Verify created signatures.

11 files changed, 73 insertions, 8 deletions

diff --git a/TODO b/TODO
index c29e13b9b..c970ce2d5 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,7 @@
 
+  * Check that no secret temporary results are stored in the result parameter
+    of the mpi functions.  We have already done this for mpi-mul.c 
+
   * Dlopen does not yet work under W32.
 
   * check whether we can remove all the expire stuff in trustdb because this
@@ -42,6 +45,8 @@
 
   * Add an is_valid flag to each user ID.
 
+  * Make --pipemode work.
+
 Scheduled for 1.1
 -----------------
   * David C Niemi pointed out that the code for --no-default-keyring does not
diff --git a/doc/ChangeLog b/doc/ChangeLog
index b121f95d3..f54d5df23 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2001-03-23  Werner Koch  <[email protected]>
+
+	* DETAILS: New status UNEXPECTED.
+
 2001-03-13  Werner Koch  <[email protected]>
 
 	* gpg.sgml: Described --fixed-list-mode.
diff --git a/doc/DETAILS b/doc/DETAILS
index 902faf94c..45a677410 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -119,6 +119,11 @@ more arguments in future versions.
 	    3 - Invalid packet found, this may indicate a non OpenPGP message.
 	You may see more than one of these status lines.
 
+    UNEXPECTED <what>
+        Unexpected data has been encountered
+            0 - not further specified               1       
+  
+
     TRUST_UNDEFINED
     TRUST_NEVER
     TRUST_MARGINAL
diff --git a/g10/ChangeLog b/g10/ChangeLog
index dd94799ce..adaabc9b9 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,12 @@
+2001-03-24  Werner Koch  <[email protected]>
+
+	* sign.c (do_sign): Verify the signature right after creation.
+
+2001-03-23  Werner Koch  <[email protected]>
+
+	* status.c, status.h (STATUS_UNEXPECTED): New.
+	* mainproc.c (do_proc_packets): And emit it here.
+
 2001-03-21  Werner Koch  <[email protected]>
 
 	* status.c: Add sys/types.h so that it runs on Ultrix.  Reported
diff --git a/g10/mainproc.c b/g10/mainproc.c
index c307b2702..40d6258b1 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1067,6 +1067,7 @@ do_proc_packets( CTX c, IOBUF a )
 	      case PKT_PUBKEY_ENC:
 	      case PKT_ENCRYPTED:
 	      case PKT_ENCRYPTED_MDC:
+                write_status_text( STATUS_UNEXPECTED, "0" );
 		rc = G10ERR_UNEXPECTED;
 		goto leave;
 	      case PKT_SIGNATURE:   newpkt = add_signature( c, pkt ); break;
@@ -1082,6 +1083,7 @@ do_proc_packets( CTX c, IOBUF a )
 	      case PKT_PUBLIC_KEY:
 	      case PKT_SECRET_KEY:
 	      case PKT_USER_ID:
+                write_status_text( STATUS_UNEXPECTED, "0" );
 		rc = G10ERR_UNEXPECTED;
 		goto leave;
 	      case PKT_SIGNATURE:   newpkt = add_signature( c, pkt ); break;
diff --git a/g10/pipemode.c b/g10/pipemode.c
index e2a318e29..54e461f46 100644
--- a/g10/pipemode.c
+++ b/g10/pipemode.c
@@ -108,7 +108,7 @@ pipemode_filter( void *opaque, int control,
             /* FIXME: we have to make sure that we have a large enough
              * buffer for a control packet even after we already read 
              * something. The easest way to do this is probably by ungetting
-             * the control sequenceand and returning the buffer we have
+             * the control sequence and returning the buffer we have
              * already assembled */
             int c = iobuf_get (a);
             if (c == -1) {
diff --git a/g10/sign.c b/g10/sign.c
index 6b603ebf7..4388a56a2 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -132,6 +132,27 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
 			     digest_algo, mpi_get_nbits(sk->skey[0]), 0 );
     rc = pubkey_sign( sk->pubkey_algo, sig->data, frame, sk->skey );
     mpi_free(frame);
+    if (!rc) {
+        /* check that the signature verification worked and nothing is
+         * fooling us e.g. by a bug in the signature create
+         * code or by deliberately introduced faults. */
+        PKT_public_key *pk = m_alloc_clear (sizeof *pk);
+
+        if( get_pubkey( pk, sig->keyid ) )
+            rc = G10ERR_NO_PUBKEY;
+        else {
+            frame = encode_md_value (pk->pubkey_algo, md,
+                                     sig->digest_algo,
+                                     mpi_get_nbits(pk->pkey[0]), 0);
+            rc = pubkey_verify (pk->pubkey_algo, frame, sig->data, pk->pkey,
+                                NULL, NULL );
+            mpi_free (frame);
+        }
+        if (rc)
+            log_error (_("checking created signature failed: %s\n"),
+                         g10_errstr (rc));
+        free_public_key (pk);
+    }
     if( rc )
 	log_error(_("signing failed: %s\n"), g10_errstr(rc) );
     else {
@@ -154,10 +175,6 @@ complete_sig( PKT_signature *sig, PKT_secret_key *sk, MD_HANDLE md )
 
