security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-20 14:37:08 +01:00
Code Activity

gpg: Protect against rogue keyservers sending secret keys.

Browse Source 
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe)

Resolved conflicts:
	g10/options.h
This commit is contained in:
Werner Koch 2013-10-04 13:44:39 +02:00
parent fe0fb5e6b0
commit d74dd36c11
3 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
g10/import.c
View File

@ -1175,6 +1175,12 @@ import_secret_one( const char *fname, KBNODE keyblock,
} }
stats->secret_read++; stats->secret_read++;
if ((options & IMPORT_NO_SECKEY))
{
log_error (_("importing secret keys not allowed\n"));
return 0;
}
if( !uidnode ) if( !uidnode )
{ {
log_error( _("key %s: no user ID\n"), keystr_from_sk(sk)); log_error( _("key %s: no user ID\n"), keystr_from_sk(sk));

15
g10/keyserver.c
View File

@ -1503,10 +1503,14 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
It's harmless to ignore them, but ignoring them does make It's harmless to ignore them, but ignoring them does make
gpg complain about "no valid OpenPGP data found". One gpg complain about "no valid OpenPGP data found". One
way to do this could be to continue parsing this way to do this could be to continue parsing this
line-by-line and make a temp iobuf for each key. */ line-by-line and make a temp iobuf for each key. Note
that we don't allow the import of secret keys from a
keyserver. Keyservers should never accept or send them
but we better protect against rogue keyservers. */
import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len, import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
import_print_stats(stats_handle); import_print_stats(stats_handle);
import_release_stats_handle(stats_handle); import_release_stats_handle(stats_handle);
@ -2037,8 +2041,9 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
/* CERTs are always in binary format */ /* CERTs are always in binary format */
opt.no_armor=1; opt.no_armor=1;
rc=import_keys_stream(key,NULL,fpr,fpr_len, rc=import_keys_stream (key, NULL, fpr, fpr_len,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
opt.no_armor=armor_status; opt.no_armor=armor_status;

1
g10/options.h
View File

@ -293,6 +293,7 @@ struct {
#define IMPORT_MERGE_ONLY (1<<4) #define IMPORT_MERGE_ONLY (1<<4)
#define IMPORT_MINIMAL (1<<5) #define IMPORT_MINIMAL (1<<5)
#define IMPORT_CLEAN (1<<6) #define IMPORT_CLEAN (1<<6)
#define IMPORT_NO_SECKEY (1<<7)
#define EXPORT_LOCAL_SIGS (1<<0) #define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1) #define EXPORT_ATTRIBUTES (1<<1)