1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

gpg: Protect against rogue keyservers sending secret keys.

* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2013-10-04 13:44:39 +02:00
parent dd868acb0d
commit e7abed3448
3 changed files with 22 additions and 10 deletions

View File

@ -1195,6 +1195,12 @@ import_secret_one( const char *fname, KBNODE keyblock,
} }
stats->secret_read++; stats->secret_read++;
if ((options & IMPORT_NO_SECKEY))
{
log_error (_("importing secret keys not allowed\n"));
return 0;
}
if( !uidnode ) if( !uidnode )
{ {
log_error( _("key %s: no user ID\n"), keystr_from_sk(sk)); log_error( _("key %s: no user ID\n"), keystr_from_sk(sk));

View File

@ -1498,10 +1498,14 @@ keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
It's harmless to ignore them, but ignoring them does make It's harmless to ignore them, but ignoring them does make
gpg complain about "no valid OpenPGP data found". One gpg complain about "no valid OpenPGP data found". One
way to do this could be to continue parsing this way to do this could be to continue parsing this
line-by-line and make a temp iobuf for each key. */ line-by-line and make a temp iobuf for each key. Note
that we don't allow the import of secret keys from a
keyserver. Keyservers should never accept or send them
but we better protect against rogue keyservers. */
import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len, import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
import_print_stats(stats_handle); import_print_stats(stats_handle);
import_release_stats_handle(stats_handle); import_release_stats_handle(stats_handle);
@ -2039,8 +2043,9 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
/* CERTs are always in binary format */ /* CERTs are always in binary format */
opt.no_armor=1; opt.no_armor=1;
rc=import_keys_stream(key,NULL,fpr,fpr_len, rc=import_keys_stream (key, NULL, fpr, fpr_len,
opt.keyserver_options.import_options); (opt.keyserver_options.import_options
| IMPORT_NO_SECKEY));
opt.no_armor=armor_status; opt.no_armor=armor_status;

View File

@ -317,6 +317,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
#define IMPORT_MERGE_ONLY (1<<4) #define IMPORT_MERGE_ONLY (1<<4)
#define IMPORT_MINIMAL (1<<5) #define IMPORT_MINIMAL (1<<5)
#define IMPORT_CLEAN (1<<6) #define IMPORT_CLEAN (1<<6)
#define IMPORT_NO_SECKEY (1<<7)
#define EXPORT_LOCAL_SIGS (1<<0) #define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1) #define EXPORT_ATTRIBUTES (1<<1)