahash, extrahashlen)); |
1124 | 0 | xfree (extrahash); |
1125 | 0 | if (c->list) |
1126 | 0 | add_kbnode (c->list, n); |
1127 | 0 | else |
1128 | 0 | c->list = n; |
1129 | 0 | } |
1130 | | |
1131 | | |
1132 | | static int |
1133 | | proc_compressed_cb (iobuf_t a, void *info) |
1134 | 0 | { |
1135 | 0 | if ( ((CTX)info)->signed_data.used |
1136 | 0 | && ((CTX)info)->signed_data.data_fd != GNUPG_INVALID_FD) |
1137 | 0 | return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a, |
1138 | 0 | ((CTX)info)->signed_data.data_fd); |
1139 | 0 | else |
1140 | 0 | return proc_signature_packets (((CTX)info)->ctrl, info, a, |
1141 | 0 | ((CTX)info)->signed_data.data_names, |
1142 | 0 | ((CTX)info)->sigfilename ); |
1143 | 0 | } |
1144 | | |
1145 | | |
1146 | | static int |
1147 | | proc_encrypt_cb (iobuf_t a, void *info ) |
1148 | 0 | { |
1149 | 0 | CTX c = info; |
1150 | 0 | return proc_encryption_packets (c->ctrl, info, a, NULL, NULL); |
1151 | 0 | } |
1152 | | |
1153 | | |
1154 | | static int |
1155 | | proc_compressed (CTX c, PACKET *pkt) |
1156 | 0 | { |
1157 | 0 | PKT_compressed *zd = pkt->pkt.compressed; |
1158 | 0 | int rc; |
1159 | | |
1160 | | /*printf("zip: compressed data packet\n");*/ |
1161 | 0 | if (c->sigs_only) |
1162 | 0 | rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c); |
1163 | 0 | else if( c->encrypt_only ) |
1164 | 0 | rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c); |
1165 | 0 | else |
1166 | 0 | rc = handle_compressed (c->ctrl, c, zd, NULL, NULL); |
1167 | |
|
1168 | 0 | if (gpg_err_code (rc) == GPG_ERR_BAD_DATA) |
1169 | 0 | { |
1170 | 0 | if (!c->any.uncompress_failed) |
1171 | 0 | { |
1172 | 0 | CTX cc; |
1173 | |
|
1174 | 0 | for (cc=c; cc; cc = cc->anchor) |
1175 | 0 | cc->any.uncompress_failed = 1; |
1176 | 0 | log_error ("uncompressing failed: %s\n", gpg_strerror (rc)); |
1177 | 0 | } |
1178 | 0 | } |
1179 | 0 | else if (rc) |
1180 | 0 | log_error ("uncompressing failed: %s\n", gpg_strerror (rc)); |
1181 | |
|
1182 | 0 | free_packet (pkt, NULL); |
1183 | 0 | c->last_was_session_key = 0; |
1184 | 0 | return rc; |
1185 | 0 | } |
1186 | | |
1187 | | |
1188 | | /* |
1189 | | * Check the signature. If R_PK is not NULL a copy of the public key |
1190 | | * used to verify the signature will be stored there, or NULL if not |
1191 | | * found. If FORCED_PK is not NULL, this public key is used to verify |
1192 | | * _data signatures_ and no key lookup is done. Returns: 0 = valid |
1193 | | * signature or an error code. If R_KEYBLOCK is not NULL the keyblock |
1194 | | * carries the used PK is stored there. The caller should always free |
1195 | | * the return value using release_kbnode. |
1196 | | */ |
1197 | | static int |
1198 | | do_check_sig (CTX c, kbnode_t node, const void *extrahash, size_t extrahashlen, |
1199 | | PKT_public_key *forced_pk, int *is_selfsig, |
1200 | | int *is_expkey, int *is_revkey, |
1201 | | PKT_public_key **r_pk, kbnode_t *r_keyblock) |
1202 | 0 | { |
1203 | 0 | PKT_signature *sig; |
1204 | 0 | gcry_md_hd_t md = NULL; |
1205 | 0 | gcry_md_hd_t md2 = NULL; |
1206 | 0 | gcry_md_hd_t md_good = NULL; |
1207 | 0 | int algo, rc; |
1208 | |
|
1209 | 0 | if (r_pk) |
1210 | 0 | *r_pk = NULL; |
1211 | 0 | if (r_keyblock) |
1212 | 0 | *r_keyblock = NULL; |
1213 | |
|
1214 | 0 | log_assert (node->pkt->pkttype == PKT_SIGNATURE); |
1215 | 0 | if (is_selfsig) |
1216 | 0 | *is_selfsig = 0; |
1217 | 0 | sig = node->pkt->pkt.signature; |
1218 | |
|
1219 | 0 | algo = sig->digest_algo; |
1220 | 0 | rc = openpgp_md_test_algo (algo); |
1221 | 0 | if (rc) |
1222 | 0 | return rc; |
1223 | | |
1224 | 0 | if (sig->sig_class == 0x00) |
1225 | 0 | { |
1226 | 0 | if (c->mfx.md) |
1227 | 0 | { |
1228 | 0 | if (gcry_md_copy (&md, c->mfx.md )) |
1229 | 0 | BUG (); |
1230 | 0 | } |
1231 | 0 | else /* detached signature */ |
1232 | 0 | { |
1233 | | /* check_signature() will enable the md. */ |
1234 | 0 | if (gcry_md_open (&md, 0, 0 )) |
1235 | 0 | BUG (); |
1236 | 0 | } |
1237 | 0 | } |
1238 | 0 | else if (sig->sig_class == 0x01) |
1239 | 0 | { |
1240 | | /* How do we know that we have to hash the (already hashed) text |
1241 | | in canonical mode ??? (calculating both modes???) */ |
1242 | 0 | if (c->mfx.md) |
1243 | 0 | { |
1244 | 0 | if (gcry_md_copy (&md, c->mfx.md )) |
1245 | 0 | BUG (); |
1246 | 0 | if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2)) |
1247 | 0 | BUG (); |
1248 | 0 | } |
1249 | 0 | else /* detached signature */ |
1250 | 0 | { |
1251 | 0 | log_debug ("Do we really need this here?"); |
1252 | | /* check_signature() will enable the md*/ |
1253 | 0 | if (gcry_md_open (&md, 0, 0 )) |
1254 | 0 | BUG (); |
1255 | 0 | if (gcry_md_open (&md2, 0, 0 )) |
1256 | 0 | BUG (); |
1257 | 0 | } |
1258 | 0 | } |
1259 | 0 | else if ((sig->sig_class&~3) == 0x10 |
1260 | 0 | || sig->sig_class == 0x18 |
1261 | 0 | || sig->sig_class == 0x1f |
1262 | 0 | || sig->sig_class == 0x20 |
1263 | 0 | || sig->sig_class == 0x28 |
1264 | 0 | || sig->sig_class == 0x30) |
1265 | 0 | { |
1266 | 0 | if (c->list->pkt->pkttype == PKT_PUBLIC_KEY |
1267 | 0 | || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY) |
1268 | 0 | { |
1269 | 0 | return check_key_signature (c->ctrl, c->list, node, is_selfsig); |
1270 | 0 | } |
1271 | 0 | else if (sig->sig_class == 0x20) |
1272 | 0 | { |
1273 | 0 | log_error (_("standalone revocation - " |
1274 | 0 | "use \"gpg --import\" to apply\n")); |
1275 | 0 | return GPG_ERR_NOT_PROCESSED; |
1276 | 0 | } |
1277 | 0 | else |
1278 | 0 | { |
1279 | 0 | log_error ("invalid root packet for sigclass %02x\n", sig->sig_class); |
1280 | 0 | return GPG_ERR_SIG_CLASS; |
1281 | 0 | } |
1282 | 0 | } |
1283 | 0 | else |
1284 | 0 | return GPG_ERR_SIG_CLASS; |
1285 | | |
1286 | | /* We only get here if we are checking the signature of a binary |
1287 | | (0x00) or text document (0x01). */ |
1288 | 0 | rc = check_signature (c->ctrl, sig, md, extrahash, extrahashlen, |
1289 | 0 | forced_pk, NULL, is_expkey, is_revkey, |
1290 | 0 | r_pk, r_keyblock); |
1291 | 0 | if (! rc) |
1292 | 0 | md_good = md; |
1293 | 0 | else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2) |
1294 | 0 | { |
1295 | 0 | PKT_public_key *pk2; |
1296 | |
|
1297 | 0 | if (r_keyblock) |
1298 | 0 | release_kbnode (*r_keyblock); |
1299 | 0 | rc = check_signature (c->ctrl, sig, md2, extrahash, extrahashlen, |
1300 | 0 | forced_pk, NULL, is_expkey, is_revkey, |
1301 | 0 | r_pk? &pk2 : NULL, r_keyblock); |
1302 | 0 | if (!rc) |
1303 | 0 | { |
1304 | 0 | md_good = md2; |
1305 | 0 | if (r_pk) |
1306 | 0 | { |
1307 | 0 | free_public_key (*r_pk); |
1308 | 0 | *r_pk = pk2; |
1309 | 0 | } |
1310 | 0 | } |
1311 | 0 | } |
1312 | |
|
1313 | 0 | if (md_good) |
1314 | 0 | { |
1315 | 0 | unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo); |
1316 | 0 | sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo)); |
1317 | 0 | memcpy (sig->digest, buffer, sig->digest_len); |
1318 | 0 | } |
1319 | |
|
1320 | 0 | gcry_md_close (md); |
1321 | 0 | gcry_md_close (md2); |
1322 | |
|
1323 | 0 | return rc; |
1324 | 0 | } |
1325 | | |
1326 | | |
1327 | | static void |
1328 | | print_userid (PACKET *pkt) |
1329 | 0 | { |
1330 | 0 | if (!pkt) |
1331 | 0 | BUG(); |
1332 | | |
1333 | 0 | if (pkt->pkttype != PKT_USER_ID) |
1334 | 0 | { |
1335 | 0 | es_printf ("ERROR: unexpected packet type %d", pkt->pkttype ); |
1336 | 0 | return; |
1337 | 0 | } |
1338 | 0 | if (opt.with_colons) |
1339 | 0 | { |
1340 | 0 | if (pkt->pkt.user_id->attrib_data) |
1341 | 0 | es_printf("%u %lu", |
1342 | 0 | pkt->pkt.user_id->numattribs, |
1343 | 0 | pkt->pkt.user_id->attrib_len); |
1344 | 0 | else |
1345 | 0 | es_write_sanitized (es_stdout, pkt->pkt.user_id->name, |
1346 | 0 | pkt->pkt.user_id->len, ":", NULL); |
1347 | 0 | } |
1348 | 0 | else |
1349 | 0 | print_utf8_buffer (es_stdout, pkt->pkt.user_id->name, |
1350 | 0 | pkt->pkt.user_id->len ); |
1351 | 0 | } |
1352 | | |
1353 | | |
1354 | | /* |
1355 | | * List the keyblock in a user friendly way |
1356 | | */ |
1357 | | static void |
1358 | | list_node (CTX c, kbnode_t node) |
1359 | 2 | { |
1360 | 2 | if (!node) |
1361 | 0 | ; |
1362 | 2 | else if (node->pkt->pkttype == PKT_PUBLIC_KEY |
1363 | 1 | || node->pkt->pkttype == PKT_PUBLIC_SUBKEY) |
1364 | 1 | { |
1365 | 1 | PKT_public_key *pk = node->pkt->pkt.public_key; |
1366 | | |
1367 | 1 | if (opt.with_colons) |
1368 | 0 | { |
1369 | 0 | u32 keyid[2]; |
1370 | |
|
1371 | 0 | keyid_from_pk( pk, keyid ); |
1372 | 0 | if (pk->flags.primary) |
