Submitted By:            Fernando de Oliveira <famobr at yahoo dot com dot br>
Date: 2014-08.12
Initial Package Version: 2.0.25
Upstream Status:         Fixed
Origin:                  Upstream and MacGPG2
URL:                     https://raw.githubusercontent.com/GPGTools/MacGPG2/517a05d757ea3396a2e94beb6b4b12b1c5bfd510/Formula/Patches/gnupg2/import-filter.patch
URL:                     http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=088f82c0b5e39687f70e44d3ab719854e808eeb6;hp=25d5480e98068f6dd15c70c9e58236c77037535d
URL:                     http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=25d5480e98068f6dd15c70c9e58236c77037535d;hp=4500d3cb6dd3525a835c251e6104f500050cf075

Description:             Fixes wrong "rejected by import filter". Add kbnode_t for easier backporting.


# Drop this patch with gnupg 2.0.26

--- a/g10/gpg.h
+++ b/g10/gpg.h
@@ -50,6 +50,7 @@
 
 /* Object used to describe a keyblok node.  */
 typedef struct kbnode_struct *KBNODE;
+typedef struct kbnode_struct *kbnode_t;
 /* Object used for looking ob keys.  */
 typedef struct keydb_search_desc KEYDB_SEARCH_DESC;
 
--- a/g10/import.c
+++ b/g10/import.c
@@ -799,7 +799,7 @@
 	return 0;
       }
 
-    if (filter && filter (pk, NULL, filter_arg))
+    if (filter && filter (keyblock, filter_arg))
       {
         log_error (_("key %s: %s\n"), keystr_from_pk(pk),
                    _("rejected by import filter"));
@@ -1201,7 +1201,7 @@
     keyid_from_sk( sk, keyid );
     uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
 
-    if (filter && filter (NULL, sk, filter_arg)) {
+    if (filter && filter (keyblock, filter_arg)) {
         log_error (_("secret key %s: %s\n"), keystr_from_sk(sk),
                    _("rejected by import filter"));
         return 0;
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -994,52 +994,68 @@
    returns 0 if the key shall be imported.  Note that this kind of
    filter is not related to the iobuf filters. */
 static int
-keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk,
-                            void *opaque)
+keyserver_retrieval_filter (kbnode_t keyblock, void *opaque)
 {
   struct ks_retrieval_filter_arg_s *arg = opaque;
   KEYDB_SEARCH_DESC *desc = arg->desc;
   int ndesc = arg->ndesc;
+  kbnode_t node;
+  PKT_public_key *pk;
   int n;
   u32 keyid[2];
   byte fpr[MAX_FINGERPRINT_LEN];
   size_t fpr_len = 0;
 
-  /* Secret keys are not expected from a keyserver.  Do not import.  */
-  if (sk)
-    return G10ERR_GENERAL;
+  /* Secret keys are not expected from a keyserver.  We do not
+     care about secret subkeys because the import code takes care
+     of skipping them.  Not allowing an import of a public key
+     with a secret subkey would make it too easy to inhibit the
+     downloading of a public key.  Recall that keyservers do only
+     limited checks.  */
+  node = find_kbnode (keyblock, PKT_SECRET_KEY);
+  if (node)
+    return G10ERR_GENERAL;   /* Do not import. */
 
   if (!ndesc)
     return 0; /* Okay if no description given.  */
 
-  fingerprint_from_pk (pk, fpr, &fpr_len);
-  keyid_from_pk (pk, keyid);
-
-  /* Compare requested and returned fingerprints if available. */
-  for (n = 0; n < ndesc; n++)
+  /* Loop over all key packets.  */
+  for (node = keyblock; node; node = node->next)
     {
-      if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
-        {
-          if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
-            return 0;
-        }
-      else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
-        {
-          if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
-            return 0;
-        }
-      else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
-        {
-          if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
-            return 0;
-        }
-      else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
+      if (node->pkt->pkttype != PKT_PUBLIC_KEY
+          && node->pkt->pkttype != PKT_PUBLIC_SUBKEY)
+        continue;
+
+      pk = node->pkt->pkt.public_key;
+      fingerprint_from_pk (pk, fpr, &fpr_len);
+      keyid_from_pk (pk, keyid);
+
+      /* Compare requested and returned fingerprints if available. */
+      for (n = 0; n < ndesc; n++)
         {
-          if (keyid[1] == desc[n].u.kid[1])
-            return 0;
+          if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
+            {
+              if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
+                return 0;
+            }
+          else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
+            {
+              if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
+                return 0;
+            }
+          else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
+            {
+              if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
+                return 0;
+            }
+          else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
+            {
+              if (keyid[1] == desc[n].u.kid[1])
+                return 0;
+            }
+          else /* No keyid or fingerprint - can't check.  */
+            return 0; /* allow import.  */
         }
-      else
-        return 0;
     }
 
   return G10ERR_GENERAL;
--- a/g10/main.h
+++ b/g10/main.h
@@ -261,8 +261,7 @@
 
 /*-- import.c --*/
 
-typedef int (*import_filter_t)(PKT_public_key *pk, PKT_secret_key *sk,
-                               void *arg);
+typedef int (*import_filter_t)(kbnode_t keyblock, void *arg);
 
 int parse_import_options(char *str,unsigned int *options,int noisy);
 void import_keys( char **fnames, int nnames,