Coverage Report

Created: 2026-07-16 06:11

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/gnupg/g10/mainproc.c
Line
Count
Source
1
/* mainproc.c - handle packets
2
 * Copyright (C) 1998-2009 Free Software Foundation, Inc.
3
 * Copyright (C) 2013-2014 Werner Koch
4
 * Copyright (C) 2020, 2024 g10 Code GmbH
5
 *
6
 * This file is part of GnuPG.
7
 *
8
 * GnuPG is free software; you can redistribute it and/or modify
9
 * it under the terms of the GNU General Public License as published by
10
 * the Free Software Foundation; either version 3 of the License, or
11
 * (at your option) any later version.
12
 *
13
 * GnuPG is distributed in the hope that it will be useful,
14
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16
 * GNU General Public License for more details.
17
 *
18
 * You should have received a copy of the GNU General Public License
19
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
20
 */
21
22
#include <config.h>
23
#include <stdio.h>
24
#include <stdlib.h>
25
#include <string.h>
26
#include <time.h>
27
28
#include "gpg.h"
29
#include "../common/util.h"
30
#include "packet.h"
31
#include "../common/iobuf.h"
32
#include "options.h"
33
#include "keydb.h"
34
#include "filter.h"
35
#include "main.h"
36
#include "../common/status.h"
37
#include "../common/i18n.h"
38
#include "trustdb.h"
39
#include "keyserver-internal.h"
40
#include "photoid.h"
41
#include "../common/mbox-util.h"
42
#include "call-dirmngr.h"
43
#include "../common/compliance.h"
44
45
/* Put an upper limit on nested packets.  The 32 is an arbitrary
46
   value, a much lower should actually be sufficient.  */
47
59.6k
#define MAX_NESTING_DEPTH 32
48
49
50
/* An object to build a list of symkey packet info.  */
51
struct symlist_item
52
{
53
  struct symlist_item *next;
54
  int cipher_algo;
55
  enum gcry_cipher_modes cipher_mode;
56
  int other_error;
57
};
58
59
60
/*
61
 * Object to hold the processing context.
62
 */
63
typedef struct mainproc_context *CTX;
64
struct mainproc_context
65
{
66
  ctrl_t ctrl;
67
  struct mainproc_context *anchor;  /* May be useful in the future. */
68
  PKT_public_key *last_pubkey;
69
  PKT_user_id     *last_user_id;
70
  md_filter_context_t mfx;
71
  int sigs_only;    /* Process only signatures and reject all other stuff. */
72
  int encrypt_only; /* Process only encryption messages. */
73
74
  /* Name of the file with the complete signature or the file with the
75
     detached signature.  This is currently only used to deduce the
76
     file name of the data file if that has not been given. */
77
  const char *sigfilename;
78
79
  /* A structure to describe the signed data in case of a detached
80
     signature. */
81
  struct
82
  {
83
    /* A file descriptor of the signed data.  Only used if not -1. */
84
    gnupg_fd_t data_fd;
85
    /* A list of filenames with the data files or NULL. This is only
86
       used if DATA_FD is -1. */
87
    strlist_t data_names;
88
    /* Flag to indicated that either one of the next previous fields
89
       is used.  This is only needed for better readability. */
90
    int used;
91
  } signed_data;
92
93
  DEK *dek;
94
  int last_was_session_key;
95
  kbnode_t list;    /* The current list of packets. */
96
  iobuf_t iobuf;    /* Used to get the filename etc. */
97
  int trustletter;  /* Temporary usage in list_node. */
98
  ulong symkeys;    /* Number of symmetrically encrypted session keys.  */
99
  struct seskey_enc_list *sesenc_list; /* List of encryption packets. */
100
  struct symlist_item *symenc_list;   /* List of sym. encryption packets. */
101
  int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */
102
  int seen_pkt_encrypted_mdc;  /* PKT_ENCRYPTED_MDC packet seen. */
103
  struct {
104
    unsigned int sig_seen:1;      /* Set to true if a signature packet
105
                                     has been seen. */
106
    unsigned int data:1;          /* Any data packet seen */
107
    unsigned int uncompress_failed:1;
108
  } any;
109
};
110
111
112
/* Counter with the number of literal data packets seen.  Note that
113
 * this is also bumped at the end of an encryption.  This counter is
114
 * used for a basic consistency check of a received PGP message.  */
115
static int literals_seen;
116
117
118
/*** Local prototypes.  ***/
119
static int do_proc_packets (CTX c, iobuf_t a, int keep_dek_and_list);
120
static void list_node (CTX c, kbnode_t node);
121
static void proc_tree (CTX c, kbnode_t node);
122
123
124
/*** Functions.  ***/
125
126
/* Reset the literal data counter.  This is required to setup a new
127
 * decryption or verification context.  */
128
void
129
reset_literals_seen(void)
130
0
{
131
0
  literals_seen = 0;
132
0
}
133
134
135
static void
136
release_list( CTX c )
137
87.0k
{
138
87.0k
  proc_tree (c, c->list);
139
87.0k
  release_kbnode (c->list);
140
87.0k
  free_seskey_enc_list (c->sesenc_list);
141
87.0k
  c->sesenc_list = NULL;
142
103k
  while (c->symenc_list)
143
16.2k
    {
144
16.2k
      struct symlist_item *tmp = c->symenc_list->next;
145
16.2k
      xfree (c->symenc_list);
146
16.2k
      c->symenc_list = tmp;
147
16.2k
    }
148
87.0k
  c->symenc_list = NULL;
149
87.0k
  c->list = NULL;
150
87.0k
  c->any.data = 0;
151
87.0k
  c->any.uncompress_failed = 0;
152
87.0k
  c->last_was_session_key = 0;
153
87.0k
  c->seen_pkt_encrypted_aead = 0;
154
87.0k
  c->seen_pkt_encrypted_mdc = 0;
155
87.0k
  xfree (c->dek);
156
87.0k
  c->dek = NULL;
157
87.0k
}
158
159
160
static int
161
add_onepass_sig (CTX c, PACKET *pkt)
162
2.25k
{
163
2.25k
  kbnode_t node;
164
165
2.25k
  if (c->list) /* Add another packet. */
166
2.15k
    add_kbnode (c->list, new_kbnode (pkt));
167
95
  else /* Insert the first one.  */
168
95
    c->list = node = new_kbnode (pkt);
169
170
2.25k
  return 1;
171
2.25k
}
172
173
174
static int
175
add_gpg_control (CTX c, PACKET *pkt)
176
3.57k
{
177
3.57k
  if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
178
3.57k
    {
179
      /* New clear text signature.
180
       * Process the last one and reset everything */
181
3.57k
      release_list(c);
182
3.57k
    }
183
184
3.57k
  if (c->list)  /* Add another packet.  */
185
0
    add_kbnode (c->list, new_kbnode (pkt));
186
3.57k
  else /* Insert the first one. */
187
3.57k
    c->list = new_kbnode (pkt);
188
189
3.57k
  return 1;
190
3.57k
}
191
192
193
static int
194
add_user_id (CTX c, PACKET *pkt)
195
48.2k
{
196
48.2k
  if (!c->list)
197
7.71k
    {
198
7.71k
      log_error ("orphaned user ID\n");
199
7.71k
      return 0;
200
7.71k
    }
201
40.5k
  add_kbnode (c->list, new_kbnode (pkt));
202
40.5k
  return 1;
203
48.2k
}
204
205
206
static int
207
add_subkey (CTX c, PACKET *pkt)
208
14.7k
{
209
14.7k
  if (!c->list)
210
6.95k
    {
211
6.95k
      log_error ("subkey w/o mainkey\n");
212
6.95k
      return 0;
213
6.95k
    }
214
7.77k
  add_kbnode (c->list, new_kbnode (pkt));
215
7.77k
  return 1;
216
14.7k
}
217
218
219
static int
220
add_ring_trust (CTX c, PACKET *pkt)
221
0
{
222
0
  if (!c->list)
223
0
    {
224
0
      log_error ("ring trust w/o key\n");
225
0
      return 0;
226
0
    }
227
0
  add_kbnode (c->list, new_kbnode (pkt));
228
0
  return 1;
229
0
}
230
231
232
static int
233
add_signature (CTX c, PACKET *pkt)
234
56.6k
{
235
56.6k
  kbnode_t node;
236
237
56.6k
  c->any.sig_seen = 1;
238
56.6k
  if (pkt->pkttype == PKT_SIGNATURE && !c->list)
239
21.3k
    {
240
      /* This is the first signature for the following datafile.
241
       * GPG does not write such packets; instead it always uses
242
       * onepass-sig packets.  The drawback of PGP's method
243
       * of prepending the signature to the data is
244
       * that it is not possible to make a signature from data read
245
       * from stdin.  (GPG is able to read PGP stuff anyway.) */
246
21.3k
      node = new_kbnode (pkt);
247
21.3k
      c->list = node;
248
21.3k
      return 1;
249
21.3k
    }
250
35.3k
  else if (!c->list)
251
0
    return 0; /* oops (invalid packet sequence)*/
252
35.3k
  else if (!c->list->pkt)
253
0
    BUG();    /* so nicht */
254
255
  /* Add a new signature node item at the end. */
256
35.3k
  node = new_kbnode (pkt);
257
35.3k
  add_kbnode (c->list, node);
258
259
35.3k
  return 1;
260
56.6k
}
261
262
static gpg_error_t
263
symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
264
0
{
265
0
  gpg_error_t err;
266
0
  gcry_cipher_hd_t hd;
267
0
  unsigned int noncelen, keylen;
268
0
  enum gcry_cipher_modes ciphermode;
269
270
0
  if (dek->use_aead)
271
0
    {
272
0
      err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen);
273
0
      if (err)
274
0
        return err;
275
0
    }
276
0
  else
277
0
    {
278
0
      ciphermode = GCRY_CIPHER_MODE_CFB;
279
0
      noncelen = 0;
280
0
    }
281
282
  /* Check that the session key has a size of 16 to 32 bytes.  */
283
0
  if ((dek->use_aead && (slen < (noncelen + 16 + 16)
284
0
                         || slen > (noncelen + 32 + 16)))
285
0
      || (!dek->use_aead && (slen < 17 || slen > 33)))
286
0
    {
287
0
      log_error ( _("weird size for an encrypted session key (%d)\n"),
288
0
      (int)slen);
289
0
      return gpg_error (GPG_ERR_BAD_KEY);
290
0
    }
291
292
0
  err = openpgp_cipher_open (&hd, dek->algo, ciphermode, GCRY_CIPHER_SECURE);
293
0
  if (!err)
294
0
    err = gcry_cipher_setkey (hd, dek->key, dek->keylen);
295
0
  if (!err)
296
0
    err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen);
297
0
  if (err)
298
0
    goto leave;
299
300
0
  if (dek->use_aead)
301
0
    {
302
0
      byte ad[4];
303
304
0
      ad[0] = (0xc0 | PKT_SYMKEY_ENC);
305
0
      ad[1] = 5;
306
0
      ad[2] = dek->algo;
307
0
      ad[3] = dek->use_aead;
308
0
      err = gcry_cipher_authenticate (hd, ad, 4);
309
0
      if (err)
310
0
        goto leave;
311
0
      gcry_cipher_final (hd);
312
0
      keylen = slen - noncelen - 16;
313
0
      err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0);
314
0
      if (err)
315
0
        goto leave;
316
0
      err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16);
317
0
      if (err)
318
0
        goto leave;
319
      /* Now we replace the dek components with the real session key to
320
       * decrypt the contents of the sequencing packet. */
321
0
      if (keylen > DIM(dek->key))
322
0
        {
323
0
          err = gpg_error (GPG_ERR_TOO_LARGE);
324
0
          goto leave;
325
0
        }
326
0
      dek->keylen = keylen;
327
0
      memcpy (dek->key, seskey + noncelen, dek->keylen);
328
0
    }
329
0
  else
330
0
    {
331
0
      gcry_cipher_decrypt (hd, seskey, slen, NULL, 0 );
332
      /* Here we can only test whether the algo given in decrypted
333
       * session key is a valid OpenPGP algo.  With 11 defined
334
       * symmetric algorithms we will miss 4.3% of wrong passphrases
335
       * here.  The actual checking is done later during bulk
336
       * decryption; we can't bring this check forward easily.  We
337
       * need to use the GPG_ERR_CHECKSUM so that we won't run into
338
       * the gnupg < 2.2 bug compatible case which would terminate the
339
       * process on GPG_ERR_CIPHER_ALGO.  Note that with AEAD (above)
340
       * we will have a reliable test here.  */
341
0
      if (openpgp_cipher_test_algo (seskey[0])
342
0
          || openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1)
343
0
        {
344
0
          err = gpg_error (GPG_ERR_CHECKSUM);
345
0
          goto leave;
346
0
        }
347
348
      /* Now we replace the dek components with the real session key to
349
       * decrypt the contents of the sequencing packet. */
350
0
      keylen = slen-1;
351
0
      if (keylen > DIM(dek->key))
352
0
        {
353
0
          err = gpg_error (GPG_ERR_TOO_LARGE);
354
0
          goto leave;
355
0
        }
356
0
      dek->algo = seskey[0];
357
0
      dek->keylen = keylen;
358
0
      memcpy (dek->key, seskey + 1, dek->keylen);
359
0
    }
360
361
  /*log_hexdump( "thekey", dek->key, dek->keylen );*/
362
363
0
 leave:
364
0
  gcry_cipher_close (hd);
365
0
  return err;
366
0
}
367
368
369
static void
370
proc_symkey_enc (CTX c, PACKET *pkt)
371
16.2k
{
372
16.2k
  gpg_error_t err;
373
16.2k
  PKT_symkey_enc *enc;
374
375
16.2k
  enc = pkt->pkt.symkey_enc;
376
16.2k
  if (!enc)
377
16.2k
    log_error ("invalid symkey encrypted packet\n");
378
13.3k
  else if(!c->dek)
379
13.3k
    {
380
13.3k
      int algo = enc->cipher_algo;
381
13.3k
      const char *s = openpgp_cipher_algo_name (algo);
382
13.3k
      const char *a = (enc->aead_algo ? openpgp_aead_algo_name (enc->aead_algo)
383
13.3k
                       /**/           : "CFB");
384
385
13.3k
      if (!openpgp_cipher_test_algo (algo))
386
10.7k
        {
387
10.7k
          if (!opt.quiet)
388
10.7k
            {
389
10.7k
              if (enc->seskeylen)
390
10.7k
                log_info (_("%s.%s encrypted session key\n"), s, a );
391
10.1k
              else
392
10.7k
                log_info (_("%s.%s encrypted data\n"), s, a );
393
10.7k
            }
394
10.7k
        }
395
2.62k
      else
396
2.62k
        {
397
2.62k
          log_error (_("encrypted with unknown algorithm %d.%s\n"), algo, a);
398
2.62k
          s = NULL; /* Force a goto leave.  */
399
2.62k
        }
400
401
13.3k
      if (openpgp_md_test_algo (enc->s2k.hash_algo))
402
10.6k
        {
403
10.6k
          log_error(_("passphrase generated with unknown digest"
404
10.6k
                      " algorithm %d\n"),enc->s2k.hash_algo);
405
10.6k
          s = NULL;
406
10.6k
        }
407
408
13.3k
      c->last_was_session_key = 2;
409
13.3k
      if (!s || opt.list_only)
410
11.1k
        goto leave;
411
412
2.17k
      if (opt.override_session_key)
413
0
        {
414
0
          c->dek = xmalloc_clear (sizeof *c->dek);