1373 | 0 | c->trustletter = (opt.fast_list_mode |
1374 | 0 | ? 0 |
1375 | 0 | : get_validity_info |
1376 | 0 | (c->ctrl, |
1377 | 0 | node->pkt->pkttype == PKT_PUBLIC_KEY |
1378 | 0 | ? node : NULL, |
1379 | 0 | pk, NULL)); |
1380 | 0 | es_printf ("%s:", pk->flags.primary? "pub":"sub" ); |
1381 | 0 | if (c->trustletter) |
1382 | 0 | es_putc (c->trustletter, es_stdout); |
1383 | 0 | es_printf (":%u:%d:%08lX%08lX:%s:%s::", |
1384 | 0 | nbits_from_pk( pk ), |
1385 | 0 | pk->pubkey_algo, |
1386 | 0 | (ulong)keyid[0],(ulong)keyid[1], |
1387 | 0 | colon_datestr_from_pk( pk ), |
1388 | 0 | colon_strtime (pk->expiredate) ); |
1389 | 0 | if (pk->flags.primary && !opt.fast_list_mode) |
1390 | 0 | es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout); |
1391 | 0 | es_putc (':', es_stdout); |
1392 | 0 | es_putc ('\n', es_stdout); |
1393 | 0 | } |
1394 | 1 | else |
1395 | 1 | { |
1396 | 1 | print_key_line (c->ctrl, es_stdout, pk, 0); |
1397 | 1 | } |
1398 | | |
1399 | 1 | if (opt.keyid_format == KF_NONE && !opt.with_colons) |
1400 | 0 | ; /* Already printed. */ |
1401 | 1 | else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1) |
1402 | 0 | print_fingerprint (c->ctrl, NULL, pk, 0); |
1403 | | |
1404 | 1 | if (pk->flags.primary) |
1405 | 1 | { |
1406 | 1 | int kl = opt.keyid_format == KF_NONE? 0 : keystrlen (); |
1407 | | |
1408 | | /* Now list all userids with their signatures. */ |
1409 | 2 | for (node = node->next; node; node = node->next) |
1410 | 1 | { |
1411 | 1 | if (node->pkt->pkttype == PKT_SIGNATURE) |
1412 | 1 | { |
1413 | 1 | list_node (c, node ); |
1414 | 1 | } |
1415 | 0 | else if (node->pkt->pkttype == PKT_USER_ID) |
1416 | 0 | { |
1417 | 0 | if (opt.with_colons) |
1418 | 0 | es_printf ("%s:::::::::", |
1419 | 0 | node->pkt->pkt.user_id->attrib_data?"uat":"uid"); |
1420 | 0 | else |
1421 | 0 | es_printf ("uid%*s", |
1422 | 0 | kl + (opt.legacy_list_mode? 9:11), |
1423 | 0 | "" ); |
1424 | 0 | print_userid (node->pkt); |
1425 | 0 | if (opt.with_colons) |
1426 | 0 | es_putc (':', es_stdout); |
1427 | 0 | es_putc ('\n', es_stdout); |
1428 | 0 | } |
1429 | 0 | else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY) |
1430 | 0 | { |
1431 | 0 | list_node(c, node ); |
1432 | 0 | } |
1433 | 1 | } |
1434 | 1 | } |
1435 | 1 | } |
1436 | 1 | else if (node->pkt->pkttype == PKT_SECRET_KEY |
1437 | 1 | || node->pkt->pkttype == PKT_SECRET_SUBKEY) |
1438 | 0 | { |
1439 | |
|
1440 | 0 | log_debug ("FIXME: No way to print secret key packets here\n"); |
1441 | | /* fixme: We may use a function to turn a secret key packet into |
1442 | | a public key one and use that here. */ |
1443 | 0 | } |
1444 | 1 | else if (node->pkt->pkttype == PKT_SIGNATURE) |
1445 | 1 | { |
1446 | 1 | PKT_signature *sig = node->pkt->pkt.signature; |
1447 | 1 | int is_selfsig = 0; |
1448 | 1 | int rc2 = 0; |
1449 | 1 | size_t n; |
1450 | 1 | char *p; |
1451 | 1 | int sigrc = ' '; |
1452 | | |
1453 | 1 | if (!opt.verbose) |
1454 | 1 | return; |
1455 | | |
1456 | 0 | if (sig->sig_class == 0x20 || sig->sig_class == 0x30) |
1457 | 0 | es_fputs ("rev", es_stdout); |
1458 | 0 | else |
1459 | 0 | es_fputs ("sig", es_stdout); |
1460 | 0 | if (opt.check_sigs) |
1461 | 0 | { |
1462 | 0 | fflush (stdout); |
1463 | 0 | rc2 = do_check_sig (c, node, NULL, 0, NULL, |
1464 | 0 | &is_selfsig, NULL, NULL, NULL, NULL); |
1465 | 0 | switch (gpg_err_code (rc2)) |
1466 | 0 | { |
1467 | 0 | case 0: sigrc = '!'; break; |
1468 | 0 | case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break; |
1469 | 0 | case GPG_ERR_NO_PUBKEY: |
1470 | 0 | case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break; |
1471 | 0 | default: sigrc = '%'; break; |
1472 | 0 | } |
1473 | 0 | } |
1474 | 0 | else /* Check whether this is a self signature. */ |
1475 | 0 | { |
1476 | 0 | u32 keyid[2]; |
1477 | |
|
1478 | 0 | if (c->list->pkt->pkttype == PKT_PUBLIC_KEY |
1479 | 0 | || c->list->pkt->pkttype == PKT_SECRET_KEY ) |
1480 | 0 | { |
1481 | 0 | keyid_from_pk (c->list->pkt->pkt.public_key, keyid); |
1482 | |
|
1483 | 0 | if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]) |
1484 | 0 | is_selfsig = 1; |
1485 | 0 | } |
1486 | 0 | } |
1487 | | |
1488 | 0 | if (opt.with_colons) |
1489 | 0 | { |
1490 | 0 | es_putc (':', es_stdout); |
1491 | 0 | if (sigrc != ' ') |
1492 | 0 | es_putc (sigrc, es_stdout); |
1493 | 0 | es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo, |
1494 | 0 | (ulong)sig->keyid[0], (ulong)sig->keyid[1], |
1495 | 0 | colon_datestr_from_sig (sig), |
1496 | 0 | colon_expirestr_from_sig (sig)); |
1497 | |
|
1498 | 0 | if (sig->trust_depth || sig->trust_value) |
1499 | 0 | es_printf ("%d %d",sig->trust_depth,sig->trust_value); |
1500 | 0 | es_putc (':', es_stdout); |
1501 | |
|
1502 | 0 | if (sig->trust_regexp) |
1503 | 0 | es_write_sanitized (es_stdout, sig->trust_regexp, |
1504 | 0 | strlen (sig->trust_regexp), ":", NULL); |
1505 | 0 | es_putc (':', es_stdout); |
1506 | 0 | } |
1507 | 0 | else |
1508 | 0 | es_printf ("%c %s %s ", |
1509 | 0 | sigrc, keystr (sig->keyid), datestr_from_sig(sig)); |
1510 | 0 | if (sigrc == '%') |
1511 | 0 | es_printf ("[%s] ", gpg_strerror (rc2) ); |
1512 | 0 | else if (sigrc == '?') |
1513 | 0 | ; |
1514 | 0 | else if (is_selfsig) |
1515 | 0 | { |
1516 | 0 | if (opt.with_colons) |
1517 | 0 | es_putc (':', es_stdout); |
1518 | 0 | es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout); |
1519 | 0 | if (opt.with_colons) |
1520 | 0 | es_putc (':', es_stdout); |
1521 | 0 | } |
1522 | 0 | else if (!opt.fast_list_mode) |
1523 | 0 | { |
1524 | 0 | p = get_user_id (c->ctrl, sig->keyid, &n, NULL); |
1525 | 0 | es_write_sanitized (es_stdout, p, n, |
1526 | 0 | opt.with_colons?":":NULL, NULL ); |
1527 | 0 | xfree (p); |
1528 | 0 | } |
1529 | 0 | if (opt.with_colons) |
1530 | 0 | es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l'); |
1531 | 0 | es_putc ('\n', es_stdout); |
1532 | 0 | } |
1533 | 0 | else |
1534 | 1 | log_error ("invalid node with packet of type %d\n", node->pkt->pkttype); |
1535 | 2 | } |
1536 | | |
1537 | | |
1538 | | int |
1539 | | proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a ) |
1540 | 6 | { |
1541 | 6 | int rc; |
1542 | 6 | CTX c = xmalloc_clear (sizeof *c); |
1543 | | |
1544 | 6 | c->ctrl = ctrl; |
1545 | 6 | c->anchor = anchor; |
1546 | 6 | rc = do_proc_packets (c, a, 0); |
1547 | 6 | xfree (c); |
1548 | | |
1549 | 6 | return rc; |
1550 | 6 | } |
1551 | | |
1552 | | |
1553 | | int |
1554 | | proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a, |
1555 | | strlist_t signedfiles, const char *sigfilename ) |
1556 | 0 | { |
1557 | 0 | CTX c = xmalloc_clear (sizeof *c); |
1558 | 0 | int rc; |
1559 | |
|
1560 | 0 | c->ctrl = ctrl; |
1561 | 0 | c->anchor = anchor; |
1562 | 0 | c->sigs_only = 1; |
1563 | |
|
1564 | 0 | c->signed_data.data_fd = GNUPG_INVALID_FD; |
1565 | 0 | c->signed_data.data_names = signedfiles; |
1566 | 0 | c->signed_data.used = !!signedfiles; |
1567 | |
|
1568 | 0 | c->sigfilename = sigfilename; |
1569 | 0 | rc = do_proc_packets (c, a, 0); |
1570 | | |
1571 | | /* If we have not encountered any signature we print an error |
1572 | | messages, send a NODATA status back and return an error code. |
1573 | | Using log_error is required because verify_files does not check |
1574 | | error codes for each file but we want to terminate the process |
1575 | | with an error. */ |
1576 | 0 | if (!rc && !c->any.sig_seen) |
1577 | 0 | { |
1578 | 0 | write_status_text (STATUS_NODATA, "4"); |
1579 | 0 | log_error (_("no signature found\n")); |
1580 | 0 | rc = GPG_ERR_NO_DATA; |
1581 | 0 | } |
1582 | | |
1583 | | /* Propagate the signature seen flag upward. Do this only on success |
1584 | | so that we won't issue the nodata status several times. */ |
1585 | 0 | if (!rc && c->anchor && c->any.sig_seen) |
1586 | 0 | c->anchor->any.sig_seen = 1; |
1587 | |
|
1588 | 0 | xfree (c); |
1589 | 0 | return rc; |
1590 | 0 | } |
1591 | | |
1592 | | |
1593 | | int |
1594 | | proc_signature_packets_by_fd (ctrl_t ctrl, void *anchor, iobuf_t a, |
1595 | | gnupg_fd_t signed_data_fd) |
1596 | 0 | { |
1597 | 0 | int rc; |
1598 | 0 | CTX c; |
1599 | |
|
1600 | 0 | c = xtrycalloc (1, sizeof *c); |
1601 | 0 | if (!c) |
1602 | 0 | return gpg_error_from_syserror (); |
1603 | | |
1604 | 0 | c->ctrl = ctrl; |
1605 | 0 | c->anchor = anchor; |
1606 | 0 | c->sigs_only = 1; |
1607 | |
|
1608 | 0 | c->signed_data.data_fd = signed_data_fd; |
1609 | 0 | c->signed_data.data_names = NULL; |
