[PATCH v4] filter and verify keyserver responses
Stefan Tomanek
tomanek at internet-sicherheit.de
Sun Oct 20 14:53:23 CEST 2013
This changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.
It also prevents the accidental import of secret keys through key server
responses.
---
g10/import.c | 47 ++++++++++++++++++++++++++++++++---------------
g10/keyserver.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
g10/main.h | 4 +++-
3 files changed, 79 insertions(+), 20 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 441dcca..cd93f12 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -59,14 +59,17 @@ struct stats_s {
static int import( IOBUF inp, const char* fname,struct stats_s *stats,
- unsigned char **fpr,size_t *fpr_len,unsigned int options );
+ unsigned char **fpr,size_t *fpr_len,unsigned int options,
+ import_filter filter, void *filter_arg );
static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
static void revocation_present(KBNODE keyblock);
static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats,
unsigned char **fpr,size_t *fpr_len,
- unsigned int options,int from_sk);
+ unsigned int options,int from_sk,
+ import_filter filter, void *filter_arg);
static int import_secret_one( const char *fname, KBNODE keyblock,
- struct stats_s *stats, unsigned int options);
+ struct stats_s *stats, unsigned int options,
+ import_filter filter, void *filter_arg );
static int import_revoke_cert( const char *fname, KBNODE node,
struct stats_s *stats);
static int chk_self_sigs( const char *fname, KBNODE keyblock,
@@ -163,7 +166,8 @@ import_release_stats_handle (void *p)
static int
import_keys_internal( IOBUF inp, char **fnames, int nnames,
void *stats_handle, unsigned char **fpr, size_t *fpr_len,
- unsigned int options )
+ unsigned int options,
+ import_filter filter, void *filter_arg )
{
int i, rc = 0;
struct stats_s *stats = stats_handle;
@@ -172,7 +176,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
stats = import_new_stats_handle ();
if (inp) {
- rc = import( inp, "[stream]", stats, fpr, fpr_len, options);
+ rc = import( inp, "[stream]", stats, fpr, fpr_len, options, filter, filter_arg);
}
else {
int once = (!fnames && !nnames);
@@ -192,7 +196,7 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
log_error(_("can't open `%s': %s\n"), fname, strerror(errno) );
else
{
- rc = import( inp2, fname, stats, fpr, fpr_len, options );
+ rc = import( inp2, fname, stats, fpr, fpr_len, options, NULL, NULL );
iobuf_close(inp2);
/* Must invalidate that ugly cache to actually close it. */
iobuf_ioctl (NULL, 2, 0, (char*)fname);
@@ -223,19 +227,21 @@ void
import_keys( char **fnames, int nnames,
void *stats_handle, unsigned int options )
{
- import_keys_internal(NULL,fnames,nnames,stats_handle,NULL,NULL,options);
+ import_keys_internal(NULL,fnames,nnames,stats_handle,NULL,NULL,options,NULL,NULL);
}
int
import_keys_stream( IOBUF inp, void *stats_handle,
- unsigned char **fpr, size_t *fpr_len,unsigned int options )
+ unsigned char **fpr, size_t *fpr_len,unsigned int options,
+ import_filter filter, void *filter_arg )
{
- return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options);
+ return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options,filter,filter_arg);
}
static int
import( IOBUF inp, const char* fname,struct stats_s *stats,
- unsigned char **fpr,size_t *fpr_len,unsigned int options )
+ unsigned char **fpr,size_t *fpr_len,unsigned int options,
+ import_filter filter, void *filter_arg )
{
PACKET *pending_pkt = NULL;
KBNODE keyblock = NULL;
@@ -252,9 +258,10 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) {
if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY )
- rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0);
+ rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0,
+ filter, filter_arg);
else if( keyblock->pkt->pkttype == PKT_SECRET_KEY )
- rc = import_secret_one( fname, keyblock, stats, options );
+ rc = import_secret_one( fname, keyblock, stats, options, filter, filter_arg );
else if( keyblock->pkt->pkttype == PKT_SIGNATURE
&& keyblock->pkt->pkt.signature->sig_class == 0x20 )
rc = import_revoke_cert( fname, keyblock, stats );
@@ -738,7 +745,7 @@ check_prefs(KBNODE keyblock)
static int
import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
unsigned char **fpr,size_t *fpr_len,unsigned int options,
- int from_sk )
+ int from_sk, import_filter filter, void *filter_arg)
