core: New flags GPGME_DECRYPT_UNWRAP and GPGME_ENCRYPT_WRAP.

* src/gpgme.h.in (GPGME_ENCRYPT_WRAP): New const. (gpgme_decrypt_flags_t): New enum. (GPGME_DECRYPT_VERIFY): New const (GPGME_DECRYPT_UNWRAP): New const (gpgme_op_decrypt_ext_start): New func. (gpgme_op_decrypt_ext): New func. * src/decrypt-verify.c (gpgme_op_decrypt_ext_start): New. (gpgme_op_decrypt_ext): New. (decrypt_verify_start): Add arg FLAGS. Replace call to engine_op_decrypt_verify by the plain decrypt with the flag set. (gpgme_op_decrypt_verify_start): Pass the flag. (gpgme_op_decrypt_verify): Pass the flag. * src/decrypt.c (decrypt_start): Rename to ... (_gpgme_decrypt_start): this. Add arg FLAGS. Pass FLAGS to engine_op_decrypt. (gpgme_op_decrypt_start): Adjust for chnage pass 0 for FLAG. (gpgme_op_decrypt_start): Ditto. * src/engine.c (_gpgme_engine_op_decrypt_verify): Remove. (_gpgme_engine_op_decrypt): Add arg FLAGS. * src/gpgme.def, src/libgpgme.vers: Add new functions. * src/engine-backend.h (struct engine_ops): Remove member 'decrypt_verify'. Add FLAGS to 'decrypt'. Adjust all initialization. * src/engine-uiserver.c (uiserver_decrypt): Remove. (uiserver_decrypt_verify): Remove. (_uiserver_decrypt): Rename to ... (uiserver_decrypt): this. Replace arg VERIFY by new arg FLAGS. * src/engine-gpg.c (gpg_decrypt): Support GPGME_DECRYPT_UNWRAP. (gpg_encrypt): Support GPGME_ENCRYPT_WRAP. * tests/run-decrypt.c (main): New option --unwrap. * tests/run-encrypt.c (main): New option --wrap. -- Manual testing of that wrap/unwrap feature can be done this way: ./run-encrypt --verbose --key Alice /etc/motd > x ./run-decrypt --verbose --unwrap x > y ./run-encrypt --verbose --key Bob --wrap y > z 1. The message was first encrypted to Alice. 2. Alice decrypts the message receiving a valid OpenPGP message. 3. Alice encrypt that message to Bob This will also work with encrypted and signed messages; the signature will be kept intact during re-encryption. Requires GnuPG 2.1.12. Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-24 14:36:54 +01:00 · 2017-03-24 14:36:54 +01:00 · 6ac1f2cded
commit 6ac1f2cded
parent 66c334650b
20 changed files with 227 additions and 75 deletions
--- a/5
+++ b/5
@ -14,7 +14,12 @@ Noteworthy changes in version 1.8.1 (unreleased)
 gpgme_op_keylist_from_data_start NEW.
 gpgme_op_set_uid_flag_start      NEW.
 gpgme_op_set_uid_flag            NEW.
+ gpgme_op_decrypt_ext_start       NEW.
+ gpgme_op_decrypt_ext             NEW.
 GPGME_ENCRYPT_THROW_KEYIDS       NEW.
+ GPGME_ENCRYPT_WRAP               NEW.
+ GPGME_DECRYPT_VERIFY             NEW.
+ GPGME_DECRYPT_UNWRAP             NEW.
 gpgme_data_rewind                UN-DEPRECATE.
 cpp: Context::revUid(const Key&, const char*)      NEW.
 cpp: Context::startRevUid(const Key&, const char*) NEW.
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@ -4890,6 +4890,53 @@ operation could be started successfully, and @code{GPG_ERR_INV_VALUE}
 if @var{cipher} or @var{plain} is not a valid pointer.
@end deftypefun

+
+@deftypefun gpgme_error_t gpgme_op_decrypt_ext ( @
+            @w{gpgme_ctx_t @var{ctx}}, @
+            @w{gpgme_decrypt_flags_t @var{flags}}, @
+            @w{gpgme_data_t @var{cipher}}, @
+            @w{gpgme_data_t @var{plain}})
+
+The function @code{gpgme_op_decrypt_ext} is the same as
+@code{gpgme_op_decrypt_ext} but has an additional argument
+@var{flags}.  If @var{flags} is 0 both function behave identically.
+
+The value in @var{flags} is a bitwise-or combination of one or
+multiple of the following bit values:
+
+@table @code
+@item GPGME_DECRYPT_VERIFY
+The @code{GPGME_DECRYPT_VERIFY} symbol specifies that this function
+shall exacty act as @code{gpgme_op_decrypt_verify}.
+
+@item GPGME_DECRYPT_UNWRAP
+The @code{GPGME_DECRYPT_UNWRAP} symbol specifies that the output shall
+be an OpenPGP message with only the encryption layer removed.  This
+requires GnuPG 2.1.12 and works only for OpenPGP.  This is the
+counterpart to @code{GPGME_ENCRYPT_WRAP}.
+
+@end table
+
+The function returns the error codes as descriped for
+@code{gpgme_op_decrypt} respective @code{gpgme_op_encrypt}.
+@end deftypefun
+
+@deftypefun gpgme_error_t gpgme_op_decrypt_ext_start ( @
+            @w{gpgme_ctx_t @var{ctx}}, @
+            @w{gpgme_decrypt_flags_t @var{flags}}, @
+            @w{gpgme_data_t @var{cipher}}, @
+            @w{gpgme_data_t @var{plain}})
+
+The function @code{gpgme_op_decrypt_ext_start} initiates a
+@code{gpgme_op_decrypt_ext} operation.  It can be completed by calling
+@code{gpgme_wait} on the context.  @xref{Waiting For Completion}.
+
+The function returns the error code @code{GPG_ERR_NO_ERROR} if the
+operation could be started successfully, and @code{GPG_ERR_INV_VALUE}
+if @var{cipher} or @var{plain} is not a valid pointer.
+@end deftypefun
+
+
@deftp {Data type} {gpgme_recipient_t}
 This is a pointer to a structure used to store information about the
 recipient of an encrypted text which is decrypted in a
@ -5634,6 +5681,11 @@ On the receiving side, the use of this flag may slow down the
 decryption process because all available secret keys must be tried.
 This flag is only honored for OpenPGP encryption.

+@item GPGME_ENCRYPT_WRAP
+The @code{GPGME_ENCRYPT_WRAP} symbol specifies that the input is an
+OpenPGP message and not a plain data.  This is the counterpart to
+@code{GPGME_DECRYPT_UNWRAP}.
+
@end table

 If @code{GPG_ERR_UNUSABLE_PUBKEY} is returned, some recipients in
--- a/src/decrypt-verify.c
+++ b/src/decrypt-verify.c
@ -23,6 +23,8 @@
 #include <config.h>
 #endif

+#include <assert.h>
+
 #include "debug.h"
 #include "gpgme.h"
 #include "ops.h"
@ -45,10 +47,13 @@ decrypt_verify_status_handler (void *priv, gpgme_status_code_t code,

 static gpgme_error_t
 decrypt_verify_start (gpgme_ctx_t ctx, int synchronous,
+                      gpgme_decrypt_flags_t flags,
 		      gpgme_data_t cipher, gpgme_data_t plain)
 {
  gpgme_error_t err;

+  assert ((flags & GPGME_DECRYPT_VERIFY));
+
  err = _gpgme_op_reset (ctx, synchronous);
  if (err)
    return err;
@ -77,9 +82,11 @@ decrypt_verify_start (gpgme_ctx_t ctx, int synchronous,
  _gpgme_engine_set_status_handler (ctx->engine,
 				    decrypt_verify_status_handler, ctx);

-  return _gpgme_engine_op_decrypt_verify (ctx->engine, cipher, plain,
-                                          ctx->export_session_keys,
-                                          ctx->override_session_key);
+  return _gpgme_engine_op_decrypt (ctx->engine,
+                                   flags,
+                                   cipher, plain,
+                                   ctx->export_session_keys,
+                                   ctx->override_session_key);
 }


@ -97,7 +104,7 @@ gpgme_op_decrypt_verify_start (gpgme_ctx_t ctx, gpgme_data_t cipher,
  if (!ctx)
    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));

-  err = decrypt_verify_start (ctx, 0, cipher, plain);
+  err = decrypt_verify_start (ctx, 0, GPGME_DECRYPT_VERIFY, cipher, plain);
  return TRACE_ERR (err);
 }

@ -116,7 +123,57 @@ gpgme_op_decrypt_verify (gpgme_ctx_t ctx, gpgme_data_t cipher,
  if (!ctx)
    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));

