mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-03 22:56:33 +02:00
* keyserver-internal.h, keyserver.c (keyserver_import_pka): Use the
same API as the other auto-key-locate fetchers. * getkey.c (get_pubkey_byname): Use the fingerprint of the key that we actually fetched. This helps prevent problems where the key that we fetched doesn't have the same name that we used to fetch it. In the case of CERT and PKA, this is an actual security requirement as the URL might point to a key put in by an attacker. By forcing the use of the fingerprint, we won't use the attacker's key here.
This commit is contained in:
David Shaw
parent
b478ce7a79
commit
9f524c4a04
4 changed files with 61 additions and 31 deletions
|
|
@ -2036,24 +2036,30 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
|
|||
/* Import key pointed to by a PKA record. Return the requested
|
||||
fingerprint in fpr. */
|
||||
int
|
||||
keyserver_import_pka(const char *name,unsigned char *fpr)
|
||||
keyserver_import_pka(const char *name,unsigned char **fpr,size_t *fpr_len)
|
||||
{
|
||||
char *uri;
|
||||
int rc=-1;
|
||||
|
||||
uri = get_pka_info (name, fpr);
|
||||
*fpr=xmalloc(20);
|
||||
*fpr_len=20;
|
||||
|
||||
uri = get_pka_info (name, *fpr);
|
||||
if (uri)
|
||||
{
|
||||
struct keyserver_spec *spec;
|
||||
spec = parse_keyserver_uri (uri, 1, NULL, 0);
|
||||
if (spec)
|
||||
{
|
||||
rc=keyserver_import_fprint (fpr, 20, spec);
|
||||
rc=keyserver_import_fprint (*fpr, 20, spec);
|
||||
free_keyserver_spec (spec);
|
||||
}
|
||||
xfree (uri);
|
||||
}
|
||||
|
||||
if(rc!=0)
|
||||
xfree(*fpr);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue