mirror of git://git.gnupg.org/gnupg.git
dirmngr: Validate SRV records in WKD queries.
* dirmngr/server.c (proc_wkd_get): Check the returned SRV record names to mitigate rogue DNS servers. -- I am not sure wether this really is very useful because the security relies on a trustworthy DNS system anyway. However, that check is easy enough to do. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch
parent
ddee9f9409
commit
ebe727ef59
|
|
@ -887,6 +887,18 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
|
|||
if (err)
|
||||
goto leave;
|
||||
|
||||
/* Check for rogue DNS names. */
|
||||
for (i = 0; i < srvscount; i++)
|
||||
{
|
||||
if (!is_valid_domain_name (srvs[i].target))
|
||||
{
|
||||
err = gpg_error (GPG_ERR_DNS_ADDRESS);
|
||||
log_error ("rogue openpgpkey SRV record for '%s'\n", domain);
|
||||
xfree (srvs);
|
||||
goto leave;
|
||||
}
|
||||
}
|
||||
|
||||
/* Find the first target which also ends in DOMAIN or is equal
|
||||
* to DOMAIN. */
|
||||
domainlen = strlen (domain);
|
||||
|
|
|
|||
Loading…
Reference in New Issue