
gpg: Do not use import-clean for LDAP keyserver imports.

* g10/options.h (opts): New field expl_import_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

It can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
don't clean the key anymore so that key certifications are kept even
if the public key has not yet been imported.

See-commit: 6c26e593df51475921410ac97e9227df6b258618
GnuPG-bug-id: 5387
Werner Koch 2021-04-26 14:15:21 +02:00
parent 100037ac0f
commit 99db4b0c7f
GPG Key ID: E3FDFF218E45B72B
3 changed files with 23 additions and 8 deletions


@ -225,12 +225,14 @@ parse_import_options(char *str,unsigned int *options,int noisy)
{NULL,0,NULL,NULL} {NULL,0,NULL,NULL}
}; };
int rc; int rc;
int saved_self_sigs_only; int saved_self_sigs_only, saved_import_clean;
/* We need to set a flag indicating wether the user has set /* We need to set flags indicating wether the user has set certain
* IMPORT_SELF_SIGS_ONLY or it came from the default. */ * options or if they came from the default. */
saved_self_sigs_only = (*options & IMPORT_SELF_SIGS_ONLY); saved_self_sigs_only = (*options & IMPORT_SELF_SIGS_ONLY);
saved_self_sigs_only &= ~IMPORT_SELF_SIGS_ONLY; saved_self_sigs_only &= ~IMPORT_SELF_SIGS_ONLY;
saved_import_clean = (*options & IMPORT_CLEAN);
saved_import_clean &= ~IMPORT_CLEAN;
rc = parse_options (str, options, import_opts, noisy); rc = parse_options (str, options, import_opts, noisy);
@ -239,6 +241,12 @@ parse_import_options(char *str,unsigned int *options,int noisy)
else else
*options |= saved_self_sigs_only; *options |= saved_self_sigs_only;
if (rc && (*options & IMPORT_CLEAN))
opt.flags.expl_import_clean = 1;
else
*options |= saved_import_clean;
if (rc && (*options & IMPORT_RESTORE)) if (rc && (*options & IMPORT_RESTORE))
{ {
/* Alter other options we want or don't want for restore. */ /* Alter other options we want or don't want for restore. */
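Review bot: `saved_import_clean &= ~IMPORT_CLEAN;` (second added line of the first hunk) clears the very bit that the preceding line just isolated, so `saved_import_clean` is always zero and the `*options |= saved_import_clean;` added in the second hunk is a no-op; the new lines copy the pre-existing `saved_self_sigs_only` pair, which has the same shape. The apparent intent is to strip the default bit from `*options` before `parse_options` runs, so that the bit being set afterwards means the user asked for it, i.e. `*options &= ~IMPORT_CLEAN;` in place of the `&=` on the local, with the else branch then restoring the saved default. Unless parse_options itself removes the bit (not visible here), the code as written sets `expl_import_clean` whenever the incoming default already contains IMPORT_CLEAN and parsing succeeds, which would defeat the LDAP special case in keyserver_get_chunk. Even with that change an explicit `no-import-clean` lands in the else branch and has the default re-applied, so a distinct "explicitly disabled" state would be needed if that is to be honoured. parse_import_options begins and ends outside the hunks.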


@ -1771,13 +1771,17 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
never accept or send them but we better protect against rogue never accept or send them but we better protect against rogue
keyservers. */ keyservers. */
/* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY unless it has /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY and
* been set explicitly. */ * IMPORT_CLEAN unless they have been set explicitly. */
options = (opt.keyserver_options.import_options | IMPORT_NO_SECKEY); options = (opt.keyserver_options.import_options | IMPORT_NO_SECKEY);
if (source && (!strncmp (source, "ldap:", 5) if (source && (!strncmp (source, "ldap:", 5)
|| !strncmp (source, "ldaps:", 6)) || !strncmp (source, "ldaps:", 6)))
&& !opt.flags.expl_import_self_sigs_only) {
options &= ~IMPORT_SELF_SIGS_ONLY; if (!opt.flags.expl_import_self_sigs_only)
options &= ~IMPORT_SELF_SIGS_ONLY;
if (!opt.flags.expl_import_clean)
options &= ~IMPORT_CLEAN;
}
screenerarg.desc = desc; screenerarg.desc = desc;
screenerarg.ndesc = *r_ndesc_used; screenerarg.ndesc = *r_ndesc_used;
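Review bot: The relaxation in the new `if` block is keyed purely on `source` starting with `ldap:` or `ldaps:`, and the comment above it says what is reset but not why; the trust assumption from the commit message belongs next to the code. I would extend the comment to `/* LDAP servers are assumed to be curated (see GnuPG-bug-id 5387) and thus, unlike HKP, not exposed to rogue key signatures; keep IMPORT_CLEAN and IMPORT_SELF_SIGS_ONLY only if the user asked for them explicitly. */`. Note that the plain `ldap:` scheme is matched as well as `ldaps:`, so the relaxation does not depend on the transport being authenticated; whether `source` is always the user-configured keyserver URI rather than a value learned at run time is not visible in this hunk and is worth confirming. keyserver_get_chunk starts and ends outside the hunk.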


@ -259,6 +259,9 @@ struct
/* The next flag is set internally iff IMPORT_SELF_SIGS_ONLY has /* The next flag is set internally iff IMPORT_SELF_SIGS_ONLY has
* been set by the user and is not the default value. */ * been set by the user and is not the default value. */
unsigned int expl_import_self_sigs_only:1; unsigned int expl_import_self_sigs_only:1;
/* The next flag is set internally iff IMPORT_CLEAN has
* been set by the user and is not the default value. */
unsigned int expl_import_clean:1;
} flags; } flags;
/* Linked list of ways to find a key if the key isn't on the local /* Linked list of ways to find a key if the key isn't on the local