-  err = decrypt_verify_start (ctx, 1, cipher, plain);
+  err = decrypt_verify_start (ctx, 1, GPGME_DECRYPT_VERIFY, cipher, plain);
+  if (!err)
+    err = _gpgme_wait_one (ctx);
+  return TRACE_ERR (err);
+}
+
+
+/* Decrypt ciphertext CIPHER within CTX and store the resulting
+   plaintext in PLAIN.  */
+gpgme_error_t
+gpgme_op_decrypt_ext_start (gpgme_ctx_t ctx,
+                            gpgme_decrypt_flags_t flags,
+                            gpgme_data_t cipher,
+                            gpgme_data_t plain)
+{
+  gpgme_error_t err;
+
+  TRACE_BEG2 (DEBUG_CTX, "gpgme_op_decrypt_ext_start", ctx,
+	      "cipher=%p, plain=%p", cipher, plain);
+
+  if (!ctx)
+    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));
+
+  if ((flags & GPGME_DECRYPT_VERIFY))
+    err = decrypt_verify_start (ctx, 0, flags, cipher, plain);
+  else
+    err = _gpgme_decrypt_start (ctx, 0, flags, cipher, plain);
+  return TRACE_ERR (err);
+}
+
+
+/* Decrypt ciphertext CIPHER within CTX and store the resulting
+   plaintext in PLAIN.  */
+gpgme_error_t
+gpgme_op_decrypt_ext (gpgme_ctx_t ctx,
+                      gpgme_decrypt_flags_t flags,
+                      gpgme_data_t cipher,
+                      gpgme_data_t plain)
+{
+  gpgme_error_t err;
+
+  TRACE_BEG2 (DEBUG_CTX, "gpgme_op_decrypt_ext", ctx,
+	      "cipher=%p, plain=%p", cipher, plain);
+
+  if (!ctx)
+    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));
+
+  if ((flags & GPGME_DECRYPT_VERIFY))
+    err = decrypt_verify_start (ctx, 1, flags, cipher, plain);
+  else
+    err = _gpgme_decrypt_start (ctx, 1, flags, cipher, plain);
  if (!err)
    err = _gpgme_wait_one (ctx);
  return TRACE_ERR (err);
--- a/src/decrypt.c
+++ b/src/decrypt.c
@ -25,6 +25,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <assert.h>

 #include "debug.h"
 #include "gpgme.h"
@ -358,12 +359,15 @@ _gpgme_op_decrypt_init_result (gpgme_ctx_t ctx)
 }


-static gpgme_error_t
-decrypt_start (gpgme_ctx_t ctx, int synchronous,
-               gpgme_data_t cipher, gpgme_data_t plain)
+gpgme_error_t
+_gpgme_decrypt_start (gpgme_ctx_t ctx, int synchronous,
+                      gpgme_decrypt_flags_t flags,
+                      gpgme_data_t cipher, gpgme_data_t plain)
 {
  gpgme_error_t err;

+  assert (!(flags & GPGME_DECRYPT_VERIFY));
+
  err = _gpgme_op_reset (ctx, synchronous);
  if (err)
    return err;
@ -390,7 +394,9 @@ decrypt_start (gpgme_ctx_t ctx, int synchronous,

  _gpgme_engine_set_status_handler (ctx->engine, decrypt_status_handler, ctx);

-  return _gpgme_engine_op_decrypt (ctx->engine, cipher, plain,
+  return _gpgme_engine_op_decrypt (ctx->engine,
+                                   flags,
+                                   cipher, plain,
                                   ctx->export_session_keys,
                                   ctx->override_session_key);
 }
@ -408,7 +414,7 @@ gpgme_op_decrypt_start (gpgme_ctx_t ctx, gpgme_data_t cipher,
  if (!ctx)
    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));

-  err = decrypt_start (ctx, 0, cipher, plain);
+  err = _gpgme_decrypt_start (ctx, 0, 0, cipher, plain);
  return TRACE_ERR (err);
 }

@ -426,7 +432,7 @@ gpgme_op_decrypt (gpgme_ctx_t ctx, gpgme_data_t cipher, gpgme_data_t plain)
  if (!ctx)
    return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));

