2 files changed, 69 insertions, 40 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index 439333294..3747350d2 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,10 @@
+2008-11-18  David Shaw  <[email protected]>
+
+	* trustdb.c (validate_one_keyblock): Fix the trust signature
+	calculations so that we lower the trust depth of signatures to fit
+	within the current chain, rather than discarding any signature
+	that does not fit within the trust depth.
+
 2008-10-03  David Shaw  <[email protected]>
 
 	* main.h, mainproc.c (check_sig_and_print),
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 10f82ef97..57684590a 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -1,6 +1,6 @@
 /* trustdb.c
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
- *               2007 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+ *               2008 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -1933,50 +1933,72 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
 		     (uidnode && check_regexp(kr->trust_regexp,
 					    uidnode->pkt->pkt.user_id->name))))
             {
-	      if(DBG_TRUST && opt.trust_model==TM_PGP && sig->trust_depth)
-		log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n",
-			  uidnode->pkt->pkt.user_id->name,sig->trust_depth,
-			  kr->trust_depth);
-
 	      /* Are we part of a trust sig chain?  We always favor
                  the latest trust sig, rather than the greater or
                  lesser trust sig or value.  I could make a decent
                  argument for any of these cases, but this seems to be
                  what PGP does, and I'd like to be compatible. -dms */
-	      if(opt.trust_model==TM_PGP && sig->trust_depth
-		 && pk->trust_timestamp<=sig->timestamp
-		 && (sig->trust_depth<=kr->trust_depth
-		     || kr->ownertrust==TRUST_ULTIMATE))
+	      if(opt.trust_model==TM_PGP
+		 && sig->trust_depth
+		 && pk->trust_timestamp<=sig->timestamp)
 		{
-		  /* If we got here, we know that:
-
-		     this is a trust sig.
-
-		     it's a newer trust sig than any previous trust
-		     sig on this key (not uid).
-
-		     it is legal in that it was either generated by an
-		     ultimate key, or a key that was part of a trust
-		     chain, and the depth does not violate the
-		     original trust sig.
-
-		     if there is a regexp attached, it matched
-		     successfully.
-		  */
-
-		  if(DBG_TRUST)
-		    log_debug("replacing trust value %d with %d and "
-			      "depth %d with %d\n",
-			      pk->trust_value,sig->trust_value,
-			      pk->trust_depth,sig->trust_depth);
-
-		  pk->trust_value=sig->trust_value;
-		  pk->trust_depth=sig->trust_depth-1;
-
-		  /* If the trust sig contains a regexp, record it
-		     on the pk for the next round. */
-		  if(sig->trust_regexp)
-		    pk->trust_regexp=sig->trust_regexp;
+		  byte depth;
+
+		  /* If the depth on the signature is less than the
+		     chain currently has, then use the signature depth
+		     so we don't increase the depth beyond what the
+		     signer wanted.  If the depth on the signature is
+		     more than the chain currently has, then use the
+		     chain depth so we use as much of the signature
+		     depth as the chain will permit.  An ultimately
+		     trusted signature can restart the depth to
+		     whatever level it likes. */
+
+		  if(sig->trust_depth<kr->trust_depth
+		     || kr->ownertrust==TRUST_ULTIMATE)
+		    depth=sig->trust_depth;
+		  else
+		    depth=kr->trust_depth;
+
+		  if(depth)
+		    {
+		      if(DBG_TRUST)
+			log_debug("trust sig on %s, sig depth is %d,"
+				  " kr depth is %d\n",
+				  uidnode->pkt->pkt.user_id->name,
+				  sig->trust_depth,
+				  kr->trust_depth);
+
+		      /* If we got here, we know that:
+
+			 this is a trust sig.
+
+			 it's a newer trust sig than any previous trust
+			 sig on this key (not uid).
+
+			 it is legal in that it was either generated by an
+			 ultimate key, or a key that was part of a trust
+			 chain, and the depth does not violate the
+			 original trust sig.
+
+			 if there is a regexp attached, it matched
+			 successfully.
+		      */
+
+		      if(DBG_TRUST)
+			log_debug("replacing trust value %d with %d and "
+				  "depth %d with %d\n",
+				  pk->trust_value,sig->trust_value,
+				  pk->trust_depth,depth);
+
+		      pk->trust_value=sig->trust_value;
+		      pk->trust_depth=depth-1;
+
+		      /* If the trust sig contains a regexp, record it
+			 on the pk for the next round. */
+		      if(sig->trust_regexp)
+			pk->trust_regexp=sig->trust_regexp;
+		    }
 		}
 
               if (kr->ownertrust == TRUST_ULTIMATE)