Flush keyserver search output.

Add trustdb chnages from 1.4. Check algo usage for batch key generation.
2025-07-03 22:56:33 +02:00 · 2008-12-09 10:46:29 +00:00 · 2008-12-09 10:46:29 +00:00 · 9874c62a10
commit 9874c62a10
parent 382d2f8efb
4 changed files with 119 additions and 57 deletions
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@ -1,6 +1,6 @@
 /* trustdb.c
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
- *               2007 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+ *               2008 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -1935,54 +1935,78 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
             did not exist.  This is safe for non-trust sigs as well
             since we don't accept a regexp on the sig unless it's a
             trust sig. */
-          if (kr && (kr->trust_regexp==NULL || opt.trust_model!=TM_PGP ||
-		     (uidnode && check_regexp(kr->trust_regexp,
-					    uidnode->pkt->pkt.user_id->name))))
+          if (kr && (!kr->trust_regexp 
+                     || opt.trust_model != TM_PGP 
+                     || (uidnode 
+                         && check_regexp(kr->trust_regexp,
+                                         uidnode->pkt->pkt.user_id->name))))
            {
-	      if(DBG_TRUST && opt.trust_model==TM_PGP && sig->trust_depth)
-		log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n",
-			  uidnode->pkt->pkt.user_id->name,sig->trust_depth,
-			  kr->trust_depth);
-
 	      /* Are we part of a trust sig chain?  We always favor
                 the latest trust sig, rather than the greater or
                 lesser trust sig or value.  I could make a decent
                 argument for any of these cases, but this seems to be
                 what PGP does, and I'd like to be compatible. -dms */
-	      if(opt.trust_model==TM_PGP && sig->trust_depth
-		 && pk->trust_timestamp<=sig->timestamp
-		 && (sig->trust_depth<=kr->trust_depth
-		     || kr->ownertrust==TRUST_ULTIMATE))
+              if (opt.trust_model == TM_PGP
+                  && sig->trust_depth
+                  && pk->trust_timestamp <= sig->timestamp)
 		{
-		  /* If we got here, we know that:
+		  unsigned char depth;

-		     this is a trust sig.
+		  /* If the depth on the signature is less than the
+		     chain currently has, then use the signature depth
+		     so we don't increase the depth beyond what the
+		     signer wanted.  If the depth on the signature is
+		     more than the chain currently has, then use the
+		     chain depth so we use as much of the signature
+		     depth as the chain will permit.  An ultimately
+		     trusted signature can restart the depth to
+		     whatever level it likes. */

-		     it's a newer trust sig than any previous trust
-		     sig on this key (not uid).
+		  if (sig->trust_depth < kr->trust_depth
+                      || kr->ownertrust == TRUST_ULTIMATE)
+		    depth = sig->trust_depth;
+		  else
+		    depth = kr->trust_depth;

-		     it is legal in that it was either generated by an
-		     ultimate key, or a key that was part of a trust
-		     chain, and the depth does not violate the
-		     original trust sig.
+		  if (depth)
+		    {
+		      if(DBG_TRUST)
+			log_debug ("trust sig on %s, sig depth is %d,"
+                                   " kr depth is %d\n",
+                                   uidnode->pkt->pkt.user_id->name,
+                                   sig->trust_depth,
+                                   kr->trust_depth);

-		     if there is a regexp attached, it matched
-		     successfully.
-		  */
+		      /* If we got here, we know that:

-		  if(DBG_TRUST)
-		    log_debug("replacing trust value %d with %d and "
-			      "depth %d with %d\n",
-			      pk->trust_value,sig->trust_value,
-			      pk->trust_depth,sig->trust_depth);
+			 this is a trust sig.

-		  pk->trust_value=sig->trust_value;
-		  pk->trust_depth=sig->trust_depth-1;
+			 it's a newer trust sig than any previous trust
+			 sig on this key (not uid).

-		  /* If the trust sig contains a regexp, record it
-		     on the pk for the next round. */
-		  if(sig->trust_regexp)
-		    pk->trust_regexp=sig->trust_regexp;
+			 it is legal in that it was either generated by an
+			 ultimate key, or a key that was part of a trust
+			 chain, and the depth does not violate the
+			 original trust sig.
+
+			 if there is a regexp attached, it matched
+			 successfully.
+		      */
+
+		      if (DBG_TRUST)
+			log_debug ("replacing trust value %d with %d and "
+                                   "depth %d with %d\n",
+                                   pk->trust_value,sig->trust_value,
+                                   pk->trust_depth,depth);
+
+		      pk->trust_value = sig->trust_value;
+		      pk->trust_depth = depth-1;
+                      
+		      /* If the trust sig contains a regexp, record it
+			 on the pk for the next round. */
+		      if (sig->trust_regexp)
+			pk->trust_regexp = sig->trust_regexp;
+		    }
 		}

              if (kr->ownertrust == TRUST_ULTIMATE)