  1. #include "cache.h"
  2. #include "config.h"
  3. #include "run-command.h"
  4. #include "strbuf.h"
  5. #include "gpg-interface.h"
  6. #include "sigchain.h"
  7. #include "tempfile.h"
  /* Key selected through set_signing_key(); stays NULL until one is set. */
  static char *configured_signing_key;

  /*
   * Description of one signature backend.
   *
   * name        - value accepted for the "gpg.format" setting
   * program     - executable used as argv[0] when signing or verifying;
   *               git_gpg_config() can overwrite it from configuration, so
   *               it is only as trustworthy as the configuration that set it
   * verify_args - NULL-terminated extra arguments passed on verification
   * sigs        - NULL-terminated list of armor header lines that identify
   *               a signature belonging to this backend
   */
  struct gpg_format {
      const char *name;
      const char *program;
      const char **verify_args;
      const char **sigs;
  };

  /* OpenPGP: extra verification arguments and recognised armor headers. */
  static const char *openpgp_verify_args[] = {
      "--keyid-format=long",
      NULL
  };
  static const char *openpgp_sigs[] = {
      "-----BEGIN PGP SIGNATURE-----",
      "-----BEGIN PGP MESSAGE-----",
      NULL
  };

  /* X.509: no extra verification arguments, one armor header. */
  static const char *x509_verify_args[] = {
      NULL
  };
  static const char *x509_sigs[] = {
      "-----BEGIN SIGNED MESSAGE-----",
      NULL
  };

  /* Table of known backends; the first entry is the default. */
  static struct gpg_format gpg_format[] = {
      {
          .name = "openpgp",
          .program = "gpg",
          .sigs = openpgp_sigs,
          .verify_args = openpgp_verify_args
      },
      {
          .name = "x509",
          .program = "gpgsm",
          .sigs = x509_sigs,
          .verify_args = x509_verify_args
      },
  };

  /* Backend used for signing; "gpg.format" may repoint it. */
  static struct gpg_format *use_format = gpg_format;
  /*
   * Find the backend whose name equals 'str' exactly.
   * Returns a pointer into gpg_format[], or NULL when no entry matches.
   */
  static struct gpg_format *get_format_by_name(const char *str)
  {
      struct gpg_format *fmt = gpg_format;
      struct gpg_format *end = gpg_format + ARRAY_SIZE(gpg_format);

      while (fmt != end) {
          if (strcmp(fmt->name, str) == 0)
              return fmt;
          fmt++;
      }
      return NULL;
  }
  /*
   * Identify the backend from the armor header that 'sig' begins with.
   *
   * 'sig' is handed to starts_with() without a length, so it has to be a
   * NUL-terminated string. Returns a pointer into gpg_format[], or NULL
   * when 'sig' starts with none of the known headers.
   */
  static struct gpg_format *get_format_by_sig(const char *sig)
  {
      size_t f;

      for (f = 0; f < ARRAY_SIZE(gpg_format); f++) {
          const char **header = gpg_format[f].sigs;

          while (*header) {
              if (starts_with(sig, *header))
                  return &gpg_format[f];
              header++;
          }
      }
      return NULL;
  }
  /*
   * Release every string held by 'sigc' and reset the pointers to NULL, so
   * the structure can be reused without carrying over data from an earlier
   * verification. The 'result' field is left as it is.
   */
  void signature_check_clear(struct signature_check *sigc)
  {
      /* Fields filled in while parsing the status output. */
      FREE_AND_NULL(sigc->primary_key_fingerprint);
      FREE_AND_NULL(sigc->fingerprint);
      FREE_AND_NULL(sigc->key);
      FREE_AND_NULL(sigc->signer);

      /* Raw buffers captured from the verification run. */
      FREE_AND_NULL(sigc->gpg_status);
      FREE_AND_NULL(sigc->gpg_output);
      FREE_AND_NULL(sigc->payload);
  }
  /*
   * Flags describing what a status keyword carries and how often it may
   * appear in the output.
   */
  /* Exclusive status: at most one such line may appear in the output */
  #define GPG_STATUS_EXCLUSIVE (1<<0)
  /* The line carries a key identifier */
  #define GPG_STATUS_KEYID (1<<1)
  /* The line carries a user identifier */
  #define GPG_STATUS_UID (1<<2)
  /* The line carries key fingerprints */
  #define GPG_STATUS_FINGERPRINT (1<<3)
  /* Usual exclusive *SIG status: key identifier followed by user identifier */
  #define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID)

  /*
   * Status keywords looked for after the "[GNUPG:] " prefix.
   *
   * result - letter stored in signature_check.result when the keyword is
   *          seen; 0 leaves the current result untouched
   * check  - keyword text (a trailing space means fields follow)
   * flags  - GPG_STATUS_* bits selecting which fields get extracted
   */
  static struct {
      char result;
      const char *check;
      unsigned int flags;
  } sigcheck_gpg_status[] = {
      { .result = 'G', .check = "GOODSIG ", .flags = GPG_STATUS_STDSIG },
      { .result = 'B', .check = "BADSIG ", .flags = GPG_STATUS_STDSIG },
      { .result = 'U', .check = "TRUST_NEVER", .flags = 0 },
      { .result = 'U', .check = "TRUST_UNDEFINED", .flags = 0 },
      { .result = 'E', .check = "ERRSIG ",
        .flags = GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID },
      { .result = 'X', .check = "EXPSIG ", .flags = GPG_STATUS_STDSIG },
      { .result = 'Y', .check = "EXPKEYSIG ", .flags = GPG_STATUS_STDSIG },
      { .result = 'R', .check = "REVKEYSIG ", .flags = GPG_STATUS_STDSIG },
      { .result = 0, .check = "VALIDSIG ", .flags = GPG_STATUS_FINGERPRINT },
  };
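  /*
   * Return the end of the space-delimited field that begins at 'start',
   * never looking at or beyond 'eol' (the end of the current status line).
   */
  static const char *gpg_field_end(const char *start, const char *eol)
  {
      const char *space = memchr(start, ' ', eol - start);

      return space ? space : eol;
  }

  /*
   * Parse the machine-readable status output stored in sigc->gpg_status and
   * fill in sigc->result, key, signer, fingerprint and
   * primary_key_fingerprint.
   *
   * Only lines starting with "[GNUPG:] " are considered. The status text is
   * produced by an external program, so every field is extracted within
   * the bounds of its own line: a status line with fewer fields than
   * expected must not pull text from the lines that follow into a key,
   * signer or fingerprint value.
   *
   * If more than one exclusive status (GOODSIG, BADSIG, ...) is present the
   * result is forced to 'E' and all extracted identifiers are dropped.
   */
  static void parse_gpg_output(struct signature_check *sigc)
  {
      const char *buf = sigc->gpg_status;
      const char *line, *next, *eol;
      size_t i;
      int j;
      int seen_exclusive_status = 0;

      /*
       * Iterate over all lines. The step searches from 'line' itself, not
       * from line + 1: field parsing may leave 'line' on the terminator
       * of the current line, and stepping past it would skip the following
       * status line or read beyond the terminating NUL.
       */
      for (line = buf; *line; line = strchrnul(line, '\n')) {
          while (*line == '\n')
              line++;
          if (!*line)
              break;

          /* Skip lines that don't start with GNUPG status */
          if (!skip_prefix(line, "[GNUPG:] ", &line))
              continue;

          /* Iterate over all search strings */
          for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
              if (!skip_prefix(line, sigcheck_gpg_status[i].check, &line))
                  continue;

              /* Everything parsed below stays in front of this point. */
              eol = strchrnul(line, '\n');

              if ((sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) &&
                  seen_exclusive_status++)
                  goto found_duplicate_status;

              if (sigcheck_gpg_status[i].result)
                  sigc->result = sigcheck_gpg_status[i].result;

              /* Do we have key information? */
              if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) {
                  next = gpg_field_end(line, eol);
                  free(sigc->key);
                  sigc->key = xmemdupz(line, next - line);

                  /* Do we have signer information? */
                  if (next < eol &&
                      (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) {
                      line = next + 1;
                      free(sigc->signer);
                      sigc->signer = xmemdupz(line, eol - line);
                  }
              }

              /* Do we have fingerprint? */
              if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) {
                  next = gpg_field_end(line, eol);
                  free(sigc->fingerprint);
                  sigc->fingerprint = xmemdupz(line, next - line);

                  /* Skip interim fields, staying on this line */
                  for (j = 9; j > 0 && next < eol; j--) {
                      line = next + 1;
                      next = gpg_field_end(line, eol);
                  }

                  /*
                   * The primary key fingerprint is whatever follows the
                   * nine interim fields. A shorter line has no such
                   * field, so record none instead of a neighbouring
                   * field.
                   */
                  free(sigc->primary_key_fingerprint);
                  sigc->primary_key_fingerprint =
                      j ? NULL : xmemdupz(line, eol - line);
              }

              break;
          }
      }
      return;

  found_duplicate_status:
      /*
       * GOODSIG, BADSIG etc. can occur only once for each signature.
       * Therefore, if we had more than one then we're dealing with multiple
       * signatures. We don't support them currently, and they're rather
       * hard to create, so something is likely fishy and we should reject
       * them altogether.
       */
      sigc->result = 'E';
      /* Clear partial data to avoid confusion */
      FREE_AND_NULL(sigc->primary_key_fingerprint);
      FREE_AND_NULL(sigc->fingerprint);
      FREE_AND_NULL(sigc->signer);
      FREE_AND_NULL(sigc->key);
  }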
  /*
   * Verify 'signature' over 'payload' and record the outcome in 'sigc'.
   *
   * sigc->result starts as 'N'. When verification fails and nothing was
   * captured in gpg_output, it stays 'N' and the other fields of 'sigc'
   * are not touched. Otherwise the payload and both captured outputs are
   * stored in 'sigc' (ownership moves to 'sigc') and the status output is
   * parsed.
   *
   * Returns 0 only when verify_signed_buffer() succeeded and the parsed
   * result is 'G' or 'U'; returns 1 in every other case. Note that 'U'
   * counts as success here, so callers that require a trusted key need to
   * inspect sigc->result themselves.
   */
  int check_signature(const char *payload, size_t plen, const char *signature,
                      size_t slen, struct signature_check *sigc)
  {
      struct strbuf gpg_status = STRBUF_INIT;
      struct strbuf gpg_output = STRBUF_INIT;
      int failed;

      sigc->result = 'N';

      failed = verify_signed_buffer(payload, plen, signature, slen,
                                    &gpg_output, &gpg_status);
      if (!failed || gpg_output.len) {
          sigc->payload = xmemdupz(payload, plen);
          sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
          sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
          parse_gpg_output(sigc);

          if (sigc->result != 'G' && sigc->result != 'U')
              failed |= 1;
      }

      strbuf_release(&gpg_status);
      strbuf_release(&gpg_output);
      return !!failed;
  }
  /*
   * Print the stored verification output.
   *
   * With GPG_VERIFY_VERBOSE the payload (if any) goes to stdout. The
   * status text (GPG_VERIFY_RAW) or the regular output goes to stderr.
   * Both are written verbatim, exactly as they were captured.
   */
  void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
  {
      const char *output;

      if (flags & GPG_VERIFY_RAW)
          output = sigc->gpg_status;
      else
          output = sigc->gpg_output;

      if ((flags & GPG_VERIFY_VERBOSE) && sigc->payload)
          fputs(sigc->payload, stdout);

      if (output)
          fputs(output, stderr);
  }
  /*
   * Locate the signature inside 'buf'.
   *
   * Every line is tested against the known armor headers; the offset of
   * the last line that starts with one is returned, or 'size' when no line
   * does.
   *
   * NOTE(review): get_format_by_sig() compares without a length, so 'buf'
   * presumably has to be NUL-terminated at or after 'size' -- confirm
   * against callers.
   */
  size_t parse_signature(const char *buf, size_t size)
  {
      size_t pos = 0;
      size_t found = size;

      while (pos < size) {
          const char *cur = buf + pos;
          const char *nl;

          if (get_format_by_sig(cur))
              found = pos;

          nl = memchr(cur, '\n', size - pos);
          if (!nl)
              break;                 /* last line, no terminator */
          pos = (size_t)(nl - buf) + 1;  /* first byte of the next line */
      }
      return found;
  }
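  /*
   * Remember 'key' as the signing key, replacing any earlier one.
   *
   * The copy is made before the previous value is released, so passing
   * the pointer returned by get_signing_key() back in does not read freed
   * memory.
   */
  void set_signing_key(const char *key)
  {
      char *copy = xstrdup(key);

      free(configured_signing_key);
      configured_signing_key = copy;
  }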
  /*
   * Configuration callback for the signing-related settings.
   *
   *   user.signingkey                   - key used for signing
   *   gpg.format                        - backend used for signing; unknown
   *                                       names are rejected
   *   gpg.program, gpg.openpgp.program  - executable for the openpgp backend
   *   gpg.x509.program                  - executable for the x509 backend
   *
   * The *.program values decide which executable gets run for signing and
   * verification, so they deserve the same trust as any other command
   * taken from configuration.
   *
   * Returns 0 for handled or unrelated variables and a non-zero error for
   * a missing value or an unsupported format. 'cb' is unused.
   */
  int git_gpg_config(const char *var, const char *value, void *cb)
  {
      struct gpg_format *selected = NULL;
      char *program_owner = NULL;

      if (!strcmp(var, "user.signingkey")) {
          if (!value)
              return config_error_nonbool(var);
          set_signing_key(value);
          return 0;
      }

      if (!strcmp(var, "gpg.format")) {
          if (!value)
              return config_error_nonbool(var);
          selected = get_format_by_name(value);
          if (!selected)
              return error("unsupported value for %s: %s",
                           var, value);
          use_format = selected;
          return 0;
      }

      /* Map the variable to the backend whose program it overrides. */
      if (!strcmp(var, "gpg.x509.program"))
          program_owner = "x509";
      else if (!strcmp(var, "gpg.program") ||
               !strcmp(var, "gpg.openpgp.program"))
          program_owner = "openpgp";

      if (!program_owner)
          return 0;

      selected = get_format_by_name(program_owner);
      return git_config_string(&selected->program, var, value);
  }
  /*
   * Return the key to sign with: the one stored by set_signing_key() when
   * there is one, otherwise whatever git_committer_info() yields for
   * IDENT_STRICT|IDENT_NO_DATE.
   */
  const char *get_signing_key(void)
  {
      return configured_signing_key
          ? configured_signing_key
          : git_committer_info(IDENT_STRICT|IDENT_NO_DATE);
  }
  /*
   * Create a detached signature for 'buffer' and append it to 'signature'.
   *
   * Runs the program of the selected format with "--status-fd=2" and
   * "-bsau <signing_key>", feeding 'buffer' on its input. Signing counts as
   * successful only when the command succeeds and its status output has a
   * "[GNUPG:] SIG_CREATED " line. Carriage returns are then removed from
   * the appended part of 'signature'.
   *
   * Returns 0 on success and the value of error() on failure.
   */
  int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *signing_key)
  {
      struct child_process gpg = CHILD_PROCESS_INIT;
      struct strbuf gpg_status = STRBUF_INIT;
      size_t start = signature->len;   /* where the new signature begins */
      size_t rd, wr;
      int failed;

      argv_array_pushl(&gpg.args,
                       use_format->program,
                       "--status-fd=2",
                       "-bsau", signing_key,
                       NULL);

      /*
       * With a bad signing key the program may exit without reading its
       * input; ignore SIGPIPE so that the write does not kill us.
       */
      sigchain_push(SIGPIPE, SIG_IGN);
      failed = pipe_command(&gpg, buffer->buf, buffer->len,
                            signature, 1024, &gpg_status, 0);
      sigchain_pop(SIGPIPE);

      /* Exit status alone is not enough: require the creation record. */
      failed |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED ");
      strbuf_release(&gpg_status);
      if (failed)
          return error(_("gpg failed to sign the data"));

      /* Strip CR from the line endings, in case we are on Windows. */
      wr = start;
      for (rd = start; rd < signature->len; rd++) {
          if (signature->buf[rd] == '\r')
              continue;
          if (rd != wr)
              signature->buf[wr] = signature->buf[rd];
          wr++;
      }
      strbuf_setlen(signature, wr);

      return 0;
  }
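  /*
   * Run the verification program for 'signature' over 'payload'.
   *
   * The detached signature is written to a temporary file and the payload
   * is fed on the program's input. The program is started with
   * "--status-fd=1"; that stream is collected in 'gpg_status' (may be NULL
   * when the caller does not want it) and the other captured stream in
   * 'gpg_output'.
   *
   * Returns 0 only when the command succeeded and the status text holds a
   * "[GNUPG:] GOODSIG " line; non-zero otherwise, -1 or the value of
   * error_errno() when the temporary file could not be written.
   *
   * The backend is chosen from the armor header of 'signature', which is
   * treated as a NUL-terminated string here. The lookup is done before
   * the temporary file is created, so the BUG() path cannot leave a file
   * behind.
   * NOTE(review): BUG() on an unrecognised header assumes callers only
   * pass signatures located by parse_signature() -- confirm.
   */
  int verify_signed_buffer(const char *payload, size_t payload_size,
                           const char *signature, size_t signature_size,
                           struct strbuf *gpg_output, struct strbuf *gpg_status)
  {
      struct child_process gpg = CHILD_PROCESS_INIT;
      struct gpg_format *fmt;
      struct tempfile *temp;
      int ret;
      struct strbuf buf = STRBUF_INIT;

      /* Validate the input before touching the filesystem. */
      fmt = get_format_by_sig(signature);
      if (!fmt)
          BUG("bad signature '%s'", signature);

      temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
      if (!temp)
          return error_errno(_("could not create temporary file"));
      if (write_in_full(temp->fd, signature, signature_size) < 0 ||
          close_tempfile_gently(temp) < 0) {
          error_errno(_("failed writing detached signature to '%s'"),
                      temp->filename.buf);
          delete_tempfile(&temp);
          return -1;
      }

      argv_array_push(&gpg.args, fmt->program);
      argv_array_pushv(&gpg.args, fmt->verify_args);
      argv_array_pushl(&gpg.args,
                       "--status-fd=1",
                       "--verify", temp->filename.buf, "-",
                       NULL);

      /* The status text is needed below even if the caller ignores it. */
      if (!gpg_status)
          gpg_status = &buf;

      sigchain_push(SIGPIPE, SIG_IGN);
      ret = pipe_command(&gpg, payload, payload_size,
                         gpg_status, 0, gpg_output, 0);
      sigchain_pop(SIGPIPE);

      delete_tempfile(&temp);

      /* A clean exit is not enough: require an explicit GOODSIG record. */
      ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
      strbuf_release(&buf); /* no matter it was used or not */

      return ret;
  }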
  315. sigchain_push(SIGPIPE, SIG_IGN);
  316. ret = pipe_command(&gpg, payload, payload_size,
  317. gpg_status, 0, gpg_output, 0);
  318. sigchain_pop(SIGPIPE);
  319. delete_tempfile(&temp);
  320. ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
  321. strbuf_release(&buf); /* no matter it was used or not */
  322. return ret;
  323. }