Mailing List Archive: [PATCH GnuPG 1/2] gpg: fix fpr comparison in keyserver screener

[PATCH GnuPG 1/2] gpg: fix fpr comparison in keyserver screener

May 12, 2019, 3:36 AM

Post #1 of 3 (298 views)

* g10/keyserver.c (keyserver_retrieval_screener): Only compare actual
fpr_len
---
g10/keyserver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/g10/keyserver.c b/g10/keyserver.c
index 04802d1a5..5b5cf1c13 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1055,7 +1055,7 @@ keyserver_retrieval_screener (kbnode_t keyblock, void *opaque)
{
if (desc[n].mode == KEYDB_SEARCH_MODE_FPR)
{
- if (fpr_len == desc[n].fprlen && !memcmp (fpr, desc[n].u.fpr, 32))
+ if (fpr_len == desc[n].fprlen && !memcmp (fpr, desc[n].u.fpr, fpr_len))
return 0;
}
else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)
--
2.20.1

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

Re: [PATCH GnuPG 1/2] gpg: fix fpr comparison in keyserver screener [ In reply to ]

dkg at fifthhorseman

May 13, 2019, 12:38 PM

Post #2 of 3 (296 views)

Permalink

On Sun 2019-05-12 12:36:55 +0200, Vincent Breitmoser wrote:
> * g10/keyserver.c (keyserver_retrieval_screener): Only compare actual
> fpr_len
> ---
> g10/keyserver.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/g10/keyserver.c b/g10/keyserver.c
> index 04802d1a5..5b5cf1c13 100644
> --- a/g10/keyserver.c
> +++ b/g10/keyserver.c
> @@ -1055,7 +1055,7 @@ keyserver_retrieval_screener (kbnode_t keyblock, void *opaque)
> {
> if (desc[n].mode == KEYDB_SEARCH_MODE_FPR)
> {
> - if (fpr_len == desc[n].fprlen && !memcmp (fpr, desc[n].u.fpr, 32))
> + if (fpr_len == desc[n].fprlen && !memcmp (fpr, desc[n].u.fpr, fpr_len))
> return 0;
> }
> else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID)

fwiw, this looks like it is only relevant on the master branch
(presumably used for testing v5 keys?) -- the STABLE-BRANCH-2-2 branch
doesn't have this stanza.

aiui, Vincent is saying here that uninitialized memory might be compared
here in the case of a v4 fingerprint. I haven't tested this myself.

I'd recommend considering this as a distinct change from the other patch
in this series, rather than treating them as interdependent.

--dkg

Re: [PATCH GnuPG 1/2] gpg: fix fpr comparison in keyserver screener [ In reply to ]

wk at gnupg

May 14, 2019, 10:30 PM

Post #3 of 3 (296 views)

Permalink

On Mon, 13 May 2019 15:38, dkg@fifthhorseman.net said:

> aiui, Vincent is saying here that uninitialized memory might be compared
> here in the case of a v4 fingerprint. I haven't tested this myself.

Yep, the keyserver screen does not yet work in master.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Mailing List Archive

Attached Files:

Attached Files: