From 99db4b0c7fd128ea5b2e251fe854bd57f6322238 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 26 Apr 2021 14:15:21 +0200
Subject: [PATCH] gpg: Do not use import-clean for LDAP keyserver imports.
* g10/options.h (opts): New field expl_import_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--
I can be assumed that configured LDAP servers are somehow curated and not affected by rogue key signatures as the HKP servers are. Thus we don't clean the key anymore so that key certifications are kept even if the public key has not yet been imported.
See-commit: 6c26e593df51475921410ac97e9227df6b258618
GnuPG-bug-id: 5387
---
 g10/import.c | 14 +++++++++++---
 g10/keyserver.c | 14 +++++++++-----
 g10/options.h | 3 +++
 3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 62ee2a46e..821ddf0d4 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -225,12 +225,14 @@ parse_import_options(char *str,unsigned int *options,int noisy)
 {NULL,0,NULL,NULL}
 };
 int rc;
- int saved_self_sigs_only;
+ int saved_self_sigs_only, saved_import_clean;
- /* We need to set a flag indicating wether the user has set
- * IMPORT_SELF_SIGS_ONLY or it came from the default. */
+ /* We need to set flags indicating wether the user has set certain
+ * options or if they came from the default. */
 saved_self_sigs_only = (*options & IMPORT_SELF_SIGS_ONLY);
 saved_self_sigs_only &= ~IMPORT_SELF_SIGS_ONLY;
+ saved_import_clean = (*options & IMPORT_CLEAN);
+ saved_import_clean &= ~IMPORT_CLEAN;
 rc = parse_options (str, options, import_opts, noisy);
@@ -239,6 +241,12 @@ parse_import_options(char *str,unsigned int *options,int noisy)
 else
 *options |= saved_self_sigs_only;
+ if (rc && (*options & IMPORT_CLEAN))
+ opt.flags.expl_import_clean = 1;
+ else
+ *options |= saved_import_clean;
+
+
 if (rc && (*options & IMPORT_RESTORE))
 {
 /* Alter other options we want or don't want for restore. */
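Review bot: The new `saved_import_clean &= ~IMPORT_CLEAN;` line clears the bit in the saved copy rather than in `*options`, so `saved_import_clean` is always 0, the `*options |= saved_import_clean;` in the second hunk restores nothing, and `*options` enters parse_options() still carrying whatever default it had. If IMPORT_CLEAN is part of the default keyserver import options (not visible here), then whenever parse_options() reports success (nonzero rc, as the existing check assumes) for an option string that does not say `no-import-clean`, `rc && (*options & IMPORT_CLEAN)` is true and `opt.flags.expl_import_clean` is set, which would suppress the LDAP relaxation this commit introduces for every user who sets any keyserver-options at all. The intended save/clear/restore is presumably `saved_import_clean = (*options & IMPORT_CLEAN); *options &= ~IMPORT_CLEAN;`. The pre-existing `saved_self_sigs_only &= ~IMPORT_SELF_SIGS_ONLY;` context line shows the same pattern and likely has the same problem. parse_import_options() starts and ends outside this hunk.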
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 492ce0ce5..48033ab8d 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1771,13 +1771,17 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
 never accept or send them but we better protect against rogue keyservers. */
- /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY unless it has
- * been set explicitly. */
+ /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY and
+ * IMPORT_CLEAN unless they have been set explicitly. */
 options = (opt.keyserver_options.import_options | IMPORT_NO_SECKEY);
 if (source && (!strncmp (source, "ldap:", 5)
- || !strncmp (source, "ldaps:", 6))
- && !opt.flags.expl_import_self_sigs_only)
- options &= ~IMPORT_SELF_SIGS_ONLY;
+ || !strncmp (source, "ldaps:", 6)))
+ {
+ if (!opt.flags.expl_import_self_sigs_only)
+ options &= ~IMPORT_SELF_SIGS_ONLY;
+ if (!opt.flags.expl_import_clean)
+ options &= ~IMPORT_CLEAN;
+ }
 screenerarg.desc = desc;
 screenerarg.ndesc = *r_ndesc_used;
diff --git a/g10/options.h b/g10/options.h
index fca23cb5c..2c558d2e7 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -259,6 +259,9 @@ struct
 /* The next flag is set internally iff IMPORT_SELF_SIGS_ONLY has
 * been set by the user and is not the default value. */
 unsigned int expl_import_self_sigs_only:1;
+ /* The next flag is set internally iff IMPORT_CLEAN has
+ * been set by the user and is not the default value. */
+ unsigned int expl_import_clean:1;
 } flags;
 /* Linked list of ways to find a key if the key isn't on the local
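Review bot: The new `if (!opt.flags.expl_import_clean) options &= ~IMPORT_CLEAN;` is keyed on the URL scheme alone, so a plain `ldap:` source without TLS drops the same mitigation as `ldaps:`, even though the comment a few lines up says the code should "protect against rogue keyservers"; unless dirmngr upgrades such connections to TLS (not visible here), an on-path attacker can act as the rogue keyserver and deliver flooded certificates that import-clean would otherwise have stripped. Consider restricting the relaxation to `ldaps:`, or at least recording the trust assumption in the comment, e.g. `/* LDAP keyservers are assumed to be curated, so the certificate-flooding mitigations (self-sigs-only, import-clean) are dropped unless the user asked for them explicitly. */`. Note also that `strncmp` is case-sensitive, so `LDAP://` would not match; that is fine if the source string is normalized upstream, which I cannot confirm from here. keyserver_get_chunk() starts and ends outside this hunk.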