security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

gpg: Protect against rogue keyservers sending secret keys.

Browse Source 
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe)

Resolved conflicts:
	g10/import.c
	g10/keyserver.c
This commit is contained in:
Werner Koch 2013-10-04 13:44:39 +02:00
parent 90688b29f3
commit db1f74ba53
3 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
g10/import.c
View File

@ -1563,6 +1563,12 @@ import_secret_one (ctrl_t ctrl, const char *fname, KBNODE keyblock,
} }
stats->secret_read++; stats->secret_read++;
if ((options & IMPORT_NO_SECKEY))
{
log_error (_("importing secret keys not allowed\n"));
return 0;
}
if (!uidnode) if (!uidnode)
{ {
log_error( _("key %s: no user ID\n"), keystr_from_pk (pk)); log_error( _("key %s: no user ID\n"), keystr_from_pk (pk));

12
g10/keyserver.c
View File

@ -1578,11 +1578,14 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
harmless to ignore them, but ignoring them does make gpg harmless to ignore them, but ignoring them does make gpg
complain about "no valid OpenPGP data found". One way to do complain about "no valid OpenPGP data found". One way to do
this could be to continue parsing this line-by-line and make this could be to continue parsing this line-by-line and make
a temp iobuf for each key. */ a temp iobuf for each key. Note that we don't allow the
import of secret keys from a keyserver. Keyservers should
never accept or send them but we better protect against rogue
keyservers. */
import_keys_es_stream (ctrl, datastream, stats_handle, NULL, NULL, import_keys_es_stream (ctrl, datastream, stats_handle, NULL, NULL,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
import_print_stats (stats_handle); import_print_stats (stats_handle);
import_release_stats_handle (stats_handle); import_release_stats_handle (stats_handle);
} }
@ -1721,7 +1724,8 @@ keyserver_import_cert (ctrl_t ctrl,
opt.no_armor=1; opt.no_armor=1;
err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len, err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
opt.no_armor=armor_status; opt.no_armor=armor_status;

1
g10/options.h
View File

@ -324,6 +324,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
#define IMPORT_MERGE_ONLY (1<<4) #define IMPORT_MERGE_ONLY (1<<4)
#define IMPORT_MINIMAL (1<<5) #define IMPORT_MINIMAL (1<<5)
#define IMPORT_CLEAN (1<<6) #define IMPORT_CLEAN (1<<6)
#define IMPORT_NO_SECKEY (1<<7)
#define EXPORT_LOCAL_SIGS (1<<0) #define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1) #define EXPORT_ATTRIBUTES (1<<1)