security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

gpg: Fix printing of pubkey algo in --verbose signature verify.

Browse Source 
* g10/sig-check.c (check_signature2): Replace arg PK by R_PK and
change the semantics.  Also clear the other R_ args on function entry,
use gpg_error() and change retturn type to gpg_error_t.
* g10/mainproc.c (do_check_sig): Add arg R_PK.
(list_node): Pass NULL for new arg.
(check_sig_and_print): Rework to make use of the returned PK.
--

The output

gpg: textmode signature, digest algorithm SHA256, key algorithm rsa2048

showed the pubkey algo of the primary key which was surprising.
Changed to print the algo of the subkey used for verification.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2016-09-01 16:00:06 +02:00
parent 44690befad
commit 37e3c89725
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 111 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
g10/mainproc.c
View File

@ -839,12 +839,13 @@ proc_compressed (CTX c, PACKET *pkt)
/* /*
* check the signature * Check the signature. If R_PK is not NULL a copy of the public key
* Returns: 0 = valid signature or an error code * used to verify the signature will be stored tehre, or NULL if not
* found. Returns: 0 = valid signature or an error code
*/ */
static int static int
do_check_sig (CTX c, kbnode_t node, int *is_selfsig, do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
int *is_expkey, int *is_revkey) int *is_expkey, int *is_revkey, PKT_public_key **r_pk)
{ {
PKT_signature *sig; PKT_signature *sig;
gcry_md_hd_t md = NULL; gcry_md_hd_t md = NULL;
@ -852,6 +853,9 @@ do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
gcry_md_hd_t md_good = NULL; gcry_md_hd_t md_good = NULL;
int algo, rc; int algo, rc;
if (r_pk)
*r_pk = NULL;
log_assert (node->pkt->pkttype == PKT_SIGNATURE); log_assert (node->pkt->pkttype == PKT_SIGNATURE);
if (is_selfsig) if (is_selfsig)
*is_selfsig = 0; *is_selfsig = 0;
@ -926,14 +930,24 @@ do_check_sig (CTX c, kbnode_t node, int *is_selfsig,
/* We only get here if we are checking the signature of a binary /* We only get here if we are checking the signature of a binary
(0x00) or text document (0x01). */ (0x00) or text document (0x01). */
rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, NULL); rc = check_signature2 (sig, md, NULL, is_expkey, is_revkey, r_pk);
if (! rc) if (! rc)
md_good = md; md_good = md;
else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2) else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
{ {
rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey, NULL); PKT_public_key *pk2;
rc = check_signature2 (sig, md2, NULL, is_expkey, is_revkey,
r_pk? &pk2 : NULL);
if (!rc) if (!rc)
{
md_good = md2; md_good = md2;
if (r_pk)
{
free_public_key (*r_pk);
*r_pk = pk2;
}
}
} }
if (md_good) if (md_good)
@ -1096,7 +1110,7 @@ list_node (CTX c, kbnode_t node)
if (opt.check_sigs) if (opt.check_sigs)
{ {
fflush (stdout); fflush (stdout);
rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL); rc2 = do_check_sig (c, node, &is_selfsig, NULL, NULL, NULL);
switch (gpg_err_code (rc2)) switch (gpg_err_code (rc2))
{ {
case 0: sigrc = '!'; break; case 0: sigrc = '!'; break;
@ -1603,10 +1617,8 @@ check_sig_and_print (CTX c, kbnode_t node)
int rc; int rc;
int is_expkey = 0; int is_expkey = 0;
int is_revkey = 0; int is_revkey = 0;
char pkstrbuf[PUBKEY_STRING_SIZE];
char *issuer_fpr; char *issuer_fpr;
PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
*pkstrbuf = 0;