     if( !(rc=check_secret_key( sk, 0 )) )
 	rc = do_sign( sk, sig, md, 0 );
-
-    /* fixme: should we check whether the signature is okay?
-     * maybe by using an option */
-
     return rc;
 }
 
diff --git a/g10/status.c b/g10/status.c
index 44b858761..5bbdb19b8 100644
--- a/g10/status.c
+++ b/g10/status.c
@@ -139,6 +139,7 @@ get_status_string ( int no )
       case STATUS_END_STREAM     : s = "END_STREAM"; break;
       case STATUS_KEY_CREATED    : s = "KEY_CREATED"; break;
       case STATUS_USERID_HINT    : s = "USERID_HINT"; break;
+      case STATUS_UNEXPECTED     : s = "UNEXPECTED"; break;
       default: s = "?"; break;
     }
     return s;
diff --git a/g10/status.h b/g10/status.h
index 0da063ff1..51a39f0a7 100644
--- a/g10/status.h
+++ b/g10/status.h
@@ -89,7 +89,7 @@
 #define STATUS_END_STREAM       57
 #define STATUS_KEY_CREATED      58
 #define STATUS_USERID_HINT      59
-
+#define STATUS_UNEXPECTED       60
 
 /*-- status.c --*/
 void set_status_fd ( int fd );
diff --git a/mpi/ChangeLog b/mpi/ChangeLog
index b867f0252..a69de0cff 100644
--- a/mpi/ChangeLog
+++ b/mpi/ChangeLog
@@ -1,3 +1,8 @@
+2001-03-24  Werner Koch  <[email protected]>
+
+	* mpi-mul.c (mpi_mul): Make sure that secret temporary results are
+	not stored in w.  Suggested by Florian Weimer.
+
 2001-03-18  Werner Koch  <[email protected]>
 
 	* config.links (mpi_sflags): Use i386 code for i386.  According to
diff --git a/mpi/mpi-mul.c b/mpi/mpi-mul.c
index df8eb2586..e19ef5c6d 100644
--- a/mpi/mpi-mul.c
+++ b/mpi/mpi-mul.c
@@ -120,6 +120,7 @@ mpi_mul( MPI w, MPI u, MPI v)
     int assign_wp=0;
     mpi_ptr_t tmp_limb=NULL;
 
+
     if( u->nlimbs < v->nlimbs ) { /* Swap U and V. */
 	usize = v->nlimbs;
 	usign = v->sign;
@@ -145,7 +146,15 @@ mpi_mul( MPI w, MPI u, MPI v)
 
     /* Ensure W has space enough to store the result.  */
     wsize = usize + vsize;
-    if( w->alloced < wsize ) {
+    if ( !mpi_is_secure (w) && (mpi_is_secure (u) || mpi_is_secure (v)) ) {
+        /* w is not allocated in secure space but u or v is.  To make sure
+         * that no temporray results are stored in w, we temporary use 
+         * a newly allocated limb space for w */
+        wp = mpi_alloc_limb_space( wsize, 1 );
+        assign_wp = 2; /* mark it as 2 so that we can later copy it back to
+                        * mormal memory */
+    }
+    else if( w->alloced < wsize ) {
 	if( wp == up || wp == vp ) {
 	    wp = mpi_alloc_limb_space( wsize, mpi_is_secure(w) );
 	    assign_wp = 1;
@@ -180,8 +189,16 @@ mpi_mul( MPI w, MPI u, MPI v)
 	wsize -= cy? 0:1;
     }
 
-    if( assign_wp )
+    if( assign_wp ) {
+        if (assign_wp == 2) {
+            /* copy the temp wp from secure memory back to normal memory */
+	    mpi_ptr_t tmp_wp = mpi_alloc_limb_space (wsize, 0);
+	    MPN_COPY (tmp_wp, wp, wsize);
+            mpi_free_limb_space (wp);
+            wp = tmp_wp;
+        }
 	mpi_assign_limb_space( w, wp, wsize );
+    }
     w->nlimbs = wsize;
     w->sign = sign_product;
     if( tmp_limb )