-  err = decrypt_start (ctx, 1, cipher, plain);
+  err = _gpgme_decrypt_start (ctx, 1, 0, cipher, plain);
  if (!err)
    err = _gpgme_wait_one (ctx);
  return TRACE_ERR (err);
--- a/src/engine-assuan.c
+++ b/src/engine-assuan.c
@ -776,7 +776,6 @@ struct engine_ops _gpgme_engine_ops_assuan =
    llass_set_locale,
    NULL,		/* set_protocol */
    NULL,               /* decrypt */
-    NULL,               /* decrypt_verify */
    NULL,               /* delete */
    NULL,		/* edit */
    NULL,               /* encrypt */
--- a/src/engine-backend.h
+++ b/src/engine-backend.h
@ -61,12 +61,11 @@ struct engine_ops
 					   void *fnc_value);
  gpgme_error_t (*set_locale) (void *engine, int category, const char *value);
  gpgme_error_t (*set_protocol) (void *engine, gpgme_protocol_t protocol);
-  gpgme_error_t (*decrypt) (void *engine, gpgme_data_t ciph,
+  gpgme_error_t (*decrypt) (void *engine,
+                            gpgme_decrypt_flags_t flags,
+                            gpgme_data_t ciph,
 			    gpgme_data_t plain, int export_session_key,
                            const char *override_session_key);
-  gpgme_error_t (*decrypt_verify) (void *engine, gpgme_data_t ciph,
-				   gpgme_data_t plain, int export_session_key,
-                                   const char *override_session_key);
  gpgme_error_t (*delete) (void *engine, gpgme_key_t key, int allow_secret);
  gpgme_error_t (*edit) (void *engine, int type, gpgme_key_t key,
 			 gpgme_data_t out, gpgme_ctx_t ctx /* FIXME */);
--- a/src/engine-g13.c
+++ b/src/engine-g13.c
@ -791,7 +791,6 @@ struct engine_ops _gpgme_engine_ops_g13 =
    g13_set_locale,
    NULL,		/* set_protocol */
    NULL,               /* decrypt */
-    NULL,               /* decrypt_verify */
    NULL,               /* delete */
    NULL,		/* edit */
    NULL,               /* encrypt */
--- a/src/engine-gpg.c
+++ b/src/engine-gpg.c
@ -1559,7 +1559,9 @@ add_input_size_hint (engine_gpg_t gpg, gpgme_data_t data)


 static gpgme_error_t
-gpg_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
+gpg_decrypt (void *engine,
+             gpgme_decrypt_flags_t flags,
+             gpgme_data_t ciph, gpgme_data_t plain,
             int export_session_key, const char *override_session_key)
 {
  engine_gpg_t gpg = engine;
@ -1567,6 +1569,14 @@ gpg_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,

  err = add_arg (gpg, "--decrypt");

+  if (!err && (flags & GPGME_DECRYPT_UNWRAP))
+    {
+      if (!have_gpg_version (gpg, "2.1.12"))
+        err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+      else
+        err = add_arg (gpg, "--unwrap");
+    }
+
  if (!err && export_session_key)
    err = add_arg (gpg, "--show-session-key");

@ -1857,6 +1867,17 @@ gpg_encrypt (void *engine, gpgme_key_t recp[], gpgme_encrypt_flags_t flags,
  if (!err && use_armor)
    err = add_arg (gpg, "--armor");

+  if (!err && (flags & GPGME_ENCRYPT_WRAP))
+    {
+      /* gpg is current not abale to detect already compressed
+       * packets.  Thus when using
+       *   gpg --unwrap -d | gpg --no-literal -e
+       * the encryption would add an additional compression layer.
+       * We better suppress that.  */
+      flags |= GPGME_ENCRYPT_NO_COMPRESS;
+      err = add_arg (gpg, "--no-literal");
+    }
+
  if (!err && (flags & GPGME_ENCRYPT_NO_COMPRESS))
    err = add_arg (gpg, "--compress-algo=none");

