+ /* It is not in all cases possible to check multiple signatures:
+ * PGP 2 (which is also allowed by OpenPGP), does use the packet
+ * sequence: sig+data, OpenPGP does use onepas+data=sig and GnuPG
+ * sometimes uses (because I did'nt read the specs right) data+sig.
+ * Because it is possible to create multiple signatures with
+ * different packet sequence (e.g. data+sig and sig+data) it might
+ * not be possible to get it right: let's say we have:
+ * data+sig, sig+data,sig+data and we have not yet encountered the last
+ * data, we could also see this a one data with 2 signatures and then
+ * data+sig.
+ * To protect against this we check that all signatures follow
+ * without any intermediate packets. Note, that we won't get this
+ * error when we use onepass packets or cleartext signatures because
+ * we reset the list every time
+ *
+ * FIXME: Now that we have these marker packets, we should create a
+ * real grammar and check against this.
+ */
+ {
+ KBNODE n;
+ int n_sig=0;
+
+ for (n=c->list; n; n=n->next ) {
+ if ( n->pkt->pkttype == PKT_SIGNATURE )
+ n_sig++;
+ }
+ if (n_sig > 1) { /* more than one signature - check sequence */
+ int tmp, onepass;
+
+ for (tmp=onepass=0,n=c->list; n; n=n->next ) {
+ if (n->pkt->pkttype == PKT_ONEPASS_SIG)
+ onepass++;
+ else if (n->pkt->pkttype == PKT_GPG_CONTROL
+ && n->pkt->pkt.gpg_control->control
+ == CTRLPKT_CLEARSIGN_START ) {
+ onepass++; /* handle the same way as a onepass */
+ }
+ else if ( (tmp && n->pkt->pkttype != PKT_SIGNATURE) ) {
+ log_error(_("can't handle these multiple signatures\n"));
+ return 0;
+ }
+ else if ( n->pkt->pkttype == PKT_SIGNATURE )
+ tmp = 1;
+ else if (!tmp && !onepass
+ && n->pkt->pkttype == PKT_GPG_CONTROL
+ && n->pkt->pkt.gpg_control->control
+ == CTRLPKT_PLAINTEXT_MARK ) {
+ /* plaintext before signatures but no one-pass packets*/
+ log_error(_("can't handle these multiple signatures\n"));
+ return 0;
+ }
+ }
+ }
+ }
+
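Review bot: Both rejection branches, the `tmp && n->pkt->pkttype != PKT_SIGNATURE` case and the `CTRLPKT_PLAINTEXT_MARK` case, end in `return 0;`, and the enclosing function begins outside this hunk, so its return convention is not visible here. If 0 is its success value, a caller that inspects only the return code cannot tell a refused packet sequence from a verified signature, and the refusal then depends entirely on the side effect of `log_error`. Either return the function's existing failure code (placeholder: `return <ERROR_CODE>;`) or add a comment at both sites such as `/* refusal is reported via log_error only; callers must check the error count */`. Separately, `tmp` is really a flag for "a signature packet has already been seen"; renaming it to something like `seen_sig` and declaring it on its own line would make this ordering rule easier to audit. The two failures also log the identical message, so a log reader cannot tell which rule rejected the input.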