1610 | 0 | c->signed_data.used = (signed_data_fd != GNUPG_INVALID_FD); |
1611 | |
|
1612 | 0 | rc = do_proc_packets (c, a, 0); |
1613 | | |
1614 | | /* If we have not encountered any signature we print an error |
1615 | | messages, send a NODATA status back and return an error code. |
1616 | | Using log_error is required because verify_files does not check |
1617 | | error codes for each file but we want to terminate the process |
1618 | | with an error. */ |
1619 | 0 | if (!rc && !c->any.sig_seen) |
1620 | 0 | { |
1621 | 0 | write_status_text (STATUS_NODATA, "4"); |
1622 | 0 | log_error (_("no signature found\n")); |
1623 | 0 | rc = gpg_error (GPG_ERR_NO_DATA); |
1624 | 0 | } |
1625 | | |
1626 | | /* Propagate the signature seen flag upward. Do this only on success |
1627 | | so that we won't issue the nodata status several times. */ |
1628 | 0 | if (!rc && c->anchor && c->any.sig_seen) |
1629 | 0 | c->anchor->any.sig_seen = 1; |
1630 | |
|
1631 | 0 | xfree ( c ); |
1632 | 0 | return rc; |
1633 | 0 | } |
1634 | | |
1635 | | |
1636 | | /* Handle encryption packets. If called recursively the caller's CTX |
1637 | | * should be given for ANCHOR. If R_DEK and R_LIST are not NULL the |
1638 | | * DEK (or NULL) is returned there and the list at R_LIST; the caller |
1639 | | * needs to release them; even if the function returns an error. */ |
1640 | | gpg_error_t |
1641 | | proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a, |
1642 | | DEK **r_dek, struct seskey_enc_list **r_list) |
1643 | 6 | { |
1644 | 6 | CTX c = xmalloc_clear (sizeof *c); |
1645 | 6 | int rc; |
1646 | | |
1647 | 6 | c->ctrl = ctrl; |
1648 | 6 | c->anchor = anchor; |
1649 | 6 | c->encrypt_only = 1; |
1650 | 6 | if (r_dek && r_list) |
1651 | 0 | { |
1652 | 0 | rc = do_proc_packets (c, a, 1); |
1653 | 0 | *r_dek = c->dek; |
1654 | 0 | c->dek = NULL; |
1655 | 0 | *r_list = c->sesenc_list; |
1656 | 0 | c->sesenc_list = NULL; |
1657 | 0 | } |
1658 | 6 | else |
1659 | 6 | rc = do_proc_packets (c, a, 0); |
1660 | 6 | xfree (c); |
1661 | 6 | return rc; |
1662 | 6 | } |
1663 | | |
1664 | | |
1665 | | static int |
1666 | | check_nesting (CTX c) |
1667 | 12 | { |
1668 | 12 | int level; |
1669 | | |
1670 | 24 | for (level=0; c; c = c->anchor) |
1671 | 12 | level++; |
1672 | | |
1673 | 12 | if (level > MAX_NESTING_DEPTH) |
1674 | 0 | { |
1675 | 0 | log_error ("input data with too deeply nested packets\n"); |
1676 | 0 | write_status_text (STATUS_UNEXPECTED, "1"); |
1677 | 0 | return GPG_ERR_BAD_DATA; |
1678 | 0 | } |
1679 | | |
1680 | 12 | return 0; |
1681 | 12 | } |
1682 | | |
1683 | | |
1684 | | /* Main processing loop. If KEEP_DEK_AND_LIST is set the DEK and |
1685 | | * SESENC_LIST of the context C are not released at the end of the |
1686 | | * function. The caller is then required to do this. */ |
1687 | | static int |
1688 | | do_proc_packets (CTX c, iobuf_t a, int keep_dek_and_list) |
1689 | 12 | { |
1690 | 12 | PACKET *pkt; |
1691 | 12 | struct parse_packet_ctx_s parsectx; |
1692 | 12 | int rc = 0; |
1693 | 12 | int any_data = 0; |
1694 | 12 | int newpkt; |
1695 | | |
1696 | 12 | rc = check_nesting (c); |
1697 | 12 | if (rc) |
1698 | 0 | return rc; |
1699 | | |
1700 | 12 | pkt = xmalloc( sizeof *pkt ); |
1701 | 12 | c->iobuf = a; |
1702 | 12 | init_packet(pkt); |
1703 | 12 | init_parse_packet (&parsectx, a); |
1704 | 15 | while ((rc=parse_packet (&parsectx, pkt)) != -1) |
1705 | 11 | { |
1706 | 11 | any_data = 1; |
1707 | 11 | if (rc) |
1708 | 8 | { |
1709 | 8 | if (c->ctrl->modify_recipients && gpg_err_code (rc) == GPG_ERR_TRUE) |
1710 | 0 | { |
1711 | | /* Save the last read CTB (which was the last byte |
1712 | | * actually read from the input) and get out of the |
1713 | | * loop. */ |
1714 | 0 | c->ctrl->last_read_ctb = parsectx.last_ctb; |
1715 | | /* We need to call the first part of the encrypted data |
1716 | | * handler to get the DEK. */ |
1717 | 0 | proc_encrypted (c, NULL); |
1718 | 0 | rc = -1; |
1719 | 0 | break; |
1720 | 0 | } |
1721 | 8 | free_packet (pkt, &parsectx); |
1722 | | /* Stop processing when an invalid packet has been encountered |
1723 | | * but don't do so when we are doing a --list-packets. */ |
1724 | 8 | if (gpg_err_code (rc) == GPG_ERR_INV_PACKET |
1725 | 7 | && opt.list_packets == 0) |
1726 | 7 | break; |
1727 | 1 | continue; |
1728 | 8 | } |
1729 | 3 | newpkt = -1; |
1730 | 3 | if (opt.list_packets) |
1731 | 0 | { |
1732 | 0 | switch (pkt->pkttype) |
1733 | 0 | { |
1734 | 0 | case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break; |
1735 | 0 | case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break; |
1736 | 0 | case PKT_ENCRYPTED: |
1737 | 0 | case PKT_ENCRYPTED_MDC: |
1738 | 0 | case PKT_ENCRYPTED_AEAD:proc_encrypted (c, pkt); break; |
1739 | 0 | case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; |
1740 | 0 | default: newpkt = 0; break; |
1741 | 0 | } |
1742 | 0 | } |
1743 | 3 | else if (c->sigs_only) |
1744 | 0 | { |
1745 | 0 | switch (pkt->pkttype) |
1746 | 0 | { |
1747 | 0 | case PKT_PUBLIC_KEY: |
1748 | 0 | case PKT_SECRET_KEY: |
1749 | 0 | case PKT_USER_ID: |
1750 | 0 | case PKT_SYMKEY_ENC: |
1751 | 0 | case PKT_PUBKEY_ENC: |
1752 | 0 | case PKT_ENCRYPTED: |
1753 | 0 | case PKT_ENCRYPTED_MDC: |
1754 | 0 | case PKT_ENCRYPTED_AEAD: |
1755 | 0 | write_status_text( STATUS_UNEXPECTED, "0" ); |
1756 | 0 | rc = GPG_ERR_UNEXPECTED; |
1757 | 0 | goto leave; |
1758 | | |
1759 | 0 | case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break; |
1760 | 0 | case PKT_PLAINTEXT: proc_plaintext (c, pkt); break; |
1761 | 0 | case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; |
1762 | 0 | case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break; |
1763 | 0 | case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break; |
1764 | 0 | default: newpkt = 0; break; |
1765 | 0 | } |
1766 | 0 | } |
1767 | 3 | else if (c->encrypt_only) |
1768 | 1 | { |
1769 | 1 | switch (pkt->pkttype) |
1770 | 1 | { |
1771 | 1 | case PKT_PUBLIC_KEY: |
1772 | 1 | case PKT_SECRET_KEY: |
1773 | 1 | case PKT_USER_ID: |
1774 | 1 | write_status_text (STATUS_UNEXPECTED, "0"); |
1775 | 1 | rc = GPG_ERR_UNEXPECTED; |
1776 | 1 | goto leave; |
1777 | | |
1778 | 0 | case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break; |
1779 | | |
1780 | 0 | case PKT_SYMKEY_ENC: |
1781 | 0 | case PKT_PUBKEY_ENC: |
1782 | | /* In --add-recipients mode set the stop flag as soon as |
1783 | | * we see the first of these packets. */ |
1784 | 0 | if (c->ctrl->modify_recipients) |
1785 | 0 | parsectx.only_fookey_enc = 1; |
1786 | 0 | if (pkt->pkttype == PKT_SYMKEY_ENC) |
1787 | 0 | proc_symkey_enc (c, pkt); |
1788 | 0 | else |
1789 | 0 | proc_pubkey_enc (c, pkt); |
1790 | 0 | break; |
1791 | | |
1792 | 0 | case PKT_ENCRYPTED: |
1793 | 0 | case PKT_ENCRYPTED_MDC: |
1794 | 0 | case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break; |
1795 | 0 | case PKT_PLAINTEXT: proc_plaintext (c, pkt); break; |
1796 | 0 | case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; |
1797 | 0 | case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break; |
1798 | 0 | case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break; |
1799 | 0 | default: newpkt = 0; break; |
1800 | 1 | } |
1801 | 1 | } |
1802 | 2 | else |
1803 | 2 | { |
1804 | 2 | switch (pkt->pkttype) |
1805 | 2 | { |
1806 | 1 | case PKT_PUBLIC_KEY: |
1807 | 1 | case PKT_SECRET_KEY: |
1808 | 1 | release_list (c); |
1809 | 1 | c->list = new_kbnode (pkt); |
1810 | 1 | newpkt = 1; |
1811 | 1 | break; |
1812 | 0 | case PKT_PUBLIC_SUBKEY: |
1813 | 0 | case PKT_SECRET_SUBKEY: |
1814 | 0 | newpkt = add_subkey (c, pkt); |
1815 | 0 | break; |
1816 | 0 | case PKT_USER_ID: newpkt = add_user_id (c, pkt); break; |
1817 | 1 | case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break; |
1818 | 0 | case PKT_PUBKEY_ENC: proc_pubkey_enc (c, pkt); break; |
1819 | 0 | case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break; |
1820 | 0 | case PKT_ENCRYPTED: |
1821 | 0 | case PKT_ENCRYPTED_MDC: |
1822 | 0 | case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break; |
1823 | 0 | case PKT_PLAINTEXT: proc_plaintext (c, pkt); break; |
1824 | 0 | case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; |
1825 | 0 | case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break; |
1826 | 0 | case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; |
1827 | 0 | case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break; |
1828 | 0 | default: newpkt = 0; break; |
1829 | 2 | } |
1830 | 2 | } |
1831 | | |
1832 | 2 | if (rc) |
1833 | 0 | goto leave; |
1834 | | |
1835 | | /* This is a very ugly construct and frankly, I don't remember why |
1836 | | * I used it. Adding the MDC check here is a hack. |
1837 | | * The right solution is to initiate another context for encrypted |
1838 | | * packet and not to reuse the current one ... It works right |
1839 | | * when there is a compression packet between which adds just |
1840 | | * an extra layer. |
1841 | | * |
1842 | | * Note that we should not reset the any.data due to another |
1843 | | * packets. Just set it once on seeing a plaintext. |
1844 | | * |
1845 | | * Hmmm: Rewrite this whole module here?? |
1846 | | */ |
1847 | 2 | if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC) |
1848 | 1 | c->any.data |= (pkt->pkttype == PKT_PLAINTEXT); |
1849 | | |
1850 | 2 | if (newpkt == -1) |
1851 | 0 | ; |
1852 | 2 | else if (newpkt) |
1853 | 2 | { |
1854 | 2 | pkt = xmalloc (sizeof *pkt); |
1855 | 2 | init_packet (pkt); |
1856 | 2 | } |
1857 | 0 | else |
1858 | 0 | free_packet (pkt, &parsectx); |
1859 | 2 | } |
1860 | | |
1861 | 11 | if (rc == GPG_ERR_INV_PACKET) |
1862 | 7 | write_status_text (STATUS_NODATA, "3"); |
1863 | | |
1864 | 11 | if (any_data) |
1865 | 7 | rc = 0; |
1866 | 4 | else if (rc == -1) |
1867 | 4 | write_status_text (STATUS_NODATA, "2"); |
1868 | | |
1869 | | |
1870 | 12 | leave: |
1871 | 12 | if (!keep_dek_and_list) |
1872 | 12 | release_list (c); |
1873 | 12 | free_packet (pkt, &parsectx); |
1874 | 12 | deinit_parse_packet (&parsectx); |
1875 | 12 | xfree (pkt); |
1876 | 12 | free_md_filter_context (&c->mfx); |
1877 | 12 | return rc; |
1878 | 11 | } |
1879 | | |
1880 | | |
1881 | | /* Return true if the AKL has the WKD method specified. */ |
1882 | | static int |
1883 | | akl_has_wkd_method (void) |
1884 | 0 | { |
1885 | 0 | struct akl *akl; |
1886 | |
|
1887 | 0 | for (akl = opt.auto_key_locate; akl; akl = akl->next) |
1888 | 0 | if (akl->type == AKL_WKD) |
1889 | 0 | return 1; |
1890 | 0 | return 0; |
1891 | 0 | } |
1892 | | |
1893 | | |
1894 | | /* Return the ISSUER fingerprint buffer and its length at R_LEN. |
1895 | | * Returns NULL if not available. The returned buffer is valid as |
1896 | | * long as SIG is not modified. */ |
1897 | | const byte * |
1898 | | issuer_fpr_raw (PKT_signature *sig, size_t *r_len) |
1899 | 0 | { |
1900 | 0 | const byte *p; |
1901 | 0 | size_t n; |
1902 | |
|
1903 | 0 | p = parse_sig_subpkt (sig, 1, SIGSUBPKT_ISSUER_FPR, &n); |
1904 | 0 | if (p && ((n == 21 && p[0] == 4) || (n == 33 && p[0] == 5))) |
1905 | 0 | { |
1906 | 0 | *r_len = n - 1; |
1907 | 0 | return p+1; |
1908 | 0 | } |
1909 | 0 | *r_len = 0; |
1910 | 0 | return NULL; |
1911 | 0 | } |
1912 | | |
1913 | | |
1914 | | /* Return the ISSUER fingerprint string in human readable format if |
1915 | | * available. Caller must release the string. */ |
1916 | | /* FIXME: Move to another file. */ |
1917 | | char * |
1918 | | issuer_fpr_string (PKT_signature *sig) |
1919 | 0 | { |
1920 | 0 | const byte *p; |
1921 | 0 | size_t n; |
1922 | |
|
1923 | 0 | p = issuer_fpr_raw (sig, &n); |
1924 | 0 | return p? bin2hex (p, n, NULL) : NULL; |
1925 | 0 | } |
1926 | | |
1927 | | static void |
1928 | | print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un, |
1929 | | PKT_signature *sig, int rc) |
1930 | 0 | { |
1931 | 0 | char *p; |
1932 | |
|
1933 | 0 | write_status_text_and_buffer (statno, keyid_str, |
1934 | 0 | un? un->pkt->pkt.user_id->name:"[?]", |
1935 | 0 | un? un->pkt->pkt.user_id->len:3, |
1936 | 0 | -1); |
1937 | |
|
1938 | 0 | if (un) |
1939 | 0 | p = utf8_to_native (un->pkt->pkt.user_id->name, |
1940 | 0 | un->pkt->pkt.user_id->len, 0); |
1941 | 0 | else |
1942 | 0 | p = xstrdup ("[?]"); |
1943 | |
|
1944 | 0 | if (rc) |
1945 | 0 | log_info (_("BAD signature from \"%s\""), p); |
1946 | 0 | else if (sig->flags.expired) |
1947 | 0 | log_info (_("Expired signature from \"%s\""), p); |
1948 | 0 | else |
1949 | 0 | log_info (_("Good signature from \"%s\""), p); |
1950 | |
|
1951 | 0 | xfree (p); |
1952 | 0 | } |
1953 | | |
1954 | | |
1955 | | static int |
1956 | | check_sig_and_print (CTX c, kbnode_t node) |
1957 | 0 | { |
1958 | 0 | PKT_signature *sig = node->pkt->pkt.signature; |
1959 | 0 | const char *astr; |
1960 | 0 | gpg_error_t rc; |
1961 | 0 | int is_expkey = 0; |
1962 | 0 | int is_revkey = 0; |
1963 | 0 | char *issuer_fpr = NULL; |
1964 | 0 | PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */ |
1965 | 0 | const void *extrahash = NULL; |
1966 | 0 | size_t extrahashlen = 0; |
1967 | 0 | kbnode_t keyblock = NULL; |
1968 | 0 | char pkstrbuf[PUBKEY_STRING_SIZE] = { 0 }; |
1969 | | |
1970 | |
|
1971 | 0 | if (opt.skip_verify) |
1972 | 0 | { |
1973 | 0 | log_info(_("signature verification suppressed\n")); |
1974 | 0 | return 0; |
1975 | 0 | } |
1976 | | |
1977 | | /* Check that the message composition is valid. |
1978 | | * |
1979 | | * Per RFC-2440bis (-15) allowed: |
1980 | | * |
1981 | | * S{1,n} -- detached signature. |
1982 | | * S{1,n} P -- old style PGP2 signature |
1983 | | * O{1,n} P S{1,n} -- standard OpenPGP signature. |
1984 | | * C P S{1,n} -- cleartext signature. |
1985 | | * |
1986 | | * |
1987 | | * O = One-Pass Signature packet. |
1988 | | * S = Signature packet. |
1989 | | * P = OpenPGP Message packet (Encrypted | Compressed | Literal) |
1990 | | * (Note that the current rfc2440bis draft also allows |
1991 | | * for a signed message but that does not work as it |
1992 | | * introduces ambiguities.) |
1993 | | * We keep track of these packages using the marker packet |
1994 | | * CTRLPKT_PLAINTEXT_MARK. |
1995 | | * C = Marker packet for cleartext signatures. |
1996 | | * |
1997 | | * We reject all other messages. |
1998 | | * |
1999 | | * Actually we are calling this too often, i.e. for verification of |
2000 | | * each message but better have some duplicate work than to silently |
2001 | | * introduce a bug here. |
2002 | | */ |
2003 | 0 | { |
2004 | 0 | kbnode_t n; |
2005 | 0 | int n_onepass, n_sig; |
2006 | | |
2007 | | /* log_debug ("checking signature packet composition\n"); */ |
2008 | | /* dump_kbnode (c->list); */ |
2009 | |
|
2010 | 0 | n = c->list; |
2011 | 0 | log_assert (n); |
2012 | 0 | if ( n->pkt->pkttype == PKT_SIGNATURE ) |
2013 | 0 | { |
2014 | | /* This is either "S{1,n}" case (detached signature) or |
2015 | | "S{1,n} P" (old style PGP2 signature). */ |
2016 | 0 | for (n = n->next; n; n = n->next) |
2017 | 0 | if (n->pkt->pkttype != PKT_SIGNATURE) |
2018 | 0 | break; |
2019 | 0 | if (!n) |
2020 | 0 | ; /* Okay, this is a detached signature. */ |
2021 | 0 | else if (n->pkt->pkttype == PKT_GPG_CONTROL |
2022 | 0 | && (n->pkt->pkt.gpg_control->control |
2023 | 0 | == CTRLPKT_PLAINTEXT_MARK) ) |
2024 | 0 | { |
2025 | 0 | if (n->next) |
2026 | 0 | goto ambiguous; /* We only allow one P packet. */ |
2027 | 0 | extrahash = n->pkt->pkt.gpg_control->data; |
2028 | 0 | extrahashlen = n->pkt->pkt.gpg_control->datalen; |
2029 | 0 | } |
2030 | 0 | else |
2031 | 0 | goto ambiguous; |
2032 | 0 | } |
2033 | 0 | else if (n->pkt->pkttype == PKT_ONEPASS_SIG) |
2034 | 0 | { |
2035 | | /* This is the "O{1,n} P S{1,n}" case (standard signature). */ |
2036 | 0 | for (n_onepass=1, n = n->next; |
2037 | 0 | n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next) |
2038 | 0 | n_onepass++; |
2039 | 0 | if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL |
2040 | 0 | && (n->pkt->pkt.gpg_control->control |
2041 | 0 | == CTRLPKT_PLAINTEXT_MARK))) |
2042 | 0 | goto ambiguous; |
2043 | 0 | extrahash = n->pkt->pkt.gpg_control->data; |
2044 | 0 | extrahashlen = n->pkt->pkt.gpg_control->datalen; |
2045 | |
|
2046 | 0 | for (n_sig=0, n = n->next; |
2047 | 0 | n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) |
2048 | 0 | n_sig++; |
2049 | 0 | if (!n_sig) |
2050 | 0 | goto ambiguous; |
2051 | | |
2052 | | /* If we wanted to disallow multiple sig verification, we'd do |
2053 | | * something like this: |
2054 | | * |
2055 | | * if (n) |
2056 | | * goto ambiguous; |
2057 | | * |
2058 | | * However, this can stay allowable as we can't get here. */ |
2059 | | |
2060 | 0 | if (n_onepass != n_sig) |
2061 | 0 | { |
2062 | 0 | log_info ("number of one-pass packets does not match " |
2063 | 0 | "number of signature packets\n"); |
2064 | 0 | goto ambiguous; |
2065 | 0 | } |
2066 | 0 | } |
2067 | 0 | else if (n->pkt->pkttype == PKT_GPG_CONTROL |
