mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-03 12:11:33 +01:00
gpg: Protect against rogue keyservers sending secret keys.
* g10/options.h (IMPORT_NO_SECKEY): New. * g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new flag. * g10/import.c (import_secret_one): Deny import if flag is set. -- By modifying a keyserver or a DNS record to send a secret key, an attacker could trick a user into signing using a different key and user id. The trust model should protect against such rogue keys but we better make sure that secret keys are never received from remote sources. Suggested-by: Stefan Tomanek Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe) Resolved conflicts: g10/options.h
parent
fe0fb5e6b0
commit
d74dd36c11
@ -1175,6 +1175,12 @@ import_secret_one( const char *fname, KBNODE keyblock,
|
||||
}
|
||||
stats->secret_read++;
|
||||
|
||||
if ((options & IMPORT_NO_SECKEY))
|
||||
{
|
||||
log_error (_("importing secret keys not allowed\n"));
|
||||
return 0;
|
||||
}
|
||||
|
||||
if( !uidnode )
|
||||
{
|
||||
log_error( _("key %s: no user ID\n"), keystr_from_sk(sk));
|
||||
|
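Review bot: The rejection message in the new `if ((options & IMPORT_NO_SECKEY))` branch does not name the refused key, so someone reading the log cannot tell which key the remote source tried to deliver. The `no user ID` message just below uses `keystr_from_sk(sk)`, which suggests `sk` is already assigned here, but that assignment is above the hunk and should be confirmed. If it is, consider `log_error (_("key %s: importing secret keys not allowed\n"), keystr_from_sk (sk));`. Also, `stats->secret_read++` runs before the check and the branch returns 0, so the refused key is counted as read and the caller apparently gets no failure code; a one-line comment saying this is intentional would help. import_secret_one starts and ends outside the hunk.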
@ -1503,10 +1503,14 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
|
||||
It's harmless to ignore them, but ignoring them does make
|
||||
gpg complain about "no valid OpenPGP data found". One
|
||||
way to do this could be to continue parsing this
|
||||
line-by-line and make a temp iobuf for each key. */
|
||||
line-by-line and make a temp iobuf for each key. Note
|
||||
that we don't allow the import of secret keys from a
|
||||
keyserver. Keyservers should never accept or send them
|
||||
but we better protect against rogue keyservers. */
|
||||
|
||||
import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len,
|
||||
opt.keyserver_options.import_options);
|
||||
(opt.keyserver_options.import_options
|
||||
| IMPORT_NO_SECKEY));
|
||||
|
||||
import_print_stats(stats_handle);
|
||||
import_release_stats_handle(stats_handle);
|
||||
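Review bot: The protection depends on every remote-fetch call site remembering to OR in the flag. The expression `(opt.keyserver_options.import_options | IMPORT_NO_SECKEY)` is written out here and again in keyserver_import_cert (the hunk at -2038). Any other caller that passes network-obtained data to `import_keys_stream` is not visible on this page and would stay unprotected, so the remaining callers are worth auditing. A single definition such as `#define KEYSERVER_IMPORT_OPTIONS (opt.keyserver_options.import_options | IMPORT_NO_SECKEY)` would keep the call sites from drifting apart. keyserver_spawn continues outside the hunk.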
@ -2038,7 +2042,8 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
|
||||
opt.no_armor=1;
|
||||
|
||||
rc=import_keys_stream (key, NULL, fpr, fpr_len,
|
||||
opt.keyserver_options.import_options);
|
||||
(opt.keyserver_options.import_options
|
||||
| IMPORT_NO_SECKEY));
|
||||
|
||||
opt.no_armor=armor_status;
|
||||
|
||||
|
@ -293,6 +293,7 @@ struct {
|
||||
#define IMPORT_MERGE_ONLY (1<<4)
|
||||
#define IMPORT_MINIMAL (1<<5)
|
||||
#define IMPORT_CLEAN (1<<6)
|
||||
#define IMPORT_NO_SECKEY (1<<7)
|
||||
|
||||
#define EXPORT_LOCAL_SIGS (1<<0)
|
||||
#define EXPORT_ATTRIBUTES (1<<1)
|
||||
|
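Review bot: `IMPORT_NO_SECKEY` is added without a comment, although the other hunks show it is a restriction the code sets itself for keyserver and DNS CERT imports. I would add `/* Refuse secret keys; set by the code for data fetched from remote sources. */` above the define, so that nobody later treats it as one more import preference or reuses the bit.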