From ebe727ef596eefebb5eff7d03a98649ffc7ae3ee Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 27 Jul 2018 12:23:38 +0200 Subject: [PATCH] dirmngr: Validate SRV records in WKD queries. * dirmngr/server.c (proc_wkd_get): Check the returned SRV record names to mitigate rogue DNS servers. -- I am not sure wether this really is very useful because the security relies on a trustworthy DNS system anyway. However, that check is easy enough to do. Signed-off-by: Werner Koch
---
 dirmngr/server.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 33ce4cfe3..2519fd601 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -887,6 +887,18 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
 if (err)
 goto leave;
 
+ /* Check for rogue DNS names. */
+ for (i = 0; i < srvscount; i++)
+ {
+ if (!is_valid_domain_name (srvs[i].target))
+ {
+ err = gpg_error (GPG_ERR_DNS_ADDRESS);
+ log_error ("rogue openpgpkey SRV record for '%s'\n", domain);
+ xfree (srvs);
+ goto leave;
+ }
+ }
+
 /* Find the first target which also ends in DOMAIN or is equal
 * to DOMAIN. */
 domainlen = strlen (domain);
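Review bot: The comment `/* Check for rogue DNS names. */` on the new loop in proc_wkd_get overstates what the loop establishes: judging by its name, `is_valid_domain_name` checks only the syntax of each `srvs[i].target`, and what ties a target to the queried domain is the separate suffix match that follows ("Find the first target which also ends in DOMAIN"). I would reword it to something like `/* Reject the whole answer if any SRV target is not a well-formed domain name; the match against DOMAIN below is a separate check. */`, which also makes the fail-closed behaviour on a single bad record visibly intentional. The `log_error` call names only `domain`, which keeps the untrusted target string out of the log; if that is deliberate, a short comment saying so would stop someone from later adding the raw target to the message. The error path calls `xfree (srvs)` before `goto leave`, and both the `leave` label and the declaration of `srvs` lie outside the hunk, so it is worth confirming that nothing after `leave` frees `srvs` a second time.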