@ -3047,7 +3068,6 @@ struct engine_ops _gpgme_engine_ops_gpg =
    gpg_set_locale,
    NULL,				/* set_protocol */
    gpg_decrypt,
-    gpg_decrypt,			/* decrypt_verify */
    gpg_delete,
    gpg_edit,
    gpg_encrypt,
--- a/src/engine-gpgconf.c
+++ b/src/engine-gpgconf.c
@ -1233,7 +1233,6 @@ struct engine_ops _gpgme_engine_ops_gpgconf =
    NULL,		/* set_locale */
    NULL,		/* set_protocol */
    NULL,		/* decrypt */
-    NULL,		/* decrypt_verify */
    NULL,		/* delete */
    NULL,		/* edit */
    NULL,		/* encrypt */
--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
@ -1127,12 +1127,16 @@ gpgsm_reset (void *engine)


 static gpgme_error_t
-gpgsm_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
+gpgsm_decrypt (void *engine,
+               gpgme_decrypt_flags_t flags,
+               gpgme_data_t ciph, gpgme_data_t plain,
               int export_session_key, const char *override_session_key)
 {
  engine_gpgsm_t gpgsm = engine;
  gpgme_error_t err;

+  (void)flags;
+
  /* gpgsm is not capable of exporting session keys right now, so we
   * will ignore this if requested. */
  (void)export_session_key;
@ -2095,7 +2099,6 @@ struct engine_ops _gpgme_engine_ops_gpgsm =
    gpgsm_set_locale,
    NULL,		/* set_protocol */
    gpgsm_decrypt,
-    gpgsm_decrypt,
    gpgsm_delete,	/* decrypt_verify */
    NULL,		/* edit */
    gpgsm_encrypt,
--- a/src/engine-spawn.c
+++ b/src/engine-spawn.c
@ -449,7 +449,6 @@ struct engine_ops _gpgme_engine_ops_spawn =
    NULL,		/* set_locale */
    NULL,		/* set_protocol */
    NULL,		/* decrypt */
-    NULL,		/* decrypt_verify */
    NULL,		/* delete */
    NULL,		/* edit */
    NULL,		/* encrypt */
--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
@ -959,14 +959,16 @@ uiserver_reset (void *engine)


 static gpgme_error_t
-_uiserver_decrypt (void *engine, int verify,
-		   gpgme_data_t ciph, gpgme_data_t plain,
-                   int export_session_key, const char *override_session_key)
+uiserver_decrypt (void *engine,
+                  gpgme_decrypt_flags_t flags,
+                  gpgme_data_t ciph, gpgme_data_t plain,
+                  int export_session_key, const char *override_session_key)
 {
  engine_uiserver_t uiserver = engine;
  gpgme_error_t err;
  const char *protocol;
  char *cmd;
+  int verify = !!(flags & GPGME_DECRYPT_VERIFY);

  (void)override_session_key; /* Fixme: We need to see now to add this
                               * to the UI server protocol  */
@ -1010,25 +1012,6 @@ _uiserver_decrypt (void *engine, int verify,
 }


-static gpgme_error_t
-uiserver_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
-                  int export_session_key, const char *override_session_key)
-{
-  return _uiserver_decrypt (engine, 0, ciph, plain,
-                            export_session_key, override_session_key);
-}
-
-
-static gpgme_error_t
-uiserver_decrypt_verify (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
-                         int export_session_key,
-                         const char *override_session_key)
-{
-  return _uiserver_decrypt (engine, 1, ciph, plain,
-                            export_session_key, override_session_key);
-}
-
-
 static gpgme_error_t
 set_recipients (engine_uiserver_t uiserver, gpgme_key_t recp[])
 {
@ -1383,7 +1366,6 @@ struct engine_ops _gpgme_engine_ops_uiserver =
    uiserver_set_locale,
    uiserver_set_protocol,
    uiserver_decrypt,
-    uiserver_decrypt_verify,
    NULL,		/* delete */
    NULL,		/* edit */
    uiserver_encrypt,
--- a/src/engine.c
+++ b/src/engine.c
@ -652,7 +652,9 @@ _gpgme_engine_set_protocol (engine_t engine, gpgme_protocol_t protocol)


 gpgme_error_t
-_gpgme_engine_op_decrypt (engine_t engine, gpgme_data_t ciph,
+_gpgme_engine_op_decrypt (engine_t engine,
+                          gpgme_decrypt_flags_t flags,
+                          gpgme_data_t ciph,
 			  gpgme_data_t plain, int export_session_key,
                          const char *override_session_key)
 {
@ -662,28 +664,11 @@ _gpgme_engine_op_decrypt (engine_t engine, gpgme_data_t ciph,
  if (!engine->ops->decrypt)
    return gpg_error (GPG_ERR_NOT_IMPLEMENTED);

