security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-18 14:17:03 +01:00
Code Activity

wkd: Restrict gpg-wks-client --mirror to the given domains.

Browse Source 
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--

Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains.  Now we publish
only the user-ids as specified on the command line.

GnuPG-bug-id: T6224
This commit is contained in:
Werner Koch 2022-10-07 15:59:53 +02:00
parent 4364283f75
commit 0a151548b6
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 62 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
tools/gpg-wks-client.c
View File

@ -158,7 +158,7 @@ static gpg_error_t read_confirmation_request (estream_t msg);
static gpg_error_t command_receive_cb (void *opaque, static gpg_error_t command_receive_cb (void *opaque,
const char *mediatype, estream_t fp, const char *mediatype, estream_t fp,
unsigned int flags); unsigned int flags);
static gpg_error_t command_mirror (const char *domain); static gpg_error_t command_mirror (char *domain[]);
@ -408,10 +408,8 @@ main (int argc, char **argv)
case aMirror: case aMirror:
if (!argc) if (!argc)
err = command_mirror (NULL); err = command_mirror (NULL);
else if (argc == 1)
err = command_mirror (*argv);
else else
wrong_args ("--mirror [DOMAIN]"); err = command_mirror (argv);
break; break;
case aInstallKey: case aInstallKey:
@ -1642,6 +1640,30 @@ struct
} mirror_one_key_parm; } mirror_one_key_parm;
/* Return true if the Given a mail DOMAIN and the full addrspec MBOX
* match. */
static int
domain_matches_mbox (const char *domain, const char *mbox)
{
const char *s;
if (!domain || !mbox)
return 0;
s = strchr (domain, '@');
if (s)
domain = s+1;
if (!*domain)
return 0; /* Not a valid domain. */
s = strchr (mbox, '@');
if (!s || !s[1])
return 0; /* Not a valid mbox. */
mbox = s+1;
return !ascii_strcasecmp (domain, mbox);
}
/* Core of mirror_one_key with the goal of mirroring just one uid. /* Core of mirror_one_key with the goal of mirroring just one uid.
* UIDLIST is used to figure out whether the given MBOX occurs several * UIDLIST is used to figure out whether the given MBOX occurs several
* times in UIDLIST and then to single out the newwest one. This is * times in UIDLIST and then to single out the newwest one. This is
@ -1725,6 +1747,7 @@ mirror_one_key (estream_t key)
char *fpr; char *fpr;
uidinfo_list_t uidlist = NULL; uidinfo_list_t uidlist = NULL;
uidinfo_list_t uid; uidinfo_list_t uid;
const char *domain = mirror_one_key_parm.domain;
/* List the key to get all user ids. */ /* List the key to get all user ids. */
err = wks_list_key (key, &fpr, &uidlist); err = wks_list_key (key, &fpr, &uidlist);
@ -1740,6 +1763,9 @@ mirror_one_key (estream_t key)
{ {
if (!uid->mbox || (uid->flags & 1)) if (!uid->mbox || (uid->flags & 1))
continue; /* No mail box or already processed. */ continue; /* No mail box or already processed. */
if (!domain_matches_mbox (domain, uid->mbox))
continue; /* We don't want this one. */
err = mirror_one_keys_userid (key, uid->mbox, uidlist, fpr); err = mirror_one_keys_userid (key, uid->mbox, uidlist, fpr);
if (err) if (err)
{ {
@ -1761,23 +1787,45 @@ mirror_one_key (estream_t key)
/* Copy the keys from the configured LDAP server into a local WKD. /* Copy the keys from the configured LDAP server into a local WKD.
* DOMAIN is a domain name to restrict the copy to only this domain; * DOMAINLIST is an array of domain names to restrict the copy to only
* if it is NULL all keys are mirrored. */ * the given domains; if it is NULL all keys are mirrored. */
static gpg_error_t static gpg_error_t
command_mirror (const char *domain) command_mirror (char *domainlist[])
{ {
gpg_error_t err; gpg_error_t err;
const char *domain;
char *domainbuf = NULL;
if (domain)
{
/* Fixme: Do some sanity checks on the domain. */
}
mirror_one_key_parm.domain = domain;
mirror_one_key_parm.anyerror = 0; mirror_one_key_parm.anyerror = 0;
mirror_one_key_parm.nkeys = 0; mirror_one_key_parm.nkeys = 0;
mirror_one_key_parm.nuids = 0; mirror_one_key_parm.nuids = 0;
if (!domainlist)
{
mirror_one_key_parm.domain = "";
err = wkd_dirmngr_ks_get (NULL, mirror_one_key);
}
else
{
while ((domain = *domainlist++))
{
if (*domain != '.' && domain[1] != '@')
{
/* This does not already specify a mail search by
* domain. Change it. */
xfree (domainbuf);
domainbuf = xstrconcat (".@", domain, NULL);
domain = domainbuf;
}
mirror_one_key_parm.domain = domain;
if (opt.verbose)
log_info ("mirroring keys for domain '%s'\n", domain+2);
err = wkd_dirmngr_ks_get (domain, mirror_one_key); err = wkd_dirmngr_ks_get (domain, mirror_one_key);
if (err)
break;
}
}
if (!opt.quiet) if (!opt.quiet)
log_info ("a total of %u user ids from %d keys published\n", log_info ("a total of %u user ids from %d keys published\n",
mirror_one_key_parm.nuids, mirror_one_key_parm.nkeys); mirror_one_key_parm.nuids, mirror_one_key_parm.nkeys);
@ -1787,8 +1835,6 @@ command_mirror (const char *domain)
else if (mirror_one_key_parm.anyerror) else if (mirror_one_key_parm.anyerror)
log_info ("warning: errors encountered - not all keys are mirrored\n"); log_info ("warning: errors encountered - not all keys are mirrored\n");
xfree (domainbuf);
return err; return err;
} }