security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00
Code Activity

dirmngr: Support the new WKD draft with the openpgpkey subdomain.

Browse Source 
* dirmngr/server.c (proc_wkd_get): Implement new openpgpkey subdomain
method.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 914fa3be22bf8848a97a7dd405a040d6ef31e2fd)
This commit is contained in:
Werner Koch 2019-07-03 15:29:41 +02:00
parent a1f2f38dfb
commit 458973f502
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 60 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@ -1,6 +1,9 @@
Noteworthy changes in version 2.2.17 (unreleased) Noteworthy changes in version 2.2.17 (unreleased)
------------------------------------------------- -------------------------------------------------
* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07. [#4590].
Noteworthy changes in version 2.2.16 (2019-05-28) Noteworthy changes in version 2.2.16 (2019-05-28)
------------------------------------------------- -------------------------------------------------
@ -168,7 +171,7 @@ Noteworthy changes in version 2.2.12 (2018-12-14)
* gpg: Fix a bug where a LF was accidentally written to the console. * gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF * gpg: --card-status now shows whether a card has the new KDF
feature enabled. feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure * agent: New runtime option --s2k-calibration=MSEC. New configure

64
dirmngr/server.c
View File

@ -837,8 +837,11 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
gpg_error_t err = 0; gpg_error_t err = 0;
char *mbox = NULL; char *mbox = NULL;
char *domainbuf = NULL; char *domainbuf = NULL;
char *domain; /* Points to mbox or domainbuf. */ char *domain; /* Points to mbox or domainbuf. This is used to
char *domain_orig;/* Points to mbox. */ * connect to the host. */
char *domain_orig;/* Points to mbox. This is the used for the
* query; i.e. the domain part of the
* addrspec. */
char sha1buf[20]; char sha1buf[20];
char *uri = NULL; char *uri = NULL;
char *encodedhash = NULL; char *encodedhash = NULL;
@ -847,6 +850,7 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
int is_wkd_query; /* True if this is a real WKD query. */ int is_wkd_query; /* True if this is a real WKD query. */
int no_log = 0; int no_log = 0;
char portstr[20] = { 0 }; char portstr[20] = { 0 };
int subdomain_mode = 0;
opt_submission_addr = has_option (line, "--submission-address"); opt_submission_addr = has_option (line, "--submission-address");
opt_policy_flags = has_option (line, "--policy-flags"); opt_policy_flags = has_option (line, "--policy-flags");
@ -864,7 +868,8 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
*domain++ = 0; *domain++ = 0;
domain_orig = domain; domain_orig = domain;
/* First check whether we already know that the domain does not
/* Let's check whether we already know that the domain does not
* support WKD. */ * support WKD. */
if (is_wkd_query) if (is_wkd_query)
{ {
@ -875,8 +880,41 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
} }
} }
/* Check for SRV records. */
if (1) /* First try the new "openpgp" subdomain. We check that the domain
* is valid because it is later used as an unescaped filename part
* of the URI. */
if (is_valid_domain_name (domain_orig))
{
dns_addrinfo_t aibuf;
domainbuf = strconcat ( "openpgpkey.", domain_orig, NULL);
if (!domainbuf)
{
err = gpg_error_from_syserror ();
goto leave;
}
/* FIXME: We should put a cache into dns-stuff because the same
* query (with a different port and socket type, though) will be
* done later by http function. */
err = resolve_dns_name (ctrl, domainbuf, 0, 0, 0, &aibuf, NULL);
if (err)
{
err = 0;
xfree (domainbuf);
domainbuf = NULL;
}
else /* Got a subdomain. */
{
free_dns_addrinfo (aibuf);
subdomain_mode = 1;
domain = domainbuf;
}
}
/* Check for SRV records unless we have a subdomain. */
if (!subdomain_mode)
{ {
struct srventry *srvs; struct srventry *srvs;
unsigned int srvscount; unsigned int srvscount;
@ -931,6 +969,7 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
xfree (srvs); xfree (srvs);
} }
/* Prepare the hash of the local part. */
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox)); gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
encodedhash = zb32_encode (sha1buf, 8*20); encodedhash = zb32_encode (sha1buf, 8*20);
if (!encodedhash) if (!encodedhash)
@ -944,7 +983,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://", uri = strconcat ("https://",
domain, domain,
portstr, portstr,
"/.well-known/openpgpkey/submission-address", "/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"submission-address",
NULL); NULL);
} }
else if (opt_policy_flags) else if (opt_policy_flags)
@ -952,7 +994,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://", uri = strconcat ("https://",
domain, domain,
portstr, portstr,
"/.well-known/openpgpkey/policy", "/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"policy",
NULL); NULL);
} }
else else
@ -965,7 +1010,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://", uri = strconcat ("https://",
domain, domain,
portstr, portstr,
"/.well-known/openpgpkey/hu/", "/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"hu/",
encodedhash, encodedhash,
"?l=", "?l=",
escapedmbox, escapedmbox,