hkps: Fix host name verification when using pools.

* common/http.c (send_request): Set the requested host name for SNI.
* dirmngr/ks-engine-hkp.c (map_host): Return the poolname before
selecting a host.
--

GnuPG-bug-id: 1792

Thanks to davidw for figuring out the problem.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2015-03-19 15:37:05 +01:00
parent 28bb3ab686
commit dc10d466bf
2 changed files with 22 additions and 9 deletions


@ -1443,7 +1443,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
} }
# if HTTP_USE_NTBTLS # if HTTP_USE_NTBTLS
err = ntbtls_set_hostname (hd->session->tls_session, server); err = ntbtls_set_hostname (hd->session->tls_session,
hd->session->servername);
if (err) if (err)
{ {
log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err)); log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err));
@ -1452,7 +1453,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
# elif HTTP_USE_GNUTLS # elif HTTP_USE_GNUTLS
rc = gnutls_server_name_set (hd->session->tls_session, rc = gnutls_server_name_set (hd->session->tls_session,
GNUTLS_NAME_DNS, GNUTLS_NAME_DNS,
server, strlen (server)); hd->session->servername
strlen (hd->session->servername));
if (rc < 0) if (rc < 0)
log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc)); log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc));
# endif /*HTTP_USE_GNUTLS*/ # endif /*HTTP_USE_GNUTLS*/
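Review bot: Both new SNI calls dereference hd->session->servername without a NULL check — `gnutls_server_name_set (..., hd->session->servername, strlen (hd->session->servername))` would crash if the session was created without a server name, and the ntbtls path would hand a NULL to ntbtls_set_hostname. Whether servername is guaranteed non-NULL at this point is not visible in the hunk; if it is not, guard the block with `if (hd->session->servername)` or fall back to the local `server`, which was the value used before this change. Since the SNI name is now the pool name while the TCP connection goes to the selected host, a one-line comment saying so (`/* Use the pool name for SNI so the certificate is checked against the name the user asked for. */`) would help the next reader. send_request begins and ends outside the hunk.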


@ -521,6 +521,14 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
hi = hosttable[idx]; hi = hosttable[idx];
if (hi->pool) if (hi->pool)
{ {
/* Deal with the pool name before selecting a host. */
if (r_poolname && hi->cname)
{
*r_poolname = xtrystrdup (hi->cname);
if (!*r_poolname)
return gpg_error_from_syserror ();
}
/* If the currently selected host is now marked dead, force a /* If the currently selected host is now marked dead, force a
re-selection . */ re-selection . */
if (force_reselect) if (force_reselect)
@ -536,6 +544,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
if (hi->poolidx == -1) if (hi->poolidx == -1)
{ {
log_error ("no alive host found in pool '%s'\n", name); log_error ("no alive host found in pool '%s'\n", name);
if (r_poolname)
{
xfree (*r_poolname);
*r_poolname = NULL;
}
return gpg_error (GPG_ERR_NO_KEYSERVER); return gpg_error (GPG_ERR_NO_KEYSERVER);
} }
} }
@ -548,6 +561,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
if (hi->dead) if (hi->dead)
{ {
log_error ("host '%s' marked as dead\n", hi->name); log_error ("host '%s' marked as dead\n", hi->name);
if (r_poolname)
{
xfree (*r_poolname);
*r_poolname = NULL;
}
return gpg_error (GPG_ERR_NO_KEYSERVER); return gpg_error (GPG_ERR_NO_KEYSERVER);
} }
@ -564,13 +582,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
*r_httpflags |= HTTP_FLAG_IGNORE_IPv6; *r_httpflags |= HTTP_FLAG_IGNORE_IPv6;
} }
if (r_poolname && hi->pool && hi->cname)
{
*r_poolname = xtrystrdup (hi->cname);
if (!*r_poolname)
return gpg_error_from_syserror ();
}
*r_host = xtrystrdup (hi->name); *r_host = xtrystrdup (hi->name);
if (!*r_host) if (!*r_host)
{ {