* getkey.c (merge_selfsigs_main), main.h, sig-check.c

(check_key_signature2): Pass the ultimately trusted pk directly to
check_key_signature2 to avoid going through the key selection mechanism.
This prevents a deadly embrace when two keys without selfsigs each sign
the other.

4 files changed, 21 insertions, 9 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index 581c0b6a8..33fd17f09 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,5 +1,11 @@
 2002-12-27  David Shaw  <[email protected]>
 
+	* getkey.c (merge_selfsigs_main), main.h, sig-check.c
+	(check_key_signature2): Pass the ultimately trusted pk directly to
+	check_key_signature2 to avoid going through the key selection
+	mechanism.  This prevents a deadly embrace when two keys without
+	selfsigs each sign the other.
+
 	* keyserver.c (keyserver_refresh): Don't print the "refreshing..."
 	line if there are no keys to refresh or if there is no keyserver
 	set.
diff --git a/g10/getkey.c b/g10/getkey.c
index d7165f62f..420f35dc6 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1576,6 +1576,8 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked )
 	    else if ( k->pkt->pkttype == PKT_SIGNATURE && uidnode )
 	      {
 		PKT_signature *sig = k->pkt->pkt.signature;
+		u32 dummy;
+		int dum2;
 
 		if(sig->keyid[0] != kid[0] || sig->keyid[1]!=kid[1])
 		  {
@@ -1583,9 +1585,10 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked )
 
 		    ultimate_pk=m_alloc_clear(sizeof(*ultimate_pk));
 
-		    if(get_pubkey_fast(ultimate_pk,sig->keyid)==0 &&
-		       check_key_signature(keyblock,k,NULL)==0 &&
-		       get_ownertrust(ultimate_pk)==TRUST_ULTIMATE)
+		    if(get_pubkey_fast(ultimate_pk,sig->keyid)==0
+		       && check_key_signature2(keyblock,k,ultimate_pk,
+					       NULL,&dummy,&dum2)==0
+		       && get_ownertrust(ultimate_pk)==TRUST_ULTIMATE)
 		      {
 			free_public_key(ultimate_pk);
 			pk->is_valid=1;
diff --git a/g10/main.h b/g10/main.h
index 55fc126bf..0cd508833 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -110,7 +110,7 @@ int sign_symencrypt_file (const char *fname, STRLIST locusr);
 /*-- sig-check.c --*/
 int check_revocation_keys (PKT_public_key *pk, PKT_signature *sig);
 int check_key_signature( KBNODE root, KBNODE node, int *is_selfsig );
-int check_key_signature2( KBNODE root, KBNODE node,
+int check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *pk,
 			  int *is_selfsig, u32 *r_expiredate, int *r_expired );
 
 /*-- delkey.c --*/
diff --git a/g10/sig-check.c b/g10/sig-check.c
index c254b4897..bdbb958d6 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -475,15 +475,16 @@ check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
 {
     u32 dummy;
     int dum2;
-    return check_key_signature2(root, node, is_selfsig, &dummy, &dum2 );
+    return check_key_signature2(root, node, NULL, is_selfsig, &dummy, &dum2 );
 }
 
+/* If pk is NULL, then it is set from ROOT.  Note that is_selfsig is
+   set from the pk. */
 int
-check_key_signature2( KBNODE root, KBNODE node, int *is_selfsig,
-				       u32 *r_expiredate, int *r_expired )
+check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *pk,
+		      int *is_selfsig, u32 *r_expiredate, int *r_expired )
 {
     MD_HANDLE md;
-    PKT_public_key *pk;
     PKT_signature *sig;
     int algo;
     int rc;
@@ -495,7 +496,9 @@ check_key_signature2( KBNODE root, KBNODE node, int *is_selfsig,
     assert( node->pkt->pkttype == PKT_SIGNATURE );
     assert( root->pkt->pkttype == PKT_PUBLIC_KEY );
 
-    pk = root->pkt->pkt.public_key;
+    if(pk==NULL)
+      pk = root->pkt->pkt.public_key;
+
     sig = node->pkt->pkt.signature;
     algo = sig->digest_algo;