-  return (*engine->ops->decrypt) (engine->engine, ciph, plain,
+  return (*engine->ops->decrypt) (engine->engine, flags, ciph, plain,
                                  export_session_key, override_session_key);
 }


-gpgme_error_t
-_gpgme_engine_op_decrypt_verify (engine_t engine, gpgme_data_t ciph,
-				 gpgme_data_t plain, int export_session_key,
-                                 const char *override_session_key)
-{
-  if (!engine)
-    return gpg_error (GPG_ERR_INV_VALUE);
-
-  if (!engine->ops->decrypt_verify)
-    return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
-
-  return (*engine->ops->decrypt_verify) (engine->engine, ciph, plain,
-                                         export_session_key,
-                                         override_session_key);
-}
-
-
 gpgme_error_t
 _gpgme_engine_op_delete (engine_t engine, gpgme_key_t key,
 			 int allow_secret)
--- a/src/engine.h
+++ b/src/engine.h
@ -83,16 +83,12 @@ gpgme_error_t
 _gpgme_engine_set_colon_line_handler (engine_t engine,
 				      engine_colon_line_handler_t fnc,
 				      void *fnc_value);
-gpgme_error_t _gpgme_engine_op_decrypt (engine_t engine, gpgme_data_t ciph,
+gpgme_error_t _gpgme_engine_op_decrypt (engine_t engine,
+                                        gpgme_decrypt_flags_t flags,
+                                        gpgme_data_t ciph,
 					gpgme_data_t plain,
                                        int export_session_key,
                                        const char *override_session_key);
-gpgme_error_t _gpgme_engine_op_decrypt_verify (engine_t engine,
-					       gpgme_data_t ciph,
-					       gpgme_data_t plain,
-                                               int export_session_key,
-                                               const char *override_session_key
-                                               );
 gpgme_error_t _gpgme_engine_op_delete (engine_t engine, gpgme_key_t key,
 				       int allow_secret);
 gpgme_error_t _gpgme_engine_op_edit (engine_t engine, int type,
--- a/src/gpgme.def
+++ b/src/gpgme.def
@ -259,5 +259,8 @@ EXPORTS
    gpgme_op_set_uid_flag_start           @193
    gpgme_op_set_uid_flag                 @194

+    gpgme_op_decrypt_ext                  @195
+    gpgme_op_decrypt_ext_start            @196
+
 ; END

--- a/src/gpgme.h.in
+++ b/src/gpgme.h.in
@ -1238,7 +1238,8 @@ typedef enum
    GPGME_ENCRYPT_EXPECT_SIGN = 8,
    GPGME_ENCRYPT_NO_COMPRESS = 16,
    GPGME_ENCRYPT_SYMMETRIC = 32,
-    GPGME_ENCRYPT_THROW_KEYIDS = 64
+    GPGME_ENCRYPT_THROW_KEYIDS = 64,
+    GPGME_ENCRYPT_WRAP = 128
  }
 gpgme_encrypt_flags_t;

@ -1317,6 +1318,14 @@ typedef struct _gpgme_op_decrypt_result *gpgme_decrypt_result_t;
 /* Retrieve a pointer to the result of the decrypt operation.  */
 gpgme_decrypt_result_t gpgme_op_decrypt_result (gpgme_ctx_t ctx);

+/* The valid decryption flags.  */
+typedef enum
+  {
+    GPGME_DECRYPT_VERIFY = 1,
+    GPGME_DECRYPT_UNWRAP = 128
+  }
+gpgme_decrypt_flags_t;
+
 /* Decrypt ciphertext CIPHER within CTX and store the resulting
   plaintext in PLAIN.  */
 gpgme_error_t gpgme_op_decrypt_start (gpgme_ctx_t ctx, gpgme_data_t cipher,
@ -1332,6 +1341,19 @@ gpgme_error_t gpgme_op_decrypt_verify_start (gpgme_ctx_t ctx,
 gpgme_error_t gpgme_op_decrypt_verify (gpgme_ctx_t ctx, gpgme_data_t cipher,
 				       gpgme_data_t plain);

+/* Decrypt ciphertext CIPHER within CTX and store the resulting
+ * plaintext in PLAIN.  With the flag GPGME_DECRYPT_VERIFY also do a
+ * signature verification pn the plaintext.  */
+gpgme_error_t gpgme_op_decrypt_ext_start (gpgme_ctx_t ctx,
+                                          gpgme_decrypt_flags_t flags,
+                                          gpgme_data_t cipher,
+                                          gpgme_data_t plain);
+gpgme_error_t gpgme_op_decrypt_ext (gpgme_ctx_t ctx,
+                                    gpgme_decrypt_flags_t flags,
+                                    gpgme_data_t cipher,
+                                    gpgme_data_t plain);
+
+

 /*
 * Signing.
--- a/src/libgpgme.vers
+++ b/src/libgpgme.vers
@ -129,6 +129,9 @@ GPGME_1.1 {

    gpgme_op_set_uid_flag_start;
    gpgme_op_set_uid_flag;
+
+    gpgme_op_decrypt_ext;
+    gpgme_op_decrypt_ext_start;
 };


--- a/src/ops.h
+++ b/src/ops.h
@ -89,6 +89,9 @@ gpgme_error_t _gpgme_op_decrypt_init_result (gpgme_ctx_t ctx);
 gpgme_error_t _gpgme_decrypt_status_handler (void *priv,
 					     gpgme_status_code_t code,
 					     char *args);
+gpgme_error_t _gpgme_decrypt_start (gpgme_ctx_t ctx, int synchronous,
+                                    gpgme_decrypt_flags_t flags,
+                                    gpgme_data_t cipher, gpgme_data_t plain);


 /* From signers.c.  */
--- a/tests/run-decrypt.c
+++ b/tests/run-decrypt.c
@ -80,6 +80,7 @@ show_usage (int ex)
         "  --cms            use the CMS protocol\n"
         "  --export-session-key            show the session key\n"
         "  --override-session-key STRING   use STRING as session key\n"
+         "  --unwrap         remove only the encryption layer\n"
         , stderr);
  exit (ex);
 }
@ -92,6 +93,7 @@ main (int argc, char **argv)
  gpgme_error_t err;
  gpgme_ctx_t ctx;
  gpgme_protocol_t protocol = GPGME_PROTOCOL_OpenPGP;
+  gpgme_decrypt_flags_t flags = 0;
  FILE *fp_in = NULL;
  gpgme_data_t in = NULL;
  gpgme_data_t out = NULL;
@ -99,6 +101,7 @@ main (int argc, char **argv)
  int print_status = 0;
  int export_session_key = 0;
  const char *override_session_key = NULL;
+  int raw_output = 0;

  if (argc)
    { argc--; argv++; }
@ -146,6 +149,12 @@ main (int argc, char **argv)
          override_session_key = *argv;
          argc--; argv++;
        }
+      else if (!strcmp (*argv, "--unwrap"))
+        {
+          flags |= GPGME_DECRYPT_UNWRAP;
+          raw_output = 1;
+          argc--; argv++;
+        }
      else if (!strncmp (*argv, "--", 2))
        show_usage (1);

@ -211,7 +220,7 @@ main (int argc, char **argv)
      exit (1);
    }

-  err = gpgme_op_decrypt (ctx, in, out);
+  err = gpgme_op_decrypt_ext (ctx, flags, in, out);
  result = gpgme_op_decrypt_result (ctx);
  if (err)
    {
@ -220,8 +229,13 @@ main (int argc, char **argv)
    }
  if (result)
    {
-      print_result (result);
+      if (!raw_output)
+        print_result (result);
+      if (!raw_output)
+        fputs ("Begin Output:\n", stdout);
      print_data (out);
+      if (!raw_output)
+        fputs ("End Output.\n", stdout);
    }

  gpgme_data_release (out);
--- a/tests/run-encrypt.c
+++ b/tests/run-encrypt.c
@ -89,6 +89,7 @@ show_usage (int ex)
         "  --loopback       use a loopback pinentry\n"
         "  --key NAME       encrypt to key NAME\n"
         "  --throw-keyids   use this option\n"
+         "  --wrap           assume input is valid OpenPGP message\n"
         "  --symmetric      encrypt symmetric (OpenPGP only)\n"
         , stderr);
  exit (ex);
@ -176,6 +177,11 @@ main (int argc, char **argv)
          flags |= GPGME_ENCRYPT_THROW_KEYIDS;
          argc--; argv++;
        }
+      else if (!strcmp (*argv, "--wrap"))
+        {
+          flags |= GPGME_ENCRYPT_WRAP;
+          argc--; argv++;
+        }
      else if (!strcmp (*argv, "--loopback"))
        {
          use_loopback = 1;