2068 | 0 | && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START ) |
2069 | 0 | { |
2070 | | /* This is the "C P S{1,n}" case (clear text signature). */ |
2071 | 0 | n = n->next; |
2072 | 0 | if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL |
2073 | 0 | && (n->pkt->pkt.gpg_control->control |
2074 | 0 | == CTRLPKT_PLAINTEXT_MARK))) |
2075 | 0 | goto ambiguous; |
2076 | 0 | extrahash = n->pkt->pkt.gpg_control->data; |
2077 | 0 | extrahashlen = n->pkt->pkt.gpg_control->datalen; |
2078 | 0 | for (n_sig=0, n = n->next; |
2079 | 0 | n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) |
2080 | 0 | n_sig++; |
2081 | 0 | if (n || !n_sig) |
2082 | 0 | goto ambiguous; |
2083 | 0 | } |
2084 | 0 | else |
2085 | 0 | { |
2086 | 0 | ambiguous: |
2087 | 0 | log_error(_("can't handle this ambiguous signature data\n")); |
2088 | 0 | rc = 0; |
2089 | 0 | goto leave; |
2090 | 0 | } |
2091 | 0 | } /* End checking signature packet composition. */ |
2092 | | |
2093 | 0 | if (sig->signers_uid) |
2094 | 0 | write_status_buffer (STATUS_NEWSIG, |
2095 | 0 | sig->signers_uid, strlen (sig->signers_uid), 0); |
2096 | 0 | else |
2097 | 0 | write_status_text (STATUS_NEWSIG, NULL); |
2098 | |
|
2099 | 0 | astr = openpgp_pk_algo_name ( sig->pubkey_algo ); |
2100 | 0 | issuer_fpr = issuer_fpr_string (sig); |
2101 | |
|
2102 | 0 | if (issuer_fpr) |
2103 | 0 | { |
2104 | 0 | log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp)); |
2105 | 0 | log_info (_(" using %s key %s\n"), |
2106 | 0 | astr? astr: "?", issuer_fpr); |
2107 | |
|
2108 | 0 | } |
2109 | 0 | else if (!keystrlen () || keystrlen () > 8) |
2110 | 0 | { |
2111 | 0 | log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp)); |
2112 | 0 | log_info (_(" using %s key %s\n"), |
2113 | 0 | astr? astr: "?", keystr(sig->keyid)); |
2114 | 0 | } |
2115 | 0 | else /* Legacy format. */ |
2116 | 0 | log_info (_("Signature made %s using %s key ID %s\n"), |
2117 | 0 | asctimestamp(sig->timestamp), astr? astr: "?", |
2118 | 0 | keystr(sig->keyid)); |
2119 | | |
2120 | | /* In verbose mode print the signers UID. */ |
2121 | 0 | if (sig->signers_uid) |
2122 | 0 | log_info (_(" issuer \"%s\"\n"), sig->signers_uid); |
2123 | |
|
2124 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, |
2125 | 0 | NULL, &is_expkey, &is_revkey, &pk, &keyblock); |
2126 | | |
2127 | | /* If the key is not found but the signature includes a key block we |
2128 | | * use that key block for verification and on success import it. */ |
2129 | 0 | if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY |
2130 | 0 | && sig->flags.key_block |
2131 | 0 | && opt.flags.auto_key_import) |
2132 | 0 | { |
2133 | 0 | kbnode_t included_keyblock = NULL; |
2134 | 0 | PKT_public_key *included_pk; |
2135 | 0 | const byte *kblock; |
2136 | 0 | size_t kblock_len; |
2137 | |
|
2138 | 0 | included_pk = xcalloc (1, sizeof *included_pk); |
2139 | 0 | kblock = parse_sig_subpkt (sig, 1, SIGSUBPKT_KEY_BLOCK, &kblock_len); |
2140 | 0 | if (kblock && kblock_len > 1 |
2141 | 0 | && !get_pubkey_from_buffer (c->ctrl, included_pk, |
2142 | 0 | kblock+1, kblock_len-1, |
2143 | 0 | sig->keyid, &included_keyblock)) |
2144 | 0 | { |
2145 | | /* Note: This is the only place where we use the forced_pk |
2146 | | * arg (ie. included_pk) with do_check_sig. */ |
2147 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, included_pk, |
2148 | 0 | NULL, &is_expkey, &is_revkey, &pk, NULL); |
2149 | 0 | if (opt.verbose) |
2150 | 0 | log_info ("checked signature using included key block: %s\n", |
2151 | 0 | gpg_strerror (rc)); |
2152 | 0 | if (!rc) |
2153 | 0 | { |
2154 | | /* The keyblock has been verified, we now import it. */ |
2155 | 0 | rc = import_included_key_block (c->ctrl, included_keyblock); |
2156 | 0 | } |
2157 | |
|
2158 | 0 | } |
2159 | 0 | free_public_key (included_pk); |
2160 | 0 | release_kbnode (included_keyblock); |
2161 | | |
2162 | | /* To make sure that nothing strange happened we check the |
2163 | | * signature again now using our own key store. This also |
2164 | | * returns the keyblock which we use later on. */ |
2165 | 0 | if (!rc) |
2166 | 0 | { |
2167 | 0 | release_kbnode (keyblock); |
2168 | 0 | keyblock = NULL; |
2169 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, |
2170 | 0 | NULL, &is_expkey, &is_revkey, &pk, &keyblock); |
2171 | 0 | } |
2172 | 0 | } |
2173 | | |
2174 | | /* If the key isn't found, check for a preferred keyserver. Note |
2175 | | * that this is only done if honor-keyserver-url has been set. We |
2176 | | * test for this in the loop so that we can show info about the |
2177 | | * preferred keyservers. */ |
2178 | 0 | if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY |
2179 | 0 | && sig->flags.pref_ks) |
2180 | 0 | { |
2181 | 0 | const byte *p; |
2182 | 0 | int seq = 0; |
2183 | 0 | size_t n; |
2184 | 0 | int any_pref_ks = 0; |
2185 | |
|
2186 | 0 | while ((p=enum_sig_subpkt (sig, 1, SIGSUBPKT_PREF_KS, &n, &seq, NULL))) |
2187 | 0 | { |
2188 | | /* According to my favorite copy editor, in English grammar, |
2189 | | you say "at" if the key is located on a web page, but |
2190 | | "from" if it is located on a keyserver. I'm not going to |
2191 | | even try to make two strings here :) */ |
2192 | 0 | log_info(_("Key available at: ") ); |
2193 | 0 | print_utf8_buffer (log_get_stream(), p, n); |
2194 | 0 | log_printf ("\n"); |
2195 | 0 | any_pref_ks = 1; |
2196 | |
|
2197 | 0 | if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE) |
2198 | 0 | && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)) |
2199 | 0 | { |
2200 | 0 | struct keyserver_spec *spec; |
2201 | |
|
2202 | 0 | spec = parse_preferred_keyserver (sig); |
2203 | 0 | if (spec) |
2204 | 0 | { |
2205 | 0 | int res; |
2206 | |
|
2207 | 0 | if (DBG_LOOKUP) |
2208 | 0 | log_debug ("trying auto-key-retrieve method %s\n", |
2209 | 0 | "Pref-KS"); |
2210 | |
|
2211 | 0 | free_public_key (pk); |
2212 | 0 | pk = NULL; |
2213 | 0 | glo_ctrl.in_auto_key_retrieve++; |
2214 | 0 | res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, |
2215 | 0 | KEYSERVER_IMPORT_FLAG_QUICK); |
2216 | 0 | glo_ctrl.in_auto_key_retrieve--; |
2217 | 0 | if (!res) |
2218 | 0 | { |
2219 | 0 | release_kbnode (keyblock); |
2220 | 0 | keyblock = NULL; |
2221 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, |
2222 | 0 | NULL, &is_expkey, &is_revkey, &pk, |
2223 | 0 | &keyblock); |
2224 | 0 | } |
2225 | 0 | else if (DBG_LOOKUP) |
2226 | 0 | log_debug ("lookup via %s failed: %s\n", "Pref-KS", |
2227 | 0 | gpg_strerror (res)); |
2228 | 0 | free_keyserver_spec (spec); |
2229 | |
|
2230 | 0 | if (!rc) |
2231 | 0 | break; |
2232 | 0 | } |
2233 | 0 | } |
2234 | 0 | } |
2235 | |
|
2236 | 0 | if (any_pref_ks |
2237 | 0 | && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE) |
2238 | 0 | && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)) |
2239 | 0 | log_info (_("Note: Use '%s' to make use of this info\n"), |
2240 | 0 | "--keyserver-option honor-keyserver-url"); |
2241 | 0 | } |
2242 | | |
2243 | | /* If the above methods didn't work, our next try is to retrieve the |
2244 | | * key from the WKD. This requires that WKD is in the AKL and the |
2245 | | * Signer's UID is in the signature. */ |
2246 | 0 | if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY |
2247 | 0 | && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE) |
2248 | 0 | && !opt.flags.disable_signer_uid |
2249 | 0 | && akl_has_wkd_method () |
2250 | 0 | && sig->signers_uid) |
2251 | 0 | { |
2252 | 0 | int res; |
2253 | |
|
2254 | 0 | if (DBG_LOOKUP) |
2255 | 0 | log_debug ("trying auto-key-retrieve method %s\n", "WKD"); |
2256 | 0 | free_public_key (pk); |
2257 | 0 | pk = NULL; |
2258 | 0 | glo_ctrl.in_auto_key_retrieve++; |
2259 | 0 | res = keyserver_import_wkd (c->ctrl, sig->signers_uid, |
2260 | 0 | KEYSERVER_IMPORT_FLAG_QUICK, NULL, NULL); |
2261 | 0 | glo_ctrl.in_auto_key_retrieve--; |
2262 | | /* Fixme: If the fingerprint is embedded in the signature, |
2263 | | * compare it to the fingerprint of the returned key. */ |
2264 | 0 | if (!res) |
2265 | 0 | { |
2266 | 0 | release_kbnode (keyblock); |
2267 | 0 | keyblock = NULL; |
2268 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, |
2269 | 0 | NULL, &is_expkey, &is_revkey, &pk, &keyblock); |
2270 | 0 | } |
2271 | 0 | else if (DBG_LOOKUP) |
2272 | 0 | log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res)); |
2273 | 0 | } |
2274 | | |
2275 | | /* If the above methods didn't work, our next try is to locate |
