dirmngr: Fix handling of CNAMEed keyserver pools.

* dirmngr/ks-engine-hkp.c (map_host): Don't use the cname for HTTPHOST. * dirmngr/server.c (make_keyserver_item): Map keys.gnupg.net. -- For a description of the problem see the comment in make_keyserver_item. GnuPG-bug-id: 3755 Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2018-04-26 12:28:53 +02:00 · 2018-04-26 12:28:53 +02:00 · cc66108253
commit cc66108253
parent bb8894760f
3 changed files with 36 additions and 1 deletions
--- a/3
+++ b/3
@ -19,6 +19,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
  * dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
    caches under Windows.  [#2448,#3923]

+  * dirmngr: Fix a CNAME problem with pools and TLS.  Also use a fixed
+    mapping of keys.gnupg.net to sks-keyservers.net.  [#3755]
+

 Noteworthy changes in version 2.2.6 (2018-04-09)
 ------------------------------------------------
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -583,7 +583,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
      /* Deal with the pool name before selecting a host. */
      if (r_httphost)
        {
-          *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
+          *r_httphost = xtrystrdup (hi->name);
          if (!*r_httphost)
            return gpg_error_from_syserror ();
        }
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -1997,6 +1997,38 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
  uri_item_t item;

  *r_item = NULL;
+
+  /* We used to have DNS CNAME redirection from the URLs below to
+   * sks-keyserver. pools.  The idea was to allow for a quick way to
+   * switch to a different set of pools.  The problem with that
+   * approach is that TLS needs to verify the hostname and - because
+   * DNS is not secured - it can only check the user supplied hostname
+   * and not a hostname from a CNAME RR.  Thus the final server all
+   * need to have certificates with the actual pool name as well as
+   * for keys.gnupg.net - that would render the advantage of
+   * keys.gnupg.net useless and so we better give up on this.  Because
+   * the keys.gnupg.net URL are still in widespread use we do a static
+   * mapping here.
+   */
+  if (!strcmp (uri, "hkps://keys.gnupg.net")
+      || !strcmp (uri, "keys.gnupg.net"))
+    uri = "hkps://hkps.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "https://keys.gnupg.net"))
+    uri = "https://hkps.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "hkp://keys.gnupg.net"))
+    uri = "hkp://hkps.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "http://keys.gnupg.net"))
+    uri = "http://hkps.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
+           || !strcmp (uri, "http-keys.gnupg.net"))
+    uri = "hkps://ha.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "https://http-keys.gnupg.net"))
+    uri = "https://ha.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
+    uri = "hkp://ha.pool.sks-keyservers.net";
+  else if (!strcmp (uri, "http://http-keys.gnupg.net"))
+    uri = "http://ha.pool.sks-keyservers.net";
+
  item = xtrymalloc (sizeof *item + strlen (uri));
  if (!item)
    return gpg_error_from_syserror ();