
dirmngr, when configured to use an .onion address, should not permit HTTP redirects to a non-onion address
Closed, ResolvedPublic

Description

Consider the following connection to a misconfigured .onion hkp backend:

dirmngr: permanently loaded certificates: 0
dirmngr:     runtime cached certificates: 0
dirmngr: URL 'http://jirk5u4osbsr34t5.onion:11371/pks/lookup?op=get&options=mr&search=0xXXXXXXXXXXXXXXXX' redirected to 'https://geekchimp.com/pks/lookup?op=get&options=mr&search=0xXXXXXXXXXXXXXXXX' (301)
dirmngr: can't connect to 'geekchimp.com': no IP address for host
dirmngr: error connecting to 'http://jirk5u4osbsr34t5.onion:11371': Unknown host
dirmngr: marking host 'jirk5u4osbsr34t5.onion' as dead
dirmngr: host 'jirk5u4osbsr34t5.onion' marked as dead
dirmngr: command 'KS_GET' failed: No keyserver available

While the server side is clearly misconfigured here, I think if the user has chosen only a .onion address, dirmngr itself should not accept redirections to a public (non-onion) service, to protect the user from such a misconfiguration.

Event Timeline

dkg created this object in space S1 Public.
justus triaged this task as Wishlist priority. Jun 8 2017, 2:53 PM
justus added projects: gnupg (gpg22), dirmngr.

Fixed in e7fc6e3bf0eb6ffe53e1f099d28ce45cef4a8a87.

Note that the redirect did not work, but a bit by accident. See how it says:

dirmngr: can't connect to 'geekchimp.com': no IP address for host

That is because the original host used neither IPv4 nor IPv6, and any further lookups also used neither IPv4 nor IPv6, hence it failed to connect to the redirection target. I'm not sure if it sent a DNS request.

In any case, it now explicitly denies these kinds of redirects, and does not even leak DNS requests.
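The policy the fix describes, as an added example that is not dirmngr's own code: the redirect target is checked against the configured .onion host before any name resolution or connection attempt. The redirect chain, the key id and the helper names are constructed for illustration.

```python
# Added example (not dirmngr's own code): with a .onion keyserver configured,
# a redirect to a non-.onion host is refused before its name is resolved,
# so no DNS query for it can leak.
from urllib.parse import urljoin, urlsplit


def is_onion(host):
    """True if the host name is a Tor hidden-service address."""
    return host is not None and host.lower().rstrip(".").endswith(".onion")


def redirect_allowed(original_url, location):
    """Decide whether a 3xx Location header may be followed.

    Returns (allowed, resolved_url, reason). Location may be relative,
    so it is resolved against the original URL first.
    """
    target = urljoin(original_url, location)
    src_host = urlsplit(original_url).hostname
    dst_host = urlsplit(target).hostname
    if dst_host is None:
        return False, target, "redirect target has no host"
    if is_onion(src_host) and not is_onion(dst_host):
        return False, target, "redirect from .onion to non-onion host refused"
    return True, target, "ok"


def follow_redirects(start_url, responses, max_hops=5):
    """Walk a constructed chain of HTTP responses without any network I/O.

    `responses` maps a URL to (status, location_or_None). The policy check
    runs before the next hop would be resolved or connected to.
    """
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, None
        ok, target, reason = redirect_allowed(url, location)
        if not ok:
            return url, reason
        url = target
    return url, "too many redirects"


# Constructed sample mirroring the misconfigured backend in the report.
ONION = "http://jirk5u4osbsr34t5.onion:11371/pks/lookup?op=get&search=0xKEY"
SAMPLE_RESPONSES = {ONION: (301, "https://geekchimp.com/pks/lookup?op=get&search=0xKEY")}
```

Running `follow_redirects(ONION, SAMPLE_RESPONSES)` stops at the .onion URL with the refusal reason instead of ever touching geekchimp.com.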