authorWerner Koch <[email protected]>2000-11-30 12:08:36 +0000
committerWerner Koch <[email protected]>2000-11-30 12:08:36 +0000
commit41913b7f012c75816fb9cbda4b1b9ddf99e6c3f8 (patch)
treeae93efa7347fd8da73726f9d0635dc7eacbc809f
parentLink corrected (diff)
downloadgnupg-41913b7f012c75816fb9cbda4b1b9ddf99e6c3f8.tar.gz
gnupg-41913b7f012c75816fb9cbda4b1b9ddf99e6c3f8.zip
Fixed the detached signature bug.
Minor modifications for W32.
-rw-r--r--NEWS9
-rw-r--r--doc/ChangeLog5
-rw-r--r--doc/gpg.sgml22
-rw-r--r--g10/ChangeLog15
-rw-r--r--g10/g10.c19
-rw-r--r--g10/mainproc.c12
-rw-r--r--g10/openfile.c2
-rw-r--r--g10/plaintext.c18
-rw-r--r--g10/verify.c26
-rw-r--r--include/ChangeLog4
-rw-r--r--include/iobuf.h3
-rw-r--r--util/ChangeLog5
-rw-r--r--util/iobuf.c23
13 files changed, 136 insertions, 27 deletions
diff --git a/NEWS b/NEWS
index de5455ab8..a6c34bf83 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,13 @@
+ * WARNING: The semantics of --verify have changed to address a problem
+ with detached signature detection. --verify now ignores signed material
+ given on stdin unless this is requested by using a "-" as the name for
+ the file with the signed material.
+
+ ! Please check all your detached signature handling applications !
+ ! and make sure that they don't pipe the signed material to stdin !
+ ! without using a filename and "-" on the the command line. !
+
* Support for the gpg-agent from gpg 1.1
* Better LFS support.
diff --git a/doc/ChangeLog b/doc/ChangeLog
index a50ab8090..f824d243a 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2000-11-30 Werner Koch <[email protected]>
+
+ * gpg.sgml: Fixed the description of --verify. Add a short note
+ the warnings sections.
+
2000-10-19 Werner Koch <[email protected]>
* gpg.sgml: Fixed doc for --allow-non-selfsigned-uid.
diff --git a/doc/gpg.sgml b/doc/gpg.sgml
index ec8abffd8..342ee580b 100644
--- a/doc/gpg.sgml
+++ b/doc/gpg.sgml
@@ -150,24 +150,25 @@ message.
<listitem><para>
Assume that <parameter/sigfile/ is a signature and verify it
without generating any output. With no arguments,
-the signature packet is read from stdin (it may be a
-detached signature when not used in batch mode). If
+the signature packet is read from stdin. If
only a sigfile is given, it may be a complete
signature or a detached signature, in which case
the signed stuff is expected in a file without the
-".sig" or ".asc" extension (if such a file does
-not exist it is expected at stdin; use a single dash ("-") as
-filename to force a read from stdin). With more than
+".sig" or ".asc" extension.
+With more than
1 argument, the first should be a detached signature
-and the remaining files are the signed stuff.
+and the remaining files are the signed stuff. To read the signed
+stuff from stdin, use <literal>-</literal> as the second filename.
+For security reasons a detached signature cannot read the signed
+material from stdin without denoting it in the above way.
</para></listitem></varlistentry>
<varlistentry>
<term>--verify-files <optional><parameter/files/</optional></term>
<listitem><para>
This is a special version of the --verify command which does not work with
-detached signatures. The command expects the files to bee verified either
-on the commandline or reads the filenames from stdin; each anem muts be on
+detached signatures. The command expects the files to be verified either
+on the commandline or reads the filenames from stdin; each name must be on
separate line. The command is intended for quick checking of many files.
</para></listitem></varlistentry>
@@ -1664,6 +1665,11 @@ directory very well.
Keep in mind that, if this program is used over a network (telnet), it
is *very* easy to spy out your passphrase!
</para>
+<para>
+If you are going to verify detached signatures, make sure that the
+program nows about it; either be giving both filenames on the
+commandline or using <literal>-</literal> to specify stdin.
+</para>
</refsect1>
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 536c34f38..5b3587b07 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,18 @@
+2000-11-30 Werner Koch <[email protected]>
+
+ * g10.c (main): Use iobuf_translate_file_handle for all options
+ with filehandles as arguments. This is function does some magic
+ some for the W32 API.
+
+ * verify.c (verify_signatures): Add a comment rant about the
+ detached signature problem.
+ * mainproc.c (proc_tree): Issue an error if a detached signature
+ is assumed but a standard one was found.
+ * plaintext.c (hash_datafiles): Don't fall back to read signature
+ from stdin.
+ * openfile.c (open_sigfile): Print verbose message only if the
+ file could be accessed.
+
2000-11-24 Werner Koch <[email protected]>
* passphrase.c [HAVE_DOSISH_SYSTEM]: Disabled all the agent stuff.
diff --git a/g10/g10.c b/g10/g10.c
index 785ec9cfa..955a8d946 100644
--- a/g10/g10.c
+++ b/g10/g10.c
@@ -47,7 +47,6 @@
#include "g10defs.h"
#include "hkp.h"
-
enum cmd_and_opt_values { aNull = 0,
oArmor = 'a',
aDetachedSign = 'b',
@@ -791,8 +790,13 @@ main( int argc, char **argv )
case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break;
case oDebug: opt.debug |= pargs.r.ret_ulong; break;
case oDebugAll: opt.debug = ~0; break;
- case oStatusFD: set_status_fd( pargs.r.ret_int ); break;
- case oLoggerFD: log_set_logfile( NULL, pargs.r.ret_int ); break;
+ case oStatusFD:
+ set_status_fd( iobuf_translate_file_handle (pargs.r.ret_int, 1) );
+ break;
+ case oLoggerFD:
+ log_set_logfile( NULL,
+ iobuf_translate_file_handle (pargs.r.ret_int, 1) );
+ break;
case oWithFingerprint:
with_fpr=1; /*fall thru*/
case oFingerprint: opt.fingerprint++; break;
@@ -905,8 +909,12 @@ main( int argc, char **argv )
add_to_strlist2( &locusr, pargs.r.ret_str, utf8_strings );
break;
case oCompress: opt.compress = pargs.r.ret_int; break;
- case oPasswdFD: pwfd = pargs.r.ret_int; break;
- case oCommandFD: opt.command_fd = pargs.r.ret_int; break;
+ case oPasswdFD:
+ pwfd = iobuf_translate_file_handle (pargs.r.ret_int, 0);
+ break;
+ case oCommandFD:
+ opt.command_fd = iobuf_translate_file_handle (pargs.r.ret_int, 0);
+ break;
case oCipherAlgo: def_cipher_string = m_strdup(pargs.r.ret_str); break;
case oDigestAlgo: def_digest_string = m_strdup(pargs.r.ret_str); break;
case oNoSecmemWarn: secmem_set_flags( secmem_get_flags() | 1 ); break;
@@ -1002,6 +1010,7 @@ main( int argc, char **argv )
set_debug();
g10_opt_homedir = opt.homedir;
+
/* must do this after dropping setuid, because string_to...
* may try to load an module */
if( def_cipher_string ) {
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 1433ec860..e9ac0ddc6 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1299,6 +1299,10 @@ proc_tree( CTX c, KBNODE node )
return;
}
}
+ else if ( c->signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
check_sig_and_print( c, n1 );
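Review bot: The four-line `else if ( c->signed_data )` rejection added here is repeated verbatim in the two later proc_tree hunks (at -1310 and -1368), and none of the three carries a comment saying why it exists. Going by the ChangeLog entry, this branch is what stops a standard signature from being accepted when a detached one was assumed, so the three copies should not be allowed to drift apart. I would either put a one-line comment on each, e.g. `/* caller supplied separate signed data, so only a detached signature is acceptable here */`, or move the check into a small static helper that the three sites call. proc_tree starts and ends outside these hunks, so the surrounding if-chains are only partly visible.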
@@ -1310,6 +1314,10 @@ proc_tree( CTX c, KBNODE node )
log_error("cleartext signature without data\n" );
return;
}
+ else if ( c->signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
check_sig_and_print( c, n1 );
@@ -1368,6 +1376,10 @@ proc_tree( CTX c, KBNODE node )
return;
}
}
+ else if ( c->signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
else
log_info(_("old style (PGP 2.x) signature\n"));
diff --git a/g10/openfile.c b/g10/openfile.c
index 460b4449e..c43cbd7e9 100644
--- a/g10/openfile.c
+++ b/g10/openfile.c
@@ -257,7 +257,7 @@ open_sigfile( const char *iname )
buf = m_strdup(iname);
buf[len-4] = 0 ;
a = iobuf_open( buf );
- if( opt.verbose )
+ if( a && opt.verbose )
log_info(_("assuming signed data in `%s'\n"), buf );
m_free(buf);
}
diff --git a/g10/plaintext.c b/g10/plaintext.c
index 1510ed70b..3361cd133 100644
--- a/g10/plaintext.c
+++ b/g10/plaintext.c
@@ -370,7 +370,7 @@ hash_datafiles( MD_HANDLE md, MD_HANDLE md2, STRLIST files,
const char *sigfilename, int textmode )
{
IOBUF fp;
- STRLIST sl=NULL;
+ STRLIST sl;
if( !files ) {
/* check whether we can open the signed material */
@@ -380,28 +380,26 @@ hash_datafiles( MD_HANDLE md, MD_HANDLE md2, STRLIST files,
iobuf_close(fp);
return 0;
}
- /* no we can't (no sigfile) - read signed stuff from stdin */
- add_to_strlist( &sl, "-");
+ log_error (_("no signed data\n"));
+ return G10ERR_OPEN_FILE;
}
- else
- sl = files;
- for( ; sl; sl = sl->next ) {
+
+ for (sl=files; sl; sl = sl->next ) {
fp = iobuf_open( sl->d );
if( !fp ) {
log_error(_("can't open signed data `%s'\n"),
print_fname_stdin(sl->d));
- if( !files )
- free_strlist(sl);
return G10ERR_OPEN_FILE;
}
do_hash( md, md2, fp, textmode );
iobuf_close(fp);
}
- if( !files )
- free_strlist(sl);
return 0;
}
+
+
+
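Review bot: Nothing in this hunk records hash_datafiles' new contract, which is the security-relevant part of the change: with an empty `files` list and no data file found for the signature, it now fails with G10ERR_OPEN_FILE instead of hashing stdin. A short comment at the `log_error (_("no signed data\n"));` branch would keep a later refactor from restoring the fallback, e.g. `/* Never fall back to stdin here; stdin is hashed only when "-" is given explicitly in FILES. */`. The function's header is outside this hunk, so if a header comment already exists there it should be updated to say the same.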
diff --git a/g10/verify.c b/g10/verify.c
index 924fc85ce..db7dd5e70 100644
--- a/g10/verify.c
+++ b/g10/verify.c
@@ -24,6 +24,7 @@
#include <string.h>
#include <errno.h>
#include <assert.h>
+#include <unistd.h> /* for isatty() */
#include "options.h"
#include "packet.h"
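Review bot: `#include <unistd.h> /* for isatty() */` looks unused. The comment added in the next hunk concludes that isatty() cannot be relied on and that nothing has to change in verify_signatures. Unless isatty() is called in a part of the file outside these hunks, I would drop the include, since <unistd.h> is not guaranteed on every W32 toolchain and this commit is otherwise adjusting for W32.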
@@ -60,6 +61,31 @@ verify_signatures( int nfiles, char **files )
STRLIST sl;
memset( &afx, 0, sizeof afx);
+ /* decide whether we should handle a detached or a normal signature,
+ * which is needed so that the code later can hash the correct data and
+ * not have a normal signature act as detached signature and ignoring the
+ * indended signed material from the 2nd file or stdin.
+ * 1. gpg <file - normal
+ * 2. gpg file - normal (or detached)
+ * 3. gpg file <file2 - detached
+ * 4. gpg file file2 - detached
+ * The question is how decide between case 2 and 3? The only way
+ * we can do it is by reading one byte from stdin and the unget
+ * it; the problem here is that we may be reading from the
+ * terminal (which could be detected using isatty() but won't work
+ * when under contol of a pty using program (e.g. expect)) and
+ * might get us in trouble when stdin is used for another purpose
+ * (--passphrase-fd 0). So we have to break with the behaviour
+ * prior to gpg 1.0.4 by assuming that case 3 is a normal
+ * signature (where file2 is ignored and require for a detached
+ * signature to indicate signed material comes from stdin by using
+ * case 4 with a file2 of "-".
+ *
+ * Actually we don't have to change anything here but can handle
+ * that all quite easily in mainproc.c
+ */
+
+
sigfile = nfiles? *files : NULL;
/* open the signature file */
diff --git a/include/ChangeLog b/include/ChangeLog
index de9b690f4..cfdcfa928 100644
--- a/include/ChangeLog
+++ b/include/ChangeLog
@@ -1,3 +1,7 @@
+2000-11-30 Werner Koch <[email protected]>
+
+ * iobuf.h (iobuf_translate_file_handle): Add prototype.
+
2000-11-11 Paul Eggert <[email protected]>
* iobuf.h (iobuf_get_filelength): Now returns off_t, not u32.
diff --git a/include/iobuf.h b/include/iobuf.h
index 3a6e4f09d..3c222689b 100644
--- a/include/iobuf.h
+++ b/include/iobuf.h
@@ -125,6 +125,9 @@ void iobuf_set_block_mode( IOBUF a, size_t n );
void iobuf_set_partial_block_mode( IOBUF a, size_t len );
int iobuf_in_block_mode( IOBUF a );
+int iobuf_translate_file_handle ( int fd, int for_write );
+
+
/* get a byte form the iobuf; must check for eof prior to this function
* this function returns values in the range 0 .. 255 or -1 to indicate EOF
* iobuf_get_noeof() does not return -1 to indicate EOF, but masks the
diff --git a/util/ChangeLog b/util/ChangeLog
index 3b9be0161..2f5609d84 100644
--- a/util/ChangeLog
+++ b/util/ChangeLog
@@ -1,3 +1,8 @@
+2000-11-30 Werner Koch <[email protected]>
+
+ * iobuf.c (iobuf_translate_file_handle): New.
+ (iobuf_open, iobuf_create): Use it for special filenames
+
2000-11-11 Paul Eggert <[email protected]>
* iobuf.c (iobuf_get_filelength): Now returns off_t, not u32.
diff --git a/util/iobuf.c b/util/iobuf.c
index 7cf780f89..12ca89fc2 100644
--- a/util/iobuf.c
+++ b/util/iobuf.c
@@ -1,5 +1,5 @@
/* iobuf.c - file handling
- * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -620,7 +620,7 @@ iobuf_open( const char *fname )
print_only = 1;
}
else if ( (fd = check_special_filename ( fname )) != -1 )
- return iobuf_fdopen ( fd, "rb" );
+ return iobuf_fdopen ( iobuf_translate_file_handle (fd,0), "rb" );
else if( !(fp = fopen(fname, "rb")) )
return NULL;
a = iobuf_alloc(1, 8192 );
@@ -692,7 +692,7 @@ iobuf_create( const char *fname )
print_only = 1;
}
else if ( (fd = check_special_filename ( fname )) != -1 )
- return iobuf_fdopen ( fd, "wb" );
+ return iobuf_fdopen ( iobuf_translate_file_handle (fd, 1), "wb" );
else if( !(fp = fopen(fname, "wb")) )
return NULL;
a = iobuf_alloc(2, 8192 );
@@ -1620,3 +1620,20 @@ iobuf_read_line( IOBUF a, byte **addr_of_buffer,
return nbytes;
}
+
+int
+iobuf_translate_file_handle ( int fd, int for_write )
+{
+ #ifdef __MINGW32__
+ {
+ int x = _open_osfhandle ( (void*)fd, for_write? 1:0 );
+ if (x==-1 )
+ log_error ("failed to translate osfhandle %p\n", (void*)fd );
+ else {
+ log_info ("_open_osfhandle %p yields %d\n", (void*)fd, x );
+ fd = x;
+ }
+ }
+ #endif
+ return fd;
+}
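Review bot: When `_open_osfhandle` fails, iobuf_translate_file_handle logs an error and then falls through to `return fd;`, handing the untranslated OS handle back as if it were a C runtime descriptor. The callers added in this commit (the oStatusFD, oLoggerFD, oPasswdFD and oCommandFD cases in g10.c, and iobuf_open / iobuf_create) use the result unchecked, so under __MINGW32__ a failed translation could make the passphrase or command channel refer to an unrelated descriptor. I would add `return -1;` after the `log_error` call and have the callers treat a negative result as fatal. The function also needs a comment stating that it is a no-op outside __MINGW32__ and what `for_write` selects. Separately, `(void*)fd` is passed as the first argument of `_open_osfhandle`, which takes an integer handle rather than a pointer, so the cast there should be dropped or made to the integer handle type.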