security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

Flush keyserver search output.

Browse Source 
Add trustdb chnages from 1.4.
Check algo usage for batch key generation.
This commit is contained in:
Werner Koch 2008-12-09 10:46:29 +00:00
parent 382d2f8efb
commit 9874c62a10
4 changed files with 119 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
g10/ChangeLog
View File

@ -1,5 +1,19 @@
2008-12-09 Werner Koch <wk@g10code.com>
* keygen.c (proc_parameter_file): Check that key and subkey usages
are allowed.
2008-12-09 David Shaw <dshaw@jabberwocky.com> (wk)
* trustdb.c (validate_one_keyblock): Fix the trust signature
calculations so that we lower the trust depth of signatures to fit
within the current chain, rather than discarding any signature
that does not fit within the trust depth.
2008-12-09 Werner Koch <wk@g10code.com>
* keyserver.c (show_prompt): Flush stdout.
* gpg.c (open_info_file): Add arg BINARY and adjust callers.
* gpg.c (main): Call i18n_init before init_common_subsystems.

28
g10/keygen.c
View File

@ -2287,7 +2287,8 @@ get_parameter_algo( struct para_data_s *para, enum para_name key )
}
/*
* parse the usage parameter and set the keyflags. Return true on error.
* Parse the usage parameter and set the keyflags. Returns -1 on
* error, 0 for no usage given or 1 for usage available.
*/
static int
parse_parameter_usage (const char *fname,
@ -2446,7 +2447,7 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
}
err = parse_parameter_usage (fname, para, pKEYUSAGE);
if(err==0)
if (!err)
{
/* Default to algo capabilities if key-usage is not provided */
r = xmalloc_clear(sizeof(*r));
@ -2457,6 +2458,16 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
}
else if (err == -1)
return -1;
else
{
r = get_parameter (para, pKEYUSAGE);
if (r && (r->u.usage & ~openpgp_pk_algo_usage (algo)))
{
log_error ("%s:%d: specified Key-Usage not allowed for algo %d\n",
fname, r->lnr, algo);
return -1;
}
}
r = get_parameter( para, pSUBKEYTYPE );
if(r)
@ -2469,7 +2480,7 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
}
err = parse_parameter_usage (fname, para, pSUBKEYUSAGE);
if(err==0)
if (!err)
{
/* Default to algo capabilities if subkey-usage is not
provided */
@ -2481,7 +2492,18 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
}
else if (err == -1)
return -1;
else
{
r = get_parameter (para, pSUBKEYUSAGE);
if (r && (r->u.usage & ~openpgp_pk_algo_usage (algo)))
{
log_error ("%s:%d: specified Subkey-Usage not allowed"
" for algo %d\n", fname, r->lnr, algo);
return -1;
}
}
}
if( get_parameter_value( para, pUSERID ) )
have_user_id=1;

2
g10/keyserver.c
View File

@ -731,6 +731,8 @@ show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
{
char *answer;
fflush (stdout);
if(count && opt.command_fd==-1)
{
static int from=1;

54
g10/trustdb.c
View File

@ -1,6 +1,6 @@
/* trustdb.c
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
* 2007 Free Software Foundation, Inc.
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
* 2008 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@ -1935,25 +1935,48 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
did not exist. This is safe for non-trust sigs as well
since we don't accept a regexp on the sig unless it's a
trust sig. */
if (kr && (kr->trust_regexp==NULL || opt.trust_model!=TM_PGP ||
(uidnode && check_regexp(kr->trust_regexp,
if (kr && (!kr->trust_regexp
|| opt.trust_model != TM_PGP
|| (uidnode
&& check_regexp(kr->trust_regexp,
uidnode->pkt->pkt.user_id->name))))
{
if(DBG_TRUST && opt.trust_model==TM_PGP && sig->trust_depth)
log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n",
uidnode->pkt->pkt.user_id->name,sig->trust_depth,
kr->trust_depth);
/* Are we part of a trust sig chain? We always favor
the latest trust sig, rather than the greater or
lesser trust sig or value. I could make a decent
argument for any of these cases, but this seems to be
what PGP does, and I'd like to be compatible. -dms */
if(opt.trust_model==TM_PGP && sig->trust_depth
&& pk->trust_timestamp<=sig->timestamp
&& (sig->trust_depth<=kr->trust_depth
|| kr->ownertrust==TRUST_ULTIMATE))
if (opt.trust_model == TM_PGP
&& sig->trust_depth
&& pk->trust_timestamp <= sig->timestamp)
{
unsigned char depth;
/* If the depth on the signature is less than the
chain currently has, then use the signature depth
so we don't increase the depth beyond what the
signer wanted. If the depth on the signature is
more than the chain currently has, then use the
chain depth so we use as much of the signature
depth as the chain will permit. An ultimately
trusted signature can restart the depth to
whatever level it likes. */
if (sig->trust_depth < kr->trust_depth
|| kr->ownertrust == TRUST_ULTIMATE)
depth = sig->trust_depth;
else
depth = kr->trust_depth;
if (depth)
{
if(DBG_TRUST)
log_debug ("trust sig on %s, sig depth is %d,"
" kr depth is %d\n",
uidnode->pkt->pkt.user_id->name,
sig->trust_depth,
kr->trust_depth);
/* If we got here, we know that:
this is a trust sig.
@ -1974,16 +1997,17 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
log_debug ("replacing trust value %d with %d and "
"depth %d with %d\n",
pk->trust_value,sig->trust_value,
pk->trust_depth,sig->trust_depth);
pk->trust_depth,depth);
pk->trust_value = sig->trust_value;
pk->trust_depth=sig->trust_depth-1;
pk->trust_depth = depth-1;
/* If the trust sig contains a regexp, record it
on the pk for the next round. */
if (sig->trust_regexp)
pk->trust_regexp = sig->trust_regexp;
}
}
if (kr->ownertrust == TRUST_ULTIMATE)
uid->help_full_count = opt.completes_needed;