From cc66108253c58583d6bad3d1e2da2b004701d0f0 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 26 Apr 2018 12:28:53 +0200
Subject: [PATCH] dirmngr: Fix handling of CNAMEed keyserver pools.
* dirmngr/ks-engine-hkp.c (map_host): Don't use the cname for HTTPHOST.
* dirmngr/server.c (make_keyserver_item): Map keys.gnupg.net.
--
For a description of the problem see the comment in make_keyserver_item.
GnuPG-bug-id: 3755
Signed-off-by: Werner Koch
---
 NEWS | 3 +++
 dirmngr/ks-engine-hkp.c | 2 +-
 dirmngr/server.c | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 7547b2aa1..ca84e2089 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
 * dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL caches under Windows. [#2448,#3923]
+ * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
+ mapping of keys.gnupg.net to sks-keyservers.net. [#3755]
+
 Noteworthy changes in version 2.2.6 (2018-04-09)
 ------------------------------------------------
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index a9bb93666..eba7a1a48 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -583,7 +583,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
 /* Deal with the pool name before selecting a host. */
 if (r_httphost)
 {
- *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
+ *r_httphost = xtrystrdup (hi->name);
 if (!*r_httphost)
 return gpg_error_from_syserror ();
 }
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 8a0b940ce..b7cdb24c9 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
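Review bot: The rationale for switching from `hi->cname` to `hi->name` on the `*r_httphost = xtrystrdup (hi->name);` line is recorded only in the commit message and in a comment in server.c, so a reader of map_host sees a populated cname field being ignored and may be tempted to reintroduce it. Suggest extending the comment above the block to `/* Deal with the pool name before selecting a host.  HTTPHOST must stay the name the user configured, not a CNAME target: DNS is unauthenticated, so TLS hostname verification can only be done against the configured name. */`. map_host starts and ends outside the hunk, so whether hi->cname is still used elsewhere in it cannot be seen here.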
@@ -1997,6 +1997,38 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
 uri_item_t item;
 
 *r_item = NULL;
+
+ /* We used to have DNS CNAME redirection from the URLs below to
+ * sks-keyserver. pools. The idea was to allow for a quick way to
+ * switch to a different set of pools. The problem with that
+ * approach is that TLS needs to verify the hostname and - because
+ * DNS is not secured - it can only check the user supplied hostname
+ * and not a hostname from a CNAME RR. Thus the final server all
+ * need to have certificates with the actual pool name as well as
+ * for keys.gnupg.net - that would render the advantage of
+ * keys.gnupg.net useless and so we better give up on this. Because
+ * the keys.gnupg.net URL are still in widespread use we do a static
+ * mapping here.
+ */
+ if (!strcmp (uri, "hkps://keys.gnupg.net")
+ || !strcmp (uri, "keys.gnupg.net"))
+ uri = "hkps://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://keys.gnupg.net"))
+ uri = "https://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://keys.gnupg.net"))
+ uri = "hkp://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://keys.gnupg.net"))
+ uri = "http://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
+ || !strcmp (uri, "http-keys.gnupg.net"))
+ uri = "hkps://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://http-keys.gnupg.net"))
+ uri = "https://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
+ uri = "hkp://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://http-keys.gnupg.net"))
+ uri = "http://ha.pool.sks-keyservers.net";
+
 item = xtrymalloc (sizeof *item + strlen (uri));
 if (!item)
 return gpg_error_from_syserror ();
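Review bot: The new mapping matches the configured URI only by exact `strcmp`, so spellings that presumably still occur in keyserver options — a trailing slash (`hkps://keys.gnupg.net/`) or mixed-case host — fall through unmapped to keys.gnupg.net, which the added comment itself says can no longer pass TLS hostname verification against the pool certificates. Comparing scheme and host rather than the whole string, with an optional trailing slash and case-insensitive host matching via ascii_strncasecmp from common/stringhelp.h, closes that gap without altering the mapping table; a small static helper defined above make_keyserver_item keeps the if/else chain readable. A `log_info` line noting the substitution would also help users understand why dirmngr contacts a host other than the one they configured. make_keyserver_item's body continues past the hunk.
```c
/* Return true if URI is SCHEME "://" HOST, optionally followed by a
 * single trailing slash.  Scheme and host are compared
 * case-insensitively; the path is not inspected.  */
static int
uri_is_host (const char *uri, const char *scheme, const char *host)
{
  size_t n = strlen (scheme);

  if (ascii_strncasecmp (uri, scheme, n) || strncmp (uri + n, "://", 3))
    return 0;
  uri += n + 3;
  n = strlen (host);
  if (ascii_strncasecmp (uri, host, n))
    return 0;
  return !uri[n] || !strcmp (uri + n, "/");
}

/* … unchanged: start of make_keyserver_item and the explanatory comment … */
  if (uri_is_host (uri, "hkps", "keys.gnupg.net")
      || !strcmp (uri, "keys.gnupg.net"))
    uri = "hkps://hkps.pool.sks-keyservers.net";
  else if (uri_is_host (uri, "https", "keys.gnupg.net"))
    uri = "https://hkps.pool.sks-keyservers.net";
  /* … unchanged: remaining mappings, each converted the same way … */
```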