2276 | | * the key via its fingerprint from a keyserver. This requires |
2277 | | * that the signers fingerprint is encoded in the signature. */ |
2278 | 0 | if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY |
2279 | 0 | && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE) |
2280 | 0 | && keyserver_any_configured (c->ctrl)) |
2281 | 0 | { |
2282 | 0 | int res; |
2283 | 0 | const byte *p; |
2284 | 0 | size_t n; |
2285 | |
|
2286 | 0 | p = issuer_fpr_raw (sig, &n); |
2287 | 0 | if (p) |
2288 | 0 | { |
2289 | 0 | if (DBG_LOOKUP) |
2290 | 0 | log_debug ("trying auto-key-retrieve method %s\n", "KS"); |
2291 | | |
2292 | | /* v4 or v5 packet with a SHA-1/256 fingerprint. */ |
2293 | 0 | free_public_key (pk); |
2294 | 0 | pk = NULL; |
2295 | 0 | glo_ctrl.in_auto_key_retrieve++; |
2296 | 0 | res = keyserver_import_fpr (c->ctrl, p, n, opt.keyserver, |
2297 | 0 | KEYSERVER_IMPORT_FLAG_QUICK); |
2298 | 0 | glo_ctrl.in_auto_key_retrieve--; |
2299 | 0 | if (!res) |
2300 | 0 | { |
2301 | 0 | release_kbnode (keyblock); |
2302 | 0 | keyblock = NULL; |
2303 | 0 | rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, |
2304 | 0 | NULL, &is_expkey, &is_revkey, &pk, |
2305 | 0 | &keyblock); |
2306 | 0 | } |
2307 | 0 | else if (DBG_LOOKUP) |
2308 | 0 | log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res)); |
2309 | 0 | } |
2310 | 0 | } |
2311 | | |
2312 | | /* Do something with the result of the signature checking. */ |
2313 | 0 | if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE) |
2314 | 0 | { |
2315 | | /* We have checked the signature and the result is either a good |
2316 | | * signature or a bad signature. Further examination follows. */ |
2317 | 0 | kbnode_t un; |
2318 | 0 | int count = 0; |
2319 | 0 | int keyblock_has_pk = 0; /* For failsafe check. */ |
2320 | 0 | int statno; |
2321 | 0 | char keyid_str[50]; |
2322 | 0 | PKT_public_key *mainpk = NULL; |
2323 | |
|
2324 | 0 | if (rc) |
2325 | 0 | statno = STATUS_BADSIG; |
2326 | 0 | else if (sig->flags.expired) |
2327 | 0 | statno = STATUS_EXPSIG; |
2328 | 0 | else if (is_expkey) |
2329 | 0 | statno = STATUS_EXPKEYSIG; |
2330 | 0 | else if(is_revkey) |
2331 | 0 | statno = STATUS_REVKEYSIG; |
2332 | 0 | else |
2333 | 0 | statno = STATUS_GOODSIG; |
2334 | |
|
2335 | 0 | snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ", |
2336 | 0 | (ulong)sig->keyid[0], (ulong)sig->keyid[1]); |
2337 | | |
2338 | | /* Find and print the primary user ID along with the |
2339 | | "Good|Expired|Bad signature" line. */ |
2340 | 0 | for (un=keyblock; un; un = un->next) |
2341 | 0 | { |
2342 | 0 | int valid; |
2343 | |
|
2344 | 0 | if (!keyblock_has_pk |
2345 | 0 | && (un->pkt->pkttype == PKT_PUBLIC_KEY |
2346 | 0 | || un->pkt->pkttype == PKT_PUBLIC_SUBKEY) |
2347 | 0 | && !cmp_public_keys (un->pkt->pkt.public_key, pk)) |
2348 | 0 | { |
2349 | 0 | keyblock_has_pk = 1; |
2350 | 0 | } |
2351 | 0 | if (un->pkt->pkttype == PKT_PUBLIC_KEY) |
2352 | 0 | { |
2353 | 0 | mainpk = un->pkt->pkt.public_key; |
2354 | 0 | continue; |
2355 | 0 | } |
2356 | 0 | if (un->pkt->pkttype != PKT_USER_ID) |
2357 | 0 | continue; |
2358 | 0 | if (!un->pkt->pkt.user_id->created) |
2359 | 0 | continue; |
2360 | 0 | if (un->pkt->pkt.user_id->flags.revoked) |
2361 | 0 | continue; |
2362 | 0 | if (un->pkt->pkt.user_id->flags.expired) |
2363 | 0 | continue; |
2364 | 0 | if (!un->pkt->pkt.user_id->flags.primary) |
2365 | 0 | continue; |
2366 | | /* We want the textual primary user ID here */ |
2367 | 0 | if (un->pkt->pkt.user_id->attrib_data) |
2368 | 0 | continue; |
2369 | | |
2370 | 0 | log_assert (mainpk); |
2371 | | |
2372 | | /* Since this is just informational, don't actually ask the |
2373 | | user to update any trust information. (Note: we register |
2374 | | the signature later.) Because print_good_bad_signature |
2375 | | does not print a LF we need to compute the validity |
2376 | | before calling that function. */ |
2377 | 0 | if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY)) |
2378 | 0 | valid = get_validity (c->ctrl, keyblock, mainpk, |
2379 | 0 | un->pkt->pkt.user_id, NULL, 0); |
2380 | 0 | else |
2381 | 0 | valid = 0; /* Not used. */ |
2382 | |
|
2383 | 0 | keyid_str[17] = 0; /* cut off the "[uncertain]" part */ |
2384 | |
|
2385 | 0 | print_good_bad_signature (statno, keyid_str, un, sig, rc); |
2386 | |
|
2387 | 0 | if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY)) |
2388 | 0 | log_printf (" [%s]\n",trust_value_to_string(valid)); |
2389 | 0 | else |
2390 | 0 | log_printf ("\n"); |
2391 | |
|
2392 | 0 | count++; |
2393 | | /* At this point we could in theory stop because the primary |
2394 | | * UID flag is never set for more than one User ID per |
2395 | | * keyblock. However, we use this loop also for a failsafe |
2396 | | * check that the public key used to create the signature is |
2397 | | * contained in the keyring.*/ |
2398 | 0 | } |
2399 | | |
2400 | 0 | if (!mainpk || !keyblock_has_pk) |
2401 | 0 | { |
2402 | 0 | log_error ("signature key lost from keyblock (%p,%p,%d)\n", |
2403 | 0 | keyblock, mainpk, keyblock_has_pk); |
2404 | 0 | rc = gpg_error (GPG_ERR_INTERNAL); |
2405 | 0 | } |
2406 | | |
2407 | | /* In case we did not found a valid textual userid above |
2408 | | we print the first user id packet or a "[?]" instead along |
2409 | | with the "Good|Expired|Bad signature" line. */ |
2410 | 0 | if (!count) |
2411 | 0 | { |
2412 | | /* Try for an invalid textual userid */ |
2413 | 0 | for (un=keyblock; un; un = un->next) |
2414 | 0 | { |
2415 | 0 | if (un->pkt->pkttype == PKT_USER_ID |
2416 | 0 | && !un->pkt->pkt.user_id->attrib_data) |
2417 | 0 | break; |
2418 | 0 | } |
2419 | | |
2420 | | /* Try for any userid at all */ |
2421 | 0 | if (!un) |
2422 | 0 | { |
2423 | 0 | for (un=keyblock; un; un = un->next) |
2424 | 0 | { |
2425 | 0 | if (un->pkt->pkttype == PKT_USER_ID) |
2426 | 0 | break; |
2427 | 0 | } |
2428 | 0 | } |
2429 | |
|
2430 | 0 | if (opt.trust_model==TM_ALWAYS || !un) |
2431 | 0 | keyid_str[17] = 0; /* cut off the "[uncertain]" part */ |
2432 | |
|
2433 | 0 | print_good_bad_signature (statno, keyid_str, un, sig, rc); |
2434 | |
|
2435 | 0 | if (opt.trust_model != TM_ALWAYS && un) |
2436 | 0 | log_printf (" %s",_("[uncertain]") ); |
2437 | 0 | log_printf ("\n"); |
2438 | 0 | } |
2439 | | |
2440 | | /* If we have a good signature and already printed |
2441 | | * the primary user ID, print all the other user IDs */ |
2442 | 0 | if (count |
2443 | 0 | && !rc |
2444 | 0 | && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY)) |
2445 | 0 | { |
2446 | 0 | char *p; |
2447 | 0 | for( un=keyblock; un; un = un->next) |
2448 | 0 | { |
2449 | 0 | if (un->pkt->pkttype != PKT_USER_ID) |
2450 | 0 | continue; |
2451 | 0 | if ((un->pkt->pkt.user_id->flags.revoked |
2452 | 0 | || un->pkt->pkt.user_id->flags.expired) |
2453 | 0 | && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS)) |
2454 | 0 | continue; |
2455 | | /* Skip textual primary user ids which we printed above. */ |
2456 | 0 | if (un->pkt->pkt.user_id->flags.primary |
2457 | 0 | && !un->pkt->pkt.user_id->attrib_data ) |
2458 | 0 | continue; |
2459 | | |
2460 | | /* If this user id has attribute data, print that. */ |
2461 | 0 | if (un->pkt->pkt.user_id->attrib_data) |
2462 | 0 | { |
2463 | 0 | dump_attribs (un->pkt->pkt.user_id, mainpk); |
2464 | |
|
2465 | 0 | if (opt.verify_options&VERIFY_SHOW_PHOTOS) |
2466 | 0 | show_photos (c->ctrl, |
2467 | 0 | un->pkt->pkt.user_id->attribs, |
2468 | 0 | un->pkt->pkt.user_id->numattribs, |
2469 | 0 | mainpk ,un->pkt->pkt.user_id); |
2470 | 0 | } |
2471 | |
|
2472 | 0 | p = utf8_to_native (un->pkt->pkt.user_id->name, |
2473 | 0 | un->pkt->pkt.user_id->len, 0); |
2474 | 0 | log_info (_(" aka \"%s\""), p); |
2475 | 0 | xfree (p); |
2476 | |
|
2477 | 0 | if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY)) |
2478 | 0 | { |
2479 | 0 | const char *valid; |
2480 | |
|
2481 | 0 | if (un->pkt->pkt.user_id->flags.revoked) |
2482 | 0 | valid = _("revoked"); |
2483 | 0 | else if (un->pkt->pkt.user_id->flags.expired) |
2484 | 0 | valid = _("expired"); |
2485 | 0 | else |
2486 | | /* Since this is just informational, don't |
2487 | | actually ask the user to update any trust |
2488 | | information. */ |
2489 | 0 | valid = (trust_value_to_string |
2490 | 0 | (get_validity (c->ctrl, keyblock, mainpk, |
2491 | 0 | un->pkt->pkt.user_id, NULL, 0))); |
2492 | 0 | log_printf (" [%s]\n",valid); |
2493 | 0 | } |
