[FIX] Import-filter rejects keys. [#134 state:fixed assigned:mento]

The patch is based on changes in the gunpg repo.

Formula/MacGPG2.rb

@@ -30,7 +30,8 @@ def patches
               "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/gpg-agent.patch",
               "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/MacGPG2VersionString.patch",
               "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/passphrase-fd.patch",
-              "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/options.skel.patch"] }
+              "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/options.skel.patch",
+              "#{HOMEBREW_PREFIX}/Library/Formula/Patches/gnupg2/import-filter.patch"] }
   end
 
   def install

Formula/Patches/gnupg2/import-filter.patch

@@ -0,0 +1,145 @@
+# Drop this patch with gnupg 2.0.26
+
+--- a/g10/gpg.h
++++ b/g10/gpg.h
+@@ -50,6 +50,7 @@
+
+ /* Object used to describe a keyblok node.  */
+ typedef struct kbnode_struct *KBNODE;
++typedef struct kbnode_struct *kbnode_t;
+ /* Object used for looking ob keys.  */
+ typedef struct keydb_search_desc KEYDB_SEARCH_DESC;
+
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -799,7 +799,7 @@
+ 	return 0;
+       }
+
+-    if (filter && filter (pk, NULL, filter_arg))
++    if (filter && filter (keyblock, filter_arg))
+       {
+         log_error (_("key %s: %s\n"), keystr_from_pk(pk),
+                    _("rejected by import filter"));
+@@ -1201,7 +1201,7 @@
+     keyid_from_sk( sk, keyid );
+     uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
+
+-    if (filter && filter (NULL, sk, filter_arg)) {
++    if (filter && filter (keyblock, filter_arg)) {
+         log_error (_("secret key %s: %s\n"), keystr_from_sk(sk),
+                    _("rejected by import filter"));
+         return 0;
+--- a/g10/keyserver.c
++++ b/g10/keyserver.c
+@@ -994,52 +994,68 @@
+    returns 0 if the key shall be imported.  Note that this kind of
+    filter is not related to the iobuf filters. */
+ static int
+-keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk,
+-                            void *opaque)
++keyserver_retrieval_filter (kbnode_t keyblock, void *opaque)
+ {
+   struct ks_retrieval_filter_arg_s *arg = opaque;
+   KEYDB_SEARCH_DESC *desc = arg->desc;
+   int ndesc = arg->ndesc;
++  kbnode_t node;
++  PKT_public_key *pk;
+   int n;
+   u32 keyid[2];
+   byte fpr[MAX_FINGERPRINT_LEN];
+   size_t fpr_len = 0;
+
+-  /* Secret keys are not expected from a keyserver.  Do not import.  */
+-  if (sk)
+-    return G10ERR_GENERAL;
++  /* Secret keys are not expected from a keyserver.  We do not
++     care about secret subkeys because the import code takes care
++     of skipping them.  Not allowing an import of a public key
++     with a secret subkey would make it too easy to inhibit the
++     downloading of a public key.  Recall that keyservers do only
++     limited checks.  */
++  node = find_kbnode (keyblock, PKT_SECRET_KEY);
++  if (node)
++    return G10ERR_GENERAL;   /* Do not import. */
+
+   if (!ndesc)
+     return 0; /* Okay if no description given.  */
+
+-  fingerprint_from_pk (pk, fpr, &fpr_len);
+-  keyid_from_pk (pk, keyid);
+-
+-  /* Compare requested and returned fingerprints if available. */
+-  for (n = 0; n < ndesc; n++)
++  /* Loop over all key packets.  */
++  for (node = keyblock; node; node = node->next)
+     {
+-      if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
+-        {
+-          if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
+-            return 0;
+-        }
+-      else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
+-        {
+-          if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
+-            return 0;
+-        }
+-      else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
+-        {
+-          if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
+-            return 0;
+-        }
+-      else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
++      if (node->pkt->pkttype != PKT_PUBLIC_KEY
++          && node->pkt->pkttype != PKT_PUBLIC_SUBKEY)
++        continue;
++
++      pk = node->pkt->pkt.public_key;
++      fingerprint_from_pk (pk, fpr, &fpr_len);
++      keyid_from_pk (pk, keyid);
++
++      /* Compare requested and returned fingerprints if available. */
++      for (n = 0; n < ndesc; n++)
+         {
+-          if (keyid[1] == desc[n].u.kid[1])
+-            return 0;
++          if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20)
++            {
++              if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20))
++                return 0;
++            }
++          else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16)
++            {
++              if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16))
++                return 0;
++            }
++          else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
++            {
++              if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1])
++                return 0;
++            }
++          else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID)
++            {
++              if (keyid[1] == desc[n].u.kid[1])
++                return 0;
++            }
++          else /* No keyid or fingerprint - can't check.  */
++            return 0; /* allow import.  */
+         }
+-      else
+-        return 0;
+     }
+
+   return G10ERR_GENERAL;
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -261,8 +261,7 @@
+
+ /*-- import.c --*/
+
+-typedef int (*import_filter_t)(PKT_public_key *pk, PKT_secret_key *sk,
+-                               void *arg);
++typedef int (*import_filter_t)(kbnode_t keyblock, void *arg);
+
+ int parse_import_options(char *str,unsigned int *options,int noisy);
+ void import_keys( char **fnames, int nnames,