415
0
          if (get_override_session_key (c->dek, opt.override_session_key))
416
0
            {
417
0
              xfree (c->dek);
418
0
              c->dek = NULL;
419
0
            }
420
0
        }
421
2.17k
      else
422
2.17k
        {
423
2.17k
          c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL,
424
2.17k
                                      GETPASSWORD_FLAG_SYMDECRYPT, NULL);
425
2.17k
          if (c->dek)
426
0
            {
427
0
              c->dek->symmetric = 1;
428
0
              c->dek->use_aead = enc->aead_algo;
429
430
              /* FIXME: This doesn't work perfectly if a symmetric key
431
                 comes before a public key in the message - if the
432
                 user doesn't know the passphrase, then there is a
433
                 chance that the "decrypted" algorithm will happen to
434
                 be a valid one, which will make the returned dek
435
                 appear valid, so we won't try any public keys that
436
                 come later. */
437
0
              if (enc->seskeylen)
438
0
                {
439
0
                  err = symkey_decrypt_seskey (c->dek,
440
0
                                               enc->seskey, enc->seskeylen);
441
0
                  if (err)
442
0
                    {
443
0
                      log_info ("decryption of the symmetrically encrypted"
444
0
                                 " session key failed: %s\n",
445
0
                                 gpg_strerror (err));
446
0
                      if (gpg_err_code (err) != GPG_ERR_BAD_KEY
447
0
                          && gpg_err_code (err) != GPG_ERR_CHECKSUM)
448
0
                        log_fatal ("process terminated to be bug compatible"
449
0
                                   " with GnuPG <= 2.2\n");
450
0
                      else
451
0
                        write_status_text (STATUS_ERROR,
452
0
                                           "symkey_decrypt.maybe_error"
453
0
                                           " 11_BAD_PASSPHRASE");
454
455
0
                      if (c->dek->s2k_cacheid[0])
456
0
                        {
457
0
                          if (opt.debug)
458
0
                            log_debug ("cleared passphrase cached with ID:"
459
0
                                       " %s\n", c->dek->s2k_cacheid);
460
0
                          passphrase_clear_cache (c->dek->s2k_cacheid);
461
0
                        }
462
0
                      xfree (c->dek);
463
0
                      c->dek = NULL;
464
0
                    }
465
0
                }
466
0
              else
467
0
                c->dek->algo_info_printed = 1;
468
0
            }
469
2.17k
        }
470
2.17k
    }
471
472
16.2k
 leave:
473
  /* Record infos from the packet.  */
474
16.2k
  {
475
16.2k
    struct symlist_item  *symitem;
476
16.2k
    symitem = xcalloc (1, sizeof *symitem);
477
16.2k
    if (enc)
478
13.3k
      {
479
13.3k
        symitem->cipher_algo = enc->cipher_algo;
480
13.3k
        symitem->cipher_mode = !enc->aead_algo;
481
13.3k
        symitem->cipher_mode
482
13.3k
          = (enc->aead_algo == AEAD_ALGO_NONE? GCRY_CIPHER_MODE_CFB :
483
13.3k
             enc->aead_algo == AEAD_ALGO_OCB?  GCRY_CIPHER_MODE_OCB :
484
1.33k
             GCRY_CIPHER_MODE_NONE);
485
13.3k
      }
486
2.87k
    else
487
2.87k
      symitem->other_error = 1;
488
16.2k
    symitem->next = c->symenc_list;
489
16.2k
    c->symenc_list = symitem;
490
16.2k
  }
491
16.2k
  c->symkeys++;
492
16.2k
  free_packet (pkt, NULL);
493
16.2k
}
494
495
496
static void
497
proc_pubkey_enc (CTX c, PACKET *pkt)
498
14.5k
{
499
14.5k
  PKT_pubkey_enc *enc;
500
501
  /* Check whether the secret key is available and store in this case.  */
502
14.5k
  c->last_was_session_key = 1;
503
14.5k
  enc = pkt->pkt.pubkey_enc;
504
  /*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
505
  /* Hmmm: why do I have this algo check here - anyway there is
506
   * function to check it. */
507
14.5k
  if (opt.verbose)
508
14.5k
    log_info (_("public key is %s\n"), keystr (enc->keyid));
509
510
14.5k
  if (is_status_enabled ())
511
0
    {
512
0
      char buf[50];
513
0
      snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
514
0
                (ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
515
0
      write_status_text (STATUS_ENC_TO, buf);
516
0
    }
517
518
14.5k
  if (!opt.list_only && !opt.override_session_key)
519
14.5k
    {
520
14.5k
      struct seskey_enc_list *x = xcalloc (1, sizeof *x);
521
522
14.5k
      copy_pubkey_enc_parts (&x->u.pub, enc);
523
14.5k
      x->result = -1;
524
14.5k
      x->next = c->sesenc_list;
525
14.5k
      c->sesenc_list = x;
526
14.5k
    }
527
528
14.5k
  free_packet(pkt, NULL);
529
14.5k
}
530
531
532
/*
533
 * Print the list of public key encrypted packets which we could
534
 * not decrypt.
535
 */
536
static void
537
print_sesenc_list (ctrl_t ctrl, struct seskey_enc_list *list)
538
43.7k
{
539
1.47M
  for (; list; list = list->next)
540
1.43M
    {
541
1.43M
      PKT_public_key *pk;
542
1.43M
      char pkstrbuf[PUBKEY_STRING_SIZE];
543
1.43M
      char *p;
544
545
1.43M
      if (list->u_sym)
546
0
        continue;
547
548
1.43M
      pk = xmalloc_clear (sizeof *pk);
549
550
1.43M
      pk->pubkey_algo = list->u.pub.pubkey_algo;
551
1.43M
      if (!get_pubkey (ctrl, pk, list->u.pub.keyid))
552
0
        {
553
0
          pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
554
555
0
          log_info (_("encrypted with %s key, ID %s, created %s\n"),
556
0
                    pkstrbuf, keystr_from_pk (pk),
557
0
                    strtimestamp (pk->timestamp));
558
0
          p = get_user_id_native (ctrl, list->u.pub.keyid);
559
0
          log_printf (_("      \"%s\"\n"), p);
560
0
          xfree (p);
561
0
        }
562
1.43M
      else
563
1.43M
        log_info (_("encrypted with %s key, ID %s\n"),
564
1.43M
                  openpgp_pk_algo_name (list->u.pub.pubkey_algo),
565
1.43M
                  keystr (list->u.pub.keyid));
566
567
1.43M
      if (opt.flags.require_pqc_encryption
568
0
          && pk->pubkey_algo != PUBKEY_ALGO_KYBER)
569
1.43M
        log_info (_("WARNING: key is not quantum-resistant\n"));
570
571
1.43M
      free_public_key (pk);
572
1.43M
    }
573
43.7k
}
574
575
576
static void
577
proc_encrypted (CTX c, PACKET *pkt)
578
43.7k
{
579
43.7k
  int result = 0;
580
43.7k
  int early_plaintext = literals_seen;
581
43.7k
  unsigned int compliance_de_vs = 0;
582
43.7k
  enum gcry_cipher_modes ciphermode;
583
43.7k
  int unknown_ciphermode;
584
585
43.7k
  if (pkt)
586
43.7k
    {
587
43.7k
      if (pkt->pkttype == PKT_ENCRYPTED_AEAD)
588
17.4k
        c->seen_pkt_encrypted_aead = 1;
589
43.7k
      if (pkt->pkttype == PKT_ENCRYPTED_MDC)
590
1.37k
        c->seen_pkt_encrypted_mdc = 1;
591
43.7k
    }
592
0
  else /* No PKT indicates the add-recipients mode.  */
593
43.7k
    log_assert (c->ctrl->modify_recipients);
594
595
43.7k
  if (early_plaintext)
596
43.7k
    {
597
43.7k
      log_info (_("WARNING: multiple plaintexts seen\n"));
598
43.7k
      write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA);
599
      /* We fail only later so that we can print some more info first.  */
600
43.7k
    }
601
602
43.7k
  if (!opt.quiet)
603
43.7k
    {
604
43.7k
      if (c->symkeys>1)
605
43.7k
        log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
606
34.8k
      else if (c->symkeys == 1)
607
34.8k
        log_info (_("encrypted with 1 passphrase\n"));
608
43.7k
      print_sesenc_list (c->ctrl, c->sesenc_list);
609
43.7k
    }
610
611
  /* Figure out the session key by looking at all pkenc packets. */
612
43.7k
  if (opt.list_only || c->dek)
613
0
    ;
614
43.7k
  else if (opt.override_session_key)
615
0
    {
616
0
      c->dek = xmalloc_clear (sizeof *c->dek);
617
0
      result = get_override_session_key (c->dek, opt.override_session_key);
618
0
      if (result)
619
0
        {
620
0
          xfree (c->dek);
621
0
          c->dek = NULL;
622
0
          log_info (_("public key decryption failed: %s\n"),
623
0
                    gpg_strerror (result));
624
0
          write_status_error ("pkdecrypt_failed", result);
625
0
        }
626
0
    }
627
43.7k
  else if (c->sesenc_list)
628
13.3k
    {
629
13.3k
      c->dek = xmalloc_secure_clear (sizeof *c->dek);
630
13.3k
      result = get_session_key (c->ctrl, c->sesenc_list, c->dek);
631
13.3k
      if (is_status_enabled ())
632
0
        {
633
0
          struct seskey_enc_list *list;
634
635
0
          for (list = c->sesenc_list; list; list = list->next)
636
0
            if (list->result && !list->u_sym)
637
0
              { /* Key was not tried or it caused an error.  */
638
0
                char buf[20];
639
0
                snprintf (buf, sizeof buf, "%08lX%08lX",
640
0
                          (ulong)list->u.pub.keyid[0],
641
0
                          (ulong)list->u.pub.keyid[1]);
642
0
                write_status_text (STATUS_NO_SECKEY, buf);
643
0
              }
644
0
        }
645
646
13.3k
      if (result)
647
13.3k
        {
648
13.3k
          log_info (_("public key decryption failed: %s\n"),
649
13.3k
                    gpg_strerror (result));
650
13.3k
          write_status_error ("pkdecrypt_failed", result);
651
652
          /* Error: Delete the DEK. */
653
13.3k
          xfree (c->dek);
654
13.3k
          c->dek = NULL;
655
13.3k
        }
656
13.3k
    }
657
658
43.7k
  if (c->dek && opt.verbose > 1)
659
43.7k
    log_info (_("public key encrypted data: good DEK\n"));
660
661
43.7k
  if (c->ctrl->modify_recipients)
662
0
    {
663
0
      if (c->anchor)
664
0
        {
665
0
          log_error ("command not possible with nested data\n");
666
0
          write_status_errcode ("decryption.mod_recp", GPG_ERR_BAD_DATA);
667
0
          xfree (c->dek);
668
0
          c->dek = NULL;
669
0
          return;
670
0
        }
671
0
      literals_seen++;
672
      /* Simply return here.  Our caller will then test for DEK and
673
       * the PK_list to decide whether decryption worked.  */
674
0
      return;
675
0
    }
676
677
43.7k
  if (!opt.show_only_session_key)
678
43.7k
    write_status (STATUS_BEGIN_DECRYPTION);
679
680
  /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
681
43.7k
  if (opt.list_only)
682
0
    result = -1;
683
43.7k
  else if (!c->dek && !c->last_was_session_key)
684
31.0k
    {
685
31.0k
      int algo;
686
31.0k
      STRING2KEY s2kbuf;
687
31.0k
      STRING2KEY *s2k = NULL;
688
31.0k
      int canceled;
689
690
31.0k
      if (opt.override_session_key)
691
0
        {
692
0
          c->dek = xmalloc_clear (sizeof *c->dek);
693
0
          result = get_override_session_key (c->dek, opt.override_session_key);
694
0
          if (result)
695
0
            {
696
0
              xfree (c->dek);
697
0
              c->dek = NULL;
698
0
            }
699
0
        }
700
31.0k
      else
701
31.0k
        {
702
          /* Assume this is old style conventional encrypted data. */
703
31.0k
          algo = opt.def_cipher_algo;
704
31.0k
          if (algo)
705
31.0k
            log_info (_("assuming %s encrypted data\n"),
706
0
                      openpgp_cipher_algo_name (algo));
707
31.0k
          else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
708
0
            {
709
0
              algo = opt.def_cipher_algo;
710
0
              if (!algo)
711
0
                algo = opt.s2k_cipher_algo;
712
0
              log_info (_("IDEA cipher unavailable, "
713
0
                          "optimistically attempting to use %s instead\n"),
714
0
                        openpgp_cipher_algo_name (algo));
715
0
            }
716
31.0k
          else
717
31.0k
            {
718
31.0k
              algo = CIPHER_ALGO_IDEA;
719
31.0k
              if (!opt.s2k_digest_algo)
720
31.0k
                {
721
                  /* If no digest is given we assume SHA-1. */
722
31.0k
                  s2kbuf.mode = 0;
723
31.0k
                  s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
724
31.0k
                  s2k = &s2kbuf;
725
31.0k
                }
726
31.0k
              log_info (_("assuming %s encrypted data\n"), "IDEA");
727
31.0k
            }
728
729
31.0k
          c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL,
730
31.0k
                                      GETPASSWORD_FLAG_SYMDECRYPT, &canceled);
731
31.0k
          if (c->dek)
732
0
            c->dek->algo_info_printed = 1;
733
31.0k
          else if (canceled)
734
31.0k
            result = gpg_error (GPG_ERR_CANCELED);
735
0
          else
736
0
            result = gpg_error (GPG_ERR_INV_PASSPHRASE);
737
31.0k
        }
738
31.0k
    }
739
12.6k
  else if (!c->dek)
740
12.6k
    {
741
12.6k
      if (c->symkeys && !c->sesenc_list)
742
8.84k
        result = gpg_error (GPG_ERR_BAD_KEY);
743
744
12.6k
      if (!result)
745
0
        result = gpg_error (GPG_ERR_NO_SECKEY);
746
12.6k
    }
747
748
  /* We need to know the ciphermode for gnupg_cipher_is_compliant.  */
749
43.7k
  unknown_ciphermode = 0;
750
43.7k
  if (pkt->pkt.encrypted->aead_algo)
751
4.89k
    {
752
4.89k
      unsigned int dummy;
753
4.89k
      if (openpgp_aead_algo_info (pkt->pkt.encrypted->aead_algo,
754
4.89k
                                  &ciphermode, &dummy))
755
2.01k
        unknown_ciphermode = 1;  /* error -> unknown mode */
756
4.89k
    }
757
38.8k
  else
758
38.8k
    ciphermode = GCRY_CIPHER_MODE_CFB;
759
760
  /* Compute compliance with CO_DE_VS.  */
761
43.7k
  if (!result && (is_status_enabled () || opt.flags.require_compliance)
762
      /* Overriding session key voids compliance.  */
763
0
      && !opt.override_session_key
764
      /* Check symmetric cipher.  */
765
0
      && gnupg_gcrypt_is_compliant (CO_DE_VS)
766
0
      && !unknown_ciphermode
767
0
      && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, ciphermode))
768
0
    {
769
0
      struct seskey_enc_list *i;
770
0
      struct symlist_item *si;
771
0
      int compliant = 1;
772
0
      PKT_public_key *pk = xmalloc (sizeof *pk);
773
774
0
      if ( !(c->sesenc_list || c->symkeys) )
775
0
        log_debug ("%s: where else did the session key come from?\n", __func__);
776
777
      /* Check that all seen symmetric key packets use compliant
778
       * algos.  This is so that no non-compliant encrypted session
779
       * key can be sneaked in.  */
780
0
      for (si = c->symenc_list; si && compliant; si = si->next)
781
0
        {
782
0
          if (si->cipher_mode == GCRY_CIPHER_MODE_NONE
783
0
              || !gnupg_cipher_is_compliant (CO_DE_VS, si->cipher_algo,
784
0
                                             si->cipher_mode))
785
0
            compliant = 0;
786
0
        }
787
788
      /* Check that every known public key used to encrypt the session key
789
       * is compliant.  */
790
0
      for (i = c->sesenc_list; i && compliant; i = i->next)
791
0
        {
792
0
          if (i->u_sym)
793
0
            continue;
794
0
          memset (pk, 0, sizeof *pk);
795
0
          pk->pubkey_algo = i->u.pub.pubkey_algo;
796
0
          if (!get_pubkey (c->ctrl, pk, i->u.pub.keyid)
797
0
              && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0,
798
0
                                         pk->pkey, nbits_from_pk (pk), NULL))
799
0
            compliant = 0;
800
0
          release_public_key_parts (pk);
801
0
        }
802
803
0
      xfree (pk);
804
805
0
      if (compliant)
806
0
        compliance_de_vs |= 1;
807
0
    }
808
809
43.7k
  if (!result)
810
0
    {
811
0
      int compl_error;
812
0
      result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek,
813
0
                             &compl_error);
814
0
      if (!result && !compl_error)
815
0
        compliance_de_vs |= 2;
816
0
    }
817
818
  /* Trigger the deferred error.  */
819
43.7k
  if (!result && early_plaintext)
820
0
    result = gpg_error (GPG_ERR_BAD_DATA);
821
43.7k
  else if (!result && opt.show_only_session_key)
822
0
    result = -1;
823
824
825
43.7k
  if (result == -1)
826
0
    ;
827
43.7k
  else if (!result
828
0
           && !opt.ignore_mdc_error
829
0
           && !pkt->pkt.encrypted->mdc_method
830
0
           && !pkt->pkt.encrypted->aead_algo)
831
0
    {
832
      /* The message has been decrypted but does not carry an MDC or
833
       * uses AEAD encryption.  --ignore-mdc-error has also not been
834
       * used.  To avoid attacks changing an MDC message to a non-MDC
835
       * message, we fail here.  */
836
0
      log_error (_("WARNING: message was not integrity protected\n"));
837
0
      if (!pkt->pkt.encrypted->mdc_method
838
0
          && (openpgp_cipher_get_algo_blklen (c->dek->algo) == 8
839
0
              || c->dek->algo == CIPHER_ALGO_TWOFISH))
840
0
        {
841
          /* Before 2.2.8 we did not fail hard for a missing MDC if
842
           * one of the old ciphers where used.  Although these cases
843
           * are rare in practice we print a hint on how to decrypt
844
           * such messages.  */
845
0
          log_string
846
0
            (GPGRT_LOGLVL_INFO,
847
0
             _("Hint: If this message was created before the year 2003 it is\n"
848
0
               "likely that this message is legitimate.  This is because back\n"
849
0
               "then integrity protection was not widely used.\n"));
850
0
          log_info (_("Use the option '%s' to decrypt anyway.\n"),
851
0
                     "--ignore-mdc-error");
852
0
          write_status_errcode ("nomdc_with_legacy_cipher",
853
0
                                GPG_ERR_DECRYPT_FAILED);
854
0
        }
855
0
      log_info (_("decryption forced to fail!\n"));
856
0
      write_status (STATUS_DECRYPTION_FAILED);
857
0
    }
858
43.7k
  else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
859
0
                       && !pkt->pkt.encrypted->aead_algo
860
0
                       && opt.ignore_mdc_error))
861
0
    {
862
      /* All is fine or for an MDC message the MDC failed but the
863
       * --ignore-mdc-error option is active.  For compatibility
864
       * reasons we issue GOODMDC also for AEAD messages.  */
865
0
      write_status (STATUS_DECRYPTION_OKAY);
866
0
      if (opt.verbose > 1)
867
0
        log_info(_("decryption okay\n"));
868
869
0
      if (pkt->pkt.encrypted->aead_algo)
870
0
        {
871
0
          write_status (STATUS_GOODMDC);
872
0
          compliance_de_vs |= 4;
873
0
        }
874
0
      else if (pkt->pkt.encrypted->mdc_method && !result)
875
0
        {
876
0
          write_status (STATUS_GOODMDC);
877
0
          compliance_de_vs |= 4;
878
0
        }
879
0
      else
880
0
        log_info (_("WARNING: message was not integrity protected\n"));
881
0
    }
882
43.7k
  else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
883
43.7k
           || gpg_err_code (result) == GPG_ERR_TRUNCATED)
884
0
    {
885
0
      glo_ctrl.lasterr = result;
886
0
      log_error (_("WARNING: encrypted message has been manipulated!\n"));
887
0
      write_status (STATUS_BADMDC);
888
0
      write_status (STATUS_DECRYPTION_FAILED);
889
0
    }
890
43.7k
  else
891
43.7k
    {
892
43.7k
      if (gpg_err_code (result) == GPG_ERR_BAD_KEY
893
34.9k
          || gpg_err_code (result) == GPG_ERR_CHECKSUM
894
34.9k
          || gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
895
8.84k
        {
896
8.84k
          if (c->symkeys)
897
8.84k
            write_status_text (STATUS_ERROR,
898
8.84k
                               "symkey_decrypt.maybe_error"
899
8.84k
                               " 11_BAD_PASSPHRASE");
900
901
8.84k
          if (c->dek && *c->dek->s2k_cacheid != '\0')
902
0
            {
903
0
              if (opt.debug)
904
0
                log_debug ("cleared passphrase cached with ID: %s\n",
905
0
                           c->dek->s2k_cacheid);
906
0
              passphrase_clear_cache (c->dek->s2k_cacheid);
907
0
            }
908
8.84k
        }
909
43.7k
      glo_ctrl.lasterr = result;
910
43.7k
      write_status (STATUS_DECRYPTION_FAILED);
911
43.7k
      log_error (_("decryption failed: %s\n"), gpg_strerror (result));
912
      /* Hmmm: does this work when we have encrypted using multiple
913
       * ways to specify the session key (symmmetric and PK). */
914
43.7k
    }
915
916
917
  /* If we concluded that the decryption was compliant, issue a
918
   * compliance status before the end of the decryption status.  */
919
43.7k
  if (compliance_de_vs == (4|2|1))
920
0
    {
921
0
      write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
922
0
                            gnupg_status_compliance_flag (CO_DE_VS),
923
0
                            NULL);
924
0
    }
925
926
43.7k
  xfree (c->dek);
927
43.7k
  c->dek = NULL;
928
43.7k
  free_packet (pkt, NULL);
929
43.7k
  c->last_was_session_key = 0;
930
931
43.7k
  if (!opt.show_only_session_key)
932
43.7k
    write_status (STATUS_END_DECRYPTION);
933
934
  /* Bump the counter even if we have not seen a literal data packet
935
   * inside an encryption container.  This acts as a sentinel in case
936
   * a misplace extra literal data packets follows after this
937
   * encrypted packet.  */
938
43.7k
  literals_seen++;
939
940
  /* The --require-compliance option allows one to simplify decryption in
941
   * de-vs compliance mode by just looking at the exit status.  */
942
43.7k
  if (opt.flags.require_compliance
943
0
      && opt.compliance == CO_DE_VS
944
0
      && compliance_de_vs != (4|2|1)
945
0
      && !opt.show_only_session_key)
946
0
    {
947
0
      log_error (_("operation forced to fail due to"
948
0
                   " unfulfilled compliance rules\n"));
949
0
      g10_errors_seen = 1;
950
0
    }
951
43.7k
}
952
953
954
static int
955
have_seen_pkt_encrypted_aead_or_mdc( CTX c )
956
5.50k
{
957
5.50k
  CTX cc;
958
959
14.8k
  for (cc = c; cc; cc = cc->anchor)
960
10.2k
    {
961
10.2k
      if (cc->seen_pkt_encrypted_aead)
962
505
  return 1;
963
9.72k
      if (cc->seen_pkt_encrypted_mdc)
964
345
  return 1;
965
9.72k
    }
966
967
4.65k
  return 0;
968
5.50k
}
969
970
971
static void
972
proc_plaintext( CTX c, PACKET *pkt )
973
10.5k
{
974
10.5k
  PKT_plaintext *pt = pkt->pkt.plaintext;
975
10.5k
  int any, clearsig, rc;
976
10.5k
  kbnode_t n;
977
10.5k
  unsigned char *extrahash;
978
10.5k
  size_t extrahashlen;
979
980
  /* This is a literal data packet.  Bump a counter for later checks.  */
981
10.5k
  literals_seen++;
982
983
10.5k
  if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
984
10.5k
    log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
985
10.5k
  else if (opt.verbose)
986
0
    {
987
      /* We don't use print_utf8_buffer because that would require a
988
       * string change which we don't want in 2.2.  It is also not
989
       * clear whether the filename is always utf-8 encoded.  */
990
0
      char *tmp = make_printable_string (pt->name, pt->namelen, 0);
991
0
      log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
992
0
      xfree (tmp);
993
0
    }
994
995
10.5k
  free_md_filter_context (&c->mfx);
996
10.5k
  if (gcry_md_open (&c->mfx.md, 0, 0))
997
0
    BUG ();
998
  /* fixme: we may need to push the textfilter if we have sigclass 1
999
   * and no armoring - Not yet tested
1000
   * Hmmm, why don't we need it at all if we have sigclass 1
1001
   * Should we assume that plaintext in mode 't' has always sigclass 1??
1002
   * See: Russ Allbery's mail 1999-02-09
1003
   */
1004
10.5k
  any = clearsig = 0;
1005
4.19M
  for (n=c->list; n; n = n->next )
1006
4.18M
    {
1007
4.18M
      if (n->pkt->pkttype == PKT_ONEPASS_SIG)
1008
16.1k
        {
1009
          /* The onepass signature case. */
1010
16.1k
          if (n->pkt->pkt.onepass_sig->digest_algo)
1011
15.4k
            {
1012
15.4k
              if (!opt.skip_verify)
1013
15.4k
                gcry_md_enable (c->mfx.md,
1014
15.4k
                                n->pkt->pkt.onepass_sig->digest_algo);
1015
1016
15.4k
              any = 1;
1017
15.4k
            }
1018
16.1k
        }
1019
4.17M
      else if (n->pkt->pkttype == PKT_GPG_CONTROL
1020
4.08M
               && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
1021
3.26k
        {
1022
          /* The clearsigned message case. */
1023
3.26k
          size_t datalen = n->pkt->pkt.gpg_control->datalen;
1024
3.26k
          const byte *data = n->pkt->pkt.gpg_control->data;
1025
1026
          /* Check that we have at least the sigclass and one hash.  */
1027
3.26k
          if  (datalen < 2)
1028
3.26k
            log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
1029
          /* Note that we don't set the clearsig flag for not-dash-escaped
1030
           * documents.  */
1031
3.26k
          clearsig = (*data == 0x01);
1032
7.72k
          for (data++, datalen--; datalen; datalen--, data++)
1033
4.46k
            if (!opt.skip_verify)
1034
4.46k
              gcry_md_enable (c->mfx.md, *data);
1035
3.26k
          any = 1;
1036
3.26k
          break;  /* Stop here as one-pass signature packets are not
1037
                     expected.  */
1038
3.26k
        }
1039
4.16M
      else if (n->pkt->pkttype == PKT_SIGNATURE)
1040
22.2k
        {
1041
          /* The SIG+LITERAL case that PGP used to use.  */
1042
22.2k
          if (!opt.skip_verify)
1043
22.2k
            gcry_md_enable (c->mfx.md, n->pkt->pkt.signature->digest_algo);
1044
22.2k
          any = 1;
1045
22.2k
        }
1046
4.18M
    }
1047
1048
10.5k
  if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead_or_mdc(c))
1049
4.65k
    {
1050
      /* This is for the old GPG LITERAL+SIG case.  It's not legal
1051
         according to 2440, so hopefully it won't come up that often.
1052
         There is no good way to specify what algorithms to use in
1053
         that case, so these there are the historical answer. */
1054
4.65k
  gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
1055
4.65k
  gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
1056
4.65k
    }
1057
10.5k
  if (DBG_HASHING)
1058
0
    {
1059
0
      gcry_md_debug (c->mfx.md, "verify");
1060
0
      if (c->mfx.md2)
1061
0
        gcry_md_debug (c->mfx.md2, "verify2");
1062
0
    }
1063
1064
10.5k
  rc=0;
1065
1066
10.5k
  if (literals_seen > 1)
1067
10.5k
    {
1068
10.5k
      log_info (_("WARNING: multiple plaintexts seen\n"));
1069
1070
10.5k
      write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
1071
10.5k
      log_inc_errorcount ();
1072
10.5k
      rc = gpg_error (GPG_ERR_UNEXPECTED);
1073
10.5k
    }
1074
1075
10.5k
  if (!rc)
1076
0
    {
1077
      /* It we are in --verify mode, we do not want to output the
1078
       * signed text.  However, if --output is also used we do what
1079
       * has been requested and write out the signed data.  */
1080
0
      rc = handle_plaintext (pt, &c->mfx,
1081
0
                             (opt.outfp || opt.outfile)? 0 :  c->sigs_only,
1082
0
                             clearsig);
1083
0
      if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
1084
0
        {
1085
          /* Can't write output but we hash it anyway to check the
1086
             signature. */
1087
0
          rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
1088
0
        }
1089
0
    }
1090
1091
10.5k
  if (rc)
1092
10.5k
    log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
1093
1094
  /* We add a marker control packet instead of the plaintext packet.
1095
   * This is so that we can later detect invalid packet sequences.
1096
   * The packet is further used to convey extra data from the
1097
   * plaintext packet to the signature verification. */
1098
10.5k
  extrahash = xtrymalloc (6 + pt->namelen);
1099
10.5k
  if (!extrahash)
1100
0
    {
1101
      /* No way to return an error.  */
1102
0
      rc = gpg_error_from_syserror ();
1103
0
      log_error ("malloc failed in %s: %s\n", __func__, gpg_strerror (rc));
1104
0
      extrahashlen = 0;
1105
0
    }
1106
10.5k
  else
1107
10.5k
    {
1108
10.5k
      extrahash[0] = pt->mode;
1109
10.5k
      extrahash[1] = pt->namelen;
1110
10.5k
      if (pt->namelen)
1111
3.96k
        memcpy (extrahash+2, pt->name, pt->namelen);
1112
10.5k
      extrahashlen = 2 + pt->namelen;
1113
10.5k
      extrahash[extrahashlen++] = pt->timestamp >> 24;
1114
10.5k
      extrahash[extrahashlen++] = pt->timestamp >> 16;
1115
10.5k
      extrahash[extrahashlen++] = pt->timestamp >>  8;
1116
10.5k
      extrahash[extrahashlen++] = pt->timestamp      ;
1117
10.5k
    }
1118
1119
10.5k
  free_packet (pkt, NULL);
1120
10.5k
  c->last_was_session_key = 0;
1121
1122
10.5k
  n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK,
1123
10.5k
                                      extrahash, extrahashlen));
1124
10.5k
  xfree (extrahash);
1125
10.5k
  if (c->list)
1126
9.75k
    add_kbnode (c->list, n);
1127
800
  else
1128
800
    c->list = n;
1129
10.5k
}
1130
1131
1132
static int
1133
proc_compressed_cb (iobuf_t a, void *info)
1134
0
{
1135
0
  if ( ((CTX)info)->signed_data.used
1136
0
       && ((CTX)info)->signed_data.data_fd != GNUPG_INVALID_FD)
1137
0
    return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
1138
0
                                         ((CTX)info)->signed_data.data_fd);
1139
0
  else
1140
0
    return proc_signature_packets (((CTX)info)->ctrl, info, a,
1141
0
                                   ((CTX)info)->signed_data.data_names,
1142
0
                                   ((CTX)info)->sigfilename );
1143
0
}
1144
1145
1146
static int
1147
proc_encrypt_cb (iobuf_t a, void *info )
1148
0
{
1149
0
  CTX c = info;
1150
0
  return proc_encryption_packets (c->ctrl, info, a, NULL, NULL);
1151
0
}
1152
1153
1154
static int
1155
proc_compressed (CTX c, PACKET *pkt)
1156
51.1k
{
1157
51.1k
  PKT_compressed *zd = pkt->pkt.compressed;
1158
51.1k
  int rc;
1159
1160
  /*printf("zip: compressed data packet\n");*/
1161
51.1k
  if (c->sigs_only)
1162
0
    rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
1163
51.1k
  else if( c->encrypt_only )
1164
0
    rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
1165
51.1k
  else
1166
51.1k
    rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
1167
1168
51.1k
  if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
1169
352
    {
1170
352
      if  (!c->any.uncompress_failed)
1171
11
        {
1172
11
          CTX cc;
1173
1174
363
          for (cc=c; cc; cc = cc->anchor)
1175
352
            cc->any.uncompress_failed = 1;
1176
11
          log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1177
11
        }
1178
352
    }
1179
50.7k
  else if (rc)
1180
50.7k
    log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
1181
1182
51.1k
  free_packet (pkt, NULL);
1183
51.1k
  c->last_was_session_key = 0;
1184
51.1k
  return rc;
1185
51.1k
}
1186
1187
1188
/*
1189
 * Check the signature.  If R_PK is not NULL a copy of the public key
1190
 * used to verify the signature will be stored there, or NULL if not
1191
 * found.  If FORCED_PK is not NULL, this public key is used to verify
1192
 * _data signatures_ and no key lookup is done.  Returns: 0 = valid
1193
 * signature or an error code.  If R_KEYBLOCK is not NULL the keyblock
1194
 * carries the used PK is stored there.  The caller should always free
1195
 * the return value using release_kbnode.
1196
 */
1197
static int
1198
do_check_sig (CTX c, kbnode_t node, const void *extrahash, size_t extrahashlen,
1199
              PKT_public_key *forced_pk, int *is_selfsig,
1200
        int *is_expkey, int *is_revkey,
1201
              PKT_public_key **r_pk, kbnode_t *r_keyblock)
1202
14.7k
{
1203
14.7k
  PKT_signature *sig;
1204
14.7k
  gcry_md_hd_t md = NULL;
1205
14.7k
  gcry_md_hd_t md2 = NULL;
1206
14.7k
  gcry_md_hd_t md_good = NULL;
1207
14.7k
  int algo, rc;
1208
1209
14.7k
  if (r_pk)
1210
14.7k
    *r_pk = NULL;
1211
14.7k
  if (r_keyblock)
1212
14.7k
    *r_keyblock = NULL;
1213
1214
14.7k
  log_assert (node->pkt->pkttype == PKT_SIGNATURE);
1215
14.7k
  if (is_selfsig)
1216
0
    *is_selfsig = 0;
1217
14.7k
  sig = node->pkt->pkt.signature;
1218
1219
14.7k
  algo = sig->digest_algo;
1220
14.7k
  rc = openpgp_md_test_algo (algo);
1221
14.7k
  if (rc)
1222
13.6k
    return rc;
1223
1224
1.10k
  if (sig->sig_class == 0x00)
1225
446
    {
1226
446
      if (c->mfx.md)
1227
446
        {
1228
446
          if (gcry_md_copy (&md, c->mfx.md ))
1229
0
            BUG ();
1230
446
        }
1231
0
      else /* detached signature */
1232
0
        {
1233
          /* check_signature() will enable the md. */
1234
0
          if (gcry_md_open (&md, 0, 0 ))
1235
0
            BUG ();
1236
0
        }
1237
446
    }
1238
654
  else if (sig->sig_class == 0x01)
1239
0
    {
1240
      /* How do we know that we have to hash the (already hashed) text
1241
         in canonical mode ??? (calculating both modes???) */
1242
0
      if (c->mfx.md)
1243
0
        {
1244
0
          if (gcry_md_copy (&md, c->mfx.md ))
1245
0
            BUG ();
1246
0
          if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
1247
0
            BUG ();
1248
0
  }
1249
0
      else /* detached signature */
1250
0
        {
1251
0
          log_debug ("Do we really need this here?");
1252
          /* check_signature() will enable the md*/
1253
0
          if (gcry_md_open (&md, 0, 0 ))
1254
0
            BUG ();
1255
0
          if (gcry_md_open (&md2, 0, 0 ))
1256
0
            BUG ();
1257
0
  }
1258
0
    }
1259
654
  else if ((sig->sig_class&~3) == 0x10
1260
652
           ||   sig->sig_class == 0x18
1261
651
           ||   sig->sig_class == 0x1f
1262
599
     ||   sig->sig_class == 0x20
1263
525
     ||   sig->sig_class == 0x28
1264
524
           ||   sig->sig_class == 0x30)
1265
168
    {
1266
168
      if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1267
168
          || c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1268
0
        {
1269
0
          return check_key_signature (c->ctrl, c->list, node, is_selfsig);
1270
0
  }
1271
168
      else if (sig->sig_class == 0x20)
1272
74
        {
1273
74
          log_error (_("standalone revocation - "
1274
74
                       "use \"gpg --import\" to apply\n"));
1275
74
          return GPG_ERR_NOT_PROCESSED;
1276
74
  }
1277
94
      else
1278
94
        {
1279
94
          log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
1280
94
          return GPG_ERR_SIG_CLASS;
1281
94
  }
1282
168
    }
1283
486
  else
1284
486
    return GPG_ERR_SIG_CLASS;
1285
1286
  /* We only get here if we are checking the signature of a binary
1287
     (0x00) or text document (0x01).  */
1288
446
  rc = check_signature (c->ctrl, sig, md, extrahash, extrahashlen,
1289
446
                        forced_pk, NULL, is_expkey, is_revkey,
1290
446
                        r_pk, r_keyblock);
1291
446
  if (! rc)
1292
0
    md_good = md;
1293
446
  else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
1294
0
    {
1295
0
      PKT_public_key *pk2;
1296
1297
0
      if (r_keyblock)
1298
0
        release_kbnode (*r_keyblock);
1299
0
      rc = check_signature (c->ctrl, sig, md2, extrahash, extrahashlen,
1300
0
                            forced_pk, NULL, is_expkey, is_revkey,
1301
0
                            r_pk? &pk2 : NULL, r_keyblock);
1302
0
      if (!rc)
1303
0
        {
1304
0
          md_good = md2;
1305
0
          if (r_pk)
1306
0
            {
1307
0
              free_public_key (*r_pk);
1308
0
              *r_pk = pk2;
1309
0
            }
1310
0
        }
1311
0
    }
1312
1313
446
  if (md_good)
1314
0
    {
1315
0
      unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
1316
0
      sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
1317
0
      memcpy (sig->digest, buffer, sig->digest_len);
1318
0
    }
1319
1320
446
  gcry_md_close (md);
1321
446
  gcry_md_close (md2);
1322
1323
446
  return rc;
1324
1.10k
}
1325
1326
1327
static void
1328
print_userid (PACKET *pkt)
1329
36.3k
{
1330
36.3k
  if (!pkt)
1331
0
    BUG();
1332
1333
36.3k
  if (pkt->pkttype != PKT_USER_ID)
1334
0
    {
1335
0
      es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
1336
0
      return;
1337
0
    }
1338
36.3k
  if (opt.with_colons)
1339
0
    {
1340
0
      if (pkt->pkt.user_id->attrib_data)
1341
0
        es_printf("%u %lu",
1342
0
                  pkt->pkt.user_id->numattribs,
1343
0
                  pkt->pkt.user_id->attrib_len);
1344
0
      else
1345
0
        es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
1346
0
                            pkt->pkt.user_id->len, ":", NULL);
1347
0
    }
1348
36.3k
  else
1349
36.3k
    print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
1350
36.3k
                       pkt->pkt.user_id->len );
1351
36.3k
}
1352
1353
1354
/*
1355
 * List the keyblock in a user friendly way
1356
 */
1357
static void
1358
list_node (CTX c, kbnode_t node)
1359
53.0k
{
1360
53.0k
  if (!node)
1361
0
    ;
1362
53.0k
  else if (node->pkt->pkttype == PKT_PUBLIC_KEY
1363
30.2k
           || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1364
28.9k
    {
1365
28.9k
      PKT_public_key *pk = node->pkt->pkt.public_key;
1366
1367
28.9k
      if (opt.with_colons)
1368
0
        {
1369
0
          u32 keyid[2];
1370
1371
0
          keyid_from_pk( pk, keyid );
1372
0
          if (pk->flags.primary)
1373
0
            c->trustletter = (opt.fast_list_mode
1374
0
                              ? 0
1375
0
                              : get_validity_info
1376
0
                                  (c->ctrl,
1377
0
                                   node->pkt->pkttype == PKT_PUBLIC_KEY
1378
0
                                   ? node : NULL,
1379
0
                                   pk, NULL));
1380
0
          es_printf ("%s:", pk->flags.primary? "pub":"sub" );
1381
0
          if (c->trustletter)
1382
0
            es_putc (c->trustletter, es_stdout);
1383
0
          es_printf (":%u:%d:%08lX%08lX:%s:%s::",
1384
0
                     nbits_from_pk( pk ),
1385
0
                     pk->pubkey_algo,
1386
0
                     (ulong)keyid[0],(ulong)keyid[1],
1387
0
                     colon_datestr_from_pk( pk ),
1388
0
                     colon_strtime (pk->expiredate) );
1389
0
          if (pk->flags.primary && !opt.fast_list_mode)
1390
0
            es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
1391
0
          es_putc (':', es_stdout);
1392
0
          es_putc ('\n', es_stdout);
1393
0
        }
1394
28.9k
      else
1395
28.9k
        {
1396
28.9k
          print_key_line (c->ctrl, es_stdout, pk, 0);
1397
28.9k
        }
1398
1399
28.9k
      if (opt.keyid_format == KF_NONE && !opt.with_colons)
1400
0
        ; /* Already printed.  */
1401
28.9k
      else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
1402
0
        print_fingerprint (c->ctrl, NULL, pk, 0);
1403
1404
28.9k
      if (pk->flags.primary)
1405
22.8k
        {
1406
22.8k
          int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
1407
1408
          /* Now list all userids with their signatures. */
1409
89.1k
          for (node = node->next; node; node = node->next)
1410
66.3k
            {
1411
66.3k
              if (node->pkt->pkttype == PKT_SIGNATURE)
1412
23.0k
                {
1413
23.0k
                  list_node (c,  node );
1414
23.0k
                }
1415
43.3k
              else if (node->pkt->pkttype == PKT_USER_ID)
1416
36.3k
                {
1417
36.3k
                  if (opt.with_colons)
1418
36.3k
                    es_printf ("%s:::::::::",
1419
0
                               node->pkt->pkt.user_id->attrib_data?"uat":"uid");
1420
36.3k
                  else
1421
36.3k
                    es_printf ("uid%*s",
1422
36.3k
                               kl + (opt.legacy_list_mode? 9:11),
1423
36.3k
                               "" );
1424
36.3k
                  print_userid (node->pkt);
1425
36.3k
                  if (opt.with_colons)
1426
36.3k
                    es_putc (':', es_stdout);
1427
36.3k
                  es_putc ('\n', es_stdout);
1428
36.3k
    }
1429
6.93k
              else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1430
6.11k
                {
1431
6.11k
                  list_node(c,  node );
1432
6.11k
                }
1433
66.3k
            }
1434
22.8k
        }
1435
28.9k
    }
1436
24.0k
  else if (node->pkt->pkttype == PKT_SECRET_KEY
1437
23.0k
           || node->pkt->pkttype == PKT_SECRET_SUBKEY)
1438
1.06k
    {
1439
1440
1.06k
      log_debug ("FIXME: No way to print secret key packets here\n");
1441
      /* fixme: We may use a function to turn a secret key packet into
1442
         a public key one and use that here.  */
1443
1.06k
    }
1444
23.0k
  else if (node->pkt->pkttype == PKT_SIGNATURE)
1445
23.0k
    {
1446
23.0k
      PKT_signature *sig = node->pkt->pkt.signature;
1447
23.0k
      int is_selfsig = 0;
1448
23.0k
      int rc2 = 0;
1449
23.0k
      size_t n;
1450
23.0k
      char *p;
1451
23.0k
      int sigrc = ' ';
1452
1453
23.0k
      if (!opt.verbose)
1454
23.0k
        return;
1455
1456
0
      if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
1457
0
        es_fputs ("rev", es_stdout);
1458
0
      else
1459
0
        es_fputs ("sig", es_stdout);
1460
0
      if (opt.check_sigs)
1461
0
        {
1462
0
          fflush (stdout);
1463
0
          rc2 = do_check_sig (c, node, NULL, 0, NULL,
1464
0
                              &is_selfsig, NULL, NULL, NULL, NULL);
1465
0
          switch (gpg_err_code (rc2))
1466
0
            {
1467
0
            case 0:             sigrc = '!'; break;
1468
0
            case GPG_ERR_BAD_SIGNATURE:   sigrc = '-'; break;
1469
0
            case GPG_ERR_NO_PUBKEY:
1470
0
            case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
1471
0
            default:              sigrc = '%'; break;
1472
0
      }
1473
0
  }
1474
0
      else /* Check whether this is a self signature.  */
1475
0
        {
1476
0
          u32 keyid[2];
1477
1478
0
          if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
1479
0
              || c->list->pkt->pkttype == PKT_SECRET_KEY )
1480
0
            {
1481
0
              keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
1482
1483
0
              if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
1484
0
                is_selfsig = 1;
1485
0
            }
1486
0
  }
1487
1488
0
      if (opt.with_colons)
1489
0
        {
1490
0
          es_putc (':', es_stdout);
1491
0
          if (sigrc != ' ')
1492
0
            es_putc (sigrc, es_stdout);
1493
0
          es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
1494
0
                     (ulong)sig->keyid[0], (ulong)sig->keyid[1],
1495
0
                     colon_datestr_from_sig (sig),
1496
0
                     colon_expirestr_from_sig (sig));
1497
1498
0
          if (sig->trust_depth || sig->trust_value)
1499
0
            es_printf ("%d %d",sig->trust_depth,sig->trust_value);
1500
0
          es_putc (':', es_stdout);
1501
1502
0
          if (sig->trust_regexp)
1503
0
            es_write_sanitized (es_stdout, sig->trust_regexp,
1504
0
                                strlen (sig->trust_regexp), ":", NULL);
1505
0
          es_putc (':', es_stdout);
1506
0
  }
1507
0
      else
1508
0
        es_printf ("%c       %s %s   ",
1509
0
                   sigrc, keystr (sig->keyid), datestr_from_sig(sig));
1510
0
      if (sigrc == '%')
1511
0
        es_printf ("[%s] ", gpg_strerror (rc2) );
1512
0
      else if (sigrc == '?')
1513
0
        ;
1514
0
      else if (is_selfsig)
1515
0
        {
1516
0
          if (opt.with_colons)
1517
0
            es_putc (':', es_stdout);
1518
0
          es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
1519
0
          if (opt.with_colons)
1520
0
            es_putc (':', es_stdout);
1521
0
  }
1522
0
      else if (!opt.fast_list_mode)
1523
0
        {
1524
0
          p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
1525
0
          es_write_sanitized (es_stdout, p, n,
1526
0
                              opt.with_colons?":":NULL, NULL );
1527
0
          xfree (p);
1528
0
  }
1529
0
      if (opt.with_colons)
1530
0
        es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
1531
0
      es_putc ('\n', es_stdout);
1532
0
    }
1533
0
  else
1534
23.0k
    log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
1535
53.0k
}
1536
1537
1538
int
1539
proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
1540
59.6k
{
1541
59.6k
  int rc;
1542
59.6k
  CTX c = xmalloc_clear (sizeof *c);
1543
1544
59.6k
  c->ctrl = ctrl;
1545
59.6k
  c->anchor = anchor;
1546
59.6k
  rc = do_proc_packets (c, a, 0);
1547
59.6k
  xfree (c);
1548
1549
59.6k
  return rc;
1550
59.6k
}
1551
1552
1553
int
1554
proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1555
      strlist_t signedfiles, const char *sigfilename )
1556
0
{
1557
0
  CTX c = xmalloc_clear (sizeof *c);
1558
0
  int rc;
1559
1560
0
  c->ctrl = ctrl;
1561
0
  c->anchor = anchor;
1562
0
  c->sigs_only = 1;
1563
1564
0
  c->signed_data.data_fd = GNUPG_INVALID_FD;
1565
0
  c->signed_data.data_names = signedfiles;
1566
0
  c->signed_data.used = !!signedfiles;
1567
1568
0
  c->sigfilename = sigfilename;
1569
0
  rc = do_proc_packets (c, a, 0);
1570
1571
  /* If we have not encountered any signature we print an error
1572
     messages, send a NODATA status back and return an error code.
1573
     Using log_error is required because verify_files does not check
1574
     error codes for each file but we want to terminate the process
1575
     with an error. */
1576
0
  if (!rc && !c->any.sig_seen)
1577
0
    {
1578
0
      write_status_text (STATUS_NODATA, "4");
1579
0
      log_error (_("no signature found\n"));
1580
0
      rc = GPG_ERR_NO_DATA;
1581
0
    }
1582
1583
  /* Propagate the signature seen flag upward. Do this only on success
1584
     so that we won't issue the nodata status several times.  */
1585
0
  if (!rc && c->anchor && c->any.sig_seen)
1586
0
    c->anchor->any.sig_seen = 1;
1587
1588
0
  xfree (c);
1589
0
  return rc;
1590
0
}
1591
1592
1593
int
1594
proc_signature_packets_by_fd (ctrl_t ctrl, void *anchor, iobuf_t a,
1595
                              gnupg_fd_t signed_data_fd)
1596
0
{
1597
0
  int rc;
1598
0
  CTX c;
1599
1600
0
  c = xtrycalloc (1, sizeof *c);
1601
0
  if (!c)
1602
0
    return gpg_error_from_syserror ();
1603
1604
0
  c->ctrl = ctrl;
1605
0
  c->anchor = anchor;
1606
0
  c->sigs_only = 1;
1607
1608
0
  c->signed_data.data_fd = signed_data_fd;
1609
0
  c->signed_data.data_names = NULL;
1610
0
  c->signed_data.used = (signed_data_fd != GNUPG_INVALID_FD);
1611
1612
0
  rc = do_proc_packets (c, a, 0);
1613
1614
  /* If we have not encountered any signature we print an error
1615
     messages, send a NODATA status back and return an error code.
1616
     Using log_error is required because verify_files does not check
1617
     error codes for each file but we want to terminate the process
1618
     with an error. */
1619
0
  if (!rc && !c->any.sig_seen)
1620
0
    {
1621
0
      write_status_text (STATUS_NODATA, "4");
1622
0
      log_error (_("no signature found\n"));
1623
0
      rc = gpg_error (GPG_ERR_NO_DATA);
1624
0
    }
1625
1626
  /* Propagate the signature seen flag upward. Do this only on success
1627
     so that we won't issue the nodata status several times. */
1628
0
  if (!rc && c->anchor && c->any.sig_seen)
1629
0
    c->anchor->any.sig_seen = 1;
1630
1631
0
  xfree ( c );
1632
0
  return rc;
1633
0
}
1634
1635
1636
/* Handle encryption packets.  If called recursively the caller's CTX
1637
 * should be given for ANCHOR.  If R_DEK and R_LIST are not NULL the
1638
 * DEK (or NULL) is returned there and the list at R_LIST; the caller
1639
 * needs to release them; even if the function returns an error. */
1640
gpg_error_t
1641
proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
1642
                         DEK **r_dek, struct seskey_enc_list **r_list)
1643
0
{
1644
0
  CTX c = xmalloc_clear (sizeof *c);
1645
0
  int rc;
1646
1647
0
  c->ctrl = ctrl;
1648
0
  c->anchor = anchor;
1649
0
  c->encrypt_only = 1;
1650
0
  if (r_dek && r_list)
1651
0
    {
1652
0
      rc = do_proc_packets (c, a, 1);
1653
0
      *r_dek = c->dek;
1654
0
      c->dek = NULL;
1655
0
      *r_list = c->sesenc_list;
1656
0
      c->sesenc_list = NULL;
1657
0
    }
1658
0
  else
1659
0
    rc = do_proc_packets (c, a, 0);
1660
0
  xfree (c);
1661
0
  return rc;
1662
0
}
1663
1664
1665
static int
1666
check_nesting (CTX c)
1667
59.6k
{
1668
59.6k
  int level;
1669
1670
582k
  for (level=0; c; c = c->anchor)
1671
523k
    level++;
1672
1673
59.6k
  if (level > MAX_NESTING_DEPTH)
1674
11
    {
1675
11
      log_error ("input data with too deeply nested packets\n");
1676
11
      write_status_text (STATUS_UNEXPECTED, "1");
1677
11
      return GPG_ERR_BAD_DATA;
1678
11
    }
1679
1680
59.6k
  return 0;
1681
59.6k
}
1682
1683
1684
/* Main processing loop.  If KEEP_DEK_AND_LIST is set the DEK and
1685
 * SESENC_LIST of the context C are not released at the end of the
1686
 * function.  The caller is then required to do this.  */
1687
static int
1688
do_proc_packets (CTX c, iobuf_t a, int keep_dek_and_list)
1689
59.6k
{
1690
59.6k
  PACKET *pkt;
1691
59.6k
  struct parse_packet_ctx_s parsectx;
1692
59.6k
  int rc = 0;
1693
59.6k
  int any_data = 0;
1694
59.6k
  int newpkt;
1695
1696
59.6k
  rc = check_nesting (c);
1697
59.6k
  if (rc)
1698
11
    return rc;
1699
1700
59.6k
  pkt = xmalloc( sizeof *pkt );
1701
59.6k
  c->iobuf = a;
1702
59.6k
  init_packet(pkt);
1703
59.6k
  init_parse_packet (&parsectx, a);
1704
357k
  while ((rc=parse_packet (&parsectx, pkt)) != -1)
1705
349k
    {
1706
349k
      any_data = 1;
1707
349k
      if (rc)
1708
57.7k
        {
1709
57.7k
          if (c->ctrl->modify_recipients && gpg_err_code (rc) == GPG_ERR_TRUE)
1710
0
            {
1711
              /* Save the last read CTB (which was the last byte
1712
               * actually read from the input) and get out of the
1713
               * loop.  */
1714
0
              c->ctrl->last_read_ctb = parsectx.last_ctb;
1715
              /* We need to call the first part of the encrypted data
1716
               * handler to get the DEK.  */
1717
0
              proc_encrypted (c, NULL);
1718
0
              rc = -1;
1719
0
              break;
1720
0
            }
1721
57.7k
          free_packet (pkt, &parsectx);
1722
          /* Stop processing when an invalid packet has been encountered
1723
           * but don't do so when we are doing a --list-packets.  */
1724
57.7k
          if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
1725
50.0k
              && opt.list_packets == 0)
1726
50.0k
            break;
1727
7.66k
          continue;
1728
57.7k
  }
1729
291k
      newpkt = -1;
1730
291k
      if (opt.list_packets)
1731
0
        {
1732
0
          switch (pkt->pkttype)
1733
0
            {
1734
0
            case PKT_PUBKEY_ENC:    proc_pubkey_enc (c, pkt); break;
1735
0
            case PKT_SYMKEY_ENC:    proc_symkey_enc (c, pkt); break;
1736
0
            case PKT_ENCRYPTED:
1737
0
            case PKT_ENCRYPTED_MDC:
1738
0
            case PKT_ENCRYPTED_AEAD:proc_encrypted (c, pkt); break;
1739
0
            case PKT_COMPRESSED:    rc = proc_compressed (c, pkt); break;
1740
0
            default: newpkt = 0; break;
1741
0
      }
1742
0
  }
1743
291k
      else if (c->sigs_only)
1744
0
        {
1745
0
          switch (pkt->pkttype)
1746
0
            {
1747
0
            case PKT_PUBLIC_KEY:
1748
0
            case PKT_SECRET_KEY:
1749
0
            case PKT_USER_ID:
1750
0
            case PKT_SYMKEY_ENC:
1751
0
            case PKT_PUBKEY_ENC:
1752
0
            case PKT_ENCRYPTED:
1753
0
            case PKT_ENCRYPTED_MDC:
1754
0
            case PKT_ENCRYPTED_AEAD:
1755
0
              write_status_text( STATUS_UNEXPECTED, "0" );
1756
0
              rc = GPG_ERR_UNEXPECTED;
1757
0
              goto leave;
1758
1759
0
            case PKT_SIGNATURE:   newpkt = add_signature (c, pkt); break;
1760
0
            case PKT_PLAINTEXT:   proc_plaintext (c, pkt); break;
1761
0
            case PKT_COMPRESSED:  rc = proc_compressed (c, pkt); break;
1762
0
            case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1763
0
            case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1764
0
            default: newpkt = 0; break;
1765
0
      }
1766
0
  }
1767
291k
      else if (c->encrypt_only)
1768
0
        {
1769
0
          switch (pkt->pkttype)
1770
0
            {
1771
0
            case PKT_PUBLIC_KEY:
1772
0
            case PKT_SECRET_KEY:
1773
0
            case PKT_USER_ID:
1774
0
              write_status_text (STATUS_UNEXPECTED, "0");
1775
0
              rc = GPG_ERR_UNEXPECTED;
1776
0
              goto leave;
1777
1778
0
            case PKT_SIGNATURE:   newpkt = add_signature (c, pkt); break;
1779
1780
0
            case PKT_SYMKEY_ENC:
1781
0
            case PKT_PUBKEY_ENC:
1782
              /* In --add-recipients mode set the stop flag as soon as
1783
               * we see the first of these packets.  */
1784
0
              if (c->ctrl->modify_recipients)
1785
0
                parsectx.only_fookey_enc = 1;
1786
0
              if (pkt->pkttype == PKT_SYMKEY_ENC)
1787
0
                proc_symkey_enc (c, pkt);
1788
0
              else
1789
0
                proc_pubkey_enc (c, pkt);
1790
0
              break;
1791
1792
0
            case PKT_ENCRYPTED:
1793
0
            case PKT_ENCRYPTED_MDC:
1794
0
            case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1795
0
            case PKT_PLAINTEXT:   proc_plaintext (c, pkt); break;
1796
0
            case PKT_COMPRESSED:  rc = proc_compressed (c, pkt); break;
1797
0
            case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1798
0
            case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
1799
0
            default: newpkt = 0; break;
1800
0
      }
1801
0
  }
1802
291k
      else
1803
291k
        {
1804
291k
          switch (pkt->pkttype)
1805
291k
            {
1806
22.8k
            case PKT_PUBLIC_KEY:
1807
23.8k
            case PKT_SECRET_KEY:
1808
23.8k
              release_list (c);
1809
23.8k
              c->list = new_kbnode (pkt);
1810
23.8k
              newpkt = 1;
1811
23.8k
              break;
1812
6.46k
            case PKT_PUBLIC_SUBKEY:
1813
14.7k
            case PKT_SECRET_SUBKEY:
1814
14.7k
              newpkt = add_subkey (c, pkt);
1815
14.7k
              break;
1816
48.2k
            case PKT_USER_ID:     newpkt = add_user_id (c, pkt); break;
1817
56.6k
            case PKT_SIGNATURE:   newpkt = add_signature (c, pkt); break;
1818
14.5k
            case PKT_PUBKEY_ENC:  proc_pubkey_enc (c, pkt); break;
1819
16.2k
            case PKT_SYMKEY_ENC:  proc_symkey_enc (c, pkt); break;
1820
24.9k
            case PKT_ENCRYPTED:
1821
26.3k
            case PKT_ENCRYPTED_MDC:
1822
43.7k
            case PKT_ENCRYPTED_AEAD: proc_encrypted (c, pkt); break;
1823
10.5k
            case PKT_PLAINTEXT:   proc_plaintext (c, pkt); break;
1824
51.1k
            case PKT_COMPRESSED:  rc = proc_compressed (c, pkt); break;
1825
2.25k
            case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
1826
3.57k
            case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
1827
0
            case PKT_RING_TRUST:  newpkt = add_ring_trust (c, pkt); break;
1828
5.99k
            default: newpkt = 0; break;
1829
291k
      }
1830
291k
  }
1831
1832
291k
      if (rc)
1833
1.11k
        goto leave;
1834
1835
      /* This is a very ugly construct and frankly, I don't remember why
1836
       * I used it.  Adding the MDC check here is a hack.
1837
       * The right solution is to initiate another context for encrypted
1838
       * packet and not to reuse the current one ...  It works right
1839
       * when there is a compression packet between which adds just
1840
       * an extra layer.
1841
       *
1842
       * Note that we should not reset the any.data due to another
1843
       * packets.  Just set it once on seeing a plaintext.
1844
       *
1845
       * Hmmm: Rewrite this whole module here??
1846
       */
1847
290k
      if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
1848
233k
        c->any.data |= (pkt->pkttype == PKT_PLAINTEXT);
1849
1850
290k
      if (newpkt == -1)
1851
135k
        ;
1852
155k
      else if (newpkt)
1853
134k
        {
1854
134k
          pkt = xmalloc (sizeof *pkt);
1855
134k
          init_packet (pkt);
1856
134k
  }
1857
20.6k
      else
1858
20.6k
        free_packet (pkt, &parsectx);
1859
290k
    }
1860
1861
58.5k
  if (rc == GPG_ERR_INV_PACKET)
1862
50.0k
    write_status_text (STATUS_NODATA, "3");
1863
1864
58.5k
  if (any_data)
1865
57.5k
    rc = 0;
1866
1.02k
  else if (rc == -1)
1867
1.02k
    write_status_text (STATUS_NODATA, "2");
1868
1869
1870
59.6k
 leave:
1871
59.6k
  if (!keep_dek_and_list)
1872
59.6k
    release_list (c);
1873
59.6k
  free_packet (pkt, &parsectx);
1874
59.6k
  deinit_parse_packet (&parsectx);
1875
59.6k
  xfree (pkt);
1876
59.6k
  free_md_filter_context (&c->mfx);
1877
59.6k
  return rc;
1878
58.5k
}
1879
1880
1881
/* Return true if the AKL has the WKD method specified.  */
1882
static int
1883
akl_has_wkd_method (void)
1884
0
{
1885
0
  struct akl *akl;
1886
1887
0
  for (akl = opt.auto_key_locate; akl; akl = akl->next)
1888
0
    if (akl->type == AKL_WKD)
1889
0
      return 1;
1890
0
  return 0;
1891
0
}
1892
1893
1894
/* Return the ISSUER fingerprint buffer and its length at R_LEN.
1895
 * Returns NULL if not available.  The returned buffer is valid as
1896
 * long as SIG is not modified.  */
1897
const byte *
1898
issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
1899
15.1k
{
1900
15.1k
  const byte *p;
1901
15.1k
  size_t n;
1902
1903
15.1k
  p = parse_sig_subpkt (sig, 1, SIGSUBPKT_ISSUER_FPR, &n);
1904
15.1k
  if (p && ((n == 21 && p[0] == 4) || (n == 33 && p[0] == 5)))
1905
134
    {
1906
134
      *r_len = n - 1;
1907
134
      return p+1;
1908
134
    }
1909
15.0k
  *r_len = 0;
1910
15.0k
  return NULL;
1911
15.1k
}
1912
1913
1914
/* Return the ISSUER fingerprint string in human readable format if
1915
 * available.  Caller must release the string.  */
1916
/* FIXME: Move to another file.  */
1917
char *
1918
issuer_fpr_string (PKT_signature *sig)
1919
14.7k
{
1920
14.7k
  const byte *p;
1921
14.7k
  size_t n;
1922
1923
14.7k
  p = issuer_fpr_raw (sig, &n);
1924
14.7k
  return p? bin2hex (p, n, NULL) : NULL;
1925
14.7k
}
1926
1927
static void
1928
print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
1929
                          PKT_signature *sig, int rc)
1930
0
{
1931
0
  char *p;
1932
1933
0
  write_status_text_and_buffer (statno, keyid_str,
1934
0
                                un? un->pkt->pkt.user_id->name:"[?]",
1935
0
                                un? un->pkt->pkt.user_id->len:3,
1936
0
                                -1);
1937
1938
0
  if (un)
1939
0
    p = utf8_to_native (un->pkt->pkt.user_id->name,
1940
0
                        un->pkt->pkt.user_id->len, 0);
1941
0
  else
1942
0
    p = xstrdup ("[?]");
1943
1944
0
  if (rc)
1945
0
    log_info (_("BAD signature from \"%s\""), p);
1946
0
  else if (sig->flags.expired)
1947
0
    log_info (_("Expired signature from \"%s\""), p);
1948
0
  else
1949
0
    log_info (_("Good signature from \"%s\""), p);
1950
1951
0
  xfree (p);
1952
0
}
1953
1954
1955
static int
1956
check_sig_and_print (CTX c, kbnode_t node)
1957
15.5k
{
1958
15.5k
  PKT_signature *sig = node->pkt->pkt.signature;
1959
15.5k
  const char *astr;
1960
15.5k
  gpg_error_t rc;
1961
15.5k
  int is_expkey = 0;
1962
15.5k
  int is_revkey = 0;
1963
15.5k
  char *issuer_fpr = NULL;
1964
15.5k
  PKT_public_key *pk = NULL;  /* The public key for the signature or NULL. */
1965
15.5k
  const void *extrahash = NULL;
1966
15.5k
  size_t extrahashlen = 0;
1967
15.5k
  kbnode_t keyblock = NULL;
1968
15.5k
  char pkstrbuf[PUBKEY_STRING_SIZE] = { 0 };
1969
1970
1971
15.5k
  if (opt.skip_verify)
1972
0
    {
1973
0
      log_info(_("signature verification suppressed\n"));
1974
0
      return 0;
1975
0
    }
1976
1977
  /* Check that the message composition is valid.
1978
   *
1979
   * Per RFC-2440bis (-15) allowed:
1980
   *
1981
   * S{1,n}           -- detached signature.
1982
   * S{1,n} P         -- old style PGP2 signature
1983
   * O{1,n} P S{1,n}  -- standard OpenPGP signature.
1984
   * C P S{1,n}       -- cleartext signature.
1985
   *
1986
   *
1987
   *      O = One-Pass Signature packet.
1988
   *      S = Signature packet.
1989
   *      P = OpenPGP Message packet (Encrypted | Compressed | Literal)
1990
   *             (Note that the current rfc2440bis draft also allows
1991
   *              for a signed message but that does not work as it
1992
   *              introduces ambiguities.)
1993
   *          We keep track of these packages using the marker packet
1994
   *          CTRLPKT_PLAINTEXT_MARK.
1995
   *      C = Marker packet for cleartext signatures.
1996
   *
1997
   * We reject all other messages.
1998
   *
1999
   * Actually we are calling this too often, i.e. for verification of
2000
   * each message but better have some duplicate work than to silently
2001
   * introduce a bug here.
2002
   */
2003
15.5k
  {
2004
15.5k
    kbnode_t n;
2005
15.5k
    int n_onepass, n_sig;
2006
2007
/*     log_debug ("checking signature packet composition\n"); */
2008
/*     dump_kbnode (c->list); */
2009
2010
15.5k
    n = c->list;
2011
15.5k
    log_assert (n);
2012
15.5k
    if ( n->pkt->pkttype == PKT_SIGNATURE )
2013
14.8k
      {
2014
        /* This is either "S{1,n}" case (detached signature) or
2015
           "S{1,n} P" (old style PGP2 signature). */
2016
406k
        for (n = n->next; n; n = n->next)
2017
392k
          if (n->pkt->pkttype != PKT_SIGNATURE)
2018
847
            break;
2019
14.8k
        if (!n)
2020
14.0k
          ; /* Okay, this is a detached signature.  */
2021
847
        else if (n->pkt->pkttype == PKT_GPG_CONTROL
2022
630
                 && (n->pkt->pkt.gpg_control->control
2023
630
                     == CTRLPKT_PLAINTEXT_MARK) )
2024
630
          {
2025
630
            if (n->next)
2026
336
              goto ambiguous;  /* We only allow one P packet. */
2027
294
            extrahash = n->pkt->pkt.gpg_control->data;
2028
294
            extrahashlen = n->pkt->pkt.gpg_control->datalen;
2029
294
          }
2030
217
        else
2031
217
          goto ambiguous;
2032
14.8k
      }
2033
721
    else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
2034
634
      {
2035
        /* This is the "O{1,n} P S{1,n}" case (standard signature). */
2036
634
        for (n_onepass=1, n = n->next;
2037
1.34k
             n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
2038
710
          n_onepass++;
2039
634
        if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
2040
574
                    && (n->pkt->pkt.gpg_control->control
2041
574
                        == CTRLPKT_PLAINTEXT_MARK)))
2042
60
          goto ambiguous;
2043
574
        extrahash = n->pkt->pkt.gpg_control->data;
2044
574
        extrahashlen = n->pkt->pkt.gpg_control->datalen;
2045
2046
574
        for (n_sig=0, n = n->next;
2047
1.81k
             n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
2048
1.24k
          n_sig++;
2049
574
        if (!n_sig)
2050
0
          goto ambiguous;
2051
2052
  /* If we wanted to disallow multiple sig verification, we'd do
2053
   * something like this:
2054
         *
2055
   * if (n)
2056
         *   goto ambiguous;
2057
         *
2058
         * However, this can stay allowable as we can't get here.  */
2059
2060
574
        if (n_onepass != n_sig)
2061
124
          {
2062
124
            log_info ("number of one-pass packets does not match "
2063
124
                      "number of signature packets\n");
2064
124
            goto ambiguous;
2065
124
          }
2066
574
      }
2067
87
    else if (n->pkt->pkttype == PKT_GPG_CONTROL
2068
87
             && n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
2069
15
      {
2070
        /* This is the "C P S{1,n}" case (clear text signature). */
2071
15
        n = n->next;
2072
15
        if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
2073
15
                    && (n->pkt->pkt.gpg_control->control
2074
15
                        == CTRLPKT_PLAINTEXT_MARK)))
2075
0
          goto ambiguous;
2076
15
        extrahash = n->pkt->pkt.gpg_control->data;
2077
15
        extrahashlen = n->pkt->pkt.gpg_control->datalen;
2078
15
        for (n_sig=0, n = n->next;
2079
15
             n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
2080
0
          n_sig++;
2081
15
        if (n || !n_sig)
2082
15
          goto ambiguous;
2083
15
      }
2084
72
    else
2085
72
      {
2086
824
      ambiguous:
2087
824
        log_error(_("can't handle this ambiguous signature data\n"));
2088
824
        rc = 0;
2089
824
        goto leave;
2090
72
      }
2091
15.5k
  } /* End checking signature packet composition.  */
2092
2093
14.7k
  if (sig->signers_uid)
2094
2.29k
    write_status_buffer (STATUS_NEWSIG,
2095
2.29k
                         sig->signers_uid, strlen (sig->signers_uid), 0);
2096
12.4k
  else
2097
12.4k
    write_status_text (STATUS_NEWSIG, NULL);
2098
2099
14.7k
  astr = openpgp_pk_algo_name ( sig->pubkey_algo );
2100
14.7k
  issuer_fpr = issuer_fpr_string (sig);
2101
2102
14.7k
  if (issuer_fpr)
2103
134
    {
2104
134
      log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2105
134
      log_info (_("               using %s key %s\n"),
2106
134
                astr? astr: "?", issuer_fpr);
2107
2108
134
    }
2109
14.6k
  else if (!keystrlen () || keystrlen () > 8)
2110
14.6k
    {
2111
14.6k
      log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
2112
14.6k
      log_info (_("               using %s key %s\n"),
2113
14.6k
                astr? astr: "?", keystr(sig->keyid));
2114
14.6k
    }
2115
0
  else /* Legacy format.  */
2116
14.6k
    log_info (_("Signature made %s using %s key ID %s\n"),
2117
0
              asctimestamp(sig->timestamp), astr? astr: "?",
2118
0
              keystr(sig->keyid));
2119
2120
  /* In verbose mode print the signers UID.  */
2121
14.7k
  if (sig->signers_uid)
2122
14.7k
    log_info (_("               issuer \"%s\"\n"), sig->signers_uid);
2123
2124
14.7k
  rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2125
14.7k
                     NULL, &is_expkey, &is_revkey, &pk, &keyblock);
2126
2127
  /* If the key is not found but the signature includes a key block we
2128
   * use that key block for verification and on success import it.  */
2129
14.7k
  if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2130
445
      && sig->flags.key_block
2131
0
      && opt.flags.auto_key_import)
2132
0
    {
2133
0
      kbnode_t included_keyblock = NULL;
2134
0
      PKT_public_key *included_pk;
2135
0
      const byte *kblock;
2136
0
      size_t kblock_len;
2137
2138
0
      included_pk = xcalloc (1, sizeof *included_pk);
2139
0
      kblock = parse_sig_subpkt (sig, 1, SIGSUBPKT_KEY_BLOCK, &kblock_len);
2140
0
      if (kblock && kblock_len > 1
2141
0
          && !get_pubkey_from_buffer (c->ctrl, included_pk,
2142
0
                                      kblock+1, kblock_len-1,
2143
0
                                      sig->keyid, &included_keyblock))
2144
0
        {
2145
          /* Note: This is the only place where we use the forced_pk
2146
           *       arg (ie. included_pk) with do_check_sig.  */
2147
0
          rc = do_check_sig (c, node, extrahash, extrahashlen, included_pk,
2148
0
                             NULL, &is_expkey, &is_revkey, &pk, NULL);
2149
0
          if (opt.verbose)
2150
0
            log_info ("checked signature using included key block: %s\n",
2151
0
                       gpg_strerror (rc));
2152
0
          if (!rc)
2153
0
            {
2154
              /* The keyblock has been verified, we now import it.  */
2155
0
              rc = import_included_key_block (c->ctrl, included_keyblock);
2156
0
            }
2157
2158
0
        }
2159
0
      free_public_key (included_pk);
2160
0
      release_kbnode (included_keyblock);
2161
2162
      /* To make sure that nothing strange happened we check the
2163
       * signature again now using our own key store. This also
2164
       * returns the keyblock which we use later on.  */
2165
0
      if (!rc)
2166
0
        {
2167
0
          release_kbnode (keyblock);
2168
0
          keyblock = NULL;
2169
0
          rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2170
0
                             NULL, &is_expkey, &is_revkey, &pk, &keyblock);
2171
0
        }
2172
0
    }
2173
2174
  /* If the key isn't found, check for a preferred keyserver.  Note
2175
   * that this is only done if honor-keyserver-url has been set.  We
2176
   * test for this in the loop so that we can show info about the
2177
   * preferred keyservers.  */
2178
14.7k
  if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2179
445
      && sig->flags.pref_ks)
2180
0
    {
2181
0
      const byte *p;
2182
0
      int seq = 0;
2183
0
      size_t n;
2184
0
      int any_pref_ks = 0;
2185
2186
0
      while ((p=enum_sig_subpkt (sig, 1, SIGSUBPKT_PREF_KS, &n, &seq, NULL)))
2187
0
        {
2188
          /* According to my favorite copy editor, in English grammar,
2189
             you say "at" if the key is located on a web page, but
2190
             "from" if it is located on a keyserver.  I'm not going to
2191
             even try to make two strings here :) */
2192
0
          log_info(_("Key available at: ") );
2193
0
          print_utf8_buffer (log_get_stream(), p, n);
2194
0
          log_printf ("\n");
2195
0
          any_pref_ks = 1;
2196
2197
0
          if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2198
0
              && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2199
0
            {
2200
0
              struct keyserver_spec *spec;
2201
2202
0
              spec = parse_preferred_keyserver (sig);
2203
0
              if (spec)
2204
0
                {
2205
0
                  int res;
2206
2207
0
                  if (DBG_LOOKUP)
2208
0
                    log_debug ("trying auto-key-retrieve method %s\n",
2209
0
                               "Pref-KS");
2210
2211
0
                  free_public_key (pk);
2212
0
                  pk = NULL;
2213
0
                  glo_ctrl.in_auto_key_retrieve++;
2214
0
                  res = keyserver_import_keyid (c->ctrl, sig->keyid,spec,
2215
0
                                                KEYSERVER_IMPORT_FLAG_QUICK);
2216
0
                  glo_ctrl.in_auto_key_retrieve--;
2217
0
                  if (!res)
2218
0
                    {
2219
0
                      release_kbnode (keyblock);
2220
0
                      keyblock = NULL;
2221
0
                      rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2222
0
                                         NULL, &is_expkey, &is_revkey, &pk,
2223
0
                                         &keyblock);
2224
0
                    }
2225
0
                  else if (DBG_LOOKUP)
2226
0
                    log_debug ("lookup via %s failed: %s\n", "Pref-KS",
2227
0
                               gpg_strerror (res));
2228
0
                  free_keyserver_spec (spec);
2229
2230
0
                  if (!rc)
2231
0
                    break;
2232
0
                }
2233
0
            }
2234
0
        }
2235
2236
0
      if (any_pref_ks
2237
0
          && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2238
0
          && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
2239
0
        log_info (_("Note: Use '%s' to make use of this info\n"),
2240
0
                  "--keyserver-option honor-keyserver-url");
2241
0
    }
2242
2243
  /* If the above methods didn't work, our next try is to retrieve the
2244
   * key from the WKD.  This requires that WKD is in the AKL and the
2245
   * Signer's UID is in the signature.  */
2246
14.7k
  if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2247
445
      && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
2248
0
      && !opt.flags.disable_signer_uid
2249
0
      && akl_has_wkd_method ()
2250
0
      && sig->signers_uid)
2251
0
    {
2252
0
      int res;
2253
2254
0
      if (DBG_LOOKUP)
2255
0
        log_debug ("trying auto-key-retrieve method %s\n", "WKD");
2256
0
      free_public_key (pk);
2257
0
      pk = NULL;
2258
0
      glo_ctrl.in_auto_key_retrieve++;
2259
0
      res = keyserver_import_wkd (c->ctrl, sig->signers_uid,
2260
0
                                  KEYSERVER_IMPORT_FLAG_QUICK, NULL, NULL);
2261
0
      glo_ctrl.in_auto_key_retrieve--;
2262
      /* Fixme: If the fingerprint is embedded in the signature,
2263
       * compare it to the fingerprint of the returned key.  */
2264
0
      if (!res)
2265
0
        {
2266
0
          release_kbnode (keyblock);
2267
0
          keyblock = NULL;
2268
0
          rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2269
0
                             NULL, &is_expkey, &is_revkey, &pk, &keyblock);
2270
0
        }
2271
0
      else if (DBG_LOOKUP)
2272
0
        log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res));
2273
0
    }
2274
2275
  /* If the above methods didn't work, our next try is to locate
2276
   * the key via its fingerprint from a keyserver.  This requires
2277
   * that the signers fingerprint is encoded in the signature.  */
2278
14.7k
  if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
2279
445
      && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
2280
0
      && keyserver_any_configured (c->ctrl))
2281
0
    {
2282
0
      int res;
2283
0
      const byte *p;
2284
0
      size_t n;
2285
2286
0
      p = issuer_fpr_raw (sig, &n);
2287
0
      if (p)
2288
0
        {
2289
0
          if (DBG_LOOKUP)
2290
0
            log_debug ("trying auto-key-retrieve method %s\n", "KS");
2291
2292
          /* v4 or v5 packet with a SHA-1/256 fingerprint.  */
2293
0
          free_public_key (pk);
2294
0
          pk = NULL;
2295
0
          glo_ctrl.in_auto_key_retrieve++;
2296
0
          res = keyserver_import_fpr (c->ctrl, p, n, opt.keyserver,
2297
0
                                      KEYSERVER_IMPORT_FLAG_QUICK);
2298
0
          glo_ctrl.in_auto_key_retrieve--;
2299
0
          if (!res)
2300
0
            {
2301
0
              release_kbnode (keyblock);
2302
0
              keyblock = NULL;
2303
0
              rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
2304
0
                                 NULL, &is_expkey, &is_revkey, &pk,
2305
0
                                 &keyblock);
2306
0
            }
2307
0
          else if (DBG_LOOKUP)
2308
0
            log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res));
2309
0
        }
2310
0
    }
2311
2312
  /* Do something with the result of the signature checking.  */
2313
14.7k
  if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
2314
0
    {
2315
      /* We have checked the signature and the result is either a good
2316
       * signature or a bad signature.  Further examination follows.  */
2317
0
      kbnode_t un;
2318
0
      int count = 0;
2319
0
      int keyblock_has_pk = 0;  /* For failsafe check.  */
2320
0
      int statno;
2321
0
      char keyid_str[50];
2322
0
      PKT_public_key *mainpk = NULL;
2323
2324
0
      if (rc)
2325
0
        statno = STATUS_BADSIG;
2326
0
      else if (sig->flags.expired)
2327
0
        statno = STATUS_EXPSIG;
2328
0
      else if (is_expkey)
2329
0
        statno = STATUS_EXPKEYSIG;
2330
0
      else if(is_revkey)
2331
0
        statno = STATUS_REVKEYSIG;
2332
0
      else
2333
0
        statno = STATUS_GOODSIG;
2334
2335
0
      snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
2336
0
                (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2337
2338
      /* Find and print the primary user ID along with the
2339
         "Good|Expired|Bad signature" line.  */
2340
0
      for (un=keyblock; un; un = un->next)
2341
0
        {
2342
0
          int valid;
2343
2344
0
          if (!keyblock_has_pk
2345
0
              && (un->pkt->pkttype == PKT_PUBLIC_KEY
2346
0
                  || un->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2347
0
              && !cmp_public_keys (un->pkt->pkt.public_key, pk))
2348
0
            {
2349
0
              keyblock_has_pk = 1;
2350
0
            }
2351
0
          if (un->pkt->pkttype == PKT_PUBLIC_KEY)
2352
0
            {
2353
0
              mainpk = un->pkt->pkt.public_key;
2354
0
              continue;
2355
0
            }
2356
0
          if (un->pkt->pkttype != PKT_USER_ID)
2357
0
            continue;
2358
0
          if (!un->pkt->pkt.user_id->created)
2359
0
            continue;
2360
0
          if (un->pkt->pkt.user_id->flags.revoked)
2361
0
            continue;
2362
0
          if (un->pkt->pkt.user_id->flags.expired)
2363
0
            continue;
2364
0
          if (!un->pkt->pkt.user_id->flags.primary)
2365
0
            continue;
2366
          /* We want the textual primary user ID here */
2367
0
          if (un->pkt->pkt.user_id->attrib_data)
2368
0
            continue;
2369
2370
0
          log_assert (mainpk);
2371
2372
    /* Since this is just informational, don't actually ask the
2373
       user to update any trust information.  (Note: we register
2374
       the signature later.)  Because print_good_bad_signature
2375
       does not print a LF we need to compute the validity
2376
       before calling that function.  */
2377
0
          if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2378
0
            valid = get_validity (c->ctrl, keyblock, mainpk,
2379
0
                                  un->pkt->pkt.user_id, NULL, 0);
2380
0
          else
2381
0
            valid = 0; /* Not used.  */
2382
2383
0
          keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2384
2385
0
          print_good_bad_signature (statno, keyid_str, un, sig, rc);
2386
2387
0
          if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2388
0
            log_printf (" [%s]\n",trust_value_to_string(valid));
2389
0
          else
2390
0
            log_printf ("\n");
2391
2392
0
          count++;
2393
          /* At this point we could in theory stop because the primary
2394
           * UID flag is never set for more than one User ID per
2395
           * keyblock.  However, we use this loop also for a failsafe
2396
           * check that the public key used to create the signature is
2397
           * contained in the keyring.*/
2398
0
  }
2399
2400
0
      if (!mainpk || !keyblock_has_pk)
2401
0
        {
2402
0
          log_error ("signature key lost from keyblock (%p,%p,%d)\n",
2403
0
                     keyblock, mainpk, keyblock_has_pk);
2404
0
          rc = gpg_error (GPG_ERR_INTERNAL);
2405
0
        }
2406
2407
      /* In case we did not found a valid textual userid above
2408
         we print the first user id packet or a "[?]" instead along
2409
         with the "Good|Expired|Bad signature" line.  */
2410
0
      if (!count)
2411
0
        {
2412
          /* Try for an invalid textual userid */
2413
0
          for (un=keyblock; un; un = un->next)
2414
0
            {
2415
0
              if (un->pkt->pkttype == PKT_USER_ID
2416
0
                  && !un->pkt->pkt.user_id->attrib_data)
2417
0
                break;
2418
0
            }
2419
2420
          /* Try for any userid at all */
2421
0
          if (!un)
2422
0
            {
2423
0
              for (un=keyblock; un; un = un->next)
2424
0
                {
2425
0
                  if (un->pkt->pkttype == PKT_USER_ID)
2426
0
                    break;
2427
0
    }
2428
0
      }
2429
2430
0
          if (opt.trust_model==TM_ALWAYS || !un)
2431
0
            keyid_str[17] = 0; /* cut off the "[uncertain]" part */
2432
2433
0
          print_good_bad_signature (statno, keyid_str, un, sig, rc);
2434
2435
0
          if (opt.trust_model != TM_ALWAYS && un)
2436
0
            log_printf (" %s",_("[uncertain]") );
2437
0
          log_printf ("\n");
2438
0
  }
2439
2440
      /* If we have a good signature and already printed
2441
       * the primary user ID, print all the other user IDs */
2442
0
      if (count
2443
0
          && !rc
2444
0
          && !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
2445
0
        {
2446
0
          char *p;
2447
0
          for( un=keyblock; un; un = un->next)
2448
0
            {
2449
0
              if (un->pkt->pkttype != PKT_USER_ID)
2450
0
                continue;
2451
0
              if ((un->pkt->pkt.user_id->flags.revoked
2452
0
                   || un->pkt->pkt.user_id->flags.expired)
2453
0
                  && !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
2454
0
                continue;
2455
              /* Skip textual primary user ids which we printed above. */
2456
0
              if (un->pkt->pkt.user_id->flags.primary
2457
0
                  && !un->pkt->pkt.user_id->attrib_data )
2458
0
                continue;
2459
2460
              /* If this user id has attribute data, print that.  */
2461
0
              if (un->pkt->pkt.user_id->attrib_data)
2462
0
                {
2463
0
                  dump_attribs (un->pkt->pkt.user_id, mainpk);
2464
2465
0
                  if (opt.verify_options&VERIFY_SHOW_PHOTOS)
2466
0
                    show_photos (c->ctrl,
2467
0
                                 un->pkt->pkt.user_id->attribs,
2468
0
                                 un->pkt->pkt.user_id->numattribs,
2469
0
                                 mainpk ,un->pkt->pkt.user_id);
2470
0
                }
2471
2472
0
              p = utf8_to_native (un->pkt->pkt.user_id->name,
2473
0
          un->pkt->pkt.user_id->len, 0);
2474
0
              log_info (_("                aka \"%s\""), p);
2475
0
              xfree (p);
2476
2477
0
              if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
2478
0
                {
2479
0
                  const char *valid;
2480
2481
0
                  if (un->pkt->pkt.user_id->flags.revoked)
2482
0
                    valid = _("revoked");
2483
0
                  else if (un->pkt->pkt.user_id->flags.expired)
2484
0
                    valid = _("expired");
2485
0
                  else
2486
        /* Since this is just informational, don't
2487
           actually ask the user to update any trust
2488
           information.  */
2489
0
                    valid = (trust_value_to_string
2490
0
                             (get_validity (c->ctrl, keyblock, mainpk,
2491
0
                                            un->pkt->pkt.user_id, NULL, 0)));
2492
0
                  log_printf (" [%s]\n",valid);
2493
0
                }
2494
0
              else
2495
0
                log_printf ("\n");
2496
0
            }
2497
0
  }
2498
2499
      /* For good signatures print notation data.  */
2500
0
      if (!rc)
2501
0
        {
2502
0
          if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
2503
0
            show_policy_url (sig, 0, 1);
2504
0
          else
2505
0
            show_policy_url (sig, 0, 2);
2506
2507
0
          if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
2508
0
            show_keyserver_url (sig, 0, 1);
2509
0
          else
2510
0
            show_keyserver_url (sig, 0, 2);
2511
2512
0
          if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
2513
0
            show_notation
2514
0
              (sig, 0, 1,
2515
0
               (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
2516
0
                + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)
2517
0
                + ((opt.verify_options &VERIFY_SHOW_HIDDEN_NOTATIONS)? 4:0)
2518
0
                ));
2519
0
          else
2520
0
            show_notation (sig, 0, 2, 0);
2521
0
          print_matching_notations (sig);
2522
0
        }
2523
2524
      /* Fill PKSTRBUF with the algostring in case we later need it.  */
2525
0
      if (pk)
2526
0
        pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
2527
2528
      /* For good signatures print the VALIDSIG status line.  */
2529
0
      if (!rc && (is_status_enabled ()
2530
0
                  || opt.assert_signer_list
2531
0
                  || opt.assert_pubkey_algos) && pk)
2532
0
        {
2533
0
          char pkhex[MAX_FINGERPRINT_LEN*2+1];
2534
0
          char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
2535
2536
0
          hexfingerprint (pk, pkhex, sizeof pkhex);
2537
0
          hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
2538
2539
          /* TODO: Replace the reserved '0' in the field below with
2540
             bits for status flags (policy url, notation, etc.).  */
2541
0
          write_status_printf (STATUS_VALIDSIG,
2542
0
                               "%s %s %lu %lu %d 0 %d %d %02X %s",
2543
0
                               pkhex,
2544
0
                               strtimestamp (sig->timestamp),
2545
0
                               (ulong)sig->timestamp,
2546
0
                               (ulong)sig->expiredate,
2547
0
                               sig->version, sig->pubkey_algo,
2548
0
                               sig->digest_algo,
2549
0
                               sig->sig_class,
2550
0
                               mainpkhex);
2551
          /* Handle the --assert-signer option.  */
2552
0
          check_assert_signer_list (mainpkhex, pkhex);
2553
          /* Handle the --assert-pubkey-algo option.  */
2554
0
          check_assert_pubkey_algo (pkstrbuf, pkhex);
2555
0
  }
2556
2557
      /* Print compliance warning for Good signatures.  */
2558
0
      if (!rc && pk && !opt.quiet
2559
0
          && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
2560
0
                                     pk->pkey, nbits_from_pk (pk), NULL))
2561
0
        {
2562
0
          log_info (_("WARNING: This key is not suitable for signing"
2563
0
                      " in %s mode\n"),
2564
0
                    gnupg_compliance_option_string (opt.compliance));
2565
0
        }
2566
2567
      /* For good signatures compute and print the trust information.
2568
         Note that in the Tofu trust model this may ask the user on
2569
         how to resolve a conflict.  */
2570
0
      if (!rc)
2571
0
        {
2572
0
          rc = check_signatures_trust (c->ctrl, keyblock, pk, sig);
2573
0
        }
2574
2575
      /* Print extra information about the signature.  */
2576
0
      if (sig->flags.expired)
2577
0
        {
2578
0
          log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
2579
0
          if (!rc)
2580
0
            rc = gpg_error (GPG_ERR_GENERAL); /* Need a better error here?  */
2581
0
        }
2582
0
      else if (sig->expiredate)
2583
0
        log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
2584
2585
0
      if (opt.verbose)
2586
0
        {
2587
0
          log_info (_("%s signature, digest algorithm %s%s%s\n"),
2588
0
                    sig->sig_class==0x00?_("binary"):
2589
0
                    sig->sig_class==0x01?_("textmode"):_("unknown"),
2590
0
                    gcry_md_algo_name (sig->digest_algo),
2591
0
                    *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
2592
0
        }
2593
2594
      /* Print final warnings.  */
2595
0
      if (!rc && !c->signed_data.used)
2596
0
        {
2597
          /* Signature is basically good but we test whether the
2598
             deprecated command
2599
               gpg --verify FILE.sig
2600
             was used instead of
2601
               gpg --verify FILE.sig FILE
2602
             to verify a detached signature.  If we figure out that a
2603
             data file with a matching name exists, we print a warning.
2604
2605
             The problem is that the first form would also verify a
2606
             standard signature.  This behavior could be used to
2607
             create a made up .sig file for a tarball by creating a
2608
             standard signature from a valid detached signature packet
2609
             (for example from a signed git tag).  Then replace the
2610
             sig file on the FTP server along with a changed tarball.
2611
             Using the first form the verify command would correctly
2612
             verify the signature but don't even consider the tarball.  */
2613
0
          kbnode_t n;
2614
0
          char *dfile;
2615
2616
0
          dfile = get_matching_datafile (c->sigfilename);
2617
0
          if (dfile)
2618
0
            {
2619
0
              for (n = c->list; n; n = n->next)
2620
0
                if (n->pkt->pkttype != PKT_SIGNATURE)
2621
0
                  break;
2622
0
              if (n)
2623
0
                {
2624
                  /* Not only signature packets in the tree thus this
2625
                     is not a detached signature.  */
2626
0
                  log_info (_("WARNING: not a detached signature; "
2627
0
                              "file '%s' was NOT verified!\n"), dfile);
2628
0
                  assert_signer_true = 0;
2629
0
                }
2630
0
              xfree (dfile);
2631
0
            }
2632
0
        }
2633
2634
      /* Compute compliance with CO_DE_VS.  */
2635
0
      if (pk
2636
0
          && gnupg_gcrypt_is_compliant (CO_DE_VS)
2637
0
          && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
2638
0
                                    nbits_from_pk (pk), NULL)
2639
0
          && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
2640
0
        write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
2641
0
                              gnupg_status_compliance_flag (CO_DE_VS),
2642
0
                              NULL);
2643
0
      else if (opt.flags.require_compliance
2644
0
               && opt.compliance == CO_DE_VS)
2645
0
        {
2646
0
          log_error (_("operation forced to fail due to"
2647
0
                       " unfulfilled compliance rules\n"));
2648
0
          if (!rc)
2649
0
            rc = gpg_error (GPG_ERR_FORBIDDEN);
2650
0
        }
2651
2652
2653
0
      free_public_key (pk);
2654
0
      pk = NULL;
2655
0
      release_kbnode( keyblock );
2656
0
      if (rc)
2657
0
        g10_errors_seen = 1;
2658
0
    }
2659
14.7k
  else  /* Error checking the signature. (neither Good nor Bad).  */
2660
14.7k
    {
2661
14.7k
      write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
2662
14.7k
                           (ulong)sig->keyid[0], (ulong)sig->keyid[1],
2663
14.7k
                           sig->pubkey_algo, sig->digest_algo,
2664
14.7k
                           sig->sig_class, (ulong)sig->timestamp,
2665
14.7k
                           gpg_err_code (rc),
2666
14.7k
                           issuer_fpr? issuer_fpr:"-");
2667
14.7k
      if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
2668
445
        {
2669
445
          write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
2670
445
                               (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
2671
445
  }
2672
14.7k
      if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
2673
14.7k
        log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
2674
14.7k
    }
2675
2676
15.5k
 leave:
2677
15.5k
  free_public_key (pk);
2678
15.5k
  xfree (issuer_fpr);
2679
15.5k
  return rc;
2680
14.7k
}
2681
2682
2683
/*
2684
 * Process the tree which starts at node
2685
 */
2686
static void
2687
proc_tree (CTX c, kbnode_t node)
2688
87.0k
{
2689
87.0k
  kbnode_t n1;
2690
87.0k
  int rc;
2691
2692
87.0k
  if (opt.list_packets || opt.list_only)
2693
0
    return;
2694
2695
  /* We must skip our special plaintext marker packets here because
2696
     they may be the root packet.  These packets are only used in
2697
     additional checks and skipping them here doesn't matter.  */
2698
92.0k
  while (node
2699
53.8k
         && node->pkt->pkttype == PKT_GPG_CONTROL
2700
8.50k
          && node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
2701
4.92k
    {
2702
4.92k
      node = node->next;
2703
4.92k
    }
2704
87.0k
  if (!node)
2705
38.1k
    return;
2706
2707
48.9k
  c->trustletter = ' ';
2708
48.9k
  if (node->pkt->pkttype == PKT_PUBLIC_KEY
2709
26.1k
      || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
2710
22.8k
    {
2711
22.8k
      merge_keys_and_selfsig (c->ctrl, node);
2712
22.8k
      list_node (c, node);
2713
22.8k
    }
2714
26.1k
  else if (node->pkt->pkttype == PKT_SECRET_KEY)
2715
1.06k
    {
2716
1.06k
      merge_keys_and_selfsig (c->ctrl, node);
2717
1.06k
      list_node (c, node);
2718
1.06k
    }
2719
25.0k
  else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
2720
95
    {
2721
      /* Check all signatures.  */
2722
95
      if (!c->any.data)
2723
0
        {
2724
0
          int use_textmode = 0;
2725
2726
0
          free_md_filter_context (&c->mfx);
2727
          /* Prepare to create all requested message digests.  */
2728
0
          rc = gcry_md_open (&c->mfx.md, 0, 0);
2729
0
          if (rc)
2730
0
            goto hash_err;
2731
2732
          /* Fixme: why looking for the signature packet and not the
2733
             one-pass packet?  */
2734
0
          for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2735
0
            gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
2736
2737
0
          if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
2738
0
            use_textmode = 1;
2739
2740
          /* Ask for file and hash it. */
2741
0
          if (c->sigs_only)
2742
0
            {
2743
0
              if (c->signed_data.used
2744
0
                  && c->signed_data.data_fd != GNUPG_INVALID_FD)
2745
0
                rc = hash_datafile_by_fd (c->mfx.md, NULL,
2746
0
                                          c->signed_data.data_fd,
2747
0
                                          use_textmode);
2748
0
              else
2749
0
                rc = hash_datafiles (c->mfx.md, NULL,
2750
0
                                     c->signed_data.data_names,
2751
0
                                     c->sigfilename,
2752
0
                                     use_textmode);
2753
0
      }
2754
0
          else
2755
0
            {
2756
0
              rc = ask_for_detached_datafile (c->mfx.md, NULL,
2757
0
                                              iobuf_get_real_fname (c->iobuf),
2758
0
                                              use_textmode);
2759
0
      }
2760
2761
0
        hash_err:
2762
0
          if (rc)
2763
0
            {
2764
0
              log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2765
0
              return;
2766
0
      }
2767
0
  }
2768
95
      else if (c->signed_data.used)
2769
0
        {
2770
0
          log_error (_("not a detached signature\n"));
2771
0
          return;
2772
0
        }
2773
2774
729
      for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2775
634
        if (check_sig_and_print (c, n1) && opt.batch
2776
0
            && !opt.flags.proc_all_sigs)
2777
0
          break;
2778
2779
95
    }
2780
24.9k
  else if (node->pkt->pkttype == PKT_GPG_CONTROL
2781
3.57k
           && node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
2782
3.57k
    {
2783
      /* Clear text signed message.  */
2784
3.57k
      if (!c->any.data)
2785
333
        {
2786
333
          log_error ("cleartext signature without data\n");
2787
333
          return;
2788
333
        }
2789
3.24k
      else if (c->signed_data.used)
2790
0
        {
2791
0
          log_error (_("not a detached signature\n"));
2792
0
          return;
2793
0
        }
2794
2795
3.26k
      for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
2796
15
        if (check_sig_and_print (c, n1) && opt.batch
2797
0
            && !opt.flags.proc_all_sigs)
2798
0
          break;
2799
3.24k
    }
2800
21.3k
  else if (node->pkt->pkttype == PKT_SIGNATURE)
2801
21.3k
    {
2802
21.3k
      PKT_signature *sig = node->pkt->pkt.signature;
2803
21.3k
      int multiple_ok = 1;
2804
2805
21.3k
      n1 = find_next_kbnode (node, PKT_SIGNATURE);
2806
21.3k
      if (n1)
2807
1.52k
        {
2808
1.52k
          byte class = sig->sig_class;
2809
1.52k
          byte hash  = sig->digest_algo;
2810
2811
9.15k
          for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2812
8.32k
            {
2813
              /* We can't currently handle multiple signatures of
2814
               * different classes (we'd pretty much have to run a
2815
               * different hash context for each), but if they are all
2816
               * the same and it is detached signature, we make an
2817
               * exception.  Note that the old code also disallowed
2818
               * multiple signatures if the digest algorithms are
2819
               * different.  We softened this restriction only for
2820
               * detached signatures, to be on the safe side. */
2821
8.32k
              if (n1->pkt->pkt.signature->sig_class != class
2822
7.63k
                  || (c->any.data
2823
683
                      && n1->pkt->pkt.signature->digest_algo != hash))
2824
699
                {
2825
699
                  multiple_ok = 0;
2826
699
                  log_info (_("WARNING: multiple signatures detected.  "
2827
699
                              "Only the first will be checked.\n"));
2828
699
                  break;
2829
699
                }
2830
8.32k
            }
2831
1.52k
        }
2832
2833
21.3k
      if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
2834
8.24k
        {
2835
8.24k
          log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
2836
8.24k
        }
2837
13.0k
      else if (!c->any.data)
2838
13.0k
        {
2839
          /* Detached signature */
2840
13.0k
          free_md_filter_context (&c->mfx);
2841
13.0k
          rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
2842
13.0k
          if (rc)
2843
13.0k
            goto detached_hash_err;
2844
2845
0
          if (multiple_ok)
2846
0
            {
2847
              /* If we have and want to handle multiple signatures we
2848
               * need to enable all hash algorithms for the context.  */
2849
0
              for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
2850
0
                if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
2851
0
                  gcry_md_enable (c->mfx.md,
2852
0
                                  map_md_openpgp_to_gcry
2853
0
                                  (n1->pkt->pkt.signature->digest_algo));
2854
0
            }
2855
2856
0
          if (RFC2440 || RFC4880)
2857
0
            ; /* Strict RFC mode.  */
2858
0
          else if (sig->digest_algo == DIGEST_ALGO_SHA1
2859
0
                   && sig->pubkey_algo == PUBKEY_ALGO_DSA
2860
0
                   && sig->sig_class == 0x01)
2861
0
            {
2862
              /* Enable a workaround for a pgp5 bug when the detached
2863
               * signature has been created in textmode.  Note that we
2864
               * do not implement this for multiple signatures with
2865
               * different hash algorithms. */
2866
0
              rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
2867
0
              if (rc)
2868
0
                goto detached_hash_err;
2869
0
      }
2870
2871
          /* Here we used to have another hack to work around a pgp
2872
           * 2 bug: It worked by not using the textmode for detached
2873
           * signatures; this would let the first signature check
2874
           * (on md) fail but the second one (on md2), which adds an
2875
           * extra CR would then have produced the "correct" hash.
2876
           * This is very, very ugly hack but it may haved help in
2877
           * some cases (and break others).
2878
           *   c->mfx.md2? 0 :(sig->sig_class == 0x01)
2879
           */
2880
2881
0
          if (DBG_HASHING)
2882
0
            {
2883
0
              gcry_md_debug (c->mfx.md, "verify");
2884
0
              if (c->mfx.md2)
2885
0
                gcry_md_debug (c->mfx.md2, "verify2");
2886
0
            }
2887
2888
0
          if (c->sigs_only)
2889
0
            {
2890
0
              if (c->signed_data.used
2891
0
                  && c->signed_data.data_fd != GNUPG_INVALID_FD)
2892
0
                rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
2893
0
                                          c->signed_data.data_fd,
2894
0
                                          (sig->sig_class == 0x01));
2895
0
              else
2896
0
                rc = hash_datafiles (c->mfx.md, c->mfx.md2,
2897
0
                                     c->signed_data.data_names,
2898
0
                                     c->sigfilename,
2899
0
                                     (sig->sig_class == 0x01));
2900
0
      }
2901
0
          else
2902
0
            {
2903
0
              rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
2904
0
                                              iobuf_get_real_fname(c->iobuf),
2905
0
                                              (sig->sig_class == 0x01));
2906
0
      }
2907
2908
13.0k
        detached_hash_err:
2909
13.0k
          if (rc)
2910
13.0k
            {
2911
13.0k
              log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
2912
13.0k
              return;
2913
13.0k
      }
2914
13.0k
  }
2915
33
      else if (c->signed_data.used)
2916
0
        {
2917
0
          log_error (_("not a detached signature\n"));
2918
0
          return;
2919
0
        }
2920
33
      else if (!opt.quiet)
2921
33
        log_info (_("old style (PGP 2.x) signature\n"));
2922
2923
8.28k
      if (multiple_ok)
2924
7.79k
        {
2925
22.2k
          for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
2926
14.4k
      if (check_sig_and_print (c, n1) && opt.batch
2927
0
                && !opt.flags.proc_all_sigs)
2928
0
              break;
2929
7.79k
        }
2930
485
      else
2931
485
        check_sig_and_print (c, node);
2932
2933
8.28k
    }
2934
58
  else
2935
58
    {
2936
58
      dump_kbnode (c->list);
2937
      log_error ("invalid root packet detected in proc_tree()\n");
2938
58
      dump_kbnode (node);
2939
58
    }
2940
48.9k
}