2494 | 0 | else |
2495 | 0 | log_printf ("\n"); |
2496 | 0 | } |
2497 | 0 | } |
2498 | | |
2499 | | /* For good signatures print notation data. */ |
2500 | 0 | if (!rc) |
2501 | 0 | { |
2502 | 0 | if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS)) |
2503 | 0 | show_policy_url (sig, 0, 1); |
2504 | 0 | else |
2505 | 0 | show_policy_url (sig, 0, 2); |
2506 | |
|
2507 | 0 | if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS)) |
2508 | 0 | show_keyserver_url (sig, 0, 1); |
2509 | 0 | else |
2510 | 0 | show_keyserver_url (sig, 0, 2); |
2511 | |
|
2512 | 0 | if ((opt.verify_options & VERIFY_SHOW_NOTATIONS)) |
2513 | 0 | show_notation |
2514 | 0 | (sig, 0, 1, |
2515 | 0 | (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0) |
2516 | 0 | + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0) |
2517 | 0 | + ((opt.verify_options &VERIFY_SHOW_HIDDEN_NOTATIONS)? 4:0) |
2518 | 0 | )); |
2519 | 0 | else |
2520 | 0 | show_notation (sig, 0, 2, 0); |
2521 | 0 | print_matching_notations (sig); |
2522 | 0 | } |
2523 | | |
2524 | | /* Fill PKSTRBUF with the algostring in case we later need it. */ |
2525 | 0 | if (pk) |
2526 | 0 | pubkey_string (pk, pkstrbuf, sizeof pkstrbuf); |
2527 | | |
2528 | | /* For good signatures print the VALIDSIG status line. */ |
2529 | 0 | if (!rc && (is_status_enabled () |
2530 | 0 | || opt.assert_signer_list |
2531 | 0 | || opt.assert_pubkey_algos) && pk) |
2532 | 0 | { |
2533 | 0 | char pkhex[MAX_FINGERPRINT_LEN*2+1]; |
2534 | 0 | char mainpkhex[MAX_FINGERPRINT_LEN*2+1]; |
2535 | |
|
2536 | 0 | hexfingerprint (pk, pkhex, sizeof pkhex); |
2537 | 0 | hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex); |
2538 | | |
2539 | | /* TODO: Replace the reserved '0' in the field below with |
2540 | | bits for status flags (policy url, notation, etc.). */ |
2541 | 0 | write_status_printf (STATUS_VALIDSIG, |
2542 | 0 | "%s %s %lu %lu %d 0 %d %d %02X %s", |
2543 | 0 | pkhex, |
2544 | 0 | strtimestamp (sig->timestamp), |
2545 | 0 | (ulong)sig->timestamp, |
2546 | 0 | (ulong)sig->expiredate, |
2547 | 0 | sig->version, sig->pubkey_algo, |
2548 | 0 | sig->digest_algo, |
2549 | 0 | sig->sig_class, |
2550 | 0 | mainpkhex); |
2551 | | /* Handle the --assert-signer option. */ |
2552 | 0 | check_assert_signer_list (mainpkhex, pkhex); |
2553 | | /* Handle the --assert-pubkey-algo option. */ |
2554 | 0 | check_assert_pubkey_algo (pkstrbuf, pkhex); |
2555 | 0 | } |
2556 | | |
2557 | | /* Print compliance warning for Good signatures. */ |
2558 | 0 | if (!rc && pk && !opt.quiet |
2559 | 0 | && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0, |
2560 | 0 | pk->pkey, nbits_from_pk (pk), NULL)) |
2561 | 0 | { |
2562 | 0 | log_info (_("WARNING: This key is not suitable for signing" |
2563 | 0 | " in %s mode\n"), |
2564 | 0 | gnupg_compliance_option_string (opt.compliance)); |
2565 | 0 | } |
2566 | | |
2567 | | /* For good signatures compute and print the trust information. |
2568 | | Note that in the Tofu trust model this may ask the user on |
2569 | | how to resolve a conflict. */ |
2570 | 0 | if (!rc) |
2571 | 0 | { |
2572 | 0 | rc = check_signatures_trust (c->ctrl, keyblock, pk, sig); |
2573 | 0 | } |
2574 | | |
2575 | | /* Print extra information about the signature. */ |
2576 | 0 | if (sig->flags.expired) |
2577 | 0 | { |
2578 | 0 | log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate)); |
2579 | 0 | if (!rc) |
2580 | 0 | rc = gpg_error (GPG_ERR_GENERAL); /* Need a better error here? */ |
2581 | 0 | } |
2582 | 0 | else if (sig->expiredate) |
2583 | 0 | log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate)); |
2584 | |
|
2585 | 0 | if (opt.verbose) |
2586 | 0 | { |
2587 | 0 | log_info (_("%s signature, digest algorithm %s%s%s\n"), |
2588 | 0 | sig->sig_class==0x00?_("binary"): |
2589 | 0 | sig->sig_class==0x01?_("textmode"):_("unknown"), |
2590 | 0 | gcry_md_algo_name (sig->digest_algo), |
2591 | 0 | *pkstrbuf?_(", key algorithm "):"", pkstrbuf); |
2592 | 0 | } |
2593 | | |
2594 | | /* Print final warnings. */ |
2595 | 0 | if (!rc && !c->signed_data.used) |
2596 | 0 | { |
2597 | | /* Signature is basically good but we test whether the |
2598 | | deprecated command |
2599 | | gpg --verify FILE.sig |
2600 | | was used instead of |
2601 | | gpg --verify FILE.sig FILE |
2602 | | to verify a detached signature. If we figure out that a |
2603 | | data file with a matching name exists, we print a warning. |
2604 | | |
2605 | | The problem is that the first form would also verify a |
2606 | | standard signature. This behavior could be used to |
2607 | | create a made up .sig file for a tarball by creating a |
2608 | | standard signature from a valid detached signature packet |
2609 | | (for example from a signed git tag). Then replace the |
2610 | | sig file on the FTP server along with a changed tarball. |
2611 | | Using the first form the verify command would correctly |
2612 | | verify the signature but don't even consider the tarball. */ |
2613 | 0 | kbnode_t n; |
2614 | 0 | char *dfile; |
2615 | |
|
2616 | 0 | dfile = get_matching_datafile (c->sigfilename); |
2617 | 0 | if (dfile) |
2618 | 0 | { |
2619 | 0 | for (n = c->list; n; n = n->next) |
2620 | 0 | if (n->pkt->pkttype != PKT_SIGNATURE) |
2621 | 0 | break; |
2622 | 0 | if (n) |
2623 | 0 | { |
2624 | | /* Not only signature packets in the tree thus this |
2625 | | is not a detached signature. */ |
2626 | 0 | log_info (_("WARNING: not a detached signature; " |
2627 | 0 | "file '%s' was NOT verified!\n"), dfile); |
2628 | 0 | assert_signer_true = 0; |
2629 | 0 | } |
2630 | 0 | xfree (dfile); |
2631 | 0 | } |
2632 | 0 | } |
2633 | | |
2634 | | /* Compute compliance with CO_DE_VS. */ |
2635 | 0 | if (pk |
2636 | 0 | && gnupg_gcrypt_is_compliant (CO_DE_VS) |
2637 | 0 | && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey, |
2638 | 0 | nbits_from_pk (pk), NULL) |
2639 | 0 | && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo)) |
2640 | 0 | write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE, |
2641 | 0 | gnupg_status_compliance_flag (CO_DE_VS), |
2642 | 0 | NULL); |
2643 | 0 | else if (opt.flags.require_compliance |
2644 | 0 | && opt.compliance == CO_DE_VS) |
2645 | 0 | { |
2646 | 0 | log_error (_("operation forced to fail due to" |
2647 | 0 | " unfulfilled compliance rules\n")); |
2648 | 0 | if (!rc) |
2649 | 0 | rc = gpg_error (GPG_ERR_FORBIDDEN); |
2650 | 0 | } |
2651 | | |
2652 | |
|
2653 | 0 | free_public_key (pk); |
2654 | 0 | pk = NULL; |
2655 | 0 | release_kbnode( keyblock ); |
2656 | 0 | if (rc) |
2657 | 0 | g10_errors_seen = 1; |
2658 | 0 | } |
2659 | 0 | else /* Error checking the signature. (neither Good nor Bad). */ |
2660 | 0 | { |
2661 | 0 | write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s", |
2662 | 0 | (ulong)sig->keyid[0], (ulong)sig->keyid[1], |
2663 | 0 | sig->pubkey_algo, sig->digest_algo, |
2664 | 0 | sig->sig_class, (ulong)sig->timestamp, |
2665 | 0 | gpg_err_code (rc), |
2666 | 0 | issuer_fpr? issuer_fpr:"-"); |
2667 | 0 | if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY) |
2668 | 0 | { |
2669 | 0 | write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX", |
2670 | 0 | (ulong)sig->keyid[0], (ulong)sig->keyid[1]); |
2671 | 0 | } |
2672 | 0 | if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED) |
2673 | 0 | log_error (_("Can't check signature: %s\n"), gpg_strerror (rc)); |
2674 | 0 | } |
2675 | | |
2676 | 0 | leave: |
2677 | 0 | free_public_key (pk); |
2678 | 0 | xfree (issuer_fpr); |
2679 | 0 | return rc; |
2680 | 0 | } |
2681 | | |
2682 | | |
2683 | | /* |
2684 | | * Process the tree which starts at node |
2685 | | */ |
2686 | | static void |
2687 | | proc_tree (CTX c, kbnode_t node) |
2688 | 13 | { |
2689 | 13 | kbnode_t n1; |
2690 | 13 | int rc; |
2691 | | |
2692 | 13 | if (opt.list_packets || opt.list_only) |
2693 | 0 | return; |
2694 | | |
2695 | | /* We must skip our special plaintext marker packets here because |
2696 | | they may be the root packet. These packets are only used in |
2697 | | additional checks and skipping them here doesn't matter. */ |
2698 | 13 | while (node |
2699 | 1 | && node->pkt->pkttype == PKT_GPG_CONTROL |
2700 | 0 | && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK) |
2701 | 0 | { |
2702 | 0 | node = node->next; |
2703 | 0 | } |
2704 | 13 | if (!node) |
2705 | 12 | return; |
2706 | | |
2707 | 1 | c->trustletter = ' '; |
2708 | 1 | if (node->pkt->pkttype == PKT_PUBLIC_KEY |
