* getkey.c (get_pubkey_byname): Fix minor security problem with PKA when

importing at -r time. The URL in the PKA record may point to a key put in by an attacker. Fix is to use the fingerprint from the PKA record as the recipient. This ensures that the PKA record is followed. * keyserver-internal.h, keyserver.c (keyserver_import_pka): Return the fingerprint we requested.
2025-01-03 12:11:33 +01:00 · 2006-02-21 22:23:35 +00:00 · 2006-02-21 22:23:35 +00:00 · d038b36c8f
commit d038b36c8f
parent e4206de3f5
5 changed files with 27 additions and 6 deletions
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,5 +1,14 @@
 2006-02-21  David Shaw  <dshaw@jabberwocky.com>

+	* getkey.c (get_pubkey_byname): Fix minor security problem with
+	PKA when importing at -r time.  The URL in the PKA record may
+	point to a key put in by an attacker.  Fix is to use the
+	fingerprint from the PKA record as the recipient.  This ensures
+	that the PKA record is followed.
+
+	* keyserver-internal.h, keyserver.c (keyserver_import_pka): Return
+	the fingerprint we requested.
+
 	* gpgv.c: Stub keyserver_import_ldap.

 	* keyserver-internal.h, keyserver.c (keyserver_import_ldap):
--- a/g10/getkey.c
+++ b/g10/getkey.c
@ -938,6 +938,7 @@ get_pubkey_byname (PKT_public_key *pk,
 	 && opt.allow_pka_lookup
 	 && (opt.keyserver_options.options&KEYSERVER_AUTO_PKA_RETRIEVE))
 	{
+	  unsigned char fpr[MAX_FINGERPRINT_LEN];
 	  /* If the requested name resembles a valid mailbox and
 	     automatic retrieval via PKA records has been enabled, we
 	     try to import the key via the URI and try again. */
@ -945,13 +946,25 @@ get_pubkey_byname (PKT_public_key *pk,
 	  tried_pka=1;

 	  glo_ctrl.in_auto_key_retrieve++;
-	  res=keyserver_import_pka(name);
+	  res=keyserver_import_pka(name,fpr);
 	  glo_ctrl.in_auto_key_retrieve--;

 	  if(res==0)
 	    {
+	      int i;
+	      char fpr_string[2+(MAX_FINGERPRINT_LEN*2)+1];
+
 	      log_info(_("Automatically retrieved `%s' via %s\n"),
 		       name,"PKA");
+
+	      free_strlist(namelist);
+	      namelist=NULL;
+
+	      for(i=0;i<MAX_FINGERPRINT_LEN;i++)
+		sprintf(fpr_string+2*i,"%02X",fpr[i]);
+
+	      add_to_strlist( &namelist, fpr_string );
+
 	      goto retry;
 	    }
 	}
--- a/g10/gpgv.c
+++ b/g10/gpgv.c
@ -284,7 +284,7 @@ int
 keyserver_import_cert(const char *name) { return -1; }

 int
-keyserver_import_pka(const char *name) { return -1; }
+keyserver_import_pka(const char *name,unsigned char *fpr) { return -1; }

 int
 keyserver_import_name(const char *name) { return -1; }
--- a/g10/keyserver-internal.h
+++ b/g10/keyserver-internal.h
@ -42,7 +42,7 @@ int keyserver_refresh(STRLIST users);
 int keyserver_search(STRLIST tokens);
 int keyserver_fetch(STRLIST urilist);
 int keyserver_import_cert(const char *name);
-int keyserver_import_pka(const char *name);
+int keyserver_import_pka(const char *name,unsigned char *fpr);
 int keyserver_import_name(const char *name);
 int keyserver_import_ldap(const char *name);

--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@ -1979,9 +1979,8 @@ keyserver_import_cert(const char *name)

 /* Import key pointed to by a PKA record */
 int
-keyserver_import_pka(const char *name)
+keyserver_import_pka(const char *name,unsigned char *fpr)
 {
-  unsigned char fpr[MAX_FINGERPRINT_LEN];
  char *uri;
  int rc=-1;