diff --git a/common/compliance.c b/common/compliance.c
index 951172415..49aada144 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -1,595 +1,590 @@
/* compliance.c - Functions for compliance modi
* Copyright (C) 2017 g10 Code GmbH
* Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
*
* This file is part of GnuPG.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of either
*
* - the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 3 of the License, or (at
* your option) any later version.
*
* or
*
* - the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* or both in parallel, as here.
*
* This file is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include "openpgpdefs.h"
#include "logging.h"
#include "util.h"
#include "i18n.h"
#include "compliance.h"
static int initialized;
static int module;
/* Initializes the module. Must be called with the current
* GNUPG_MODULE_NAME. Checks a few invariants, and tunes the policies
* for the given module. */
void
gnupg_initialize_compliance (int gnupg_module_name)
{
log_assert (! initialized);
/* We accept both OpenPGP-style and gcrypt-style algorithm ids.
* Assert that they are compatible. */
log_assert ((int) GCRY_PK_RSA == (int) PUBKEY_ALGO_RSA);
log_assert ((int) GCRY_PK_RSA_E == (int) PUBKEY_ALGO_RSA_E);
log_assert ((int) GCRY_PK_RSA_S == (int) PUBKEY_ALGO_RSA_S);
log_assert ((int) GCRY_PK_ELG_E == (int) PUBKEY_ALGO_ELGAMAL_E);
log_assert ((int) GCRY_PK_DSA == (int) PUBKEY_ALGO_DSA);
log_assert ((int) GCRY_PK_ECC == (int) PUBKEY_ALGO_ECDH);
log_assert ((int) GCRY_PK_ELG == (int) PUBKEY_ALGO_ELGAMAL);
log_assert ((int) GCRY_CIPHER_NONE == (int) CIPHER_ALGO_NONE);
log_assert ((int) GCRY_CIPHER_IDEA == (int) CIPHER_ALGO_IDEA);
log_assert ((int) GCRY_CIPHER_3DES == (int) CIPHER_ALGO_3DES);
log_assert ((int) GCRY_CIPHER_CAST5 == (int) CIPHER_ALGO_CAST5);
log_assert ((int) GCRY_CIPHER_BLOWFISH == (int) CIPHER_ALGO_BLOWFISH);
log_assert ((int) GCRY_CIPHER_AES == (int) CIPHER_ALGO_AES);
log_assert ((int) GCRY_CIPHER_AES192 == (int) CIPHER_ALGO_AES192);
log_assert ((int) GCRY_CIPHER_AES256 == (int) CIPHER_ALGO_AES256);
log_assert ((int) GCRY_CIPHER_TWOFISH == (int) CIPHER_ALGO_TWOFISH);
log_assert ((int) GCRY_MD_MD5 == (int) DIGEST_ALGO_MD5);
log_assert ((int) GCRY_MD_SHA1 == (int) DIGEST_ALGO_SHA1);
log_assert ((int) GCRY_MD_RMD160 == (int) DIGEST_ALGO_RMD160);
log_assert ((int) GCRY_MD_SHA256 == (int) DIGEST_ALGO_SHA256);
log_assert ((int) GCRY_MD_SHA384 == (int) DIGEST_ALGO_SHA384);
log_assert ((int) GCRY_MD_SHA512 == (int) DIGEST_ALGO_SHA512);
log_assert ((int) GCRY_MD_SHA224 == (int) DIGEST_ALGO_SHA224);
switch (gnupg_module_name)
{
case GNUPG_MODULE_NAME_GPGSM:
case GNUPG_MODULE_NAME_GPG:
break;
default:
log_assert (!"no policies for this module");
}
module = gnupg_module_name;
initialized = 1;
}
/* Return true if ALGO with a key of KEYLENGTH is compliant to the
* given COMPLIANCE mode. If KEY is not NULL, various bits of
* information will be extracted from it. If CURVENAME is not NULL, it
* is assumed to be the already computed. ALGO may be either an
* OpenPGP-style pubkey_algo_t, or a gcrypt-style enum gcry_pk_algos,
* both are compatible from the point of view of this function. */
int
gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
gcry_mpi_t key[], unsigned int keylength,
const char *curvename)
{
enum { is_rsa, is_dsa, is_elg, is_ecc } algotype;
int result = 0;
if (! initialized)
return 0;
switch (algo)
{
case PUBKEY_ALGO_RSA:
case PUBKEY_ALGO_RSA_E:
case PUBKEY_ALGO_RSA_S:
algotype = is_rsa;
break;
case PUBKEY_ALGO_DSA:
algotype = is_dsa;
break;
case PUBKEY_ALGO_ELGAMAL_E:
algotype = is_elg;
break;
case PUBKEY_ALGO_ECDH:
case PUBKEY_ALGO_ECDSA:
case PUBKEY_ALGO_EDDSA:
algotype = is_ecc;
break;
case PUBKEY_ALGO_ELGAMAL:
return 0; /* Signing with Elgamal is not at all supported. */
default: /* Unknown. */
return 0;
}
if (compliance == CO_DE_VS)
{
char *curve = NULL;
switch (algotype)
{
case is_elg:
result = 0;
break;
case is_rsa:
result = (keylength == 2048
|| keylength == 3072
|| keylength == 4096);
break;
case is_dsa:
if (key)
{
size_t P = gcry_mpi_get_nbits (key[0]);
size_t Q = gcry_mpi_get_nbits (key[1]);
result = (Q == 256
&& (P == 2048 || P == 3072));
}
break;
case is_ecc:
if (!curvename && key)
{
curve = openpgp_oid_to_str (key[0]);
curvename = openpgp_oid_to_curve (curve, 0);
if (!curvename)
curvename = curve;
}
result = (curvename
&& (algo == PUBKEY_ALGO_ECDH
|| algo == PUBKEY_ALGO_ECDSA)
&& (!strcmp (curvename, "brainpoolP256r1")
|| !strcmp (curvename, "brainpoolP384r1")
|| !strcmp (curvename, "brainpoolP512r1")));
break;
default:
result = 0;
}
xfree (curve);
}
else
{
result = 1; /* Assume compliance. */
}
return result;
}
/* Return true if ALGO with the given KEYLENGTH is allowed in the
* given COMPLIANCE mode. USE specifies for which use case the
* predicate is evaluated. This way policies can be strict in what
* they produce, and liberal in what they accept. */
int
gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
enum pk_use_case use, int algo, gcry_mpi_t key[],
unsigned int keylength, const char *curvename)
{
+ int result = 0;
+
if (! initialized)
return 1;
switch (compliance)
{
case CO_DE_VS:
switch (algo)
{
case PUBKEY_ALGO_RSA:
case PUBKEY_ALGO_RSA_E:
case PUBKEY_ALGO_RSA_S:
switch (use)
{
case PK_USE_DECRYPTION:
- return 1;
+ case PK_USE_VERIFICATION:
+ result = 1;
+ break;
case PK_USE_ENCRYPTION:
case PK_USE_SIGNING:
- return (keylength == 2048
- || keylength == 3072
- || keylength == 4096);
- case PK_USE_VERIFICATION:
- return (keylength == 2048
- || keylength == 3072
- || keylength == 4096
- || keylength < 2048);
+ result = (keylength == 2048
+ || keylength == 3072
+ || keylength == 4096);
+ break;
default:
log_assert (!"reached");
}
- log_assert (!"reached");
+ break;
case PUBKEY_ALGO_DSA:
- if (key)
+ if (use == PK_USE_VERIFICATION)
+ result = 1;
+ else if (use == PK_USE_SIGNING && key)
{
size_t P = gcry_mpi_get_nbits (key[0]);
size_t Q = gcry_mpi_get_nbits (key[1]);
- return ((use == PK_USE_SIGNING
- && Q == 256
- && (P == 2048 || P == 3072))
- || (use == PK_USE_VERIFICATION
- && P < 2048));
- }
- else
- return 0;
- log_assert (!"reached");
+ result = (Q == 256 && (P == 2048 || P == 3072));
+ }
+ break;
case PUBKEY_ALGO_ELGAMAL:
case PUBKEY_ALGO_ELGAMAL_E:
- return use == PK_USE_DECRYPTION;
+ result = (use == PK_USE_DECRYPTION);
+ break;
case PUBKEY_ALGO_ECDH:
if (use == PK_USE_DECRYPTION)
- return 1;
+ result = 1;
else if (use == PK_USE_ENCRYPTION)
{
- int result = 0;
char *curve = NULL;
if (!curvename && key)
{
curve = openpgp_oid_to_str (key[0]);
curvename = openpgp_oid_to_curve (curve, 0);
if (!curvename)
curvename = curve;
}
result = (curvename
&& (!strcmp (curvename, "brainpoolP256r1")
|| !strcmp (curvename, "brainpoolP384r1")
|| !strcmp (curvename, "brainpoolP512r1")));
xfree (curve);
- return result;
}
- else
- return 0;
+ break;
case PUBKEY_ALGO_ECDSA:
- {
- int result = 0;
- char *curve = NULL;
+ if (use == PK_USE_VERIFICATION)
+ result = 1;
+ else
+ {
+ char *curve = NULL;
- if (! curvename && key)
+ if (! curvename && key)
{
curve = openpgp_oid_to_str (key[0]);
curvename = openpgp_oid_to_curve (curve, 0);
if (!curvename)
curvename = curve;
}
- result = ((use == PK_USE_SIGNING
- && curvename
- && (!strcmp (curvename, "brainpoolP256r1")
- || !strcmp (curvename, "brainpoolP384r1")
- || !strcmp (curvename, "brainpoolP512r1")))
- || use == PK_USE_VERIFICATION);
+ result = (use == PK_USE_SIGNING
+ && curvename
+ && (!strcmp (curvename, "brainpoolP256r1")
+ || !strcmp (curvename, "brainpoolP384r1")
+ || !strcmp (curvename, "brainpoolP512r1")));
+ xfree (curve);
+ }
+ break;
- xfree (curve);
- return result;
- }
case PUBKEY_ALGO_EDDSA:
- return 0;
+ break;
default:
- return 0;
+ break;
}
- log_assert (!"reached");
+ break;
default:
/* The default policy is to allow all algorithms. */
- return 1;
+ result = 1;
}
- log_assert (!"reached");
+ return result;
}
/* Return true if (CIPHER, MODE) is compliant to the given COMPLIANCE mode. */
int
gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
cipher_algo_t cipher,
enum gcry_cipher_modes mode)
{
if (! initialized)
return 0;
switch (compliance)
{
case CO_DE_VS:
switch (cipher)
{
case CIPHER_ALGO_AES:
case CIPHER_ALGO_AES192:
case CIPHER_ALGO_AES256:
case CIPHER_ALGO_3DES:
switch (module)
{
case GNUPG_MODULE_NAME_GPG:
return mode == GCRY_CIPHER_MODE_CFB;
case GNUPG_MODULE_NAME_GPGSM:
return mode == GCRY_CIPHER_MODE_CBC;
}
log_assert (!"reached");
default:
return 0;
}
log_assert (!"reached");
default:
return 0;
}
log_assert (!"reached");
}
/* Return true if CIPHER is allowed in the given COMPLIANCE mode. If
* PRODUCER is true, the predicate is evaluated for the producer, if
* false for the consumer. This way policies can be strict in what
* they produce, and liberal in what they accept. */
int
gnupg_cipher_is_allowed (enum gnupg_compliance_mode compliance, int producer,
cipher_algo_t cipher,
enum gcry_cipher_modes mode)
{
if (! initialized)
return 1;
switch (compliance)
{
case CO_DE_VS:
switch (cipher)
{
case CIPHER_ALGO_AES:
case CIPHER_ALGO_AES192:
case CIPHER_ALGO_AES256:
case CIPHER_ALGO_3DES:
switch (module)
{
case GNUPG_MODULE_NAME_GPG:
return (mode == GCRY_CIPHER_MODE_NONE
|| mode == GCRY_CIPHER_MODE_CFB);
case GNUPG_MODULE_NAME_GPGSM:
return (mode == GCRY_CIPHER_MODE_NONE
|| mode == GCRY_CIPHER_MODE_CBC);
}
log_assert (!"reached");
case CIPHER_ALGO_BLOWFISH:
case CIPHER_ALGO_CAMELLIA128:
case CIPHER_ALGO_CAMELLIA192:
case CIPHER_ALGO_CAMELLIA256:
case CIPHER_ALGO_CAST5:
case CIPHER_ALGO_IDEA:
case CIPHER_ALGO_TWOFISH:
return (module == GNUPG_MODULE_NAME_GPG
&& (mode == GCRY_CIPHER_MODE_NONE
|| mode == GCRY_CIPHER_MODE_CFB)
&& ! producer);
default:
return 0;
}
log_assert (!"reached");
default:
/* The default policy is to allow all algorithms. */
return 1;
}
log_assert (!"reached");
}
/* Return true if DIGEST is compliant to the given COMPLIANCE mode. */
int
gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance,
digest_algo_t digest)
{
if (! initialized)
return 0;
switch (compliance)
{
case CO_DE_VS:
switch (digest)
{
case DIGEST_ALGO_SHA256:
case DIGEST_ALGO_SHA384:
case DIGEST_ALGO_SHA512:
return 1;
default:
return 0;
}
log_assert (!"reached");
default:
return 0;
}
log_assert (!"reached");
}
/* Return true if DIGEST is allowed in the given COMPLIANCE mode. If
* PRODUCER is true, the predicate is evaluated for the producer, if
* false for the consumer. This way policies can be strict in what
* they produce, and liberal in what they accept. */
int
gnupg_digest_is_allowed (enum gnupg_compliance_mode compliance, int producer,
digest_algo_t digest)
{
if (! initialized)
return 1;
switch (compliance)
{
case CO_DE_VS:
switch (digest)
{
case DIGEST_ALGO_SHA256:
case DIGEST_ALGO_SHA384:
case DIGEST_ALGO_SHA512:
return 1;
case DIGEST_ALGO_SHA1:
case DIGEST_ALGO_SHA224:
case DIGEST_ALGO_RMD160:
return ! producer;
case DIGEST_ALGO_MD5:
return ! producer && module == GNUPG_MODULE_NAME_GPGSM;
default:
return 0;
}
log_assert (!"reached");
default:
/* The default policy is to allow all algorithms. */
return 1;
}
log_assert (!"reached");
}
/* Return True if the random number generator is compliant in
* COMPLIANCE mode. */
int
gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
{
static int result = -1;
if (result != -1)
; /* Use cached result. */
else if (compliance == CO_DE_VS)
{
/* In DE_VS mode under Windows we require that the JENT RNG
* is active. */
#ifdef HAVE_W32_SYSTEM
# if GCRYPT_VERSION_NUMBER >= 0x010800
char *buf;
char *fields[5];
buf = gcry_get_config (0, "rng-type");
if (buf
&& split_fields_colon (buf, fields, DIM (fields)) >= 5
&& atoi (fields[4]) > 0)
result = 1;
else
result = 0;
gcry_free (buf);
# else
result = 0; /* No JENT - can't be compliant. */
# endif
#else /*!HAVE_W32_SYSTEM*/
result = 1; /* Not Windows - RNG is good. */
#endif /*!HAVE_W32_SYSTEM*/
}
else
result = 1;
return result;
}
const char *
gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
{
switch (compliance)
{
case CO_GNUPG:
return "8";
case CO_RFC4880:
case CO_RFC2440:
case CO_PGP6:
case CO_PGP7:
case CO_PGP8:
log_assert (!"no status code assigned for this compliance mode");
case CO_DE_VS:
return "23";
}
log_assert (!"invalid compliance mode");
}
/* Parse the value of --compliance. Returns the value corresponding
* to the given STRING according to OPTIONS of size LENGTH, or -1
* indicating that the lookup was unsuccessful, or the list of options
* was printed. If quiet is false, an additional hint to use 'help'
* is printed on unsuccessful lookups. */
int
gnupg_parse_compliance_option (const char *string,
struct gnupg_compliance_option options[],
size_t length,
int quiet)
{
size_t i;
if (! ascii_strcasecmp (string, "help"))
{
log_info (_("valid values for option '%s':\n"), "--compliance");
for (i = 0; i < length; i++)
log_info (" %s\n", options[i].keyword);
return -1;
}
for (i = 0; i < length; i++)
if (! ascii_strcasecmp (string, options[i].keyword))
return options[i].value;
log_error (_("invalid value for option '%s'\n"), "--compliance");
if (! quiet)
log_info (_("(use \"help\" to list choices)\n"));
return -1;
}
/* Return the command line option for the given COMPLIANCE mode. */
const char *
gnupg_compliance_option_string (enum gnupg_compliance_mode compliance)
{
switch (compliance)
{
case CO_GNUPG: return "--compliance=gnupg";
case CO_RFC4880: return "--compliance=openpgp";
case CO_RFC2440: return "--compliance=rfc2440";
case CO_PGP6: return "--compliance=pgp6";
case CO_PGP7: return "--compliance=pgp7";
case CO_PGP8: return "--compliance=pgp8";
case CO_DE_VS: return "--compliance=de-vs";
}
log_assert (!"invalid compliance mode");
}
diff --git a/g10/mainproc.c b/g10/mainproc.c
index d0584d39a..b712e6048 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1,2534 +1,2544 @@
/* mainproc.c - handle packets
* Copyright (C) 1998-2009 Free Software Foundation, Inc.