if (opt.skip_verify) if (opt.skip_verify)
{ {
@ -1754,7 +1766,7 @@ check_sig_and_print (CTX c, kbnode_t node)
if (sig->signers_uid) if (sig->signers_uid)
log_info (_(" issuer \"%s\"\n"), sig->signers_uid); log_info (_(" issuer \"%s\"\n"), sig->signers_uid);
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
/* If the key isn't found, check for a preferred keyserver. */ /* If the key isn't found, check for a preferred keyserver. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks) if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
@ -1783,11 +1795,14 @@ check_sig_and_print (CTX c, kbnode_t node)
{ {
int res; int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid,spec); res = keyserver_import_keyid (c->ctrl, sig->keyid,spec);
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
if (!res) if (!res)
rc = do_check_sig(c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL,
&is_expkey, &is_revkey, &pk);
free_keyserver_spec (spec); free_keyserver_spec (spec);
if (!rc) if (!rc)
@ -1815,12 +1830,14 @@ check_sig_and_print (CTX c, kbnode_t node)
spec = parse_keyserver_uri (uri, 1); spec = parse_keyserver_uri (uri, 1);
if (spec) if (spec)
{ {
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid, spec); res = keyserver_import_keyid (c->ctrl, sig->keyid, spec);
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
free_keyserver_spec (spec); free_keyserver_spec (spec);
if (!res) if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
} }
} }
} }
@ -1844,11 +1861,13 @@ check_sig_and_print (CTX c, kbnode_t node)
if (p && n == 21 && p[0] == 4) if (p && n == 21 && p[0] == 4)
{ {
/* v4 packet with a SHA-1 fingerprint. */ /* v4 packet with a SHA-1 fingerprint. */
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver); res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver);
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
if (!res) if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
} }
} }
@ -1862,13 +1881,15 @@ check_sig_and_print (CTX c, kbnode_t node)
{ {
int res; int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_wkd (c->ctrl, sig->signers_uid, NULL, NULL); res = keyserver_import_wkd (c->ctrl, sig->signers_uid, NULL, NULL);
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
/* Fixme: If the fingerprint is embedded in the signature, /* Fixme: If the fingerprint is embedded in the signature,
* compare it to the fingerprint of the returned key. */ * compare it to the fingerprint of the returned key. */
if (!res) if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
} }
/* If the above methods did't work, our next try is to use a /* If the above methods did't work, our next try is to use a
@ -1879,11 +1900,13 @@ check_sig_and_print (CTX c, kbnode_t node)
{ {
int res; int res;
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver ); res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver );
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
if (!res) if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey ); rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
} }
if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE) if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
@ -1892,7 +1915,7 @@ check_sig_and_print (CTX c, kbnode_t node)
int count = 0; int count = 0;
int statno; int statno;
char keyid_str[50]; char keyid_str[50];
PKT_public_key *pk = NULL; PKT_public_key *mainpk = NULL;
if (rc) if (rc)
statno = STATUS_BADSIG; statno = STATUS_BADSIG;
@ -1905,6 +1928,10 @@ check_sig_and_print (CTX c, kbnode_t node)
else else
statno = STATUS_GOODSIG; statno = STATUS_GOODSIG;
/* FIXME: We should have the public key in PK and thus the
* keyboock has already been fetched. Thus we could use the
* fingerprint or PK itself to lookup the entire keyblock. That
* would best be done with a cache. */
keyblock = get_pubkeyblock (sig->keyid); keyblock = get_pubkeyblock (sig->keyid);
snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ", snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ",
@ -1918,7 +1945,7 @@ check_sig_and_print (CTX c, kbnode_t node)
if (un->pkt->pkttype==PKT_PUBLIC_KEY) if (un->pkt->pkttype==PKT_PUBLIC_KEY)
{ {
pk=un->pkt->pkt.public_key; mainpk = un->pkt->pkt.public_key;
continue; continue;
} }
if (un->pkt->pkttype != PKT_USER_ID) if (un->pkt->pkttype != PKT_USER_ID)
@ -1935,7 +1962,7 @@ check_sig_and_print (CTX c, kbnode_t node)
if (un->pkt->pkt.user_id->attrib_data) if (un->pkt->pkt.user_id->attrib_data)
continue; continue;
log_assert (pk); log_assert (mainpk);
/* Since this is just informational, don't actually ask the /* Since this is just informational, don't actually ask the
user to update any trust information. (Note: we register user to update any trust information. (Note: we register
@ -1943,7 +1970,8 @@ check_sig_and_print (CTX c, kbnode_t node)
does not print a LF we need to compute the validity does not print a LF we need to compute the validity
before calling that function. */ before calling that function. */
if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY)) if ((opt.verify_options & VERIFY_SHOW_UID_VALIDITY))
valid = get_validity (c->ctrl, pk, un->pkt->pkt.user_id, sig, 0); valid = get_validity (c->ctrl, mainpk, un->pkt->pkt.user_id,
sig, 0);
else else
valid = 0; /* Not used. */ valid = 0; /* Not used. */
@ -1956,13 +1984,11 @@ check_sig_and_print (CTX c, kbnode_t node)
else else
log_printf ("\n"); log_printf ("\n");
/* Get a string description of the algo for informational
output we want to print later. It is convenient to do it
here because we already have the right public key. */
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
count++; count++;
} }
log_assert (mainpk);
/* In case we did not found a valid valid textual userid above /* In case we did not found a valid valid textual userid above
we print the first user id packet or a "[?]" instead along we print the first user id packet or a "[?]" instead along
with the "Good|Expired|Bad signature" line. */ with the "Good|Expired|Bad signature" line. */
@ -2019,13 +2045,13 @@ check_sig_and_print (CTX c, kbnode_t node)
/* If this user id has attribute data, print that. */ /* If this user id has attribute data, print that. */
if (un->pkt->pkt.user_id->attrib_data) if (un->pkt->pkt.user_id->attrib_data)
{ {
dump_attribs (un->pkt->pkt.user_id, pk); dump_attribs (un->pkt->pkt.user_id, mainpk);
if (opt.verify_options&VERIFY_SHOW_PHOTOS) if (opt.verify_options&VERIFY_SHOW_PHOTOS)
show_photos (c->ctrl, show_photos (c->ctrl,
un->pkt->pkt.user_id->attribs, un->pkt->pkt.user_id->attribs,
un->pkt->pkt.user_id->numattribs, un->pkt->pkt.user_id->numattribs,
pk ,un->pkt->pkt.user_id); mainpk ,un->pkt->pkt.user_id);
} }
p = utf8_to_native (un->pkt->pkt.user_id->name, p = utf8_to_native (un->pkt->pkt.user_id->name,
@ -2046,7 +2072,7 @@ check_sig_and_print (CTX c, kbnode_t node)
actually ask the user to update any trust actually ask the user to update any trust
information. */ information. */
