mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-18 14:17:03 +01:00
* options.h, keydb.h, g10.c (main), getkey.c (parse_auto_key_locate):
Parse a list of key access methods. (get_pubkey_byname): Walk the list here to try and retrieve keys we don't have locally.
This commit is contained in:
David Shaw
parent
e396cd2c7c
commit
7eab1846ca
@ -1,3 +1,10 @@
|
||||
2006-02-22 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* options.h, keydb.h, g10.c (main), getkey.c
|
||||
(parse_auto_key_locate): Parse a list of key access methods.
|
||||
(get_pubkey_byname): Walk the list here to try and retrieve keys
|
||||
we don't have locally.
|
||||
|
||||
2006-02-21 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* getkey.c (get_pubkey_byname): Fix minor security problem with
|
||||
|
||||
114
g10/getkey.c
114
g10/getkey.c
@ -905,45 +905,38 @@ get_pubkey_byname (PKT_public_key *pk,
|
||||
KEYDB_HANDLE *ret_kdbhd, int include_unusable )
|
||||
{
|
||||
int rc;
|
||||
int tried_cert=0, tried_pka=0, tried_ks=0;
|
||||
STRLIST namelist = NULL;
|
||||
|
||||
add_to_strlist( &namelist, name );
|
||||
retry:
|
||||
|
||||
rc = key_byname( NULL, namelist, pk, NULL, 0,
|
||||
include_unusable, ret_keyblock, ret_kdbhd);
|
||||
|
||||
/* If the requested name resembles a valid mailbox and automatic
|
||||
retrieval has been enabled, we try to import the key. */
|
||||
|
||||
if (rc == G10ERR_NO_PUBKEY && is_valid_mailbox(name))
|
||||
{
|
||||
int res;
|
||||
struct akl *akl;
|
||||
|
||||
if(!tried_cert
|
||||
&& (opt.keyserver_options.options&KEYSERVER_AUTO_CERT_RETRIEVE))
|
||||
for(akl=opt.auto_key_locate;akl;akl=akl->next)
|
||||
{
|
||||
tried_cert=1;
|
||||
|
||||
switch(akl->type)
|
||||
{
|
||||
case AKL_CERT:
|
||||
glo_ctrl.in_auto_key_retrieve++;
|
||||
res=keyserver_import_cert(name);
|
||||
glo_ctrl.in_auto_key_retrieve--;
|
||||
|
||||
if(res==0)
|
||||
{
|
||||
log_info(_("Automatically retrieved `%s' via %s\n"),
|
||||
name,"DNS CERT");
|
||||
goto retry;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
if(!tried_pka
|
||||
&& opt.allow_pka_lookup
|
||||
&& (opt.keyserver_options.options&KEYSERVER_AUTO_PKA_RETRIEVE))
|
||||
case AKL_PKA:
|
||||
{
|
||||
unsigned char fpr[MAX_FINGERPRINT_LEN];
|
||||
/* If the requested name resembles a valid mailbox and
|
||||
automatic retrieval via PKA records has been enabled, we
|
||||
try to import the key via the URI and try again. */
|
||||
|
||||
tried_pka=1;
|
||||
|
||||
glo_ctrl.in_auto_key_retrieve++;
|
||||
res=keyserver_import_pka(name,fpr);
|
||||
@ -952,7 +945,7 @@ get_pubkey_byname (PKT_public_key *pk,
|
||||
if(res==0)
|
||||
{
|
||||
int i;
|
||||
char fpr_string[2+(MAX_FINGERPRINT_LEN*2)+1];
|
||||
char fpr_string[MAX_FINGERPRINT_LEN*2+1];
|
||||
|
||||
log_info(_("Automatically retrieved `%s' via %s\n"),
|
||||
name,"PKA");
|
||||
@ -964,32 +957,42 @@ get_pubkey_byname (PKT_public_key *pk,
|
||||
sprintf(fpr_string+2*i,"%02X",fpr[i]);
|
||||
|
||||
add_to_strlist( &namelist, fpr_string );
|
||||
|
||||
goto retry;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
/* Try keyserver last as it is likely to be the slowest.
|
||||
Strictly speaking, we don't need to only use a valid mailbox
|
||||
for the getname search, but it helps cut down on a problem
|
||||
with searching for something like "john" and getting a lot of
|
||||
keys back. */
|
||||
if(!tried_ks
|
||||
&& opt.keyserver
|
||||
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE))
|
||||
case AKL_LDAP:
|
||||
glo_ctrl.in_auto_key_retrieve++;
|
||||
res=keyserver_import_ldap(name);
|
||||
glo_ctrl.in_auto_key_retrieve--;
|
||||
|
||||
if(res==0)
|
||||
log_info(_("Automatically retrieved `%s' via %s\n"),
|
||||
name,"LDAP");
|
||||
break;
|
||||
|
||||
case AKL_KEYSERVER:
|
||||
/* Strictly speaking, we don't need to only use a valid
|
||||
mailbox for the getname search, but it helps cut down
|
||||
on the problem of searching for something like "john"
|
||||
and getting a whole lot of keys back. */
|
||||
if(opt.keyserver)
|
||||
{
|
||||
tried_ks=1;
|
||||
|
||||
glo_ctrl.in_auto_key_retrieve++;
|
||||
res=keyserver_import_name(name);
|
||||
glo_ctrl.in_auto_key_retrieve--;
|
||||
|
||||
if(res==0)
|
||||
{
|
||||
log_info(_("Automatically retrieved `%s' via %s\n"),
|
||||
name,opt.keyserver->uri);
|
||||
goto retry;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
rc = key_byname( NULL, namelist, pk, NULL, 0,
|
||||
include_unusable, ret_keyblock, ret_kdbhd);
|
||||
if(rc!=G10ERR_NO_PUBKEY)
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2875,3 +2878,48 @@ get_ctx_handle(GETKEY_CTX ctx)
|
||||
{
|
||||
return ctx->kr_handle;
|
||||
}
|
||||
|
||||
int
|
||||
parse_auto_key_locate(char *options)
|
||||
{
|
||||
char *tok;
|
||||
|
||||
while((tok=optsep(&options)))
|
||||
{
|
||||
struct akl *akl,*last;
|
||||
|
||||
if(tok[0]=='\0')
|
||||
continue;
|
||||
|
||||
akl=xmalloc_clear(sizeof(*akl));
|
||||
|
||||
if(ascii_strcasecmp(tok,"cert")==0)
|
||||
akl->type=AKL_CERT;
|
||||
else if(ascii_strcasecmp(tok,"pka")==0)
|
||||
akl->type=AKL_PKA;
|
||||
else if(ascii_strcasecmp(tok,"ldap")==0)
|
||||
akl->type=AKL_LDAP;
|
||||
else if(ascii_strcasecmp(tok,"keyserver")==0)
|
||||
akl->type=AKL_KEYSERVER;
|
||||
else
|
||||
{
|
||||
xfree(akl);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* We must maintain the order the user gave us */
|
||||
for(last=opt.auto_key_locate;last && last->next;last=last->next)
|
||||
{
|
||||
/* Check for duplicates */
|
||||
if(last && last->type==akl->type)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(last)
|
||||
last->next=akl;
|
||||
else
|
||||
opt.auto_key_locate=akl;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
15
g10/gpg.c
15
g10/gpg.c
@ -354,14 +354,13 @@ enum cmd_and_opt_values
|
||||
oKeyidFormat,
|
||||
oExitOnStatusWriteError,
|
||||
oLimitCardInsertTries,
|
||||
|
||||
oReaderPort,
|
||||
octapiDriver,
|
||||
opcscDriver,
|
||||
oDisableCCID,
|
||||
|
||||
oRequireBacksigs,
|
||||
oNoRequireBacksigs,
|
||||
oAutoKeyLocate,
|
||||
|
||||
oNoop
|
||||
};
|
||||
@ -707,6 +706,7 @@ static ARGPARSE_OPTS opts[] = {
|
||||
{ oRecipient, "user", 2, "@" },
|
||||
{ oRequireBacksigs, "require-backsigs", 0, "@"},
|
||||
{ oNoRequireBacksigs, "no-require-backsigs", 0, "@"},
|
||||
{ oAutoKeyLocate, "auto-key-locate", 2, "@"},
|
||||
{0,NULL,0,NULL}
|
||||
};
|
||||
|
||||
@ -2645,6 +2645,17 @@ main (int argc, char **argv )
|
||||
case oRequireBacksigs: opt.require_backsigs=1; break;
|
||||
case oNoRequireBacksigs: opt.require_backsigs=0; break;
|
||||
|
||||
case oAutoKeyLocate:
|
||||
if(!parse_auto_key_locate(pargs.r.ret_str))
|
||||
{
|
||||
if(configname)
|
||||
log_error(_("%s:%d: invalid auto-key-locate list\n"),
|
||||
configname,configlineno);
|
||||
else
|
||||
log_error(_("invalid auto-key-locate list\n"));
|
||||
}
|
||||
break;
|
||||
|
||||
case oNoop: break;
|
||||
|
||||
default : pargs.err = configfp? 1:2; break;
|
||||
|
||||
@ -258,6 +258,7 @@ char*get_long_user_id_string( u32 *keyid );
|
||||
char*get_user_id( u32 *keyid, size_t *rn );
|
||||
char*get_user_id_native( u32 *keyid );
|
||||
KEYDB_HANDLE get_ctx_handle(GETKEY_CTX ctx);
|
||||
int parse_auto_key_locate(char *options);
|
||||
|
||||
/*-- keyid.c --*/
|
||||
int pubkey_letter( int algo );
|
||||
|
||||
@ -220,6 +220,14 @@ struct
|
||||
error (but an invalid backsig still is). */
|
||||
int require_backsigs;
|
||||
|
||||
/* Linked list of ways to find a key if the key isn't on the local
|
||||
keyring. */
|
||||
struct akl
|
||||
{
|
||||
enum {AKL_CERT, AKL_PKA, AKL_LDAP, AKL_KEYSERVER} type;
|
||||
struct akl *next;
|
||||
} *auto_key_locate;
|
||||
|
||||
} opt;
|
||||
|
||||
/* CTRL is used to keep some global variables we currently can't
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user