* Copyright (C) 2013-2014 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "gpg.h"
#include "../common/util.h"
#include "packet.h"
#include "../common/iobuf.h"
#include "options.h"
#include "keydb.h"
#include "filter.h"
#include "main.h"
#include "../common/status.h"
#include "../common/i18n.h"
#include "trustdb.h"
#include "keyserver-internal.h"
#include "photoid.h"
#include "../common/mbox-util.h"
#include "call-dirmngr.h"
#include "../common/compliance.h"
/* Put an upper limit on nested packets. The 32 is an arbitrary
value, a much lower should actually be sufficient. */
#define MAX_NESTING_DEPTH 32
/* An object to build a list of keyid related info. */
struct kidlist_item
{
struct kidlist_item *next;
u32 kid[2];
int pubkey_algo;
int reason;
};
/*
* Object to hold the processing context.
*/
typedef struct mainproc_context *CTX;
struct mainproc_context
{
ctrl_t ctrl;
struct mainproc_context *anchor; /* May be useful in the future. */
PKT_public_key *last_pubkey;
PKT_user_id *last_user_id;
md_filter_context_t mfx;
int sigs_only; /* Process only signatures and reject all other stuff. */
int encrypt_only; /* Process only encryption messages. */
/* Name of the file with the complete signature or the file with the
detached signature. This is currently only used to deduce the
file name of the data file if that has not been given. */
const char *sigfilename;
/* A structure to describe the signed data in case of a detached
signature. */
struct
{
/* A file descriptor of the signed data. Only used if not -1. */
int data_fd;
/* A list of filenames with the data files or NULL. This is only
used if DATA_FD is -1. */
strlist_t data_names;
/* Flag to indicated that either one of the next previous fields
is used. This is only needed for better readability. */
int used;
} signed_data;
DEK *dek;
int last_was_session_key;
kbnode_t list; /* The current list of packets. */
iobuf_t iobuf; /* Used to get the filename etc. */
int trustletter; /* Temporary usage in list_node. */
ulong symkeys; /* Number of symmetrically encrypted session keys. */
struct kidlist_item *pkenc_list; /* List of encryption packets. */
struct {
unsigned int sig_seen:1; /* Set to true if a signature packet
has been seen. */
unsigned int data:1; /* Any data packet seen */
unsigned int uncompress_failed:1;
} any;
};
/*** Local prototypes. ***/
static int do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a);
static void list_node (CTX c, kbnode_t node);
static void proc_tree (CTX c, kbnode_t node);
static int literals_seen;
/*** Functions. ***/
void
reset_literals_seen(void)
{
literals_seen = 0;
}
static void
release_list( CTX c )
{
proc_tree (c, c->list);
release_kbnode (c->list);
while (c->pkenc_list)
{
struct kidlist_item *tmp = c->pkenc_list->next;
xfree (c->pkenc_list);
c->pkenc_list = tmp;
}
c->pkenc_list = NULL;
c->list = NULL;
c->any.data = 0;
c->any.uncompress_failed = 0;
c->last_was_session_key = 0;
xfree (c->dek);
c->dek = NULL;
}
static int
add_onepass_sig (CTX c, PACKET *pkt)
{
kbnode_t node;
if (c->list) /* Add another packet. */
add_kbnode (c->list, new_kbnode (pkt));
else /* Insert the first one. */
c->list = node = new_kbnode (pkt);
return 1;
}
static int
add_gpg_control (CTX c, PACKET *pkt)
{
if ( pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
{
/* New clear text signature.
* Process the last one and reset everything */
release_list(c);
}
if (c->list) /* Add another packet. */
add_kbnode (c->list, new_kbnode (pkt));
else /* Insert the first one. */
c->list = new_kbnode (pkt);
return 1;
}
static int
add_user_id (CTX c, PACKET *pkt)
{
if (!c->list)
{
log_error ("orphaned user ID\n");
return 0;
}
add_kbnode (c->list, new_kbnode (pkt));
return 1;
}
static int
add_subkey (CTX c, PACKET *pkt)
{
if (!c->list)
{
log_error ("subkey w/o mainkey\n");
return 0;
}
add_kbnode (c->list, new_kbnode (pkt));
return 1;
}
static int
add_ring_trust (CTX c, PACKET *pkt)
{
if (!c->list)
{
log_error ("ring trust w/o key\n");
return 0;
}
add_kbnode (c->list, new_kbnode (pkt));
return 1;
}
static int
add_signature (CTX c, PACKET *pkt)
{
kbnode_t node;
c->any.sig_seen = 1;
if (pkt->pkttype == PKT_SIGNATURE && !c->list)
{
/* This is the first signature for the following datafile.
* GPG does not write such packets; instead it always uses
* onepass-sig packets. The drawback of PGP's method
* of prepending the signature to the data is
* that it is not possible to make a signature from data read
* from stdin. (GPG is able to read PGP stuff anyway.) */
node = new_kbnode (pkt);
c->list = node;
return 1;
}
else if (!c->list)
return 0; /* oops (invalid packet sequence)*/
else if (!c->list->pkt)
BUG(); /* so nicht */
/* Add a new signature node item at the end. */
node = new_kbnode (pkt);
add_kbnode (c->list, node);
return 1;
}
static int
symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
{
gcry_cipher_hd_t hd;
if(slen < 17 || slen > 33)
{
log_error ( _("weird size for an encrypted session key (%d)\n"),
(int)slen);
return GPG_ERR_BAD_KEY;
}
if (openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1))
BUG ();
if (gcry_cipher_setkey ( hd, dek->key, dek->keylen ))
BUG ();
gcry_cipher_setiv ( hd, NULL, 0 );
gcry_cipher_decrypt ( hd, seskey, slen, NULL, 0 );
gcry_cipher_close ( hd );
/* Now we replace the dek components with the real session key to
decrypt the contents of the sequencing packet. */
dek->keylen=slen-1;
dek->algo=seskey[0];
if(dek->keylen > DIM(dek->key))
BUG ();
memcpy(dek->key, seskey + 1, dek->keylen);
/*log_hexdump( "thekey", dek->key, dek->keylen );*/
return 0;
}
static void
proc_symkey_enc (CTX c, PACKET *pkt)
{
PKT_symkey_enc *enc;
enc = pkt->pkt.symkey_enc;
if (!enc)
log_error ("invalid symkey encrypted packet\n");
else if(!c->dek)
{
int algo = enc->cipher_algo;
const char *s = openpgp_cipher_algo_name (algo);
if (!openpgp_cipher_test_algo (algo))
{
if (!opt.quiet)
{
if (enc->seskeylen)
log_info (_("%s encrypted session key\n"), s );
else
log_info (_("%s encrypted data\n"), s );
}
}
else
log_error (_("encrypted with unknown algorithm %d\n"), algo);
if (openpgp_md_test_algo (enc->s2k.hash_algo))
{
log_error(_("passphrase generated with unknown digest"
" algorithm %d\n"),enc->s2k.hash_algo);
s = NULL;
}
c->last_was_session_key = 2;
if (!s || opt.list_only)
goto leave;
if (opt.override_session_key)
{
c->dek = xmalloc_clear (sizeof *c->dek);
if (get_override_session_key (c->dek, opt.override_session_key))
{
xfree (c->dek);
c->dek = NULL;
}
}
else
{
c->dek = passphrase_to_dek (algo, &enc->s2k, 0, 0, NULL, NULL);
if (c->dek)
{
c->dek->symmetric = 1;
/* FIXME: This doesn't work perfectly if a symmetric key
comes before a public key in the message - if the
user doesn't know the passphrase, then there is a
chance that the "decrypted" algorithm will happen to
be a valid one, which will make the returned dek
appear valid, so we won't try any public keys that
come later. */
if (enc->seskeylen)
{
if (symkey_decrypt_seskey (c->dek,
enc->seskey, enc->seskeylen))
{
xfree (c->dek);
c->dek = NULL;
}
}
else
c->dek->algo_info_printed = 1;
}
}
}
leave:
c->symkeys++;
free_packet (pkt, NULL);
}
static void
proc_pubkey_enc (ctrl_t ctrl, CTX c, PACKET *pkt)
{
PKT_pubkey_enc *enc;
int result = 0;
/* Check whether the secret key is available and store in this case. */
c->last_was_session_key = 1;
enc = pkt->pkt.pubkey_enc;
/*printf("enc: encrypted by a pubkey with keyid %08lX\n", enc->keyid[1] );*/
/* Hmmm: why do I have this algo check here - anyway there is
* function to check it. */
if (opt.verbose)
log_info (_("public key is %s\n"), keystr (enc->keyid));
if (is_status_enabled())
{
char buf[50];
/* FIXME: For ECC support we need to map the OpenPGP algo number
to the Libgcrypt defined one. This is due a chicken-egg
problem: We need to have code in Libgcrypt for a new
algorithm so to implement a proposed new algorithm before the
IANA will finally assign an OpenPGP identifier. */
snprintf (buf, sizeof buf, "%08lX%08lX %d 0",
(ulong)enc->keyid[0], (ulong)enc->keyid[1], enc->pubkey_algo);
write_status_text (STATUS_ENC_TO, buf);
}
if (!opt.list_only && opt.override_session_key)
{
/* It does not make much sense to store the session key in
* secure memory because it has already been passed on the
* command line and the GCHQ knows about it. */
c->dek = xmalloc_clear (sizeof *c->dek);
result = get_override_session_key (c->dek, opt.override_session_key);
if (result)
{
xfree (c->dek);
c->dek = NULL;
}
}
else if (enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E
|| enc->pubkey_algo == PUBKEY_ALGO_ECDH
|| enc->pubkey_algo == PUBKEY_ALGO_RSA
|| enc->pubkey_algo == PUBKEY_ALGO_RSA_E
|| enc->pubkey_algo == PUBKEY_ALGO_ELGAMAL)
{
/* Note that we also allow type 20 Elgamal keys for decryption.
There are still a couple of those keys in active use as a
subkey. */
/* FIXME: Store this all in a list and process it later so that
we can prioritize what key to use. This gives a better user
experience if wildcard keyids are used. */
if (!c->dek && ((!enc->keyid[0] && !enc->keyid[1])
|| opt.try_all_secrets
|| have_secret_key_with_kid (enc->keyid)))
{
if(opt.list_only)
result = -1;
else
{
c->dek = xmalloc_secure_clear (sizeof *c->dek);
if ((result = get_session_key (ctrl, enc, c->dek)))
{
/* Error: Delete the DEK. */
xfree (c->dek);
c->dek = NULL;
}
}
}
else
result = GPG_ERR_NO_SECKEY;
}
else
result = GPG_ERR_PUBKEY_ALGO;
if (result == -1)
;
else
{
/* Store it for later display. */
struct kidlist_item *x = xmalloc (sizeof *x);
x->kid[0] = enc->keyid[0];
x->kid[1] = enc->keyid[1];
x->pubkey_algo = enc->pubkey_algo;
x->reason = result;
x->next = c->pkenc_list;
c->pkenc_list = x;
if (!result && opt.verbose > 1)
log_info (_("public key encrypted data: good DEK\n"));
}
free_packet(pkt, NULL);
}
/*
* Print the list of public key encrypted packets which we could
* not decrypt.
*/
static void
print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
{
for (; list; list = list->next)
{
PKT_public_key *pk;
const char *algstr;
if (failed && !list->reason)
continue;
if (!failed && list->reason)
continue;
algstr = openpgp_pk_algo_name (list->pubkey_algo);
pk = xmalloc_clear (sizeof *pk);
if (!algstr)
algstr = "[?]";
pk->pubkey_algo = list->pubkey_algo;
if (!get_pubkey (ctrl, pk, list->kid))
{
char *p;
log_info (_("encrypted with %u-bit %s key, ID %s, created %s\n"),
nbits_from_pk (pk), algstr, keystr_from_pk(pk),
strtimestamp (pk->timestamp));
p = get_user_id_native (ctrl, list->kid);
log_printf (_(" \"%s\"\n"), p);
xfree (p);
}
else
log_info (_("encrypted with %s key, ID %s\n"),
algstr, keystr(list->kid));
free_public_key (pk);
if (gpg_err_code (list->reason) == GPG_ERR_NO_SECKEY)
{
if (is_status_enabled())
{
char buf[20];
snprintf (buf, sizeof buf, "%08lX%08lX",
(ulong)list->kid[0], (ulong)list->kid[1]);
write_status_text (STATUS_NO_SECKEY, buf);
}
}
else if (list->reason)
{
log_info (_("public key decryption failed: %s\n"),
gpg_strerror (list->reason));
write_status_error ("pkdecrypt_failed", list->reason);
}
}
}
static void
proc_encrypted (CTX c, PACKET *pkt)
{
int result = 0;
if (!opt.quiet)
{
if (c->symkeys>1)
log_info (_("encrypted with %lu passphrases\n"), c->symkeys);
else if (c->symkeys == 1)
log_info (_("encrypted with 1 passphrase\n"));
print_pkenc_list (c->ctrl, c->pkenc_list, 1 );
print_pkenc_list (c->ctrl, c->pkenc_list, 0 );
}
/* FIXME: Figure out the session key by looking at all pkenc packets. */
write_status (STATUS_BEGIN_DECRYPTION);
/*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
if (opt.list_only)
result = -1;
else if (!c->dek && !c->last_was_session_key)
{
int algo;
STRING2KEY s2kbuf;
STRING2KEY *s2k = NULL;
int canceled;
if (opt.override_session_key)
{
c->dek = xmalloc_clear (sizeof *c->dek);
result = get_override_session_key (c->dek, opt.override_session_key);
if (result)
{
xfree (c->dek);
c->dek = NULL;
}
}
else
{
/* Assume this is old style conventional encrypted data. */
algo = opt.def_cipher_algo;
if (algo)
log_info (_("assuming %s encrypted data\n"),
openpgp_cipher_algo_name (algo));
else if (openpgp_cipher_test_algo (CIPHER_ALGO_IDEA))
{
algo = opt.def_cipher_algo;
if (!algo)
algo = opt.s2k_cipher_algo;
log_info (_("IDEA cipher unavailable, "
"optimistically attempting to use %s instead\n"),
openpgp_cipher_algo_name (algo));
}
else
{
algo = CIPHER_ALGO_IDEA;
if (!opt.s2k_digest_algo)
{
/* If no digest is given we assume SHA-1. */
s2kbuf.mode = 0;
s2kbuf.hash_algo = DIGEST_ALGO_SHA1;
s2k = &s2kbuf;
}
log_info (_("assuming %s encrypted data\n"), "IDEA");
}
c->dek = passphrase_to_dek (algo, s2k, 0, 0, NULL, &canceled);
if (c->dek)
c->dek->algo_info_printed = 1;
else if (canceled)
result = gpg_error (GPG_ERR_CANCELED);
else
result = gpg_error (GPG_ERR_INV_PASSPHRASE);
}
}
else if (!c->dek)
result = GPG_ERR_NO_SECKEY;
/* Compute compliance with CO_DE_VS. */
if (!result && is_status_enabled ()
/* Symmetric encryption and asymmetric encryption voids compliance. */
&& (c->symkeys != !!c->pkenc_list )
/* Overriding session key voids compliance. */
&& !opt.override_session_key
/* Check symmetric cipher. */
&& gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
GCRY_CIPHER_MODE_CFB))
{
struct kidlist_item *i;
int compliant = 1;
PKT_public_key *pk = xmalloc (sizeof *pk);
if ( !(c->pkenc_list || c->symkeys) )
log_debug ("%s: where else did the session key come from?\n", __func__);
/* Now check that every key used to encrypt the session key is
* compliant. */
for (i = c->pkenc_list; i && compliant; i = i->next)
{
memset (pk, 0, sizeof *pk);
pk->pubkey_algo = i->pubkey_algo;
if (get_pubkey (c->ctrl, pk, i->kid) != 0
|| ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
nbits_from_pk (pk), NULL))
compliant = 0;
release_public_key_parts (pk);
}
xfree (pk);
if (compliant)
write_status_strings (STATUS_DECRYPTION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS),
NULL);
}
if (!result)
result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek );
if (result == -1)
;
else if (!result
&& !opt.ignore_mdc_error
&& !pkt->pkt.encrypted->mdc_method
&& openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
&& c->dek->algo != CIPHER_ALGO_TWOFISH)
{
/* The message has been decrypted but has no MDC despite that a
modern cipher (blocklength != 64 bit, except for Twofish) is
used and the option to ignore MDC errors is not used: To
avoid attacks changing an MDC message to a non-MDC message,
we fail here. */
log_error (_("WARNING: message was not integrity protected\n"));
if (opt.verbose > 1)
log_info ("decryption forced to fail\n");
write_status (STATUS_DECRYPTION_FAILED);
}
else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
&& opt.ignore_mdc_error))
{
write_status (STATUS_DECRYPTION_OKAY);
if (opt.verbose > 1)
log_info(_("decryption okay\n"));
if (pkt->pkt.encrypted->mdc_method && !result)
write_status (STATUS_GOODMDC);
else if (!opt.no_mdc_warn)
log_info (_("WARNING: message was not integrity protected\n"));
}
else if (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE)
{
glo_ctrl.lasterr = result;
log_error (_("WARNING: encrypted message has been manipulated!\n"));
write_status (STATUS_BADMDC);
write_status (STATUS_DECRYPTION_FAILED);
}
else
{
if ((gpg_err_code (result) == GPG_ERR_BAD_KEY
|| gpg_err_code (result) == GPG_ERR_CIPHER_ALGO)
&& *c->dek->s2k_cacheid != '\0')
{
if (opt.debug)
log_debug ("cleared passphrase cached with ID: %s\n",
c->dek->s2k_cacheid);
passphrase_clear_cache (c->dek->s2k_cacheid);
}
glo_ctrl.lasterr = result;
write_status (STATUS_DECRYPTION_FAILED);
log_error (_("decryption failed: %s\n"), gpg_strerror (result));
/* Hmmm: does this work when we have encrypted using multiple
* ways to specify the session key (symmmetric and PK). */
}
xfree (c->dek);
c->dek = NULL;
free_packet (pkt, NULL);
c->last_was_session_key = 0;
write_status (STATUS_END_DECRYPTION);
}
static void
proc_plaintext( CTX c, PACKET *pkt )
{
PKT_plaintext *pt = pkt->pkt.plaintext;
int any, clearsig, rc;
kbnode_t n;
literals_seen++;
if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
else if (opt.verbose)
log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
free_md_filter_context (&c->mfx);
if (gcry_md_open (&c->mfx.md, 0, 0))
BUG ();
/* fixme: we may need to push the textfilter if we have sigclass 1
* and no armoring - Not yet tested
* Hmmm, why don't we need it at all if we have sigclass 1
* Should we assume that plaintext in mode 't' has always sigclass 1??
* See: Russ Allbery's mail 1999-02-09
*/
any = clearsig = 0;
for (n=c->list; n; n = n->next )
{
if (n->pkt->pkttype == PKT_ONEPASS_SIG)
{
/* The onepass signature case. */
if (n->pkt->pkt.onepass_sig->digest_algo)
{
gcry_md_enable (c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo);
any = 1;
}
}
else if (n->pkt->pkttype == PKT_GPG_CONTROL
&& n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
{
/* The clearsigned message case. */
size_t datalen = n->pkt->pkt.gpg_control->datalen;
const byte *data = n->pkt->pkt.gpg_control->data;
/* Check that we have at least the sigclass and one hash. */
if (datalen < 2)
log_fatal ("invalid control packet CTRLPKT_CLEARSIGN_START\n");
/* Note that we don't set the clearsig flag for not-dash-escaped
* documents. */
clearsig = (*data == 0x01);
for (data++, datalen--; datalen; datalen--, data++)
gcry_md_enable (c->mfx.md, *data);
any = 1;
break; /* Stop here as one-pass signature packets are not
expected. */
}
else if (n->pkt->pkttype == PKT_SIGNATURE)
{
/* The SIG+LITERAL case that PGP used to use. */
gcry_md_enable ( c->mfx.md, n->pkt->pkt.signature->digest_algo );
any = 1;
}
}
if (!any && !opt.skip_verify)
{
/* This is for the old GPG LITERAL+SIG case. It's not legal
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)
{
gcry_md_debug (c->mfx.md, "verify");
if (c->mfx.md2)
gcry_md_debug (c->mfx.md2, "verify2");
}
rc=0;
if (literals_seen > 1)
{
log_info (_("WARNING: multiple plaintexts seen\n"));
if (!opt.flags.allow_multiple_messages)
{
write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
log_inc_errorcount ();
rc = gpg_error (GPG_ERR_UNEXPECTED);
}
}
if (!rc)
{
/* It we are in --verify mode, we do not want to output the
* signed text. However, if --output is also used we do what
* has been requested and write out the signed data. */
rc = handle_plaintext (pt, &c->mfx,
(opt.outfp || opt.outfile)? 0 : c->sigs_only,
clearsig);
if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
{
/* Can't write output but we hash it anyway to check the
signature. */
rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
}
}
if (rc)
log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
free_packet (pkt, NULL);
c->last_was_session_key = 0;
/* We add a marker control packet instead of the plaintext packet.
* This is so that we can later detect invalid packet sequences. */
n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, NULL, 0));
if (c->list)
add_kbnode (c->list, n);
else
c->list = n;
}
static int
proc_compressed_cb (iobuf_t a, void *info)
{
if ( ((CTX)info)->signed_data.used
&& ((CTX)info)->signed_data.data_fd != -1)
return proc_signature_packets_by_fd (((CTX)info)->ctrl, info, a,
((CTX)info)->signed_data.data_fd);
else
return proc_signature_packets (((CTX)info)->ctrl, info, a,
((CTX)info)->signed_data.data_names,
((CTX)info)->sigfilename );
}
static int
proc_encrypt_cb (iobuf_t a, void *info )
{
CTX c = info;
return proc_encryption_packets (c->ctrl, info, a );
}
static int
proc_compressed (CTX c, PACKET *pkt)
{
PKT_compressed *zd = pkt->pkt.compressed;
int rc;
/*printf("zip: compressed data packet\n");*/
if (c->sigs_only)
rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
else if( c->encrypt_only )
rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
else
rc = handle_compressed (c->ctrl, c, zd, NULL, NULL);
if (gpg_err_code (rc) == GPG_ERR_BAD_DATA)
{
if (!c->any.uncompress_failed)
{
CTX cc;
for (cc=c; cc; cc = cc->anchor)
cc->any.uncompress_failed = 1;
log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
}
}
else if (rc)
log_error ("uncompressing failed: %s\n", gpg_strerror (rc));
free_packet (pkt, NULL);
c->last_was_session_key = 0;
return rc;
}
/*
* Check the signature. If R_PK is not NULL a copy of the public key
* used to verify the signature will be stored there, or NULL if not
* found. Returns: 0 = valid signature or an error code
*/
static int
do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
{
PKT_signature *sig;
gcry_md_hd_t md = NULL;
gcry_md_hd_t md2 = NULL;
gcry_md_hd_t md_good = NULL;
int algo, rc;
if (r_pk)
*r_pk = NULL;
log_assert (node->pkt->pkttype == PKT_SIGNATURE);
if (is_selfsig)
*is_selfsig = 0;
sig = node->pkt->pkt.signature;
algo = sig->digest_algo;
rc = openpgp_md_test_algo (algo);
if (rc)
return rc;
if (sig->sig_class == 0x00)
{
if (c->mfx.md)
{
if (gcry_md_copy (&md, c->mfx.md ))
BUG ();
}
else /* detached signature */
{
/* check_signature() will enable the md. */
if (gcry_md_open (&md, 0, 0 ))
BUG ();
}
}
else if (sig->sig_class == 0x01)
{
/* How do we know that we have to hash the (already hashed) text
in canonical mode ??? (calculating both modes???) */
if (c->mfx.md)
{
if (gcry_md_copy (&md, c->mfx.md ))
BUG ();
if (c->mfx.md2 && gcry_md_copy (&md2, c->mfx.md2))
BUG ();
}
else /* detached signature */
{
log_debug ("Do we really need this here?");
/* check_signature() will enable the md*/
if (gcry_md_open (&md, 0, 0 ))
BUG ();
if (gcry_md_open (&md2, 0, 0 ))
BUG ();
}
}
else if ((sig->sig_class&~3) == 0x10
