gpg: Fix regression due to the keyserver import filter.

* g10/keyserver.c (keyserver_retrieval_filter): Change args. Rewrite to take subpakets in account. * g10/import.c (import_one, import_secret_one): Pass keyblock to filter. -- GnuPG-bug-id: 1680
2025-03-28 22:49:59 +01:00 · 2014-08-06 17:11:21 +02:00 · 2014-08-06 17:11:21 +02:00 · 088f82c0b5
commit 088f82c0b5
parent 25d5480e98
3 changed files with 49 additions and 34 deletions
--- a/g10/import.c
+++ b/g10/import.c
@ -799,7 +799,7 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
 	return 0;
      }
-    if (filter && filter (pk, NULL, filter_arg))
+    if (filter && filter (keyblock, filter_arg))
      {
        log_error (_("key %s: %s\n"), keystr_from_pk(pk),
                   _("rejected by import filter"));
@ -1201,7 +1201,7 @@ import_secret_one (const char *fname, KBNODE keyblock,
    keyid_from_sk( sk, keyid );
    uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
-    if (filter && filter (NULL, sk, filter_arg)) {
+    if (filter && filter (keyblock, filter_arg)) {
        log_error (_("secret key %s: %s\n"), keystr_from_sk(sk),
                   _("rejected by import filter"));
        return 0;
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@ -994,52 +994,68 @@ struct ks_retrieval_filter_arg_s
   returns 0 if the key shall be imported.  Note that this kind of
   filter is not related to the iobuf filters. */
 static int
-keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk,
+keyserver_retrieval_filter (kbnode_t keyblock, void *opaque)
                            void *opaque)
 {
  struct ks_retrieval_filter_arg_s *arg = opaque;
  KEYDB_SEARCH_DESC *desc = arg->desc;
  int ndesc = arg->ndesc;
  kbnode_t node;
  PKT_public_key *pk;
  int n;
  u32 keyid[2];
  byte fpr[MAX_FINGERPRINT_LEN];
  size_t fpr_len = 0;
-  /* Secret keys are not expected from a keyserver.  Do not import.  */
+  /* Secret keys are not expected from a keyserver.  We do not
-  if (sk)
+     care about secret subkeys because the import code takes care
-    return G10ERR_GENERAL;
+     of skipping them.  Not allowing an import of a public key
     with a secret subkey would make it too easy to inhibit the
     downloading of a public key.  Recall that keyservers do only
     limited checks.  */
  node = find_kbnode (keyblock, PKT_SECRET_KEY);
  if (node)
    return G10ERR_GENERAL;   /* Do not import. */
  if (!ndesc)
    return 0; /* Okay if no description given.  */
-  fingerprint_from_pk (pk, fpr, &fpr_len);
+  /* Loop over all key packets.  */
-  keyid_from_pk (pk, keyid);
+  for (node = keyblock; node; node = node->next)
  /* Compare requested and returned fingerprints if available. */
  for (n = 0; n < ndesc; n++)
    {
-      if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
+      if (node->pkt->pkttype != PKT_PUBLIC_KEY
          && node->pkt->pkttype != PKT_PUBLIC_SUBKEY)
        continue;
      pk = node->pkt->pkt.public_key;
      fingerprint_from_pk (pk, fpr, &fpr_len);
      keyid_from_pk (pk, keyid);
      /* Compare requested and returned fingerprints if available. */
      for (n = 0; n < ndesc; n++)
        {
-          if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
+          if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
-            return 0;
+            {
              if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
                return 0;
            }
          else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
            {
              if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
                return 0;
            }
          else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
            {
              if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
                return 0;
            }
          else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
            {
              if (keyid[1] == desc[n].u.kid[1])
                return 0;
            }
          else /* No keyid or fingerprint - can't check.  */
            return 0; /* allow import.  */
        }
      else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
        {
          if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
            return 0;
        }
      else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
        {
          if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
            return 0;
        }
      else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
        {
          if (keyid[1] == desc[n].u.kid[1])
            return 0;
        }
      else
        return 0;
    }
  return G10ERR_GENERAL;
--- a/g10/main.h
+++ b/g10/main.h
@ -261,8 +261,7 @@ gcry_mpi_t encode_md_value( PKT_public_key *pk, PKT_secret_key *sk,
 /*-- import.c --*/
-typedef int (*import_filter_t)(PKT_public_key *pk, PKT_secret_key *sk,
+typedef int (*import_filter_t)(kbnode_t keyblock, void *arg);
                               void *arg);
 int parse_import_options(char *str,unsigned int *options,int noisy);
 void import_keys( char **fnames, int nnames,