author | Werner Koch <wk@gnupg.org> | 2014-10-31 10:29:02 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2014-10-31 10:31:11 +0100 |
commit | 28ae8ad70b3b802e67344468a4765eee6e291c68 (patch) | |
tree | 4869d784c19ceab0c5354bc39a2d4f75bb073751 /g10/keyring.c | |
parent | gpg: Fix testing for secret key availability. (diff) | |
gpg: Fix --rebuild-keydb-caches.
* g10/parse-packet.c (parse_key): Store even unsupported packet
versions.
* g10/keyring.c (keyring_rebuild_cache): Do not copy keys with
versions less than 4.
--
That function, which is implicitly called while checking the keydb, led
to corruption of v3 key packets in the keyring which would later spit
out "packet(6)too short" messages.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'g10/keyring.c')
-rw-r--r-- | g10/keyring.c | 65 |
1 files changed, 38 insertions, 27 deletions
diff --git a/g10/keyring.c b/g10/keyring.c
index 6f75b6a78..a1936b3e0 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -1409,40 +1409,51 @@ keyring_rebuild_cache (void *token,int noisy)
 goto leave;
 }
- /* check all signature to set the signature's cache flags */
- for (node=keyblock; node; node=node->next)
+ if (keyblock->pkt->pkt.public_key->version < 4)
 {
- /* Note that this doesn't cache the result of a revocation
- issued by a designated revoker. This is because the pk
- in question does not carry the revkeys as we haven't
- merged the key and selfsigs. It is questionable whether
- this matters very much since there are very very few
- designated revoker revocation packets out there. */
-
- if (node->pkt->pkttype == PKT_SIGNATURE)
+ /* We do not copy/cache v3 keys or any other unknown
+ packets. It is better to remove them from the keyring.
+ The code required to keep them in the keyring would be
+ too complicated. Given that we do not touch the old
+ secring.gpg a suitable backup for decryption of v3 stuff
+ using an older gpg version will always be available. */
+ }
+ else
+ {
+ /* Check all signature to set the signature's cache flags. */
+ for (node=keyblock; node; node=node->next)
 {
- PKT_signature *sig=node->pkt->pkt.signature;
+ /* Note that this doesn't cache the result of a
+ revocation issued by a designated revoker. This is
+ because the pk in question does not carry the revkeys
+ as we haven't merged the key and selfsigs. It is
+ questionable whether this matters very much since
+ there are very very few designated revoker revocation
+ packets out there. */
+ if (node->pkt->pkttype == PKT_SIGNATURE)
+ {
+ PKT_signature *sig=node->pkt->pkt.signature;
- if(!opt.no_sig_cache && sig->flags.checked && sig->flags.valid
- && (openpgp_md_test_algo(sig->digest_algo)
- || openpgp_pk_test_algo(sig->pubkey_algo)))
- sig->flags.checked=sig->flags.valid=0;
- else
- check_key_signature (keyblock, node, NULL);
+ if(!opt.no_sig_cache && sig->flags.checked && sig->flags.valid
+ && (openpgp_md_test_algo(sig->digest_algo)
+ || openpgp_pk_test_algo(sig->pubkey_algo)))
+ sig->flags.checked=sig->flags.valid=0;
+ else
+ check_key_signature (keyblock, node, NULL);
- sigcount++;
+ sigcount++;
+ }
 }
- }
- /* write the keyblock to the temporary file */
- rc = write_keyblock (tmpfp, keyblock);
- if (rc)
- goto leave;
-
- if ( !(++count % 50) && noisy && !opt.quiet)
- log_info(_("%lu keys cached so far (%lu signatures)\n"),
- count, sigcount );
+ /* Write the keyblock to the temporary file. */
+ rc = write_keyblock (tmpfp, keyblock);
+ if (rc)
+ goto leave;
+ if ( !(++count % 50) && noisy && !opt.quiet)
+ log_info(_("%lu keys cached so far (%lu signatures)\n"),
+ count, sigcount );
+ }
 } /* end main loop */
 if (rc == -1)
 rc = 0; |
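Review bot: The new `version < 4` branch drops the whole keyblock from the rewritten keyring without any message, even when `noisy` is set, so a cache rebuild — which the commit message says can be triggered implicitly — now silently deletes v3 public keys; I would add inside that branch `if (noisy) log_info ("dropping keyblock with obsolete v%d key from keyring\n", keyblock->pkt->pkt.public_key->version);` so the loss is at least visible in the log. The new comment's claim that secring.gpg provides "a suitable backup" covers only secret material used for decryption; the public v3 keys needed to verify old signatures are not preserved anywhere by this code, so the comment should state that those are lost rather than that a backup "will always be available". The branch also reads `keyblock->pkt->pkt.public_key` through the packet union, which is only safe if the first packet's pkttype was already verified to be PKT_PUBLIC_KEY — the `goto leave; }` context suggests such a check precedes the hunk, but it cannot be confirmed from here. The body of keyring_rebuild_cache starts before this hunk.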