[git] GnuPG - branch, master, updated. gnupg-2.1.21-147-g87b5421

by Werner Koch cvs at cvs.gnupg.org
Mon Jul 24 21:16:02 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  87b5421ca84bbea68217c9ed771ee8c0a98a4d0c (commit)
       via  2ca0381d077d766593db26f4215b8eddee8d7963 (commit)
      from  e7068bf92ec5ca5d440346d43a382c1f625b924d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 87b5421ca84bbea68217c9ed771ee8c0a98a4d0c
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Jul 24 21:07:03 2017 +0200

    gpg: Extend --key-origin to take an optional URL arg.
    
    * g10/getkey.c (parse_key_origin): Parse appended URL.
    * g10/options.h (struct opt): Add field 'key_origin_url'.
    * g10/gpg.c (main) <aImport>: Pass that option to import_keys.
    * g10/import.c (apply_meta_data): Extend for file and url.
    * g10/keyserver.c (keyserver_fetch): Pass the url to
    import_keys_es_stream.
    --
    
    Example:
    
      gpg --key-origin url,myscheme://bla --import FILE
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 9147bdf..dddb930 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2260,12 +2260,14 @@ hint to optimize its buffer allocation strategy.  It is also used by
 the @option{--status-fd} line ``PROGRESS'' to provide a value for
 ``total'' if that is not available by other means.
 
- at item --key-origin @var{string}
+ at item --key-origin @var{string}[, at var{url}]
 @opindex key-origin
 gpg can track the origin of a key. Certain origins are implicitly
 known (e.g. keyserver, web key directory) and set.  For a standard
-import the origin of the keys imported can be set with this optionb.
-To list the possible values use "help" for @var{string}.
+import the origin of the keys imported can be set with this option.
+To list the possible values use "help" for @var{string}.  Some origins
+can store an optional @var{url} argument.  That URL can appended to
+ at var{string} after a comma.
 
 @item --import-options @code{parameters}
 @opindex import-options
diff --git a/g10/getkey.c b/g10/getkey.c
index 74eed13..390e2dc 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -4325,6 +4325,11 @@ int
 parse_key_origin (char *string)
 {
   int i;
+  char *comma;
+
+  comma = strchr (string, ',');
+  if (comma)
+    *comma = 0;
 
   if (!ascii_strcasecmp (string, "help"))
     {
@@ -4338,9 +4343,19 @@ parse_key_origin (char *string)
     if (!ascii_strcasecmp (string, key_origin_list[i].name))
       {
         opt.key_origin = key_origin_list[i].origin;
+        xfree (opt.key_origin_url);
+        opt.key_origin_url = NULL;
+        if (comma && comma[1])
+          {
+            opt.key_origin_url = xstrdup (comma+1);
+            trim_spaces (opt.key_origin_url);
+          }
+
         return 1;
       }
 
+  if (comma)
+    *comma = ',';
   return 0;
 }
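Review bot: `if (comma && comma[1])` only rejects an entirely empty remainder, so an argument such as `url,` followed by spaces passes the test, `trim_spaces` reduces the copy to an empty string, and `opt.key_origin_url` ends up as `""` rather than NULL; the `if (url)` test added in apply_meta_data (g10/import.c) then records an empty update URL. After the `trim_spaces` call add `if (!*opt.key_origin_url) { xfree (opt.key_origin_url); opt.key_origin_url = NULL; }`. Whether trim_spaces also strips leading whitespace is not visible here, so the check is worth having either way.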
 
diff --git a/g10/gpg.c b/g10/gpg.c
index 7495e17..52b6089 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4515,7 +4515,7 @@ main (int argc, char **argv)
         opt.import_options |= IMPORT_FAST; /* fall through */
       case aImport:
 	import_keys (ctrl, argc? argv:NULL, argc, NULL,
-                     opt.import_options, opt.key_origin, NULL);
+                     opt.import_options, opt.key_origin, opt.key_origin_url);
 	break;
 
 	/* TODO: There are a number of command that use this same
diff --git a/g10/import.c b/g10/import.c
index d22c8f4..f18ef48 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1425,6 +1425,22 @@ apply_meta_data (kbnode_t keyblock, int origin, const char *url)
               if (!pk->updateurl)
                 return gpg_error_from_syserror ();
             }
+          else if (origin == KEYORG_FILE)
+            {
+              pk->keyorg = origin;
+              pk->keyupdate = curtime;
+            }
+          else if (origin == KEYORG_URL)
+            {
+              pk->keyorg = origin;
+              pk->keyupdate = curtime;
+              if (url)
+                {
+                  pk->updateurl = xtrystrdup (url);
+                  if (!pk->updateurl)
+                    return gpg_error_from_syserror ();
+                }
+            }
         }
       else if (node->pkt->pkttype == PKT_USER_ID)
         {
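Review bot: Every origin branch in this chain now performs the same two assignments `pk->keyorg = origin; pk->keyupdate = curtime;` and differs only in whether `updateurl` is copied, so the five-way if/else-if ladder could be reduced to one shared assignment plus a single guarded `xtrystrdup` for the URL-recording origins; the user-ID chain in the next hunk (`uid->keyorg`, `uid->keyupdate`) has the same shape. The existing `origin == KEYORG_KS && url` guard, which records nothing without a URL, would need to be kept explicit in any collapsed form. Note also that `pk->updateurl = xtrystrdup (url);` overwrites without freeing a previous value; this relies on the key being freshly parsed, as the WKD comment states, and a short comment to that effect would help. apply_meta_data begins before this hunk.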
@@ -1458,6 +1474,16 @@ apply_meta_data (kbnode_t keyblock, int origin, const char *url)
               uid->keyorg = origin;
               uid->keyupdate = curtime;
             }
+          else if (origin == KEYORG_FILE)
+            {
+              uid->keyorg = origin;
+              uid->keyupdate = curtime;
+            }
+          else if (origin == KEYORG_URL)
+            {
+              uid->keyorg = origin;
+              uid->keyupdate = curtime;
+            }
         }
     }
 
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 4d2a2c8..a8c222d 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1884,7 +1884,7 @@ keyserver_fetch (ctrl_t ctrl, strlist_t urilist, int origin)
           stats_handle = import_new_stats_handle();
           import_keys_es_stream (ctrl, datastream, stats_handle, NULL, NULL,
                                  opt.keyserver_options.import_options,
-                                 NULL, NULL, origin, NULL);
+                                 NULL, NULL, origin, sl->d);
 
           import_print_stats (stats_handle);
           import_release_stats_handle (stats_handle);
diff --git a/g10/options.h b/g10/options.h
index 21249e9..83f4028 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -266,6 +266,7 @@ struct
 
   /* The value of --key-origin.  See parse_key_origin().  */
   int key_origin;
+  char *key_origin_url;
 
   int passphrase_repeat;
   int pinentry_mode;

commit 2ca0381d077d766593db26f4215b8eddee8d7963
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Jul 24 20:47:41 2017 +0200

    gpg: Store key origin info for new keys from a keyserver
    
    * g10/keyserver.c (keyserver_get_chunk): Use KEYORG_KS if request was
    done by fingerprint.
    * g10/import.c (apply_meta_data): Implement that.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/import.c b/g10/import.c
index e3c8c37..d22c8f4 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1394,38 +1394,69 @@ apply_meta_data (kbnode_t keyblock, int origin, const char *url)
     {
       if (is_deleted_kbnode (node))
         ;
-      else if (node->pkt->pkttype == PKT_PUBLIC_KEY
-               && (origin == KEYORG_WKD || origin == KEYORG_DANE))
-        {
-          /* For WKD and DANE we insert origin information also for
-           * the key but we don't record the URL because we have have
-           * no use for that: An update using a keyserver has higher
-           * precedence and will thus update this origin info.  For
-           * refresh using WKD or DANE we need to go via the User ID
-           * anyway.  Recall that we are only inserting a new key. */
+      else if (node->pkt->pkttype == PKT_PUBLIC_KEY)
+        {
           PKT_public_key *pk = node->pkt->pkt.public_key;
 
-          pk->keyorg = origin;
-          pk->keyupdate = curtime;
+          if (origin == KEYORG_WKD || origin == KEYORG_DANE)
+            {
+              /* For WKD and DANE we insert origin information also
+               * for the key but we don't record the URL because we
+               * have have no use for that: An update using a
+               * keyserver has higher precedence and will thus update
+               * this origin info.  For refresh using WKD or DANE we
+               * need to go via the User ID anyway.  Recall that we
+               * are only inserting a new key. */
+              pk->keyorg = origin;
+              pk->keyupdate = curtime;
+            }
+          else if (origin == KEYORG_KS && url)
+            {
+              /* If the key was retrieved from a keyserver using a
+               * fingerprint request we add the meta information.
+               * Note that the use of a fingerprint needs to be
+               * enforced by the caller of the import function.  This
+               * is commonly triggered by verifying a modern signature
+               * which has an Issuer Fingerprint signature
+               * subpacket.  */
+              pk->keyorg = origin;
+              pk->keyupdate = curtime;
+              pk->updateurl = xtrystrdup (url);
+              if (!pk->updateurl)
+                return gpg_error_from_syserror ();
+            }
         }
-      else if (node->pkt->pkttype == PKT_USER_ID
-               && (origin == KEYORG_WKD || origin == KEYORG_DANE))
-        {
-          /* We insert origin information on a UID only when we
-           * received them via the Web Key Directory or a DANE record.
-           * The key we receive here from the WKD has been filtered to
-           * contain only the user ID as looked up in the WKD.  For a
-           * DANE origin we this should also be the case.  Thus we
-           * will see here only one user id.  */
+      else if (node->pkt->pkttype == PKT_USER_ID)
+        {
           PKT_user_id *uid = node->pkt->pkt.user_id;
 
-          uid->keyorg = origin;
-          uid->keyupdate = curtime;
-          if (url)
+          if (origin == KEYORG_WKD || origin == KEYORG_DANE)
             {
-              uid->updateurl = xtrystrdup (url);
-              if (!uid->updateurl)
-                return gpg_error_from_syserror ();
+              /* We insert origin information on a UID only when we
+               * received them via the Web Key Directory or a DANE
+               * record.  The key we receive here from the WKD has
+               * been filtered to contain only the user ID as looked
+               * up in the WKD.  For a DANE origin we this should also
+               * be the case.  Thus we will see here only one user
+               * id.  */
+              uid->keyorg = origin;
+              uid->keyupdate = curtime;
+              if (url)
+                {
+                  uid->updateurl = xtrystrdup (url);
+                  if (!uid->updateurl)
+                    return gpg_error_from_syserror ();
+                }
+            }
+          else if (origin == KEYORG_KS && url)
+            {
+              /* If the key was retrieved from a keyserver using a
+               * fingerprint request we mark that also in the user ID.
+               * However we do not store the keyserver URL in the UID.
+               * A later update (merge) from a more trusted source
+               * will replace this info.  */
+              uid->keyorg = origin;
+              uid->keyupdate = curtime;
             }
         }
     }
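Review bot: Both new `KEYORG_KS` branches are guarded by `&& url`, so a fingerprint-only keyserver retrieval whose `source` string is NULL records no origin at all for key or user ID, and does so silently; keyserver_get_chunk initialises `source` to NULL and only gpg_dirmngr_ks_get fills it, so this appears possible when dirmngr reports no source. If that is intended, say so in the comment; otherwise set `keyorg`/`keyupdate` for KS unconditionally and copy `updateurl` only when `url` is non-NULL, as the WKD/DANE user-ID branch already does. The relocated comments also carry two typos worth fixing while they are being moved: `have have no use` and `For a DANE origin we this should`. apply_meta_data begins before this hunk.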
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 9586448..4d2a2c8 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1590,11 +1590,12 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
 {
   gpg_error_t err = 0;
   char **pattern;
-  int idx, npat;
+  int idx, npat, npat_fpr;
   estream_t datastream;
   char *source = NULL;
   size_t linelen;  /* Estimated linelen for KS_GET.  */
   size_t n;
+  int only_fprs;
 
 #define MAX_KS_GET_LINELEN 950  /* Somewhat lower than the real limit.  */
 
@@ -1613,7 +1614,7 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
      but we are sure that R_NDESC_USED has been updated.  This avoids
      a possible indefinite loop.  */
   linelen = 17; /* "KS_GET --quick --" */
-  for (npat=idx=0; idx < ndesc; idx++)
+  for (npat=npat_fpr=0, idx=0; idx < ndesc; idx++)
     {
       int quiet = 0;
 
@@ -1635,6 +1636,8 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
                        desc[idx].mode == KEYDB_SEARCH_MODE_FPR20? 20 : 16,
                        pattern[npat]+2);
               npat++;
+              if (desc[idx].mode == KEYDB_SEARCH_MODE_FPR20)
+                npat_fpr++;
             }
         }
       else if(desc[idx].mode == KEYDB_SEARCH_MODE_LONG_KID)
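Review bot: `npat_fpr` is incremented only for `KEYDB_SEARCH_MODE_FPR20`, while the surrounding branch (the `? 20 : 16` on the line above) also formats 16-byte fingerprints, so a request containing any 16-byte fingerprint never qualifies as fingerprint-only and the retrieved keys get no KEYORG_KS origin. If excluding the shorter fingerprints is deliberate, make it explicit with `/* Only full 20 byte fingerprints count as fingerprint requests.  */` above the new `if`. The enclosing for loop starts outside this hunk.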
@@ -1716,6 +1719,8 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
      this is different from NPAT.  */
   *r_ndesc_used = idx;
 
+  only_fprs = (npat && npat == npat_fpr);
+
   err = gpg_dirmngr_ks_get (ctrl, pattern, override_keyserver, quick,
                             &datastream, &source);
   for (idx=0; idx < npat; idx++)
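Review bot: The meaning of `only_fprs` is left to the reader, yet it decides whether imported keys are stamped with `KEYORG_KS` later in this function, and apply_meta_data's comment says enforcing the fingerprint requirement is the caller's job, so this line is where that contract is met. Add `/* If every pattern was a full fingerprint the retrieved keys may be marked with KEYORG_KS (see apply_meta_data).  */` above the assignment. The `npat &&` guard correctly keeps an empty pattern list from qualifying.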
@@ -1747,7 +1752,8 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
                              (opt.keyserver_options.import_options
                               | IMPORT_NO_SECKEY),
                              keyserver_retrieval_screener, &screenerarg,
-                             0 /* FIXME? */, NULL);
+                             only_fprs? KEYORG_KS : 0,
+                             source);
     }
   es_fclose (datastream);
   xfree (source);

-----------------------------------------------------------------------

Summary of changes:
 doc/gpg.texi    |   8 +++--
 g10/getkey.c    |  15 ++++++++
 g10/gpg.c       |   2 +-
 g10/import.c    | 109 ++++++++++++++++++++++++++++++++++++++++++--------------
 g10/keyserver.c |  14 +++++---
 g10/options.h   |   1 +
 6 files changed, 115 insertions(+), 34 deletions(-)