2709 | 0 | || node->pkt->pkttype == PKT_PUBLIC_SUBKEY) |
2710 | 1 | { |
2711 | 1 | merge_keys_and_selfsig (c->ctrl, node); |
2712 | 1 | list_node (c, node); |
2713 | 1 | } |
2714 | 0 | else if (node->pkt->pkttype == PKT_SECRET_KEY) |
2715 | 0 | { |
2716 | 0 | merge_keys_and_selfsig (c->ctrl, node); |
2717 | 0 | list_node (c, node); |
2718 | 0 | } |
2719 | 0 | else if (node->pkt->pkttype == PKT_ONEPASS_SIG) |
2720 | 0 | { |
2721 | | /* Check all signatures. */ |
2722 | 0 | if (!c->any.data) |
2723 | 0 | { |
2724 | 0 | int use_textmode = 0; |
2725 | |
|
2726 | 0 | free_md_filter_context (&c->mfx); |
2727 | | /* Prepare to create all requested message digests. */ |
2728 | 0 | rc = gcry_md_open (&c->mfx.md, 0, 0); |
2729 | 0 | if (rc) |
2730 | 0 | goto hash_err; |
2731 | | |
2732 | | /* Fixme: why looking for the signature packet and not the |
2733 | | one-pass packet? */ |
2734 | 0 | for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));) |
2735 | 0 | gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo); |
2736 | |
|
2737 | 0 | if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01) |
2738 | 0 | use_textmode = 1; |
2739 | | |
2740 | | /* Ask for file and hash it. */ |
2741 | 0 | if (c->sigs_only) |
2742 | 0 | { |
2743 | 0 | if (c->signed_data.used |
2744 | 0 | && c->signed_data.data_fd != GNUPG_INVALID_FD) |
2745 | 0 | rc = hash_datafile_by_fd (c->mfx.md, NULL, |
2746 | 0 | c->signed_data.data_fd, |
2747 | 0 | use_textmode); |
2748 | 0 | else |
2749 | 0 | rc = hash_datafiles (c->mfx.md, NULL, |
2750 | 0 | c->signed_data.data_names, |
2751 | 0 | c->sigfilename, |
2752 | 0 | use_textmode); |
2753 | 0 | } |
2754 | 0 | else |
2755 | 0 | { |
2756 | 0 | rc = ask_for_detached_datafile (c->mfx.md, NULL, |
2757 | 0 | iobuf_get_real_fname (c->iobuf), |
2758 | 0 | use_textmode); |
2759 | 0 | } |
2760 | |
|
2761 | 0 | hash_err: |
2762 | 0 | if (rc) |
2763 | 0 | { |
2764 | 0 | log_error ("can't hash datafile: %s\n", gpg_strerror (rc)); |
2765 | 0 | return; |
2766 | 0 | } |
2767 | 0 | } |
2768 | 0 | else if (c->signed_data.used) |
2769 | 0 | { |
2770 | 0 | log_error (_("not a detached signature\n")); |
2771 | 0 | return; |
2772 | 0 | } |
2773 | | |
2774 | 0 | for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));) |
2775 | 0 | if (check_sig_and_print (c, n1) && opt.batch |
2776 | 0 | && !opt.flags.proc_all_sigs) |
2777 | 0 | break; |
2778 | |
|
2779 | 0 | } |
2780 | 0 | else if (node->pkt->pkttype == PKT_GPG_CONTROL |
2781 | 0 | && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START) |
2782 | 0 | { |
2783 | | /* Clear text signed message. */ |
2784 | 0 | if (!c->any.data) |
2785 | 0 | { |
2786 | 0 | log_error ("cleartext signature without data\n"); |
2787 | 0 | return; |
2788 | 0 | } |
2789 | 0 | else if (c->signed_data.used) |
2790 | 0 | { |
2791 | 0 | log_error (_("not a detached signature\n")); |
2792 | 0 | return; |
2793 | 0 | } |
2794 | | |
2795 | 0 | for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));) |
2796 | 0 | if (check_sig_and_print (c, n1) && opt.batch |
2797 | 0 | && !opt.flags.proc_all_sigs) |
2798 | 0 | break; |
2799 | 0 | } |
2800 | 0 | else if (node->pkt->pkttype == PKT_SIGNATURE) |
2801 | 0 | { |
2802 | 0 | PKT_signature *sig = node->pkt->pkt.signature; |
2803 | 0 | int multiple_ok = 1; |
2804 | |
|
2805 | 0 | n1 = find_next_kbnode (node, PKT_SIGNATURE); |
2806 | 0 | if (n1) |
2807 | 0 | { |
2808 | 0 | byte class = sig->sig_class; |
2809 | 0 | byte hash = sig->digest_algo; |
2810 | |
|
2811 | 0 | for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE))) |
2812 | 0 | { |
2813 | | /* We can't currently handle multiple signatures of |
2814 | | * different classes (we'd pretty much have to run a |
2815 | | * different hash context for each), but if they are all |
2816 | | * the same and it is detached signature, we make an |
2817 | | * exception. Note that the old code also disallowed |
2818 | | * multiple signatures if the digest algorithms are |
2819 | | * different. We softened this restriction only for |
2820 | | * detached signatures, to be on the safe side. */ |
2821 | 0 | if (n1->pkt->pkt.signature->sig_class != class |
2822 | 0 | || (c->any.data |
2823 | 0 | && n1->pkt->pkt.signature->digest_algo != hash)) |
2824 | 0 | { |
2825 | 0 | multiple_ok = 0; |
2826 | 0 | log_info (_("WARNING: multiple signatures detected. " |
2827 | 0 | "Only the first will be checked.\n")); |
2828 | 0 | break; |
2829 | 0 | } |
2830 | 0 | } |
2831 | 0 | } |
2832 | |
|
2833 | 0 | if (sig->sig_class != 0x00 && sig->sig_class != 0x01) |
2834 | 0 | { |
2835 | 0 | log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class); |
2836 | 0 | } |
2837 | 0 | else if (!c->any.data) |
2838 | 0 | { |
2839 | | /* Detached signature */ |
2840 | 0 | free_md_filter_context (&c->mfx); |
2841 | 0 | rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0); |
2842 | 0 | if (rc) |
2843 | 0 | goto detached_hash_err; |
2844 | | |
2845 | 0 | if (multiple_ok) |
2846 | 0 | { |
2847 | | /* If we have and want to handle multiple signatures we |
2848 | | * need to enable all hash algorithms for the context. */ |
2849 | 0 | for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); ) |
2850 | 0 | if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo)) |
2851 | 0 | gcry_md_enable (c->mfx.md, |
2852 | 0 | map_md_openpgp_to_gcry |
2853 | 0 | (n1->pkt->pkt.signature->digest_algo)); |
2854 | 0 | } |
2855 | |
|
2856 | 0 | if (RFC2440 || RFC4880) |
2857 | 0 | ; /* Strict RFC mode. */ |
2858 | 0 | else if (sig->digest_algo == DIGEST_ALGO_SHA1 |
2859 | 0 | && sig->pubkey_algo == PUBKEY_ALGO_DSA |
2860 | 0 | && sig->sig_class == 0x01) |
2861 | 0 | { |
2862 | | /* Enable a workaround for a pgp5 bug when the detached |
2863 | | * signature has been created in textmode. Note that we |
2864 | | * do not implement this for multiple signatures with |
2865 | | * different hash algorithms. */ |
2866 | 0 | rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0); |
2867 | 0 | if (rc) |
2868 | 0 | goto detached_hash_err; |
2869 | 0 | } |
2870 | | |
2871 | | /* Here we used to have another hack to work around a pgp |
2872 | | * 2 bug: It worked by not using the textmode for detached |
2873 | | * signatures; this would let the first signature check |
2874 | | * (on md) fail but the second one (on md2), which adds an |
2875 | | * extra CR would then have produced the "correct" hash. |
2876 | | * This is very, very ugly hack but it may haved help in |
2877 | | * some cases (and break others). |
2878 | | * c->mfx.md2? 0 :(sig->sig_class == 0x01) |
2879 | | */ |
2880 | | |
2881 | 0 | if (DBG_HASHING) |
2882 | 0 | { |
2883 | 0 | gcry_md_debug (c->mfx.md, "verify"); |
2884 | 0 | if (c->mfx.md2) |
2885 | 0 | gcry_md_debug (c->mfx.md2, "verify2"); |
2886 | 0 | } |
2887 | |
|
2888 | 0 | if (c->sigs_only) |
2889 | 0 | { |
2890 | 0 | if (c->signed_data.used |
2891 | 0 | && c->signed_data.data_fd != GNUPG_INVALID_FD) |
2892 | 0 | rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2, |
2893 | 0 | c->signed_data.data_fd, |
2894 | 0 | (sig->sig_class == 0x01)); |
2895 | 0 | else |
2896 | 0 | rc = hash_datafiles (c->mfx.md, c->mfx.md2, |
2897 | 0 | c->signed_data.data_names, |
2898 | 0 | c->sigfilename, |
2899 | 0 | (sig->sig_class == 0x01)); |
2900 | 0 | } |
2901 | 0 | else |
2902 | 0 | { |
2903 | 0 | rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2, |
2904 | 0 | iobuf_get_real_fname(c->iobuf), |
2905 | 0 | (sig->sig_class == 0x01)); |
2906 | 0 | } |
2907 | |
|
2908 | 0 | detached_hash_err: |
2909 | 0 | if (rc) |
2910 | 0 | { |
2911 | 0 | log_error ("can't hash datafile: %s\n", gpg_strerror (rc)); |
2912 | 0 | return; |
2913 | 0 | } |
2914 | 0 | } |
2915 | 0 | else if (c->signed_data.used) |
2916 | 0 | { |
2917 | 0 | log_error (_("not a detached signature\n")); |
2918 | 0 | return; |
2919 | 0 | } |
2920 | 0 | else if (!opt.quiet) |
2921 | 0 | log_info (_("old style (PGP 2.x) signature\n")); |
2922 | | |
2923 | 0 | if (multiple_ok) |
2924 | 0 | { |
2925 | 0 | for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE))) |
2926 | 0 | if (check_sig_and_print (c, n1) && opt.batch |
2927 | 0 | && !opt.flags.proc_all_sigs) |
2928 | 0 | break; |
2929 | 0 | } |
2930 | 0 | else |
2931 | 0 | check_sig_and_print (c, node); |
2932 | |
|
2933 | 0 | } |
2934 | 0 | else |
2935 | 0 | { |
2936 | 0 | dump_kbnode (c->list); |
2937 | | log_error ("invalid root packet detected in proc_tree()\n"); |
2938 | 0 | dump_kbnode (node); |
2939 | 0 | } |
2940 | 1 | } |