Page MenuHome GnuPG

dirmngr appears to unilaterally import system CAs
Closed, ResolvedPublic

Description

reading through dirmngr/http.c and dirmngr/ks-engine-http.c, it appears that HTTP_FLAG_TRUST_SYS is being unilaterally set.

This is probably inappropriate in instances where the target is the SKS HKPS pool (hkps.pool.sks-keyservers.net) because we know that that pool should only be authenticated by @kristianf's CA.

Details

Version
2.2.16

Related Objects

Event Timeline

To be clear, this would allow the least competent CA in the system root trust anchor list to certify an arbitrary server as a member of hkps.pool.sks-keyservers.net. So it is in some sense a security vulnerability -- it allows for a bypass of the correct authority.

gniibe added a subscriber: gniibe.

With NTBTLS, it seems it works correctly.

Comparing the path for NTBTLS (which I usually using for my development) and the one for GNUTLS,
I think that following one liner gives us same behavior to respect @kristianf 's CA for GNUTLS.

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 81b7ba897..8e0701fab 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -792,6 +792,8 @@ http_session_new (http_session_t *r_session,
                         pemname, gnutls_strerror (rc));
             xfree (pemname);
           }
+
+        add_system_cas = 0;
       }
 
     /* Add configured certificates to the session.  */
gniibe changed the task status from Open to Testing.Jul 16 2019, 3:15 AM

Pushed the change to master as well as 2.2 branch.

gniibe triaged this task as Normal priority.Jul 16 2019, 5:35 AM

While I understand incorrectness, the risk in practice is not that high. So, I put this as "normal" priority.

I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.