security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-10 13:04:23 +01:00
Code Activity

dirmngr: Validate SRV records in WKD queries.

Browse Source 
* dirmngr/server.c (proc_wkd_get): Check the returned SRV record names
to mitigate rogue DNS servers.
--

I am not sure wether this really is very useful because the security
relies on a trustworthy DNS system anyway.  However, that check is
easy enough to do.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ebe727ef596eefebb5eff7d03a98649ffc7ae3ee)
This commit is contained in:
Werner Koch 2018-07-27 12:23:38 +02:00
parent 4f59187a17
commit 8a98aa25bb
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
dirmngr/server.c
View File

@ -887,6 +887,18 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
if (err)
goto leave;
/* Check for rogue DNS names. */
for (i = 0; i < srvscount; i++)
{
if (!is_valid_domain_name (srvs[i].target))
{
err = gpg_error (GPG_ERR_DNS_ADDRESS);
log_error ("rogue openpgpkey SRV record for '%s'\n", domain);
xfree (srvs);
goto leave;
}
}
/* Find the first target which also ends in DOMAIN or is equal
* to DOMAIN. */
domainlen = strlen (domain);