{
PKT_public_key *pk;
PKT_public_key *pk_orig;
@@ -778,6 +785,10 @@ import_one( const char *fname, KBNODE keyblock, struct stats_s *stats,
return 0;
}
+ if (filter && filter(pk, NULL, filter_arg)) {
+ log_error( _("key %s: rejected by import filter\n"), keystr_from_pk(pk));
+ return 0;
+ }
if (opt.interactive) {
if(is_status_enabled())
print_import_check (pk, uidnode->pkt->pkt.user_id);
@@ -1146,7 +1157,8 @@ sec_to_pub_keyblock(KBNODE sec_keyblock)
*/
static int
import_secret_one( const char *fname, KBNODE keyblock,
- struct stats_s *stats, unsigned int options)
+ struct stats_s *stats, unsigned int options,
+ import_filter filter, void *filter_arg )
{
PKT_secret_key *sk;
KBNODE node, uidnode;
@@ -1162,6 +1174,11 @@ import_secret_one( const char *fname, KBNODE keyblock,
keyid_from_sk( sk, keyid );
uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
+ if (filter && filter(NULL, sk, filter_arg)) {
+ log_error( _("secret key %s: rejected by import filter\n"), keystr_from_sk(sk));
+ return 0;
+ }
+
if( opt.verbose )
{
log_info( "sec %4u%c/%s %s ",
@@ -1241,7 +1258,7 @@ import_secret_one( const char *fname, KBNODE keyblock,
if(pub_keyblock)
{
import_one(fname,pub_keyblock,stats,
- NULL,NULL,opt.import_options,1);
+ NULL,NULL,opt.import_options,1,NULL,NULL);
release_kbnode(pub_keyblock);
}
}
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 3cef647..eaf44bc 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -971,6 +971,46 @@ direct_uri_map(const char *scheme,unsigned int is_direct)
#define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
#define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
+static int
+keyserver_retrieval_filter(PKT_public_key *pk, PKT_secret_key *sk, void *arg)
+{
+ KEYDB_SEARCH_DESC *desc = arg;
+ u32 keyid[2];
+ byte fpr[MAX_FINGERPRINT_LEN];
+ size_t fpr_len = 0;
+
+ /* we definitely do not want to import secret keys! */
+ if (sk) {
+ return 1;
+ }
+
+ fingerprint_from_pk(pk, fpr, &fpr_len);
+ keyid_from_pk(pk, keyid);
+
+ /* compare requested and returned fingerprints if available */
+ if (desc->mode == KEYDB_SEARCH_MODE_FPR20) {
+ if (fpr_len != 20 || memcmp(fpr, desc->u.fpr, 20)) {
+ return 1;
+ }
+ }
+ else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) {
+ if (fpr_len != 16 || memcmp(fpr, desc->u.fpr, 16)) {
+ return 1;
+ }
+ }
+ else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) {
+ if (memcmp(keyid, desc->u.kid, sizeof(keyid))) {
+ return 1;
+ }
+ }
+ else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) {
+ if (memcmp(&keyid[1], &desc->u.kid[1], 1)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static int
keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
int count,int *prog,unsigned char **fpr,size_t *fpr_len,
@@ -1520,9 +1560,9 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
keyserver. Keyservers should never accept or send them
but we better protect against rogue keyservers. */
- import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len,
- (opt.keyserver_options.import_options
- | IMPORT_NO_SECKEY));
+ import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
+ (opt.keyserver_options.import_options | IMPORT_NO_SECKEY),
+ &keyserver_retrieval_filter, desc);
import_print_stats(stats_handle);
import_release_stats_handle(stats_handle);
@@ -2055,7 +2095,7 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
rc=import_keys_stream (key, NULL, fpr, fpr_len,
(opt.keyserver_options.import_options
- | IMPORT_NO_SECKEY));
+ | IMPORT_NO_SECKEY), NULL, NULL);
opt.no_armor=armor_status;
diff --git a/g10/main.h b/g10/main.h
index eadac1f..73a5529 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -207,11 +207,13 @@ MPI encode_md_value( PKT_public_key *pk, PKT_secret_key *sk,
MD_HANDLE md, int hash_algo );
/*-- import.c --*/
+typedef int (*import_filter)(PKT_public_key *pk, PKT_secret_key *sk, void *arg);
int parse_import_options(char *str,unsigned int *options,int noisy);
void import_keys( char **fnames, int nnames,
void *stats_hd, unsigned int options );
int import_keys_stream( IOBUF inp,void *stats_hd,unsigned char **fpr,
- size_t *fpr_len,unsigned int options );
+ size_t *fpr_len,unsigned int options,
+ import_filter constr, void *filter_arg);
void *import_new_stats_handle (void);
void import_release_stats_handle (void *p);
void import_print_stats (void *hd);
--
1.7.10.4
More information about the Gnupg-devel
mailing list