|| sig->sig_class == 0x18
|| sig->sig_class == 0x1f
|| sig->sig_class == 0x20
|| sig->sig_class == 0x28
|| sig->sig_class == 0x30)
{
if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
|| c->list->pkt->pkttype == PKT_PUBLIC_SUBKEY)
{
return check_key_signature (c->ctrl, c->list, node, is_selfsig);
}
else if (sig->sig_class == 0x20)
{
log_error (_("standalone revocation - "
"use \"gpg --import\" to apply\n"));
return GPG_ERR_NOT_PROCESSED;
}
else
{
log_error ("invalid root packet for sigclass %02x\n", sig->sig_class);
return GPG_ERR_SIG_CLASS;
}
}
else
return GPG_ERR_SIG_CLASS;
/* We only get here if we are checking the signature of a binary
(0x00) or text document (0x01). */
rc = check_signature2 (c->ctrl, sig, md, NULL, is_expkey, is_revkey, r_pk);
if (! rc)
md_good = md;
else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
{
PKT_public_key *pk2;
rc = check_signature2 (c->ctrl, sig, md2, NULL, is_expkey, is_revkey,
r_pk? &pk2 : NULL);
if (!rc)
{
md_good = md2;
if (r_pk)
{
free_public_key (*r_pk);
*r_pk = pk2;
}
}
}
if (md_good)
{
unsigned char *buffer = gcry_md_read (md_good, sig->digest_algo);
sig->digest_len = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (algo));
memcpy (sig->digest, buffer, sig->digest_len);
}
gcry_md_close (md);
gcry_md_close (md2);
return rc;
}
static void
print_userid (PACKET *pkt)
{
if (!pkt)
BUG();
if (pkt->pkttype != PKT_USER_ID)
{
es_printf ("ERROR: unexpected packet type %d", pkt->pkttype );
return;
}
if (opt.with_colons)
{
if (pkt->pkt.user_id->attrib_data)
es_printf("%u %lu",
pkt->pkt.user_id->numattribs,
pkt->pkt.user_id->attrib_len);
else
es_write_sanitized (es_stdout, pkt->pkt.user_id->name,
pkt->pkt.user_id->len, ":", NULL);
}
else
print_utf8_buffer (es_stdout, pkt->pkt.user_id->name,
pkt->pkt.user_id->len );
}
/*
* List the keyblock in a user friendly way
*/
static void
list_node (CTX c, kbnode_t node)
{
if (!node)
;
else if (node->pkt->pkttype == PKT_PUBLIC_KEY
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
{
PKT_public_key *pk = node->pkt->pkt.public_key;
if (opt.with_colons)
{
u32 keyid[2];
keyid_from_pk( pk, keyid );
if (pk->flags.primary)
c->trustletter = (opt.fast_list_mode
? 0
: get_validity_info
(c->ctrl,
node->pkt->pkttype == PKT_PUBLIC_KEY
? node : NULL,
pk, NULL));
es_printf ("%s:", pk->flags.primary? "pub":"sub" );
if (c->trustletter)
es_putc (c->trustletter, es_stdout);
es_printf (":%u:%d:%08lX%08lX:%s:%s::",
nbits_from_pk( pk ),
pk->pubkey_algo,
(ulong)keyid[0],(ulong)keyid[1],
colon_datestr_from_pk( pk ),
colon_strtime (pk->expiredate) );
if (pk->flags.primary && !opt.fast_list_mode)
es_putc (get_ownertrust_info (c->ctrl, pk, 1), es_stdout);
es_putc (':', es_stdout);
es_putc ('\n', es_stdout);
}
else
{
print_key_line (c->ctrl, es_stdout, pk, 0);
}
if (opt.keyid_format == KF_NONE && !opt.with_colons)
; /* Already printed. */
else if ((pk->flags.primary && opt.fingerprint) || opt.fingerprint > 1)
print_fingerprint (c->ctrl, NULL, pk, 0);
if (pk->flags.primary)
{
int kl = opt.keyid_format == KF_NONE? 0 : keystrlen ();
/* Now list all userids with their signatures. */
for (node = node->next; node; node = node->next)
{
if (node->pkt->pkttype == PKT_SIGNATURE)
{
list_node (c, node );
}
else if (node->pkt->pkttype == PKT_USER_ID)
{
if (opt.with_colons)
es_printf ("%s:::::::::",
node->pkt->pkt.user_id->attrib_data?"uat":"uid");
else
es_printf ("uid%*s",
kl + (opt.legacy_list_mode? 9:11),
"" );
print_userid (node->pkt);
if (opt.with_colons)
es_putc (':', es_stdout);
es_putc ('\n', es_stdout);
}
else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
{
list_node(c, node );
}
}
}
}
else if (node->pkt->pkttype == PKT_SECRET_KEY
|| node->pkt->pkttype == PKT_SECRET_SUBKEY)
{
log_debug ("FIXME: No way to print secret key packets here\n");
/* fixme: We may use a function to turn a secret key packet into
a public key one and use that here. */
}
else if (node->pkt->pkttype == PKT_SIGNATURE)
{
PKT_signature *sig = node->pkt->pkt.signature;
int is_selfsig = 0;
int rc2 = 0;
size_t n;
char *p;
int sigrc = ' ';
if (!opt.verbose)
return;
if (sig->sig_class == 0x20 || sig->sig_class == 0x30)
es_fputs ("rev", es_stdout);
else
es_fputs ("sig", es_stdout);
if (opt.check_sigs)
{
fflush (stdout);
rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
switch (gpg_err_code (rc2))
{
case 0: sigrc = '!'; break;
case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
case GPG_ERR_NO_PUBKEY:
case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
default: sigrc = '%'; break;
}
}
else /* Check whether this is a self signature. */
{
u32 keyid[2];
if (c->list->pkt->pkttype == PKT_PUBLIC_KEY
|| c->list->pkt->pkttype == PKT_SECRET_KEY )
{
keyid_from_pk (c->list->pkt->pkt.public_key, keyid);
if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
is_selfsig = 1;
}
}
if (opt.with_colons)
{
es_putc (':', es_stdout);
if (sigrc != ' ')
es_putc (sigrc, es_stdout);
es_printf ("::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
(ulong)sig->keyid[0], (ulong)sig->keyid[1],
colon_datestr_from_sig (sig),
colon_expirestr_from_sig (sig));
if (sig->trust_depth || sig->trust_value)
es_printf ("%d %d",sig->trust_depth,sig->trust_value);
es_putc (':', es_stdout);
if (sig->trust_regexp)
es_write_sanitized (es_stdout, sig->trust_regexp,
strlen (sig->trust_regexp), ":", NULL);
es_putc (':', es_stdout);
}
else
es_printf ("%c %s %s ",
sigrc, keystr (sig->keyid), datestr_from_sig(sig));
if (sigrc == '%')
es_printf ("[%s] ", gpg_strerror (rc2) );
else if (sigrc == '?')
;
else if (is_selfsig)
{
if (opt.with_colons)
es_putc (':', es_stdout);
es_fputs (sig->sig_class == 0x18? "[keybind]":"[selfsig]", es_stdout);
if (opt.with_colons)
es_putc (':', es_stdout);
}
else if (!opt.fast_list_mode)
{
p = get_user_id (c->ctrl, sig->keyid, &n);
es_write_sanitized (es_stdout, p, n,
opt.with_colons?":":NULL, NULL );
xfree (p);
}
if (opt.with_colons)
es_printf (":%02x%c:", sig->sig_class, sig->flags.exportable?'x':'l');
es_putc ('\n', es_stdout);
}
else
log_error ("invalid node with packet of type %d\n", node->pkt->pkttype);
}
int
proc_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
{
int rc;
CTX c = xmalloc_clear (sizeof *c);
c->ctrl = ctrl;
c->anchor = anchor;
rc = do_proc_packets (ctrl, c, a);
xfree (c);
return rc;
}
int
proc_signature_packets (ctrl_t ctrl, void *anchor, iobuf_t a,
strlist_t signedfiles, const char *sigfilename )
{
CTX c = xmalloc_clear (sizeof *c);
int rc;
c->ctrl = ctrl;
c->anchor = anchor;
c->sigs_only = 1;
c->signed_data.data_fd = -1;
c->signed_data.data_names = signedfiles;
c->signed_data.used = !!signedfiles;
c->sigfilename = sigfilename;
rc = do_proc_packets (ctrl, c, a);
/* If we have not encountered any signature we print an error
messages, send a NODATA status back and return an error code.
Using log_error is required because verify_files does not check
error codes for each file but we want to terminate the process
with an error. */
if (!rc && !c->any.sig_seen)
{
write_status_text (STATUS_NODATA, "4");
log_error (_("no signature found\n"));
rc = GPG_ERR_NO_DATA;
}
/* Propagate the signature seen flag upward. Do this only on success
so that we won't issue the nodata status several times. */
if (!rc && c->anchor && c->any.sig_seen)
c->anchor->any.sig_seen = 1;
xfree (c);
return rc;
}
int
proc_signature_packets_by_fd (ctrl_t ctrl,
void *anchor, iobuf_t a, int signed_data_fd )
{
int rc;
CTX c;
c = xtrycalloc (1, sizeof *c);
if (!c)
return gpg_error_from_syserror ();
c->ctrl = ctrl;
c->anchor = anchor;
c->sigs_only = 1;
c->signed_data.data_fd = signed_data_fd;
c->signed_data.data_names = NULL;
c->signed_data.used = (signed_data_fd != -1);
rc = do_proc_packets (ctrl, c, a);
/* If we have not encountered any signature we print an error
messages, send a NODATA status back and return an error code.
Using log_error is required because verify_files does not check
error codes for each file but we want to terminate the process
with an error. */
if (!rc && !c->any.sig_seen)
{
write_status_text (STATUS_NODATA, "4");
log_error (_("no signature found\n"));
rc = gpg_error (GPG_ERR_NO_DATA);
}
/* Propagate the signature seen flag upward. Do this only on success
so that we won't issue the nodata status several times. */
if (!rc && c->anchor && c->any.sig_seen)
c->anchor->any.sig_seen = 1;
xfree ( c );
return rc;
}
int
proc_encryption_packets (ctrl_t ctrl, void *anchor, iobuf_t a )
{
CTX c = xmalloc_clear (sizeof *c);
int rc;
c->ctrl = ctrl;
c->anchor = anchor;
c->encrypt_only = 1;
rc = do_proc_packets (ctrl, c, a);
xfree (c);
return rc;
}
static int
check_nesting (CTX c)
{
int level;
for (level=0; c; c = c->anchor)
level++;
if (level > MAX_NESTING_DEPTH)
{
log_error ("input data with too deeply nested packets\n");
write_status_text (STATUS_UNEXPECTED, "1");
return GPG_ERR_BAD_DATA;
}
return 0;
}
static int
do_proc_packets (ctrl_t ctrl, CTX c, iobuf_t a)
{
PACKET *pkt;
struct parse_packet_ctx_s parsectx;
int rc = 0;
int any_data = 0;
int newpkt;
rc = check_nesting (c);
if (rc)
return rc;
pkt = xmalloc( sizeof *pkt );
c->iobuf = a;
init_packet(pkt);
init_parse_packet (&parsectx, a);
while ((rc=parse_packet (&parsectx, pkt)) != -1)
{
any_data = 1;
if (rc)
{
free_packet (pkt, &parsectx);
/* Stop processing when an invalid packet has been encountered
* but don't do so when we are doing a --list-packets. */
if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
&& opt.list_packets == 0)
break;
continue;
}
newpkt = -1;
if (opt.list_packets)
{
switch (pkt->pkttype)
{
case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
case PKT_ENCRYPTED:
case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
default: newpkt = 0; break;
}
}
else if (c->sigs_only)
{
switch (pkt->pkttype)
{
case PKT_PUBLIC_KEY:
case PKT_SECRET_KEY:
case PKT_USER_ID:
case PKT_SYMKEY_ENC:
case PKT_PUBKEY_ENC:
case PKT_ENCRYPTED:
case PKT_ENCRYPTED_MDC:
write_status_text( STATUS_UNEXPECTED, "0" );
rc = GPG_ERR_UNEXPECTED;
goto leave;
case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
default: newpkt = 0; break;
}
}
else if (c->encrypt_only)
{
switch (pkt->pkttype)
{
case PKT_PUBLIC_KEY:
case PKT_SECRET_KEY:
case PKT_USER_ID:
write_status_text (STATUS_UNEXPECTED, "0");
rc = GPG_ERR_UNEXPECTED;
goto leave;
case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
case PKT_ENCRYPTED:
case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
default: newpkt = 0; break;
}
}
else
{
switch (pkt->pkttype)
{
case PKT_PUBLIC_KEY:
case PKT_SECRET_KEY:
release_list (c);
c->list = new_kbnode (pkt);
newpkt = 1;
break;
case PKT_PUBLIC_SUBKEY:
case PKT_SECRET_SUBKEY:
newpkt = add_subkey (c, pkt);
break;
case PKT_USER_ID: newpkt = add_user_id (c, pkt); break;
case PKT_SIGNATURE: newpkt = add_signature (c, pkt); break;
case PKT_PUBKEY_ENC: proc_pubkey_enc (ctrl, c, pkt); break;
case PKT_SYMKEY_ENC: proc_symkey_enc (c, pkt); break;
case PKT_ENCRYPTED:
case PKT_ENCRYPTED_MDC: proc_encrypted (c, pkt); break;
case PKT_PLAINTEXT: proc_plaintext (c, pkt); break;
case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break;
case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
case PKT_RING_TRUST: newpkt = add_ring_trust (c, pkt); break;
default: newpkt = 0; break;
}
}
if (rc)
goto leave;
/* This is a very ugly construct and frankly, I don't remember why
* I used it. Adding the MDC check here is a hack.
* The right solution is to initiate another context for encrypted
* packet and not to reuse the current one ... It works right
* when there is a compression packet between which adds just
* an extra layer.
* Hmmm: Rewrite this whole module here??
*/
if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC)
c->any.data = (pkt->pkttype == PKT_PLAINTEXT);
if (newpkt == -1)
;
else if (newpkt)
{
pkt = xmalloc (sizeof *pkt);
init_packet (pkt);
}
else
free_packet (pkt, &parsectx);
}
if (rc == GPG_ERR_INV_PACKET)
write_status_text (STATUS_NODATA, "3");
if (any_data)
rc = 0;
else if (rc == -1)
write_status_text (STATUS_NODATA, "2");
leave:
release_list (c);
xfree(c->dek);
free_packet (pkt, &parsectx);
deinit_parse_packet (&parsectx);
xfree (pkt);
free_md_filter_context (&c->mfx);
return rc;
}
/* Helper for pka_uri_from_sig to parse the to-be-verified address out
of the notation data. */
static pka_info_t *
get_pka_address (PKT_signature *sig)
{
pka_info_t *pka = NULL;
struct notation *nd,*notation;
notation=sig_to_notation(sig);
for(nd=notation;nd;nd=nd->next)
{
if(strcmp(nd->name,"pka-address@gnupg.org")!=0)
continue; /* Not the notation we want. */
/* For now we only use the first valid PKA notation. In future
we might want to keep additional PKA notations in a linked
list. */
if (is_valid_mailbox (nd->value))
{
pka = xmalloc (sizeof *pka + strlen(nd->value));
pka->valid = 0;
pka->checked = 0;
pka->uri = NULL;
strcpy (pka->email, nd->value);
break;
}
}
free_notation(notation);
return pka;
}
/* Return the URI from a DNS PKA record. If this record has already
be retrieved for the signature we merely return it; if not we go
out and try to get that DNS record. */
static const char *
pka_uri_from_sig (CTX c, PKT_signature *sig)
{
if (!sig->flags.pka_tried)
{
log_assert (!sig->pka_info);
sig->flags.pka_tried = 1;
sig->pka_info = get_pka_address (sig);
if (sig->pka_info)
{
char *url;
unsigned char *fpr;
size_t fprlen;
if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email,
&fpr, &fprlen, &url))
{
if (fpr && fprlen == sizeof sig->pka_info->fpr)
{
memcpy (sig->pka_info->fpr, fpr, fprlen);
if (url)
{
sig->pka_info->valid = 1;
if (!*url)
xfree (url);
else
sig->pka_info->uri = url;
url = NULL;
}
}
xfree (fpr);
xfree (url);
}
}
}
return sig->pka_info? sig->pka_info->uri : NULL;
}
/* Return true if the AKL has the WKD method specified. */
static int
akl_has_wkd_method (void)
{
struct akl *akl;
for (akl = opt.auto_key_locate; akl; akl = akl->next)
if (akl->type == AKL_WKD)
return 1;
return 0;
}
/* Return the ISSUER fingerprint string in human readbale format if
* available. Caller must release the string. */
static char *
issuer_fpr_string (PKT_signature *sig)
{
const byte *p;
size_t n;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
if (p && n == 21 && p[0] == 4)
return bin2hex (p+1, n-1, NULL);
return NULL;
}
static void
print_good_bad_signature (int statno, const char *keyid_str, kbnode_t un,
PKT_signature *sig, int rc)
{
char *p;
write_status_text_and_buffer (statno, keyid_str,
un? un->pkt->pkt.user_id->name:"[?]",
un? un->pkt->pkt.user_id->len:3,
-1);
if (un)
p = utf8_to_native (un->pkt->pkt.user_id->name,
un->pkt->pkt.user_id->len, 0);
else
p = xstrdup ("[?]");
if (rc)
log_info (_("BAD signature from \"%s\""), p);
else if (sig->flags.expired)
log_info (_("Expired signature from \"%s\""), p);
else
log_info (_("Good signature from \"%s\""), p);
xfree (p);
}
static int
check_sig_and_print (CTX c, kbnode_t node)
{
PKT_signature *sig = node->pkt->pkt.signature;
const char *astr;
int rc;
int is_expkey = 0;
int is_revkey = 0;
char *issuer_fpr;
PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
int tried_ks_by_fpr;
if (opt.skip_verify)
{
log_info(_("signature verification suppressed\n"));
return 0;
}
/* Check that the message composition is valid.
*
* Per RFC-2440bis (-15) allowed:
*
* S{1,n} -- detached signature.
* S{1,n} P -- old style PGP2 signature
* O{1,n} P S{1,n} -- standard OpenPGP signature.
* C P S{1,n} -- cleartext signature.
*
*
* O = One-Pass Signature packet.
* S = Signature packet.
* P = OpenPGP Message packet (Encrypted | Compressed | Literal)
* (Note that the current rfc2440bis draft also allows
* for a signed message but that does not work as it
* introduces ambiguities.)
* We keep track of these packages using the marker packet
* CTRLPKT_PLAINTEXT_MARK.
* C = Marker packet for cleartext signatures.
*
* We reject all other messages.
*
* Actually we are calling this too often, i.e. for verification of
* each message but better have some duplicate work than to silently
* introduce a bug here.
*/
{
kbnode_t n;
int n_onepass, n_sig;
/* log_debug ("checking signature packet composition\n"); */
/* dump_kbnode (c->list); */
n = c->list;
log_assert (n);
if ( n->pkt->pkttype == PKT_SIGNATURE )
{
/* This is either "S{1,n}" case (detached signature) or
"S{1,n} P" (old style PGP2 signature). */
for (n = n->next; n; n = n->next)
if (n->pkt->pkttype != PKT_SIGNATURE)
break;
if (!n)
; /* Okay, this is a detached signature. */
else if (n->pkt->pkttype == PKT_GPG_CONTROL
&& (n->pkt->pkt.gpg_control->control
== CTRLPKT_PLAINTEXT_MARK) )
{
if (n->next)
goto ambiguous; /* We only allow one P packet. */
}
else
goto ambiguous;
}
else if (n->pkt->pkttype == PKT_ONEPASS_SIG)
{
/* This is the "O{1,n} P S{1,n}" case (standard signature). */
for (n_onepass=1, n = n->next;
n && n->pkt->pkttype == PKT_ONEPASS_SIG; n = n->next)
n_onepass++;
if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
&& (n->pkt->pkt.gpg_control->control
== CTRLPKT_PLAINTEXT_MARK)))
goto ambiguous;
for (n_sig=0, n = n->next;
n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
n_sig++;
if (!n_sig)
goto ambiguous;
/* If we wanted to disallow multiple sig verification, we'd do
something like this:
if (n && !opt.allow_multisig_verification)
goto ambiguous;
However, now that we have --allow-multiple-messages, this
can stay allowable as we can't get here unless multiple
messages (i.e. multiple literals) are allowed. */
if (n_onepass != n_sig)
{
log_info ("number of one-pass packets does not match "
"number of signature packets\n");
goto ambiguous;
}
}
else if (n->pkt->pkttype == PKT_GPG_CONTROL
&& n->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START )
{
/* This is the "C P S{1,n}" case (clear text signature). */
n = n->next;
if (!n || !(n->pkt->pkttype == PKT_GPG_CONTROL
&& (n->pkt->pkt.gpg_control->control
== CTRLPKT_PLAINTEXT_MARK)))
goto ambiguous;
for (n_sig=0, n = n->next;
n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
n_sig++;
if (n || !n_sig)
goto ambiguous;
}
else
{
ambiguous:
log_error(_("can't handle this ambiguous signature data\n"));
return 0;
}
}
if (sig->signers_uid)
write_status_buffer (STATUS_NEWSIG,
sig->signers_uid, strlen (sig->signers_uid), 0);
else
write_status_text (STATUS_NEWSIG, NULL);
astr = openpgp_pk_algo_name ( sig->pubkey_algo );
if ((issuer_fpr = issuer_fpr_string (sig)))
{
log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
log_info (_(" using %s key %s\n"),
astr? astr: "?", issuer_fpr);
xfree (issuer_fpr);
}
else if (!keystrlen () || keystrlen () > 8)
{
log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
log_info (_(" using %s key %s\n"),
astr? astr: "?", keystr(sig->keyid));
}
else /* Legacy format. */
log_info (_("Signature made %s using %s key ID %s\n"),
asctimestamp(sig->timestamp), astr? astr: "?",
keystr(sig->keyid));
/* In verbose mode print the signers UID. */
if (sig->signers_uid)
log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
/* If the key isn't found, check for a preferred keyserver. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
{
const byte *p;
int seq = 0;
size_t n;
while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
{
/* According to my favorite copy editor, in English grammar,
you say "at" if the key is located on a web page, but
"from" if it is located on a keyserver. I'm not going to
even try to make two strings here :) */
log_info(_("Key available at: ") );
print_utf8_buffer (log_get_stream(), p, n);
log_printf ("\n");
if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
&& opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
{
struct keyserver_spec *spec;
spec = parse_preferred_keyserver (sig);
if (spec)
{
int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid,spec, 1);
glo_ctrl.in_auto_key_retrieve--;
if (!res)
rc = do_check_sig (c, node, NULL,
&is_expkey, &is_revkey, &pk);
free_keyserver_spec (spec);
if (!rc)
break;
}
}
}
}
/* If the avove methods didn't work, our next try is to use the URI
* from a DNS PKA record. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
&& (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
{
const char *uri = pka_uri_from_sig (c, sig);
if (uri)
{
/* FIXME: We might want to locate the key using the
fingerprint instead of the keyid. */
int res;
struct keyserver_spec *spec;
spec = parse_keyserver_uri (uri, 1);
if (spec)
{
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1);
glo_ctrl.in_auto_key_retrieve--;
free_keyserver_spec (spec);
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
}
}
}
/* If the above methods didn't work, our next try is to locate
* the key via its fingerprint from a keyserver. This requires
* that the signers fingerprint is encoded in the signature. We
* favor this over the WKD method (to be tried next), because an
* arbitrary keyserver is less subject to web bug like monitoring. */
tried_ks_by_fpr = 0;
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
&& keyserver_any_configured (c->ctrl))
{
int res;
const byte *p;
size_t n;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
if (p && n == 21 && p[0] == 4)
{
/* v4 packet with a SHA-1 fingerprint. */
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
tried_ks_by_fpr = 1;
glo_ctrl.in_auto_key_retrieve--;
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
}
}
/* If the above methods didn't work, our next try is to retrieve the
* key from the WKD. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
&& !opt.flags.disable_signer_uid
&& akl_has_wkd_method ()
&& sig->signers_uid)
{
int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
glo_ctrl.in_auto_key_retrieve--;
/* Fixme: If the fingerprint is embedded in the signature,
* compare it to the fingerprint of the returned key. */
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
}
/* If the above methods did't work, our next try is to use a
* keyserver. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
&& !tried_ks_by_fpr
&& keyserver_any_configured (c->ctrl))
{
int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
glo_ctrl.in_auto_key_retrieve--;
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
}
if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
{
kbnode_t un, keyblock;
int count = 0;
int statno;
char keyid_str[50];
PKT_public_key *mainpk = NULL;
if (rc)
statno = STATUS_BADSIG;
else if (sig->flags.expired)
statno = STATUS_EXPSIG;
else if (is_expkey)
statno = STATUS_EXPKEYSIG;
else if(is_revkey)
statno = STATUS_REVKEYSIG;
else
statno = STATUS_GOODSIG;
/* FIXME: We should have the public key in PK and thus the
* keyblock has already been fetched. Thus we could use the
* fingerprint or PK itself to lookup the entire keyblock. That
* would best be done with a cache. */
keyblock = get_pubkeyblock (c->ctrl, sig->keyid);
snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
(ulong)sig->keyid[0], (ulong)sig->keyid[1]);
/* Find and print the primary user ID along with the
"Good|Expired|Bad signature" line. */
for (un=keyblock; un; un = un->next)
{
int valid;
if (un->pkt->pkttype==PKT_PUBLIC_KEY)
{
mainpk = un->pkt->pkt.public_key;
continue;
}
if (un->pkt->pkttype != PKT_USER_ID)
continue;
if (!un->pkt->pkt.user_id->created)
continue;
if (un->pkt->pkt.user_id->flags.revoked)
continue;
if (un->pkt->pkt.user_id->flags.expired)
continue;
if (!un->pkt->pkt.user_id->flags.primary)
continue;
/* We want the textual primary user ID here */
if (un->pkt->pkt.user_id->attrib_data)
continue;
log_assert (mainpk);
/* Since this is just informational, don't actually ask the
user to update any trust information. (Note: we register
the signature later.) Because print_good_bad_signature
does not print a LF we need to compute the validity
before calling that function. */
if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
valid = get_validity (c->ctrl, keyblock, mainpk,
un->pkt->pkt.user_id, NULL, 0);
else
valid = 0; /* Not used. */
keyid_str[17] = 0; /* cut off the "[uncertain]" part */
print_good_bad_signature (statno, keyid_str, un, sig, rc);
if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
log_printf (" [%s]\n",trust_value_to_string(valid));
else
log_printf ("\n");
count++;
}
log_assert (mainpk);
/* In case we did not found a valid textual userid above
we print the first user id packet or a "[?]" instead along
with the "Good|Expired|Bad signature" line. */
if (!count)
{
/* Try for an invalid textual userid */
for (un=keyblock; un; un = un->next)
{
if (un->pkt->pkttype == PKT_USER_ID
&& !un->pkt->pkt.user_id->attrib_data)
break;
}
/* Try for any userid at all */
if (!un)
{
for (un=keyblock; un; un = un->next)
{
if (un->pkt->pkttype == PKT_USER_ID)
break;
}
}
if (opt.trust_model==TM_ALWAYS || !un)
keyid_str[17] = 0; /* cut off the "[uncertain]" part */
print_good_bad_signature (statno, keyid_str, un, sig, rc);
if (opt.trust_model != TM_ALWAYS && un)
log_printf (" %s",_("[uncertain]") );
log_printf ("\n");
}
/* If we have a good signature and already printed
* the primary user ID, print all the other user IDs */
if (count
&& !rc
&& !(opt.verify_options & VERIFY_SHOW_PRIMARY_UID_ONLY))
{
char *p;
for( un=keyblock; un; un = un->next)
{
if (un->pkt->pkttype != PKT_USER_ID)
continue;
if ((un->pkt->pkt.user_id->flags.revoked
|| un->pkt->pkt.user_id->flags.expired)
&& !(opt.verify_options & VERIFY_SHOW_UNUSABLE_UIDS))
continue;
/* Skip textual primary user ids which we printed above. */
if (un->pkt->pkt.user_id->flags.primary
&& !un->pkt->pkt.user_id->attrib_data )
continue;
/* If this user id has attribute data, print that. */
if (un->pkt->pkt.user_id->attrib_data)
{
dump_attribs (un->pkt->pkt.user_id, mainpk);
if (opt.verify_options&VERIFY_SHOW_PHOTOS)
show_photos (c->ctrl,
un->pkt->pkt.user_id->attribs,
un->pkt->pkt.user_id->numattribs,
mainpk ,un->pkt->pkt.user_id);
}
p = utf8_to_native (un->pkt->pkt.user_id->name,
un->pkt->pkt.user_id->len, 0);
log_info (_(" aka \"%s\""), p);
xfree (p);
if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
{
const char *valid;
if (un->pkt->pkt.user_id->flags.revoked)
valid = _("revoked");
else if (un->pkt->pkt.user_id->flags.expired)
valid = _("expired");
else
/* Since this is just informational, don't
actually ask the user to update any trust
information. */
valid = (trust_value_to_string
(get_validity (c->ctrl, keyblock, mainpk,
un->pkt->pkt.user_id, NULL, 0)));
log_printf (" [%s]\n",valid);
}
else
log_printf ("\n");
}
}
/* For good signatures print notation data. */
if (!rc)
{
if ((opt.verify_options & VERIFY_SHOW_POLICY_URLS))
show_policy_url (sig, 0, 1);
else
show_policy_url (sig, 0, 2);
if ((opt.verify_options & VERIFY_SHOW_KEYSERVER_URLS))
show_keyserver_url (sig, 0, 1);
else
show_keyserver_url (sig, 0, 2);
if ((opt.verify_options & VERIFY_SHOW_NOTATIONS))
show_notation
(sig, 0, 1,
(((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0)
+ ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0)));
else
show_notation (sig, 0, 2, 0);
}
/* For good signatures print the VALIDSIG status line. */
if (!rc && is_status_enabled () && pk)
{
char pkhex[MAX_FINGERPRINT_LEN*2+1];
char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
hexfingerprint (pk, pkhex, sizeof pkhex);
hexfingerprint (mainpk, mainpkhex, sizeof mainpkhex);
/* TODO: Replace the reserved '0' in the field below with
bits for status flags (policy url, notation, etc.). */
write_status_printf (STATUS_VALIDSIG,
"%s %s %lu %lu %d 0 %d %d %02X %s",
pkhex,
strtimestamp (sig->timestamp),
(ulong)sig->timestamp,
(ulong)sig->expiredate,
sig->version, sig->pubkey_algo,
sig->digest_algo,
sig->sig_class,
mainpkhex);
}
+ /* Print compliance warning for Good signatures. */
+ if (!rc && pk && !opt.quiet
+ && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
+ pk->pkey, nbits_from_pk (pk), NULL))
+ {
+ log_info (_("WARNING: This key is not suitable for signing"
+ " in %s mode\n"),
+ gnupg_compliance_option_string (opt.compliance));
+ }
+
/* For good signatures compute and print the trust information.
Note that in the Tofu trust model this may ask the user on
how to resolve a conflict. */
if (!rc)
{
if ((opt.verify_options & VERIFY_PKA_LOOKUPS))
pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */
rc = check_signatures_trust (c->ctrl, sig);
}
/* Print extra information about the signature. */
if (sig->flags.expired)
{
log_info (_("Signature expired %s\n"), asctimestamp(sig->expiredate));
rc = GPG_ERR_GENERAL; /* Need a better error here? */
}
else if (sig->expiredate)
log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
if (opt.verbose)
{
char pkstrbuf[PUBKEY_STRING_SIZE];
if (pk)
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
else
*pkstrbuf = 0;
log_info (_("%s signature, digest algorithm %s%s%s\n"),
sig->sig_class==0x00?_("binary"):
sig->sig_class==0x01?_("textmode"):_("unknown"),
gcry_md_algo_name (sig->digest_algo),
*pkstrbuf?_(", key algorithm "):"", pkstrbuf);
}
/* Print final warnings. */
if (!rc && !c->signed_data.used)
{
/* Signature is basically good but we test whether the
deprecated command
gpg --verify FILE.sig
was used instead of
gpg --verify FILE.sig FILE
to verify a detached signature. If we figure out that a
data file with a matching name exists, we print a warning.
The problem is that the first form would also verify a
standard signature. This behavior could be used to
create a made up .sig file for a tarball by creating a
standard signature from a valid detached signature packet
(for example from a signed git tag). Then replace the
sig file on the FTP server along with a changed tarball.
Using the first form the verify command would correctly
verify the signature but don't even consider the tarball. */
kbnode_t n;
char *dfile;
dfile = get_matching_datafile (c->sigfilename);
if (dfile)
{
for (n = c->list; n; n = n->next)
if (n->pkt->pkttype != PKT_SIGNATURE)
break;
if (n)
{
/* Not only signature packets in the tree thus this
is not a detached signature. */
log_info (_("WARNING: not a detached signature; "
"file '%s' was NOT verified!\n"), dfile);
}
xfree (dfile);
}
}
/* Compute compliance with CO_DE_VS. */
if (pk && is_status_enabled ()
&& gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
nbits_from_pk (pk), NULL)
&& gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS),
NULL);
free_public_key (pk);
pk = NULL;
release_kbnode( keyblock );
if (rc)
g10_errors_seen = 1;
if (opt.batch && rc)
g10_exit (1);
}
else
{
char buf[50];
snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
(ulong)sig->keyid[0], (ulong)sig->keyid[1],
sig->pubkey_algo, sig->digest_algo,
sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
write_status_text (STATUS_ERRSIG, buf);
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
{
buf[16] = 0;
write_status_text (STATUS_NO_PUBKEY, buf);
}
if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
}
return rc;
}
/*
* Process the tree which starts at node
*/
static void
proc_tree (CTX c, kbnode_t node)
{
kbnode_t n1;
int rc;
if (opt.list_packets || opt.list_only)
return;
/* We must skip our special plaintext marker packets here because
they may be the root packet. These packets are only used in
additional checks and skipping them here doesn't matter. */
while (node
&& node->pkt->pkttype == PKT_GPG_CONTROL
&& node->pkt->pkt.gpg_control->control == CTRLPKT_PLAINTEXT_MARK)
{
node = node->next;
}
if (!node)
return;
c->trustletter = ' ';
if (node->pkt->pkttype == PKT_PUBLIC_KEY
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
{
merge_keys_and_selfsig (c->ctrl, node);
list_node (c, node);
}
else if (node->pkt->pkttype == PKT_SECRET_KEY)
{
merge_keys_and_selfsig (c->ctrl, node);
list_node (c, node);
}
else if (node->pkt->pkttype == PKT_ONEPASS_SIG)
{
/* Check all signatures. */
if (!c->any.data)
{
int use_textmode = 0;
free_md_filter_context (&c->mfx);
/* Prepare to create all requested message digests. */
rc = gcry_md_open (&c->mfx.md, 0, 0);
if (rc)
goto hash_err;
/* Fixme: why looking for the signature packet and not the
one-pass packet? */
for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
gcry_md_enable (c->mfx.md, n1->pkt->pkt.signature->digest_algo);
if (n1 && n1->pkt->pkt.onepass_sig->sig_class == 0x01)
use_textmode = 1;
/* Ask for file and hash it. */
if (c->sigs_only)
{
if (c->signed_data.used && c->signed_data.data_fd != -1)
rc = hash_datafile_by_fd (c->mfx.md, NULL,
c->signed_data.data_fd,
use_textmode);
else
rc = hash_datafiles (c->mfx.md, NULL,
c->signed_data.data_names,
c->sigfilename,
use_textmode);
}
else
{
rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
iobuf_get_real_fname (c->iobuf),
use_textmode);
}
hash_err:
if (rc)
{
log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
return;
}
}
else if (c->signed_data.used)
{
log_error (_("not a detached signature\n"));
return;
}
for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
check_sig_and_print (c, n1);
}
else if (node->pkt->pkttype == PKT_GPG_CONTROL
&& node->pkt->pkt.gpg_control->control == CTRLPKT_CLEARSIGN_START)
{
/* Clear text signed message. */
if (!c->any.data)
{
log_error ("cleartext signature without data\n");
return;
}
else if (c->signed_data.used)
{
log_error (_("not a detached signature\n"));
return;
}
for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
check_sig_and_print (c, n1);
}
else if (node->pkt->pkttype == PKT_SIGNATURE)
{
PKT_signature *sig = node->pkt->pkt.signature;
int multiple_ok = 1;
n1 = find_next_kbnode (node, PKT_SIGNATURE);
if (n1)
{
byte class = sig->sig_class;
byte hash = sig->digest_algo;
for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
{
/* We can't currently handle multiple signatures of
* different classes (we'd pretty much have to run a
* different hash context for each), but if they are all
* the same and it is detached signature, we make an
* exception. Note that the old code also disallowed
* multiple signatures if the digest algorithms are
* different. We softened this restriction only for
* detached signatures, to be on the safe side. */
if (n1->pkt->pkt.signature->sig_class != class
|| (c->any.data
&& n1->pkt->pkt.signature->digest_algo != hash))
{
multiple_ok = 0;
log_info (_("WARNING: multiple signatures detected. "
"Only the first will be checked.\n"));
break;
}
}
}
if (sig->sig_class != 0x00 && sig->sig_class != 0x01)
{
log_info(_("standalone signature of class 0x%02x\n"), sig->sig_class);
}
else if (!c->any.data)
{
/* Detached signature */
free_md_filter_context (&c->mfx);
rc = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);
if (rc)
goto detached_hash_err;
if (multiple_ok)
{
/* If we have and want to handle multiple signatures we
* need to enable all hash algorithms for the context. */
for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
gcry_md_enable (c->mfx.md,
map_md_openpgp_to_gcry
(n1->pkt->pkt.signature->digest_algo));
}
if (RFC2440 || RFC4880)
; /* Strict RFC mode. */
else if (sig->digest_algo == DIGEST_ALGO_SHA1
&& sig->pubkey_algo == PUBKEY_ALGO_DSA
&& sig->sig_class == 0x01)
{
/* Enable a workaround for a pgp5 bug when the detached
* signature has been created in textmode. Note that we
* do not implement this for multiple signatures with
* different hash algorithms. */
rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
if (rc)
goto detached_hash_err;
}
/* Here we used to have another hack to work around a pgp
* 2 bug: It worked by not using the textmode for detached
* signatures; this would let the first signature check
* (on md) fail but the second one (on md2), which adds an
* extra CR would then have produced the "correct" hash.
* This is very, very ugly hack but it may haved help in
* some cases (and break others).
* c->mfx.md2? 0 :(sig->sig_class == 0x01)
*/
if (DBG_HASHING)
{
gcry_md_debug (c->mfx.md, "verify");
if (c->mfx.md2)
gcry_md_debug (c->mfx.md2, "verify2");
}
if (c->sigs_only)
{
if (c->signed_data.used && c->signed_data.data_fd != -1)
rc = hash_datafile_by_fd (c->mfx.md, c->mfx.md2,
c->signed_data.data_fd,
(sig->sig_class == 0x01));
else
rc = hash_datafiles (c->mfx.md, c->mfx.md2,
c->signed_data.data_names,
c->sigfilename,
(sig->sig_class == 0x01));
}
else
{
rc = ask_for_detached_datafile (c->mfx.md, c->mfx.md2,
iobuf_get_real_fname(c->iobuf),
(sig->sig_class == 0x01));
}
detached_hash_err:
if (rc)
{
log_error ("can't hash datafile: %s\n", gpg_strerror (rc));
return;
}
}
else if (c->signed_data.used)
{
log_error (_("not a detached signature\n"));
return;
}
else if (!opt.quiet)
log_info (_("old style (PGP 2.x) signature\n"));
if (multiple_ok)
{
for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
check_sig_and_print (c, n1);
}
else
check_sig_and_print (c, node);
}
else
{
dump_kbnode (c->list);
log_error ("invalid root packet detected in proc_tree()\n");
dump_kbnode (node);
}
}
diff --git a/g10/sig-check.c b/g10/sig-check.c
index 912317998..2a3acc40b 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -1,1167 +1,1168 @@
/* sig-check.c - Check a signature
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
* 2004, 2006 Free Software Foundation, Inc.
* Copyright (C) 2015, 2016 g10 Code GmbH
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include
#include
#include "gpg.h"
#include "../common/util.h"
#include "packet.h"
#include "keydb.h"
#include "main.h"
#include "../common/status.h"
#include "../common/i18n.h"
#include "options.h"
#include "pkglue.h"
#include "../common/compliance.h"
static int check_signature_end (PKT_public_key *pk, PKT_signature *sig,
gcry_md_hd_t digest,
int *r_expired, int *r_revoked,
PKT_public_key *ret_pk);
static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
gcry_md_hd_t digest);
/* Statistics for signature verification. */
struct
{
unsigned int total; /* Total number of verifications. */
unsigned int cached; /* Number of seen cache entries. */
unsigned int goodsig;/* Number of good verifications from the cache. */
unsigned int badsig; /* Number of bad verifications from the cache. */
} cache_stats;
/* Dump verification stats. */
void
sig_check_dump_stats (void)
{
log_info ("sig_cache: total=%u cached=%u good=%u bad=%u\n",
cache_stats.total, cache_stats.cached,
cache_stats.goodsig, cache_stats.badsig);
}
/* Check a signature. This is shorthand for check_signature2 with
the unnamed arguments passed as NULL. */
int
check_signature (ctrl_t ctrl, PKT_signature *sig, gcry_md_hd_t digest)
{
return check_signature2 (ctrl, sig, digest, NULL, NULL, NULL, NULL);
}
/* Check a signature.
*
* Looks up the public key that created the signature (SIG->KEYID)
* from the key db. Makes sure that the signature is valid (it was
* not created prior to the key, the public key was created in the
* past, and the signature does not include any unsupported critical
* features), finishes computing the hash of the signature data, and
* checks that the signature verifies the digest. If the key that
* generated the signature is a subkey, this function also verifies
* that there is a valid backsig from the subkey to the primary key.
* Finally, if status fd is enabled and the signature class is 0x00 or
* 0x01, then a STATUS_SIG_ID is emitted on the status fd.
*
* SIG is the signature to check.
*
* DIGEST contains a valid hash context that already includes the
* signed data. This function adds the relevant meta-data from the
* signature packet to compute the final hash. (See Section 5.2 of
* RFC 4880: "The concatenation of the data being signed and the
* signature data from the version number through the hashed subpacket
* data (inclusive) is hashed.")
*
* If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's
* expiry.
*
* If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
* (0 otherwise). Note: PK being expired does not cause this function
* to fail.
*
* If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
* revoked (0 otherwise). Note: PK being revoked does not cause this
* function to fail.
*
* If R_PK is not NULL, the public key is stored at that address if it
* was found; other wise NULL is stored.