valid = (trust_value_to_string valid = (trust_value_to_string
(get_validity (c->ctrl, pk, (get_validity (c->ctrl, mainpk,
un->pkt->pkt.user_id, sig, 0))); un->pkt->pkt.user_id, sig, 0)));
log_printf (" [%s]\n",valid); log_printf (" [%s]\n",valid);
} }
@ -2054,7 +2080,6 @@ check_sig_and_print (CTX c, kbnode_t node)
log_printf ("\n"); log_printf ("\n");
} }
} }
release_kbnode( keyblock );
/* For good signatures print notation data. */ /* For good signatures print notation data. */
if (!rc) if (!rc)
@ -2081,16 +2106,14 @@ check_sig_and_print (CTX c, kbnode_t node)
/* For good signatures print the VALIDSIG status line. */ /* For good signatures print the VALIDSIG status line. */
if (!rc && is_status_enabled ()) if (!rc && is_status_enabled ())
{ {
PKT_public_key *vpk = xmalloc_clear (sizeof *vpk); if (pk)
if (!get_pubkey (vpk, sig->keyid))
{ {
byte array[MAX_FINGERPRINT_LEN], *p; byte array[MAX_FINGERPRINT_LEN], *p;
char buf[MAX_FINGERPRINT_LEN*4+90], *bufp; char buf[MAX_FINGERPRINT_LEN*4+90], *bufp;
size_t i, n; size_t i, n;
bufp = buf; bufp = buf;
fingerprint_from_pk (vpk, array, &n); fingerprint_from_pk (pk, array, &n);
p = array; p = array;
for(i=0; i < n ; i++, p++, bufp += 2) for(i=0; i < n ; i++, p++, bufp += 2)
sprintf (bufp, "%02X", *p ); sprintf (bufp, "%02X", *p );
@ -2103,29 +2126,13 @@ check_sig_and_print (CTX c, kbnode_t node)
sig->version,sig->pubkey_algo,sig->digest_algo, sig->version,sig->pubkey_algo,sig->digest_algo,
sig->sig_class); sig->sig_class);
bufp = bufp + strlen (bufp); bufp = bufp + strlen (bufp);
if (!vpk->flags.primary) if (!pk->flags.primary)
{ fingerprint_from_pk (mainpk, array, &n);
u32 akid[2];
akid[0] = vpk->main_keyid[0];
akid[1] = vpk->main_keyid[1];
free_public_key (vpk);
vpk = xmalloc_clear (sizeof *vpk);
if (get_pubkey (vpk, akid))
{
/* Impossible error, we simply return a zeroed out fpr */
n = MAX_FINGERPRINT_LEN < 20? MAX_FINGERPRINT_LEN : 20;
memset (array, 0, n);
}
else
fingerprint_from_pk( vpk, array, &n );
}
p = array; p = array;
for (i=0; i < n ; i++, p++, bufp += 2) for (i=0; i < n ; i++, p++, bufp += 2)
sprintf(bufp, "%02X", *p ); sprintf(bufp, "%02X", *p );
write_status_text (STATUS_VALIDSIG, buf); write_status_text (STATUS_VALIDSIG, buf);
} }
free_public_key (vpk);
} }
/* For good signatures compute and print the trust information. /* For good signatures compute and print the trust information.
@ -2148,12 +2155,20 @@ check_sig_and_print (CTX c, kbnode_t node)
log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate)); log_info (_("Signature expires %s\n"), asctimestamp(sig->expiredate));
if (opt.verbose) if (opt.verbose)
{
char pkstrbuf[PUBKEY_STRING_SIZE];
if (pk)
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
else
*pkstrbuf = 0;
log_info (_("%s signature, digest algorithm %s%s%s\n"), log_info (_("%s signature, digest algorithm %s%s%s\n"),
sig->sig_class==0x00?_("binary"): sig->sig_class==0x00?_("binary"):
sig->sig_class==0x01?_("textmode"):_("unknown"), sig->sig_class==0x01?_("textmode"):_("unknown"),
gcry_md_algo_name (sig->digest_algo), gcry_md_algo_name (sig->digest_algo),
*pkstrbuf?_(", key algorithm "):"", *pkstrbuf?_(", key algorithm "):"", pkstrbuf);
pkstrbuf); }
/* Print final warnings. */ /* Print final warnings. */
if (!rc && !c->signed_data.used) if (!rc && !c->signed_data.used)
@ -2194,6 +2209,7 @@ check_sig_and_print (CTX c, kbnode_t node)
} }
} }
release_kbnode( keyblock );
if (rc) if (rc)
g10_errors_seen = 1; g10_errors_seen = 1;
if (opt.batch && rc) if (opt.batch && rc)

12
g10/packet.h
View File

@ -802,13 +802,13 @@ int cmp_user_ids( PKT_user_id *a, PKT_user_id *b );
int check_signature (PKT_signature *sig, gcry_md_hd_t digest); int check_signature (PKT_signature *sig, gcry_md_hd_t digest);
/* Check a signature. Looks up the public key from the key db. (If /* Check a signature. Looks up the public key from the key db. (If
RET_PK is not NULL, it is returned in *RET_PK.) DIGEST contains a * R_PK is not NULL, it is stored at RET_PK.) DIGEST contains a
valid hash context that already includes the signed data. This * valid hash context that already includes the signed data. This
function adds the relevant meta-data to the hash before finalizing * function adds the relevant meta-data to the hash before finalizing
it and verifying the signature. */ * it and verifying the signature. */
int check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, gpg_error_t check_signature2 (PKT_signature *sig, gcry_md_hd_t digest,
u32 *r_expiredate, int *r_expired, int *r_revoked, u32 *r_expiredate, int *r_expired, int *r_revoked,
PKT_public_key *ret_pk); PKT_public_key **r_pk);
/*-- pubkey-enc.c --*/ /*-- pubkey-enc.c --*/

58
g10/sig-check.c
View File

@ -84,23 +84,29 @@ check_signature (PKT_signature *sig, gcry_md_hd_t digest)
* revoked (0 otherwise). Note: PK being revoked does not cause this * revoked (0 otherwise). Note: PK being revoked does not cause this
* function to fail. * function to fail.
* *
* If PK is not NULL, the public key is saved in *PK on success. * If R_PK is not NULL, the public key is stored at that address if it
* was found; other wise NULL is stored.
* *
* Returns 0 on success. An error code otherwise. */ * Returns 0 on success. An error code otherwise. */
int gpg_error_t
check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate, check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
int *r_expired, int *r_revoked, PKT_public_key *pk ) int *r_expired, int *r_revoked, PKT_public_key **r_pk)
{ {
int rc=0; int rc=0;
int pk_internal; PKT_public_key *pk;
if (pk) if (r_expiredate)
pk_internal = 0; *r_expiredate = 0;
else if (r_expired)
{ *r_expired = 0;
pk_internal = 1; if (r_revoked)
pk = xmalloc_clear( sizeof *pk ); *r_revoked = 0;
} if (r_pk)
*r_pk = NULL;
pk = xtrycalloc (1, sizeof *pk);
if (!pk)
return gpg_error_from_syserror ();
if ( (rc=openpgp_md_test_algo(sig->digest_algo)) ) if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
; /* We don't have this digest. */ ; /* We don't have this digest. */
@ -114,14 +120,14 @@ check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
header is missing or does not match the actual sig. */ header is missing or does not match the actual sig. */
log_info(_("WARNING: signature digest conflict in message\n")); log_info(_("WARNING: signature digest conflict in message\n"));
rc = GPG_ERR_GENERAL; rc = gpg_error (GPG_ERR_GENERAL);
} }
else if( get_pubkey( pk, sig->keyid ) ) else if( get_pubkey( pk, sig->keyid ) )
rc = GPG_ERR_NO_PUBKEY; rc = gpg_error (GPG_ERR_NO_PUBKEY);
else if(!pk->flags.valid) else if(!pk->flags.valid)
{ {
/* You cannot have a good sig from an invalid key. */ /* You cannot have a good sig from an invalid key. */
rc = GPG_ERR_BAD_PUBKEY; rc = gpg_error (GPG_ERR_BAD_PUBKEY);
} }
else else
{ {
@ -136,7 +142,7 @@ check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
them as their own. The attacker couldn't actually use the them as their own. The attacker couldn't actually use the
subkey, but they could try and claim ownership of any subkey, but they could try and claim ownership of any
signatures issued by it. */ signatures issued by it. */
if(rc==0 && !pk->flags.primary && pk->flags.backsig < 2) if (!rc && !pk->flags.primary && pk->flags.backsig < 2)
{ {
if (!pk->flags.backsig) if (!pk->flags.backsig)
{ {
@ -148,27 +154,17 @@ check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
error. TODO: change the default to require this error. TODO: change the default to require this
after more keys have backsigs. */ after more keys have backsigs. */
if(opt.flags.require_cross_cert) if(opt.flags.require_cross_cert)
rc = GPG_ERR_GENERAL; rc = gpg_error (GPG_ERR_GENERAL);
} }
else if(pk->flags.backsig == 1) else if(pk->flags.backsig == 1)
{ {
log_info(_("WARNING: signing subkey %s has an invalid" log_info(_("WARNING: signing subkey %s has an invalid"
" cross-certification\n"),keystr_from_pk(pk)); " cross-certification\n"),keystr_from_pk(pk));
rc = GPG_ERR_GENERAL; rc = gpg_error (GPG_ERR_GENERAL);
} }
} }
} }
if (pk_internal || rc)
{
release_public_key_parts (pk);
if (pk_internal)
xfree (pk);
else
/* Be very sure that the caller doesn't try to use *PK. */
memset (pk, 0, sizeof (*pk));
}
if( !rc && sig->sig_class < 2 && is_status_enabled() ) { if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
/* This signature id works best with DLP algorithms because /* This signature id works best with DLP algorithms because
* they use a random parameter for every signature. Instead of * they use a random parameter for every signature. Instead of
@ -235,6 +231,14 @@ check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
xfree (buffer); xfree (buffer);
} }
if (r_pk)
*r_pk = pk;
else
{
release_public_key_parts (pk);
xfree (pk);
}
return rc; return rc;
} }