diff --git a/g10/ChangeLog b/g10/ChangeLog index 44ef547a3..afd02c926 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,22 @@ +2003-12-28 David Shaw + + * sig-check.c (check_revocation_keys): Comments. + + * getkey.c (merge_selfsigs_main): Don't bother to check designated + revoker sigs if the key is already revoked. + + * packet.h, getkey.c (merge_selfsigs_main): New "maybe_revoked" + flag on PKs. It is set when there is a revocation signature from + a valid revocation key, but the revocation key is not present to + verify the signature. + + * pkclist.c (check_signatures_trust): Use it here to give a + warning when showing key trust. + + * compress-bz2.c: Include stdio.h. Solaris 9 has a very old bzip2 + library and we can at least guarantee that it won't fail because + of the lack of stdio.h. + 2003-12-23 Werner Koch * tdbio.c: Fixed format string bugs related to the sue of diff --git a/g10/compress-bz2.c b/g10/compress-bz2.c index 1f2212878..9c9f4dcbd 100644 --- a/g10/compress-bz2.c +++ b/g10/compress-bz2.c @@ -20,6 +20,7 @@ #include #include +#include /* Early versions of bzlib (1.0) require stdio.h */ #include #include "util.h" diff --git a/g10/getkey.c b/g10/getkey.c index cfa65af3f..a1d0c515a 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1506,9 +1506,9 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked ) /* pass 1.5: look for key revocation signatures that were not made by the key (i.e. did a revocation key issue a revocation for us?). Only bother to do this if there is a revocation key in - the first place. */ + the first place and we're not revoked already. */ - if(pk->revkey) + if(!*r_revoked && pk->revkey) for(k=keyblock; k && k->pkt->pkttype != PKT_USER_ID; k = k->next ) { if ( k->pkt->pkttype == PKT_SIGNATURE ) 
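Review bot: The new guard `if(!*r_revoked && pk->revkey)` makes pass 1.5 depend on `*r_revoked` already reflecting the key's own self-revocation from an earlier pass, and that pass, like the start of merge_selfsigs_main, lies outside this hunk, so nothing visible here shows the pointee is initialised before it is read. A one-line comment would make the ordering dependency explicit: `/* *r_revoked was set by the self-sig pass above; an already revoked key cannot become more revoked */`. A consequence worth stating in that comment is that an already-revoked key never has its designated-revoker signatures examined, so `maybe_revoked` is never set for it, which is consistent with the pkclist warning in this same commit being gated on `!pk->is_revoked`.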
@@ -1518,15 +1518,25 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked ) if(IS_KEY_REV(sig) && (sig->keyid[0]!=kid[0] || sig->keyid[1]!=kid[1])) { - /* Failure here means the sig did not verify, is was + int rc=check_revocation_keys(pk,sig); + if(rc==0) + { + *r_revoked=1; + /* don't continue checking since we can't be any + more revoked than this */ + break; + } + else if(rc==G10ERR_NO_PUBKEY) + pk->maybe_revoked=1; + + /* A failure here means the sig did not verify, was not issued by a revocation key, or a revocation - key loop was broken. */ + key loop was broken. If a revocation key isn't + findable, however, the key might be revoked and + we don't know it. */ - if(check_revocation_keys(pk,sig)==0) - *r_revoked=1; - - /* In the future handle subkey and cert revocations? - PGP doesn't, but it's in 2440. */ + /* TODO: In the future handle subkey and cert + revocations? PGP doesn't, but it's in 2440. */ } } } diff --git a/g10/packet.h b/g10/packet.h index 12319fdb4..7c6a27222 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -1,5 +1,6 @@ /* packet.h - packet definitions - * Copyright (C) 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, + * 2003 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -199,6 +200,8 @@ typedef struct { byte req_algo; /* Ditto */ u32 has_expired; /* set to the expiration date if expired */ int is_revoked; /* key has been revoked */ + int maybe_revoked; /* a designated revocation is present, but + without the key to check it */ int is_valid; /* key (especially subkey) is valid */ int dont_cache; /* do not cache this */ ulong local_id; /* internal use, valid if > 0 */ diff --git a/g10/pkclist.c b/g10/pkclist.c index 878695da7..96a373bb0 100644 --- a/g10/pkclist.c +++ b/g10/pkclist.c 
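Review bot: Setting `pk->maybe_revoked=1` on `rc==G10ERR_NO_PUBKEY` makes the new warning only as reliable as check_revocation_keys's promise to return that code solely for a signature from a designated revoker whose key is absent; the re-entrancy early return in sig-check.c hands back an `rc` whose initial value is not visible in this diff, so if that value were ever G10ERR_NO_PUBKEY, a key examined while its revoker is itself being checked would be flagged as possibly revoked. The flag is sticky within the loop, since a later revocation signature that fails for an unrelated reason never clears it, which is the safe direction but deserves a comment on the `else if` branch: `/* sticky: a later bad revocation sig must not clear maybe_revoked */`. The flag is advisory only: `*r_revoked` is never derived from it, so a key whose designated revoker cannot be found stays usable and the warning in check_signatures_trust is the only place it surfaces in this diff. merge_selfsigs_main starts before this hunk.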
@@ -588,7 +588,7 @@ check_signatures_trust( PKT_signature *sig ) goto leave; } - if ( opt.always_trust) + if ( opt.always_trust ) { if( !opt.quiet ) log_info(_("WARNING: Using untrusted key!\n")); @@ -597,6 +597,10 @@ check_signatures_trust( PKT_signature *sig ) goto leave; } + if(pk->maybe_revoked && !pk->is_revoked) + log_info(_("WARNING: this key might be revoked (revocation key" + " not present)\n")); + trustlevel = get_validity (pk, NULL); if ( (trustlevel & TRUST_FLAG_REVOKED) ) diff --git a/g10/sig-check.c b/g10/sig-check.c index 05ebd85f7..1f05a6196 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -1,6 +1,6 @@ /* sig-check.c - Check a signature - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 - * Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, + * 200 Free Software Foundation, Inc. * * This file is part of GnuPG. * 
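Review bot: The new `maybe_revoked` warning sits after the `opt.always_trust` block, which ends in `goto leave;`, so a user running with --always-trust never learns that the key may have been revoked by its designated revoker; that is a different condition from the key merely being untrusted and should not be silenced by that option. Moving the three added lines above `if ( opt.always_trust )` keeps the warning on every path through the function. The neighbouring "Using untrusted key!" message is gated on `if( !opt.quiet )` while the new one is not; that asymmetry is defensible for a revocation warning but is worth a short comment so it is not "fixed" later. check_signatures_trust begins before this hunk.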
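Review bot: The rewrapped copyright line on the new side of the sig-check.c header reads `* 200 Free Software Foundation, Inc.`, dropping the last digit of the 2003 that the removed line carried. The packet.h header in this same commit is wrapped the same way and keeps the year, so this looks like an accidental truncation; the line should read `* 2003 Free Software Foundation, Inc.`.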
@@ -406,20 +406,22 @@ cache_sig_result ( PKT_signature *sig, int result ) } } - /* Check the revocation keys to see if any of them have revoked our pk. sig is the revocation sig. pk is the key it is on. This code will need to be modified if gpg ever becomes multi-threaded. Note that this guarantees that a designated revocation sig will never be considered valid unless it is actually valid, as well as being - issued by a revocation key in a valid direct signature. Note that - this is written so that a revoked revoker can still issue + issued by a revocation key in a valid direct signature. Note also + that this is written so that a revoked revoker can still issue revocations: i.e. If A revokes B, but A is revoked, B is still revoked. I'm not completely convinced this is the proper behavior, but it matches how PGP does it. -dms */ /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not - revoked */ + revoked. It is important that G10ERR_NO_PUBKEY is only returned + when a revocation signature is from a valid revocation key + designated in a revkey subpacket, but the revocation key itself + isn't present. */ int check_revocation_keys(PKT_public_key *pk,PKT_signature *sig) { @@ -431,9 +433,9 @@ check_revocation_keys(PKT_public_key *pk,PKT_signature *sig) if(busy) { - /* return -1 (i.e. not revoked), but mark the pk as uncacheable - as we don't really know its revocation status until it is - checked directly. */ + /* return an error (i.e. not revoked), but mark the pk as + uncacheable as we don't really know its revocation status + until it is checked directly. */ pk->dont_cache=1; return rc;
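Review bot: The rewritten comment on the `busy` early return says only that it returns "an error (i.e. not revoked)", but the contract added just above makes G10ERR_NO_PUBKEY mean "valid designated revoker, key absent", and the caller in getkey.c turns that code into `maybe_revoked`; since the initial value of `rc` is assigned outside this hunk, the comment should state that this path never returns G10ERR_NO_PUBKEY so that invariant is not broken by a later edit. Suggested wording: `/* return a generic error (never G10ERR_NO_PUBKEY, which the caller reads as "maybe revoked") ... */`, keeping the rest of the existing sentence about dont_cache. A related question is whether the path that yields G10ERR_NO_PUBKEY also sets `pk->dont_cache`; if it does not, a cached pk may keep `maybe_revoked` after the revoker key is imported until the cache is refreshed, which is worth confirming since that part of check_revocation_keys lies beyond the hunk.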