*
* Returns 0 on success. An error code otherwise. */
gpg_error_t
check_signature2 (ctrl_t ctrl,
PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
int *r_expired, int *r_revoked, PKT_public_key **r_pk)
{
int rc=0;
PKT_public_key *pk;
if (r_expiredate)
*r_expiredate = 0;
if (r_expired)
*r_expired = 0;
if (r_revoked)
*r_revoked = 0;
if (r_pk)
*r_pk = NULL;
pk = xtrycalloc (1, sizeof *pk);
if (!pk)
return gpg_error_from_syserror ();
if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
; /* We don't have this digest. */
else if (! gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo))
{
/* Compliance failure. */
log_info (_("you may not use digest algorithm '%s'"
" while in %s mode\n"),
gcry_md_algo_name (sig->digest_algo),
gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_DIGEST_ALGO);
}
else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
; /* We don't have this pubkey algo. */
else if (!gcry_md_is_enabled (digest,sig->digest_algo))
{
/* Sanity check that the md has a context for the hash that the
sig is expecting. This can happen if a onepass sig header does
not match the actual sig, and also if the clearsign "Hash:"
header is missing or does not match the actual sig. */
log_info(_("WARNING: signature digest conflict in message\n"));
rc = gpg_error (GPG_ERR_GENERAL);
}
else if( get_pubkey (ctrl, pk, sig->keyid ) )
rc = gpg_error (GPG_ERR_NO_PUBKEY);
else if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pk->pubkey_algo, pk->pkey,
nbits_from_pk (pk),
NULL))
{
/* Compliance failure. */
- log_info (_("key %s not suitable for signature verification"
- " while in %s mode\n"),
- keystr_from_pk (pk),
- gnupg_compliance_option_string (opt.compliance));
+ log_error (_("key %s is not suitable for signature verification"
+ " in %s mode\n"),
+ keystr_from_pk (pk),
+ gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
}
else if(!pk->flags.valid)
{
/* You cannot have a good sig from an invalid key. */
rc = gpg_error (GPG_ERR_BAD_PUBKEY);
}
else
{
if(r_expiredate)
*r_expiredate = pk->expiredate;
rc = check_signature_end (pk, sig, digest, r_expired, r_revoked, NULL);
/* Check the backsig. This is a 0x19 signature from the
subkey on the primary key. The idea here is that it should
not be possible for someone to "steal" subkeys and claim
them as their own. The attacker couldn't actually use the
subkey, but they could try and claim ownership of any
signatures issued by it. */
if (!rc && !pk->flags.primary && pk->flags.backsig < 2)
{
if (!pk->flags.backsig)
{
log_info(_("WARNING: signing subkey %s is not"
" cross-certified\n"),keystr_from_pk(pk));
log_info(_("please see %s for more information\n"),
"https://gnupg.org/faq/subkey-cross-certify.html");
/* --require-cross-certification makes this warning an
error. TODO: change the default to require this
after more keys have backsigs. */
if(opt.flags.require_cross_cert)
rc = gpg_error (GPG_ERR_GENERAL);
}
else if(pk->flags.backsig == 1)
{
log_info(_("WARNING: signing subkey %s has an invalid"
" cross-certification\n"),keystr_from_pk(pk));
rc = gpg_error (GPG_ERR_GENERAL);
}
}
+
}
if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
/* This signature id works best with DLP algorithms because
* they use a random parameter for every signature. Instead of
* this sig-id we could have also used the hash of the document
* and the timestamp, but the drawback of this is, that it is
* not possible to sign more than one identical document within
* one second. Some remote batch processing applications might
* like this feature here.
*
* Note that before 2.0.10, we used RIPE-MD160 for the hash
* and accidentally didn't include the timestamp and algorithm
* information in the hash. Given that this feature is not
* commonly used and that a replay attacks detection should
* not solely be based on this feature (because it does not
* work with RSA), we take the freedom and switch to SHA-1
* with 2.0.10 to take advantage of hardware supported SHA-1
* implementations. We also include the missing information
* in the hash. Note also the SIG_ID as computed by gpg 1.x
* and gpg 2.x didn't matched either because 2.x used to print
* MPIs not in PGP format. */
u32 a = sig->timestamp;
int nsig = pubkey_get_nsig( sig->pubkey_algo );
unsigned char *p, *buffer;
size_t n, nbytes;
int i;
char hashbuf[20];
nbytes = 6;
for (i=0; i < nsig; i++ )
{
if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i]))
BUG();
nbytes += n;
}
/* Make buffer large enough to be later used as output buffer. */
if (nbytes < 100)
nbytes = 100;
nbytes += 10; /* Safety margin. */
/* Fill and hash buffer. */
buffer = p = xmalloc (nbytes);
*p++ = sig->pubkey_algo;
*p++ = sig->digest_algo;
*p++ = (a >> 24) & 0xff;
*p++ = (a >> 16) & 0xff;
*p++ = (a >> 8) & 0xff;
*p++ = a & 0xff;
nbytes -= 6;
for (i=0; i < nsig; i++ )
{
if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i]))
BUG();
p += n;
nbytes -= n;
}
gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer);
p = make_radix64_string (hashbuf, 20);
sprintf (buffer, "%s %s %lu",
p, strtimestamp (sig->timestamp), (ulong)sig->timestamp);
xfree (p);
write_status_text (STATUS_SIG_ID, buffer);
xfree (buffer);
}
if (r_pk)
*r_pk = pk;
else
{
release_public_key_parts (pk);
xfree (pk);
}
return rc;
}
/* The signature SIG was generated with the public key PK. Check
* whether the signature is valid in the following sense:
*
* - Make sure the public key was created before the signature was
* generated.
*
* - Make sure the public key was created in the past
*
* - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0
* otherwise)
*
* - Check whether PK has been revoked (set *R_REVOKED to 1 if so
* and 0 otherwise).
*
* If either of the first two tests fail, returns an error code.
* Otherwise returns 0. (Thus, this function doesn't fail if the
* public key is expired or revoked.) */
static int
check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig,
int *r_expired, int *r_revoked)
{
u32 cur_time;
if(r_expired)
*r_expired = 0;
if(r_revoked)
*r_revoked = 0;
if( pk->timestamp > sig->timestamp )
{
ulong d = pk->timestamp - sig->timestamp;
if ( d < 86400 )
{
log_info
(ngettext
("public key %s is %lu second newer than the signature\n",
"public key %s is %lu seconds newer than the signature\n",
d), keystr_from_pk (pk), d);
}
else
{
d /= 86400;
log_info
(ngettext
("public key %s is %lu day newer than the signature\n",
"public key %s is %lu days newer than the signature\n",
d), keystr_from_pk (pk), d);
}
if (!opt.ignore_time_conflict)
return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */
}
cur_time = make_timestamp();
if( pk->timestamp > cur_time )
{
ulong d = pk->timestamp - cur_time;
if (d < 86400)
{
log_info (ngettext("key %s was created %lu second"
" in the future (time warp or clock problem)\n",
"key %s was created %lu seconds"
" in the future (time warp or clock problem)\n",
d), keystr_from_pk (pk), d);
}
else
{
d /= 86400;
log_info (ngettext("key %s was created %lu day"
" in the future (time warp or clock problem)\n",
"key %s was created %lu days"
" in the future (time warp or clock problem)\n",
d), keystr_from_pk (pk), d);
}
if (!opt.ignore_time_conflict)
return GPG_ERR_TIME_CONFLICT;
}
/* Check whether the key has expired. We check the has_expired
flag which is set after a full evaluation of the key (getkey.c)
as well as a simple compare to the current time in case the
merge has for whatever reasons not been done. */
if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
char buf[11];
if (opt.verbose)
log_info(_("Note: signature key %s expired %s\n"),
keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
sprintf(buf,"%lu",(ulong)pk->expiredate);
write_status_text(STATUS_KEYEXPIRED,buf);
if(r_expired)
*r_expired = 1;
}
if (pk->flags.revoked)
{
if (opt.verbose)
log_info (_("Note: signature key %s has been revoked\n"),
keystr_from_pk(pk));
if (r_revoked)
*r_revoked=1;
}
return 0;
}
/* Finish generating a signature and check it. Concretely: make sure
* that the signature is valid (it was not created prior to the key,
* the public key was created in the past, and the signature does not
* include any unsupported critical features), finish computing the
* digest by adding the relevant data from the signature packet, and
* check that the signature verifies the digest.
*
* DIGEST contains a hash context, which has already hashed the signed
* data. This function adds the relevant meta-data from the signature
* packet to compute the final hash. (See Section 5.2 of RFC 4880:
* "The concatenation of the data being signed and the signature data
* from the version number through the hashed subpacket data
* (inclusive) is hashed.")
*
* SIG is the signature to check.
*
* PK is the public key used to generate the signature.
*
* If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
* (0 otherwise). Note: PK being expired does not cause this function
* to fail.
*
* If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
* revoked (0 otherwise). Note: PK being revoked does not cause this
* function to fail.
*
* If RET_PK is not NULL, PK is copied into RET_PK on success.
*
* Returns 0 on success. An error code other. */
static int
check_signature_end (PKT_public_key *pk, PKT_signature *sig,
gcry_md_hd_t digest,
int *r_expired, int *r_revoked, PKT_public_key *ret_pk)
{
int rc = 0;
if ((rc = check_signature_metadata_validity (pk, sig,
r_expired, r_revoked)))
return rc;
if ((rc = check_signature_end_simple (pk, sig, digest)))
return rc;
if(!rc && ret_pk)
copy_public_key(ret_pk,pk);
return rc;
}
/* This function is similar to check_signature_end, but it only checks
whether the signature was generated by PK. It does not check
expiration, revocation, etc. */
static int
check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
gcry_md_hd_t digest)
{
gcry_mpi_t result = NULL;
int rc = 0;
const struct weakhash *weak;
if (!opt.flags.allow_weak_digest_algos)
for (weak = opt.weak_digests; weak; weak = weak->next)
if (sig->digest_algo == weak->algo)
{
print_digest_rejected_note(sig->digest_algo);
return GPG_ERR_DIGEST_ALGO;
}
/* Make sure the digest algo is enabled (in case of a detached
signature). */
gcry_md_enable (digest, sig->digest_algo);
/* Complete the digest. */
if( sig->version >= 4 )
gcry_md_putc( digest, sig->version );
gcry_md_putc( digest, sig->sig_class );
if( sig->version < 4 ) {
u32 a = sig->timestamp;
gcry_md_putc( digest, (a >> 24) & 0xff );
gcry_md_putc( digest, (a >> 16) & 0xff );
gcry_md_putc( digest, (a >> 8) & 0xff );
gcry_md_putc( digest, a & 0xff );
}
else {
byte buf[6];
size_t n;
gcry_md_putc( digest, sig->pubkey_algo );
gcry_md_putc( digest, sig->digest_algo );
if( sig->hashed ) {
n = sig->hashed->len;
gcry_md_putc (digest, (n >> 8) );
gcry_md_putc (digest, n );
gcry_md_write (digest, sig->hashed->data, n);
n += 6;
}
else {
/* Two octets for the (empty) length of the hashed
section. */
gcry_md_putc (digest, 0);
gcry_md_putc (digest, 0);
n = 6;
}
/* add some magic per Section 5.2.4 of RFC 4880. */
buf[0] = sig->version;
buf[1] = 0xff;
buf[2] = n >> 24;
buf[3] = n >> 16;
buf[4] = n >> 8;
buf[5] = n;
gcry_md_write( digest, buf, 6 );
}
gcry_md_final( digest );
/* Convert the digest to an MPI. */
result = encode_md_value (pk, digest, sig->digest_algo );
if (!result)
return GPG_ERR_GENERAL;
/* Verify the signature. */
rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
gcry_mpi_release (result);
if( !rc && sig->flags.unknown_critical )
{
log_info(_("assuming bad signature from key %s"
" due to an unknown critical bit\n"),keystr_from_pk(pk));
rc = GPG_ERR_BAD_SIGNATURE;
}
return rc;
}
/* Add a uid node to a hash context. See section 5.2.4, paragraph 4
of RFC 4880. */
static void
hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig )
{
if( uid->attrib_data ) {
if( sig->version >=4 ) {
byte buf[5];
buf[0] = 0xd1; /* packet of type 17 */
buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
buf[2] = uid->attrib_len >> 16;
buf[3] = uid->attrib_len >> 8;
buf[4] = uid->attrib_len;
gcry_md_write( md, buf, 5 );
}
gcry_md_write( md, uid->attrib_data, uid->attrib_len );
}
else {
if( sig->version >=4 ) {
byte buf[5];
buf[0] = 0xb4; /* indicates a userid packet */
buf[1] = uid->len >> 24; /* always use 4 length bytes */
buf[2] = uid->len >> 16;
buf[3] = uid->len >> 8;
buf[4] = uid->len;
gcry_md_write( md, buf, 5 );
}
gcry_md_write( md, uid->name, uid->len );
}
}
static void
cache_sig_result ( PKT_signature *sig, int result )
{
if ( !result ) {
sig->flags.checked = 1;
sig->flags.valid = 1;
}
else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
sig->flags.checked = 1;
sig->flags.valid = 0;
}
else {
sig->flags.checked = 0;
sig->flags.valid = 0;
}
}
/* SIG is a key revocation signature. Check if this signature was
* generated by any of the public key PK's designated revokers.
*
* PK is the public key that SIG allegedly revokes.
*
* SIG is the revocation signature to check.
*
* This function avoids infinite recursion, which can happen if two
* keys are designed revokers for each other and they revoke each
* other. This is done by observing that if a key A is revoked by key
* B we still consider the revocation to be valid even if B is
* revoked. Thus, we don't need to determine whether B is revoked to
* determine whether A has been revoked by B, we just need to check
* the signature.
*
* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
* revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is
* only returned when a revocation signature is from a valid
* revocation key designated in a revkey subpacket, but the revocation
* key itself isn't present.
*
* XXX: This code will need to be modified if gpg ever becomes
* multi-threaded. Note that this guarantees that a designated
* revocation sig will never be considered valid unless it is actually
* valid, as well as being issued by a revocation key in a valid
* direct signature. Note also that this is written so that a revoked
* revoker can still issue revocations: i.e. If A revokes B, but A is
* revoked, B is still revoked. I'm not completely convinced this is
* the proper behavior, but it matches how PGP does it. -dms */
int
check_revocation_keys (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig)
{
static int busy=0;
int i;
int rc = GPG_ERR_GENERAL;
log_assert (IS_KEY_REV(sig));
log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
/* Avoid infinite recursion. Consider the following:
*
* - We want to check if A is revoked.
*
* - C is a designated revoker for B and has revoked B.
*
* - B is a designated revoker for A and has revoked A.
*
* When checking if A is revoked (in merge_selfsigs_main), we
* observe that A has a designed revoker. As such, we call this
* function. This function sees that there is a valid revocation
* signature, which is signed by B. It then calls check_signature()
* to verify that the signature is good. To check the sig, we need
* to lookup B. Looking up B means calling merge_selfsigs_main,
* which checks whether B is revoked, which calls this function to
* see if B was revoked by some key.
*
* In this case, the added level of indirection doesn't hurt. It
* just means a bit more work. However, if C == A, then we'd end up
* in a loop. But, it doesn't make sense to look up C anyways: even
* if B is revoked, we conservatively consider a valid revocation
* signed by B to revoke A. Since this is the only place where this
* type of recursion can occur, we simply cause this function to
* fail if it is entered recursively. */
if (busy)
{
/* Return an error (i.e. not revoked), but mark the pk as
uncacheable as we don't really know its revocation status
until it is checked directly. */
pk->flags.dont_cache = 1;
return rc;
}
busy=1;
/* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
(ulong)sig->keyid[1]); */
/* is the issuer of the sig one of our revokers? */
if( !pk->revkey && pk->numrevkeys )
BUG();
else
for(i=0;inumrevkeys;i++)
{
/* The revoker's keyid. */
u32 keyid[2];
keyid_from_fingerprint (ctrl, pk->revkey[i].fpr,
MAX_FINGERPRINT_LEN, keyid);
if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
/* The signature was generated by a designated revoker.
Verify the signature. */
{
gcry_md_hd_t md;
if (gcry_md_open (&md, sig->digest_algo, 0))
BUG ();
hash_public_key(md,pk);
/* Note: check_signature only checks that the signature
is good. It does not fail if the key is revoked. */
rc = check_signature (ctrl, sig, md);
cache_sig_result(sig,rc);
gcry_md_close (md);
break;
}
}
busy=0;
return rc;
}
/* Check that the backsig BACKSIG from the subkey SUB_PK to its
primary key MAIN_PK is valid.
Backsigs (0x19) have the same format as binding sigs (0x18), but
this function is simpler than check_key_signature in a few ways.
For example, there is no support for expiring backsigs since it is
questionable what such a thing actually means. Note also that the
sig cache check here, unlike other sig caches in GnuPG, is not
persistent. */
int
check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk,
PKT_signature *backsig)
{
gcry_md_hd_t md;
int rc;
/* Always check whether the algorithm is available. Although
gcry_md_open would throw an error, some libgcrypt versions will
print a debug message in that case too. */
if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
return rc;
if(!opt.no_sig_cache && backsig->flags.checked)
return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
rc = gcry_md_open (&md, backsig->digest_algo,0);
if (!rc)
{
hash_public_key(md,main_pk);
hash_public_key(md,sub_pk);
rc = check_signature_end (sub_pk, backsig, md, NULL, NULL, NULL);
cache_sig_result(backsig,rc);
gcry_md_close(md);
}
return rc;
}
/* Check that a signature over a key is valid. This is a
* specialization of check_key_signature2 with the unnamed parameters
* passed as NULL. See the documentation for that function for more
* details. */
int
check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node,
int *is_selfsig)
{
return check_key_signature2 (ctrl, root, node, NULL, NULL,
is_selfsig, NULL, NULL);
}
/* Returns whether SIGNER generated the signature SIG over the packet
PACKET, which is a key, subkey or uid, and comes from the key block
KB. (KB is PACKET's corresponding keyblock; we don't assume that
SIG has been added to the keyblock.)
If SIGNER is set, then checks whether SIGNER generated the
signature. Otherwise, uses SIG->KEYID to find the alleged signer.
This parameter can be used to effectively override the alleged
signer that is stored in SIG.
KB may be NULL if SIGNER is set.
Unlike check_key_signature, this function ignores any cached
results! That is, it does not consider SIG->FLAGS.CHECKED and
SIG->FLAGS.VALID nor does it set them.
This doesn't check the signature's semantic mean. Concretely, it
doesn't check whether a non-self signed revocation signature was
created by a designated revoker. In fact, it doesn't return an
error for a binding generated by a completely different key!
Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if
this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if
the key that generated the signature (according to SIG) could not
be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad.
Other errors codes may be returned if something else goes wrong.
IF IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a
self-signature (by the key's primary key) or 0 if not.
If RET_PK is not NULL, returns a copy of the public key that
generated the signature (i.e., the signer) on success. This must
be released by the caller using release_public_key_parts (). */
gpg_error_t
check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
PKT_signature *sig, KBNODE kb, PACKET *packet,
int *is_selfsig, PKT_public_key *ret_pk)
{
int rc;
PKT_public_key *pripk = kb->pkt->pkt.public_key;
gcry_md_hd_t md;
int signer_alloced = 0;
rc = openpgp_pk_test_algo (sig->pubkey_algo);
if (rc)
return rc;
rc = openpgp_md_test_algo (sig->digest_algo);
if (rc)
return rc;
/* A signature's class indicates the type of packet that it
signs. */
if (/* Primary key binding (made by a subkey). */
sig->sig_class == 0x19
/* Direct key signature. */
|| sig->sig_class == 0x1f
/* Primary key revocation. */
|| sig->sig_class == 0x20)
{
if (packet->pkttype != PKT_PUBLIC_KEY)
/* Key revocations can only be over primary keys. */
return gpg_error (GPG_ERR_SIG_CLASS);
}
else if (/* Subkey binding. */
sig->sig_class == 0x18
/* Subkey revocation. */
|| sig->sig_class == 0x28)
{
if (packet->pkttype != PKT_PUBLIC_SUBKEY)
return gpg_error (GPG_ERR_SIG_CLASS);
}
else if (/* Certification. */
sig->sig_class == 0x10
|| sig->sig_class == 0x11
|| sig->sig_class == 0x12
|| sig->sig_class == 0x13
/* Certification revocation. */
|| sig->sig_class == 0x30)
{
if (packet->pkttype != PKT_USER_ID)
return gpg_error (GPG_ERR_SIG_CLASS);
}
else
return gpg_error (GPG_ERR_SIG_CLASS);
/* PACKET is the right type for SIG. */
if (signer)
{
if (is_selfsig)
{
if (signer->keyid[0] == pripk->keyid[0]
&& signer->keyid[1] == pripk->keyid[1])
*is_selfsig = 1;
else
*is_selfsig = 0;
}
}
else
{
/* Get the signer. If possible, avoid a look up. */
if (sig->keyid[0] == pripk->keyid[0]
&& sig->keyid[1] == pripk->keyid[1])
/* Issued by the primary key. */
{
signer = pripk;
if (is_selfsig)
*is_selfsig = 1;
}
else
{
kbnode_t ctx = NULL;
kbnode_t n;
/* See if one of the subkeys was the signer (although this
is extremely unlikely). */
while ((n = walk_kbnode (kb, &ctx, 0)))
{
PKT_public_key *subk;
if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY)
continue;
subk = n->pkt->pkt.public_key;
if (sig->keyid[0] == subk->keyid[0]
&& sig->keyid[1] == subk->keyid[1])
/* Issued by a subkey. */
{
signer = subk;
break;
}
}
if (! signer)
/* Signer by some other key. */
{
if (is_selfsig)
*is_selfsig = 0;
if (ret_pk)
{
signer = ret_pk;
memset (signer, 0, sizeof (*signer));
signer_alloced = 1;
}
else
{
signer = xmalloc_clear (sizeof (*signer));
signer_alloced = 2;
}
rc = get_pubkey (ctrl, signer, sig->keyid);
if (rc)
{
xfree (signer);
signer = NULL;
signer_alloced = 0;
goto out;
}
}
}
}
/* We checked above that we supported this algo, so an error here is
a bug. */
if (gcry_md_open (&md, sig->digest_algo, 0))
BUG ();
/* Hash the relevant data. */
if (/* Direct key signature. */
sig->sig_class == 0x1f
/* Primary key revocation. */
|| sig->sig_class == 0x20)
{
log_assert (packet->pkttype == PKT_PUBLIC_KEY);
hash_public_key (md, packet->pkt.public_key);
rc = check_signature_end_simple (signer, sig, md);
}
else if (/* Primary key binding (made by a subkey). */
sig->sig_class == 0x19)
{
log_assert (packet->pkttype == PKT_PUBLIC_KEY);
hash_public_key (md, packet->pkt.public_key);
hash_public_key (md, signer);
rc = check_signature_end_simple (signer, sig, md);
}
else if (/* Subkey binding. */
sig->sig_class == 0x18
/* Subkey revocation. */
|| sig->sig_class == 0x28)
{
log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY);
hash_public_key (md, pripk);
hash_public_key (md, packet->pkt.public_key);
rc = check_signature_end_simple (signer, sig, md);
}
else if (/* Certification. */
sig->sig_class == 0x10
|| sig->sig_class == 0x11
|| sig->sig_class == 0x12
|| sig->sig_class == 0x13
/* Certification revocation. */
|| sig->sig_class == 0x30)
{
log_assert (packet->pkttype == PKT_USER_ID);
hash_public_key (md, pripk);
hash_uid_packet (packet->pkt.user_id, md, sig);
rc = check_signature_end_simple (signer, sig, md);
}
else
/* We should never get here. (The first if above should have
already caught this error.) */
BUG ();
gcry_md_close (md);
out:
if (! rc && ret_pk && (signer_alloced == -1 || ret_pk != signer))
copy_public_key (ret_pk, signer);
if (signer_alloced == 1)
/* We looked up SIGNER; it is not a pointer into KB. */
{
release_public_key_parts (signer);
if (signer_alloced == 2)
/* We also allocated the memory. */
xfree (signer);
}
return rc;
}
/* Check that a signature over a key (e.g., a key revocation, key
* binding, user id certification, etc.) is valid. If the function
* detects a self-signature, it uses the public key from the specified
* key block and does not bother looking up the key specified in the
* signature packet.
*
* ROOT is a keyblock.
*
* NODE references a signature packet that appears in the keyblock
* that should be verified.
*
* If CHECK_PK is set, the specified key is sometimes preferred for
* verifying signatures. See the implementation for details.
*
* If RET_PK is not NULL, the public key that successfully verified
* the signature is copied into *RET_PK.
*
* If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a
* self-signature.
*
* If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry
* date.
*
* If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been
* expired (0 otherwise). Note: PK being revoked does not cause this
* function to fail.
*
*
* If OPT.NO_SIG_CACHE is not set, this function will first check if
* the result of a previous verification is already cached in the
* signature packet's data structure.
*
* TODO: add r_revoked here as well. It has the same problems as
* r_expiredate and r_expired and the cache. */
int
check_key_signature2 (ctrl_t ctrl,
kbnode_t root, kbnode_t node, PKT_public_key *check_pk,
PKT_public_key *ret_pk, int *is_selfsig,
u32 *r_expiredate, int *r_expired )
{
PKT_public_key *pk;
PKT_signature *sig;
int algo;
int rc;
if (is_selfsig)
*is_selfsig = 0;
if (r_expiredate)
*r_expiredate = 0;
if (r_expired)
*r_expired = 0;
log_assert (node->pkt->pkttype == PKT_SIGNATURE);
log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY);
pk = root->pkt->pkt.public_key;
sig = node->pkt->pkt.signature;
algo = sig->digest_algo;
/* Check whether we have cached the result of a previous signature
check. Note that we may no longer have the pubkey or hash
needed to verify a sig, but can still use the cached value. A
cache refresh detects and clears these cases. */
if ( !opt.no_sig_cache )
{
cache_stats.total++;
if (sig->flags.checked) /* Cached status available. */
{
cache_stats.cached++;
if (is_selfsig)
{
u32 keyid[2];
keyid_from_pk (pk, keyid);
if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
*is_selfsig = 1;
}
/* BUG: This is wrong for non-self-sigs... needs to be the
actual pk. */
rc = check_signature_metadata_validity (pk, sig, r_expired, NULL);
if (rc)
return rc;
if (sig->flags.valid)
{
cache_stats.goodsig++;
return 0;
}
cache_stats.badsig++;
return gpg_error (GPG_ERR_BAD_SIGNATURE);
}
}
rc = openpgp_pk_test_algo(sig->pubkey_algo);
if (rc)
return rc;
rc = openpgp_md_test_algo(algo);
if (rc)
return rc;
if (sig->sig_class == 0x20) /* key revocation */
{
u32 keyid[2];
keyid_from_pk( pk, keyid );
/* Is it a designated revoker? */
if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1])
rc = check_revocation_keys (ctrl, pk, sig);
else
{
rc = check_signature_metadata_validity (pk, sig,
r_expired, NULL);
if (! rc)
rc = check_signature_over_key_or_uid (ctrl, pk, sig,
root, root->pkt,
is_selfsig, ret_pk);
}
}
else if (sig->sig_class == 0x28 /* subkey revocation */
|| sig->sig_class == 0x18) /* key binding */
{
kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY);
if (snode)
{
rc = check_signature_metadata_validity (pk, sig,
r_expired, NULL);
if (! rc)
/* 0x28 must be a self-sig, but 0x18 needn't be. */
rc = check_signature_over_key_or_uid (ctrl,
sig->sig_class == 0x18
? NULL : pk,
sig, root, snode->pkt,
is_selfsig, ret_pk);
}
else
{
if (opt.verbose)
{
if (sig->sig_class == 0x28)
log_info (_("key %s: no subkey for subkey"
" revocation signature\n"), keystr_from_pk(pk));
else if (sig->sig_class == 0x18)
log_info(_("key %s: no subkey for subkey"
" binding signature\n"), keystr_from_pk(pk));
}
rc = GPG_ERR_SIG_CLASS;
}
}
else if (sig->sig_class == 0x1f) /* direct key signature */
{
rc = check_signature_metadata_validity (pk, sig,
r_expired, NULL);
if (! rc)
rc = check_signature_over_key_or_uid (ctrl, pk, sig, root, root->pkt,
is_selfsig, ret_pk);
}
else if (/* Certification. */
sig->sig_class == 0x10
|| sig->sig_class == 0x11
|| sig->sig_class == 0x12
|| sig->sig_class == 0x13
/* Certification revocation. */
|| sig->sig_class == 0x30)
{
kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID);
if (unode)
{
rc = check_signature_metadata_validity (pk, sig, r_expired, NULL);
if (! rc)
/* If this is a self-sig, ignore check_pk. */
rc = check_signature_over_key_or_uid
(ctrl,
keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk,
sig, root, unode->pkt, NULL, ret_pk);
}
else
{
if (!opt.quiet)
log_info ("key %s: no user ID for key signature packet"
" of class %02x\n",keystr_from_pk(pk),sig->sig_class);
rc = GPG_ERR_SIG_CLASS;
}
}
else
{
log_info ("sig issued by %s with class %d (digest: %02x %02x)"
" is not valid over a user id or a key id, ignoring.\n",
keystr (sig->keyid), sig->sig_class,
sig->digest_start[0], sig->digest_start[1]);
rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
}
cache_sig_result (sig, rc);
return rc;
}