security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

gpg: Switch to a hash and CERT record based PKA system.

Browse source 
* common/dns-cert.c (get_dns_cert): Make r_key optional.
* common/pka.c: Rewrite for the new hash based lookup.
* common/t-pka.c: New.
* configure.ac: Remove option --disable-dns-pka.
(USE_DNS_PKA): Remove ac_define.
* g10/getkey.c (parse_auto_key_locate): Always include PKA.

--

Note that although PKA is now always build, it will only work if
support for looking up via DNS has not been disabled.

The new PKA only works with the IPGP DNS certtype and shall be used
only to retrieve the fingerprint and optional the key for the first
time.  Due to the security problems with DNSSEC the former assumption
to validate the key using DNSSEC is not anymore justified.  Instead an
additional layer (e.g. Trust-On-First-Use) needs to be implemented to
track change to the key.  Having a solid way of getting a key matching
a mail address is however a must have.

More work needs to go into a redefinition of the --verify-options
pka-lookups and pka-trust-increase.  The auto-key-locate mechanism
should also be able to continue key fetching with another methods once
the fingerprint has been retrieved with PKA.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2015-02-25 16:34:19 +01:00
parent af60152a46
commit 2fc27c8696
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
9 changed files with 144 additions and 315 deletions
Download patch file Download diff file Expand all files Collapse all files

15
common/dns-cert.c
View file

@ -70,7 +70,7 @@
returns the first CERT found with a supported type; it is expected
that only one CERT record is used. If WANT_CERTTYPE is one of the
supported certtypes only records wih this certtype are considered
and the first found is returned. */
and the first found is returned. R_KEY is optional. */
gpg_error_t
get_dns_cert (const char *name, int want_certtype,
estream_t *r_key,
@ -84,7 +84,8 @@ get_dns_cert (const char *name, int want_certtype,
unsigned int ctype;
int count;
*r_key = NULL;
if (r_key)
*r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;
@ -129,7 +130,7 @@ get_dns_cert (const char *name, int want_certtype,
if (want_certtype && want_certtype != ctype)
; /* Not of the requested certtype. */
else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11)
else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key)
{
/* CERT type is PGP. Gpg checks for a minimum length of 11,
thus we do the same. */
@ -197,7 +198,8 @@ get_dns_cert (const char *name, int want_certtype,
int r;
u16 count;
*r_key = NULL;
if (r_key)
*r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;
@ -292,7 +294,7 @@ get_dns_cert (const char *name, int want_certtype,
/* 15 bytes takes us to here */
if (want_certtype && want_certtype != ctype)
; /* Not of the requested certtype. */
else if (ctype == DNS_CERTTYPE_PGP && dlen)
else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key)
{
/* PGP type */
*r_key = es_fopenmem_init (0, "rwb", pt, dlen);
@ -355,7 +357,8 @@ get_dns_cert (const char *name, int want_certtype,
#endif /*!USE_ADNS */
#else /* !USE_DNS_CERT */
(void)name;
*r_key = NULL;
if (r_key)
*r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;