* sig-check.c (check_revocation_keys): Comments.

* getkey.c (merge_selfsigs_main): Don't bother to check designated revoker sigs if the key is already revoked. * packet.h, getkey.c (merge_selfsigs_main): New "maybe_revoked" flag on PKs. It is set when there is a revocation signature from a valid revocation key, but the revocation key is not present to verify the signature. * pkclist.c (check_signatures_trust): Use it here to give a warning when showing key trust. * compress-bz2.c: Include stdio.h. Solaris 9 has a very old bzip2 library and we can at least guarantee that it won't fail because of the lack of stdio.h.
2025-02-01 16:33:02 +01:00 · 2003-12-29 03:40:21 +00:00 · 2003-12-29 03:40:21 +00:00 · 727171a6c1
commit 727171a6c1
parent f77e485241
6 changed files with 59 additions and 20 deletions
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,3 +1,22 @@
+2003-12-28  David Shaw  <dshaw@jabberwocky.com>
+
+	* sig-check.c (check_revocation_keys): Comments.
+
+	* getkey.c (merge_selfsigs_main): Don't bother to check designated
+	revoker sigs if the key is already revoked.
+
+	* packet.h, getkey.c (merge_selfsigs_main): New "maybe_revoked"
+	flag on PKs.  It is set when there is a revocation signature from
+	a valid revocation key, but the revocation key is not present to
+	verify the signature.
+
+	* pkclist.c (check_signatures_trust): Use it here to give a
+	warning when showing key trust.
+	
+	* compress-bz2.c: Include stdio.h.  Solaris 9 has a very old bzip2
+	library and we can at least guarantee that it won't fail because
+	of the lack of stdio.h.
+
 2003-12-23  Werner Koch  <wk@gnupg.org>

 	* tdbio.c: Fixed format string bugs related to the sue of
--- a/g10/compress-bz2.c
+++ b/g10/compress-bz2.c
@ -20,6 +20,7 @@

 #include <config.h>
 #include <string.h>
+#include <stdio.h> /* Early versions of bzlib (1.0) require stdio.h */
 #include <bzlib.h>

 #include "util.h"
--- a/g10/getkey.c
+++ b/g10/getkey.c
@ -1506,9 +1506,9 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked )
    /* pass 1.5: look for key revocation signatures that were not made
       by the key (i.e. did a revocation key issue a revocation for
       us?).  Only bother to do this if there is a revocation key in
-       the first place. */
+       the first place and we're not revoked already. */

-    if(pk->revkey)
+    if(!*r_revoked && pk->revkey)
      for(k=keyblock; k && k->pkt->pkttype != PKT_USER_ID; k = k->next )
 	{
 	  if ( k->pkt->pkttype == PKT_SIGNATURE )
@ -1518,15 +1518,25 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked )
 	      if(IS_KEY_REV(sig) &&
 		 (sig->keyid[0]!=kid[0] || sig->keyid[1]!=kid[1]))
 		{ 
-		  /* Failure here means the sig did not verify, is was
-		     not issued by a revocation key, or a revocation
-		     key loop was broken. */
-
-		  if(check_revocation_keys(pk,sig)==0)
+		  int rc=check_revocation_keys(pk,sig);
+		  if(rc==0)
+		    {
 		      *r_revoked=1;
+		      /* don't continue checking since we can't be any
+			 more revoked than this */
+		      break;
+		    }
+		  else if(rc==G10ERR_NO_PUBKEY)
+		    pk->maybe_revoked=1;

-		  /* In the future handle subkey and cert revocations?
-                     PGP doesn't, but it's in 2440. */
+		  /* A failure here means the sig did not verify, was
+		     not issued by a revocation key, or a revocation
+		     key loop was broken.  If a revocation key isn't
+		     findable, however, the key might be revoked and
+		     we don't know it. */
+
+		  /* TODO: In the future handle subkey and cert
+                     revocations?  PGP doesn't, but it's in 2440. */
 		}
 	    }
 	}
--- a/g10/packet.h
+++ b/g10/packet.h
@ -1,5 +1,6 @@
 /* packet.h - packet definitions
- * Copyright (C) 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002,
+ *               2003 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -199,6 +200,8 @@ typedef struct {
    byte    req_algo;       /* Ditto */
    u32     has_expired;    /* set to the expiration date if expired */ 
    int     is_revoked;     /* key has been revoked */
+    int     maybe_revoked;  /* a designated revocation is present, but
+			       without the key to check it */
    int     is_valid;       /* key (especially subkey) is valid */
    int     dont_cache;     /* do not cache this */
    ulong   local_id;	    /* internal use, valid if > 0 */
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@ -588,7 +588,7 @@ check_signatures_trust( PKT_signature *sig )
      goto leave;
    }

-  if ( opt.always_trust)
+  if ( opt.always_trust )
    {
      if( !opt.quiet )
        log_info(_("WARNING: Using untrusted key!\n"));
@ -597,6 +597,10 @@ check_signatures_trust( PKT_signature *sig )
      goto leave;
    }

+  if(pk->maybe_revoked && !pk->is_revoked)
+    log_info(_("WARNING: this key might be revoked (revocation key"
+	       " not present)\n"));
+
  trustlevel = get_validity (pk, NULL);

  if ( (trustlevel & TRUST_FLAG_REVOKED) ) 
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@ -1,6 +1,6 @@
 /* sig-check.c -  Check a signature
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
- *               Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002,
+ *               200 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -406,20 +406,22 @@ cache_sig_result ( PKT_signature *sig, int result )
    }
 }

-
 /* Check the revocation keys to see if any of them have revoked our
   pk.  sig is the revocation sig.  pk is the key it is on.  This code
   will need to be modified if gpg ever becomes multi-threaded.  Note
   that this guarantees that a designated revocation sig will never be
   considered valid unless it is actually valid, as well as being
-   issued by a revocation key in a valid direct signature.  Note that
-   this is written so that a revoked revoker can still issue
+   issued by a revocation key in a valid direct signature.  Note also
+   that this is written so that a revoked revoker can still issue
   revocations: i.e. If A revokes B, but A is revoked, B is still
   revoked.  I'm not completely convinced this is the proper behavior,
   but it matches how PGP does it. -dms */

 /* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
-   revoked */
+   revoked.  It is important that G10ERR_NO_PUBKEY is only returned
+   when a revocation signature is from a valid revocation key
+   designated in a revkey subpacket, but the revocation key itself
+   isn't present. */
 int
 check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
 {
@ -431,9 +433,9 @@ check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)

  if(busy)
    {
-      /* return -1 (i.e. not revoked), but mark the pk as uncacheable
-         as we don't really know its revocation status until it is
-         checked directly. */
+      /* return an error (i.e. not revoked), but mark the pk as
+         uncacheable as we don't really know its revocation status
+         until it is checked directly. */

      pk->dont_cache=1;
      return rc;