From b35c403de9628e6ca3473382e410efff806f44e7 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Sat, 1 Oct 2016 16:21:59 -0700 Subject: [PATCH] Ensure signatures exist when verifying multipart/signed emails. (closes #3881). TAKAHASHI Tamotsu reported that when gpg2 isn't in PATH, the gpgme_op_verify() won't return an error, but instead will return a result with no signatures. verify_one() was only returning an error if a signature actually failed, so in this case the function was defaulting to returning success. Other callers of gpgme_op_verify() check to make sure the result->signatures exist before processing signatures. Add a check for verify_one() too. --- crypt-gpgme.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/crypt-gpgme.c b/crypt-gpgme.c index fb51af6a7..d5c6f3347 100644 --- a/crypt-gpgme.c +++ b/crypt-gpgme.c @@ -1561,6 +1561,7 @@ static int verify_one (BODY *sigbdy, STATE *s, { /* Verification succeeded, see what the result is. */ int res, idx; int anybad = 0; + gpgme_verify_result_t verify_result; if (signature_key) { @@ -1568,15 +1569,19 @@ static int verify_one (BODY *sigbdy, STATE *s, signature_key = NULL; } - for(idx=0; (res = show_one_sig_status (ctx, idx, s)) != -1; idx++) + verify_result = gpgme_op_verify_result (ctx); + if (verify_result && verify_result->signatures) + { + for (idx=0; (res = show_one_sig_status (ctx, idx, s)) != -1; idx++) { if (res == 1) anybad = 1; else if (res == 2) anywarn = 2; } - if (!anybad) - badsig = 0; + if (!anybad) + badsig = 0; + } } if (!badsig) -- 2.40.0