dirmngr appears to unilaterally import system CAs
Testing, Normal, Public

Description

reading through dirmngr/http.c and dirmngr/ks-engine-http.c, it appears that HTTP_FLAG_TRUST_SYS is being unilaterally set.

This is probably inappropriate in instances where the target is the SKS HKPS pool (hkps.pool.sks-keyservers.net) because we know that that pool should only be authenticated by @kristianf's CA.

dkg created this task. Sun, Jun 30, 6:14 PM
dkg added a comment. Sun, Jun 30, 7:26 PM

To be clear, this would allow the least competent CA in the system root trust anchor list to certify an arbitrary server as a member of hkps.pool.sks-keyservers.net. So it is in some sense a security vulnerability -- it allows for a bypass of the correct authority.
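The description and the comment above describe a trust-configuration mistake: when a host has a dedicated CA (the hkps pool CA), the system trust store must not be added alongside it, otherwise any system root can issue a certificate that passes for that host. The following Go program is an added example, not part of this task or of dirmngr; it builds two throwaway CAs in memory (a constructed "pool CA" and a constructed "system-store CA"), has each issue a certificate for the pool hostname, and verifies both against a root set built with the `add_system_cas` flag set and cleared. All certificates and names are constructed test data; `trustPool`, `accepted` and `Scenario` are helper names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a constructed, in-memory certificate authority (test data only).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate with the given name.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueServerCert has this CA sign a server certificate for host.
func (c *ca) issueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustPool builds the roots used to verify a keyserver connection.
// dedicated is the CA configured for this host; system stands in for the
// OS trust store. addSystemCAs mirrors dirmngr's add_system_cas flag:
// true is the behaviour reported in the task, false is the fix.
func trustPool(dedicated, system *x509.Certificate, addSystemCAs bool) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(dedicated)
	if addSystemCAs {
		pool.AddCert(system)
	}
	return pool
}

// accepted reports whether leaf chains to roots for host.
func accepted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Scenario returns whether the pool-issued certificate and the
// system-CA-issued certificate are each accepted for the pool hostname.
func Scenario(addSystemCAs bool) (poolOK, otherOK bool, err error) {
	const host = "hkps.pool.sks-keyservers.net"
	poolCA, err := newCA("constructed pool CA")
	if err != nil {
		return false, false, err
	}
	otherCA, err := newCA("constructed system-store CA")
	if err != nil {
		return false, false, err
	}
	legit, err := poolCA.issueServerCert(host)
	if err != nil {
		return false, false, err
	}
	rogue, err := otherCA.issueServerCert(host) // same hostname, wrong authority
	if err != nil {
		return false, false, err
	}
	roots := trustPool(poolCA.cert, otherCA.cert, addSystemCAs)
	return accepted(legit, host, roots), accepted(rogue, host, roots), nil
}

func main() {
	for _, sys := range []bool{true, false} {
		poolOK, otherOK, err := Scenario(sys)
		fmt.Printf("add_system_cas=%v: pool-CA cert=%v, other-CA cert=%v, err=%v\n", sys, poolOK, otherOK, err)
	}
}
```

With `add_system_cas` set, both certificates verify, which is the bypass described in the comment above; with it cleared, only the certificate issued by the dedicated CA verifies and the other is rejected as an unknown authority.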

georg added a subscriber: georg. Tue, Jul 2, 8:11 AM
RBS added a subscriber: RBS. Mon, Jul 8, 5:07 PM
gniibe claimed this task. (Edited) Thu, Jul 11, 9:36 AM
gniibe added a subscriber: gniibe.

With NTBTLS, it seems it works correctly.

Comparing the path for NTBTLS (which I usually use for my development) and the one for GNUTLS,
I think that the following one-liner gives us the same behavior of respecting @kristianf's CA for GNUTLS.

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 81b7ba897..8e0701fab 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -792,6 +792,8 @@ http_session_new (http_session_t *r_session,
                         pemname, gnutls_strerror (rc));
             xfree (pemname);
           }
+
+        add_system_cas = 0;
       }
 
     /* Add configured certificates to the session.  */
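Review bot: the new `add_system_cas = 0;` sits at the end of the block that loads the per-host CA file, directly after the error path visible just above (`pemname, gnutls_strerror (rc)`), so it is cleared whether or not that load succeeded; a short comment above the assignment stating that system CAs are deliberately excluded once a dedicated CA is configured for this host, and that a failed load then leaves no roots and fails closed, would make the intent clear to the next reader.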
gniibe changed the task status from Open to Testing. Tue, Jul 16, 3:15 AM

Pushed the change to master as well as 2.2 branch.

gniibe triaged this task as Normal priority. Tue, Jul 16, 5:35 AM

While I understand the incorrectness, the risk in practice is not that high. So I put this as "normal" priority.

werner added a subscriber: werner. Tue, Jul 16, 8:04 AM

I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.