mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-18 14:17:03 +01:00
gpg: Do not use self-sigs-only for LDAP keyserver imports.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status. * g10/options.h (opts): New field expl_import_self_sigs_only. * g10/import.c (parse_import_options): Set it. * g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP. -- I can be assumed that configured LDAP servers are somehow curated and not affected by rogue key signatures as the HKP servers are. Thus we can allow the import of key signature from LDAP keyservers by default. GnuPG-bug-id: 5387
This commit is contained in:
parent
b0a7132856
commit
1303b0ed84
@ -966,7 +966,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
|
|||||||
{
|
{
|
||||||
/* The ordering is significant. Specifically, "pgpcertid" needs
|
/* The ordering is significant. Specifically, "pgpcertid" needs
|
||||||
to be the second item in the list, since everything after it
|
to be the second item in the list, since everything after it
|
||||||
may be discarded we aren't in verbose mode. */
|
may be discarded if we aren't in verbose mode. */
|
||||||
char *attrs[] =
|
char *attrs[] =
|
||||||
{
|
{
|
||||||
"dummy",
|
"dummy",
|
||||||
@ -1016,6 +1016,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
|
|||||||
/* The set of entries that we've seen. */
|
/* The set of entries that we've seen. */
|
||||||
strlist_t seen = NULL;
|
strlist_t seen = NULL;
|
||||||
LDAPMessage *each;
|
LDAPMessage *each;
|
||||||
|
int anykey = 0;
|
||||||
|
|
||||||
for (npth_unprotect (),
|
for (npth_unprotect (),
|
||||||
each = ldap_first_entry (ldap_conn, message),
|
each = ldap_first_entry (ldap_conn, message),
|
||||||
@ -1068,6 +1069,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
|
|||||||
es_fprintf (fp, "\nKEY 0x%s END\n", certid[0]);
|
es_fprintf (fp, "\nKEY 0x%s END\n", certid[0]);
|
||||||
|
|
||||||
ldap_value_free (vals);
|
ldap_value_free (vals);
|
||||||
|
anykey = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1079,6 +1081,10 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
|
|||||||
|
|
||||||
if (! fp)
|
if (! fp)
|
||||||
err = gpg_error (GPG_ERR_NO_DATA);
|
err = gpg_error (GPG_ERR_NO_DATA);
|
||||||
|
|
||||||
|
if (!err && anykey)
|
||||||
|
err = dirmngr_status_printf (ctrl, "SOURCE", "%s://%s",
|
||||||
|
uri->scheme, uri->host? uri->host:"");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1988,7 +1988,9 @@ are available for all keyserver types, some common options are:
|
|||||||
|
|
||||||
The default list of options is: "self-sigs-only, import-clean,
|
The default list of options is: "self-sigs-only, import-clean,
|
||||||
repair-keys, repair-pks-subkey-bug, export-attributes,
|
repair-keys, repair-pks-subkey-bug, export-attributes,
|
||||||
honor-pka-record".
|
honor-pka-record". However, if
|
||||||
|
the actual used source is an LDAP server "no-self-sigs-only" is
|
||||||
|
assumed unless "self-sigs-only" has been explictly configured.
|
||||||
|
|
||||||
|
|
||||||
@item --completes-needed @var{n}
|
@item --completes-needed @var{n}
|
||||||
|
12
g10/import.c
12
g10/import.c
@ -218,8 +218,20 @@ parse_import_options(char *str,unsigned int *options,int noisy)
|
|||||||
{NULL,0,NULL,NULL}
|
{NULL,0,NULL,NULL}
|
||||||
};
|
};
|
||||||
int rc;
|
int rc;
|
||||||
|
int saved_self_sigs_only;
|
||||||
|
|
||||||
|
/* We need to set a flag indicating wether the user has set
|
||||||
|
* IMPORT_SELF_SIGS_ONLY or it came from the default. */
|
||||||
|
saved_self_sigs_only = (*options & IMPORT_SELF_SIGS_ONLY);
|
||||||
|
saved_self_sigs_only &= ~IMPORT_SELF_SIGS_ONLY;
|
||||||
|
|
||||||
rc = parse_options (str, options, import_opts, noisy);
|
rc = parse_options (str, options, import_opts, noisy);
|
||||||
|
|
||||||
|
if (rc && (*options & IMPORT_SELF_SIGS_ONLY))
|
||||||
|
opt.flags.expl_import_self_sigs_only = 1;
|
||||||
|
else
|
||||||
|
*options |= saved_self_sigs_only;
|
||||||
|
|
||||||
if (rc && (*options & IMPORT_RESTORE))
|
if (rc && (*options & IMPORT_RESTORE))
|
||||||
{
|
{
|
||||||
/* Alter other options we want or don't want for restore. */
|
/* Alter other options we want or don't want for restore. */
|
||||||
|
@ -1763,9 +1763,12 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
|
|||||||
if (opt.verbose && source)
|
if (opt.verbose && source)
|
||||||
log_info ("data source: %s\n", source);
|
log_info ("data source: %s\n", source);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if (!err)
|
if (!err)
|
||||||
{
|
{
|
||||||
struct ks_retrieval_screener_arg_s screenerarg;
|
struct ks_retrieval_screener_arg_s screenerarg;
|
||||||
|
unsigned int options;
|
||||||
|
|
||||||
/* FIXME: Check whether this comment should be moved to dirmngr.
|
/* FIXME: Check whether this comment should be moved to dirmngr.
|
||||||
|
|
||||||
@ -1779,12 +1782,18 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
|
|||||||
never accept or send them but we better protect against rogue
|
never accept or send them but we better protect against rogue
|
||||||
keyservers. */
|
keyservers. */
|
||||||
|
|
||||||
|
/* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY unless it has
|
||||||
|
* been set explicitly. */
|
||||||
|
options = (opt.keyserver_options.import_options | IMPORT_NO_SECKEY);
|
||||||
|
if (source && (!strncmp (source, "ldap:", 5)
|
||||||
|
|| !strncmp (source, "ldaps:", 6))
|
||||||
|
&& !opt.flags.expl_import_self_sigs_only)
|
||||||
|
options &= ~IMPORT_SELF_SIGS_ONLY;
|
||||||
|
|
||||||
screenerarg.desc = desc;
|
screenerarg.desc = desc;
|
||||||
screenerarg.ndesc = *r_ndesc_used;
|
screenerarg.ndesc = *r_ndesc_used;
|
||||||
import_keys_es_stream (ctrl, datastream, stats_handle,
|
import_keys_es_stream (ctrl, datastream, stats_handle,
|
||||||
r_fpr, r_fprlen,
|
r_fpr, r_fprlen, options,
|
||||||
(opt.keyserver_options.import_options
|
|
||||||
| IMPORT_NO_SECKEY),
|
|
||||||
keyserver_retrieval_screener, &screenerarg,
|
keyserver_retrieval_screener, &screenerarg,
|
||||||
only_fprs? KEYORG_KS : 0,
|
only_fprs? KEYORG_KS : 0,
|
||||||
source);
|
source);
|
||||||
|
@ -243,6 +243,9 @@ struct
|
|||||||
unsigned int use_only_openpgp_card:1;
|
unsigned int use_only_openpgp_card:1;
|
||||||
/* Force signing keys even if a key signature already exists. */
|
/* Force signing keys even if a key signature already exists. */
|
||||||
unsigned int force_sign_key:1;
|
unsigned int force_sign_key:1;
|
||||||
|
/* The next flag is set internally iff IMPORT_SELF_SIGS_ONLY has
|
||||||
|
* been set by the user and is not the default value. */
|
||||||
|
unsigned int expl_import_self_sigs_only:1;
|
||||||
} flags;
|
} flags;
|
||||||
|
|
||||||
/* Linked list of ways to find a key if the key isn't on the local
|
/* Linked list of ways to find a key if the key isn't on the local
|
||||||
|
Loading…
x
Reference in New Issue
Block a user