
Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored. Please follow Documentation/SubmittingPatches procedure for any of your improvements.


  1. #include "cache.h"
  2. #include "config.h"
  3. #include "run-command.h"
  4. #include "strbuf.h"
  5. #include "gpg-interface.h"
  6. #include "sigchain.h"
  7. #include "tempfile.h"
  /*
   * Key id set through set_signing_key() (reached from the
   * "user.signingkey" config variable). NULL until one has been set.
   */
  static char *configured_signing_key;

  /*
   * Description of one supported signature format.
   *
   *   name        - value accepted for the "gpg.format" config variable
   *   program     - executable run to sign and to verify; the defaults
   *                 below can be replaced through the "gpg.*.program"
   *                 config variables, so this is whatever the
   *                 configuration says it is
   *   verify_args - NULL-terminated extra arguments used when verifying
   *   sigs        - NULL-terminated list of armor header lines; a buffer
   *                 that starts with one of them is treated as a
   *                 signature of this format
   */
  struct gpg_format {
      const char *name;
      const char *program;
      const char **verify_args;
      const char **sigs;
  };

  static const char *openpgp_verify_args[] = {
      "--keyid-format=long",
      NULL
  };

  static const char *openpgp_sigs[] = {
      "-----BEGIN PGP SIGNATURE-----",
      "-----BEGIN PGP MESSAGE-----",
      NULL
  };

  /* No extra verification arguments for x509. */
  static const char *x509_verify_args[] = {
      NULL
  };

  static const char *x509_sigs[] = {
      "-----BEGIN SIGNED MESSAGE-----",
      NULL
  };

  /* Table of known formats; index 0 (openpgp) is the default. */
  static struct gpg_format gpg_format[] = {
      {
          .name = "openpgp",
          .program = "gpg",
          .verify_args = openpgp_verify_args,
          .sigs = openpgp_sigs
      },
      {
          .name = "x509",
          .program = "gpgsm",
          .verify_args = x509_verify_args,
          .sigs = x509_sigs
      },
  };

  /*
   * Format whose program is used for signing; replaced when "gpg.format"
   * is configured.
   */
  static struct gpg_format *use_format = &gpg_format[0];
  /*
   * Look up a signature format by its configuration name.
   *
   * The comparison is an exact, case-sensitive strcmp(). Returns a
   * pointer into the gpg_format table, or NULL when no entry has that
   * name.
   */
  static struct gpg_format *get_format_by_name(const char *str)
  {
      struct gpg_format *fmt = gpg_format;
      struct gpg_format *end = gpg_format + ARRAY_SIZE(gpg_format);

      for (; fmt != end; fmt++) {
          if (strcmp(fmt->name, str) == 0)
              return fmt;
      }
      return NULL;
  }
  /*
   * Identify the signature format from the start of a signature buffer.
   *
   * `sig` is compared, as a C string, against every armor header of
   * every known format; the first format with a header that `sig`
   * starts with wins. Returns NULL when nothing matches, so callers
   * must handle input that is not a recognised signature.
   */
  static struct gpg_format *get_format_by_sig(const char *sig)
  {
      size_t f;

      for (f = 0; f < ARRAY_SIZE(gpg_format); f++) {
          const char **header;

          for (header = gpg_format[f].sigs; *header; header++) {
              if (starts_with(sig, *header))
                  return &gpg_format[f];
          }
      }
      return NULL;
  }
  /*
   * Release every string owned by `sigc` and reset the pointers to NULL,
   * so the structure can be cleared again or reused without a double
   * free.
   *
   * Only the string members are touched; sigc->result keeps whatever
   * value it had.
   */
  void signature_check_clear(struct signature_check *sigc)
  {
      /* Raw inputs and outputs of the verification run. */
      FREE_AND_NULL(sigc->payload);
      FREE_AND_NULL(sigc->gpg_output);
      FREE_AND_NULL(sigc->gpg_status);

      /* Fields extracted from the status output. */
      FREE_AND_NULL(sigc->signer);
      FREE_AND_NULL(sigc->key);
      FREE_AND_NULL(sigc->fingerprint);
      FREE_AND_NULL(sigc->primary_key_fingerprint);
  }
  /*
   * Flags describing what a recognised "[GNUPG:]" status keyword carries
   * and how it may be combined with others.
   */

  /* An exclusive status -- only one of them can appear in output */
  #define GPG_STATUS_EXCLUSIVE    (1 << 0)
  /* The status includes key identifier */
  #define GPG_STATUS_KEYID        (1 << 1)
  /* The status includes user identifier */
  #define GPG_STATUS_UID          (1 << 2)
  /* The status includes key fingerprints */
  #define GPG_STATUS_FINGERPRINT  (1 << 3)

  /* Short-hand for standard exclusive *SIG status with keyid & UID */
  #define GPG_STATUS_STDSIG \
      (GPG_STATUS_EXCLUSIVE | GPG_STATUS_KEYID | GPG_STATUS_UID)

  /*
   * Status keywords the parser reacts to.
   *
   *   result - character stored in signature_check.result when the
   *            keyword is seen; 0 means "leave the result alone"
   *   check  - prefix matched right after "[GNUPG:] "; entries ending
   *            in a space must be followed by a field, the TRUST_*
   *            entries match on the bare prefix
   *   flags  - GPG_STATUS_* bits from above
   *
   * The TRUST_* rows are not exclusive, so they can overwrite a result
   * set by an earlier *SIG line.
   */
  static struct {
      char result;
      const char *check;
      unsigned int flags;
  } sigcheck_gpg_status[] = {
      { .result = 'G', .check = "GOODSIG ",        .flags = GPG_STATUS_STDSIG },
      { .result = 'B', .check = "BADSIG ",         .flags = GPG_STATUS_STDSIG },
      { .result = 'U', .check = "TRUST_NEVER",     .flags = 0 },
      { .result = 'U', .check = "TRUST_UNDEFINED", .flags = 0 },
      { .result = 'E', .check = "ERRSIG ",
        .flags = GPG_STATUS_EXCLUSIVE | GPG_STATUS_KEYID },
      { .result = 'X', .check = "EXPSIG ",         .flags = GPG_STATUS_STDSIG },
      { .result = 'Y', .check = "EXPKEYSIG ",      .flags = GPG_STATUS_STDSIG },
      { .result = 'R', .check = "REVKEYSIG ",      .flags = GPG_STATUS_STDSIG },
      { .result = 0,   .check = "VALIDSIG ",       .flags = GPG_STATUS_FINGERPRINT },
  };
  /*
   * Replace the heap string in *field.
   *
   * The old value is freed first. When both `line` and `next` are
   * non-NULL the new value is a NUL-terminated copy of the bytes in
   * [line, next); otherwise *field becomes NULL.
   */
  static void replace_cstring(char **field, const char *line, const char *next)
  {
      char *copy = NULL;

      free(*field);
      if (line && next)
          copy = xmemdupz(line, next - line);
      *field = copy;
  }
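  /*
   * Parse the "[GNUPG:]" status lines in sigc->gpg_status and record the
   * outcome in `sigc`.
   *
   * For every line that starts with "[GNUPG:] " followed by a keyword
   * from sigcheck_gpg_status:
   *   - sigc->result is set to the keyword's result character, if any;
   *   - sigc->key and sigc->signer are filled for keywords that carry a
   *     key id / user id;
   *   - sigc->fingerprint and sigc->primary_key_fingerprint are filled
   *     for keywords that carry fingerprints.
   *
   * If a second exclusive status (GOODSIG, BADSIG, ...) shows up, the
   * result is forced to 'E' and the extracted fields are cleared, so a
   * status stream describing more than one signature is never reported
   * as good.
   */
  static void parse_gpg_output(struct signature_check *sigc)
  {
      const char *buf = sigc->gpg_status;
      const char *line, *next;
      int i, j;
      int seen_exclusive_status = 0;

      /*
       * Iterate over all lines.
       *
       * The step searches from `line` itself rather than line + 1. After
       * a keyword or field has been consumed, `line` may already point at
       * the '\n' or NUL that ends the current line; starting one byte
       * later would skip the whole following status line in the first
       * case and read past the terminator in the second. Whenever `line`
       * is on an ordinary character both forms find the same newline.
       */
      for (line = buf; *line; line = strchrnul(line, '\n')) {
          while (*line == '\n')
              line++;
          if (!*line)
              break;

          /* Skip lines that don't start with GNUPG status */
          if (!skip_prefix(line, "[GNUPG:] ", &line))
              continue;

          /* Iterate over all search strings */
          for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
              if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) {
                  if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) {
                      if (seen_exclusive_status++)
                          goto found_duplicate_status;
                  }

                  if (sigcheck_gpg_status[i].result)
                      sigc->result = sigcheck_gpg_status[i].result;

                  /* Do we have key information? */
                  if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) {
                      /*
                       * NOTE(review): this search for ' ' is not limited
                       * to the current line; it relies on the key id
                       * being followed by a space.
                       */
                      next = strchrnul(line, ' ');
                      replace_cstring(&sigc->key, line, next);

                      /* Do we have signer information? */
                      if (*next && (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) {
                          line = next + 1;
                          next = strchrnul(line, '\n');
                          replace_cstring(&sigc->signer, line, next);
                      }
                  }

                  /* Do we have fingerprint? */
                  if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) {
                      const char *limit;
                      char **field;

                      next = strchrnul(line, ' ');
                      replace_cstring(&sigc->fingerprint, line, next);

                      /*
                       * Skip interim fields. The search is
                       * limited to the same line since only
                       * OpenPGP signatures have a field with
                       * the primary fingerprint.
                       */
                      limit = strchrnul(line, '\n');
                      for (j = 9; j > 0; j--) {
                          if (!*next || limit <= next)
                              break;
                          line = next + 1;
                          next = strchrnul(line, ' ');
                      }

                      field = &sigc->primary_key_fingerprint;
                      if (!j) {
                          /* All nine fields skipped: the rest of the line is it. */
                          next = strchrnul(line, '\n');
                          replace_cstring(field, line, next);
                      } else {
                          /* Line too short: no primary fingerprint. */
                          replace_cstring(field, NULL, NULL);
                      }
                  }

                  break;
              }
          }
      }
      return;

  found_duplicate_status:
      /*
       * GOODSIG, BADSIG etc. can occur only once for each signature.
       * Therefore, if we had more than one then we're dealing with multiple
       * signatures. We don't support them currently, and they're rather
       * hard to create, so something is likely fishy and we should reject
       * them altogether.
       */
      sigc->result = 'E';
      /* Clear partial data to avoid confusion */
      FREE_AND_NULL(sigc->primary_key_fingerprint);
      FREE_AND_NULL(sigc->fingerprint);
      FREE_AND_NULL(sigc->signer);
      FREE_AND_NULL(sigc->key);
  }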
  /*
   * Run the configured verification program on a payload and its detached
   * signature.
   *
   * The signature is written to a temporary file, the payload is fed to
   * the child on its standard input ("-"), and status lines are requested
   * on file descriptor 1 ("--status-fd=1"). The two strbufs receive what
   * pipe_command() collects; `gpg_status` may be NULL, in which case a
   * local scratch buffer is used.
   *
   * Returns 0 only when pipe_command() returned 0 and the status text
   * contains "\n[GNUPG:] GOODSIG "; any other outcome is non-zero.
   *
   * The GOODSIG test is a plain substring search. It does not look at
   * other status lines or at repeated ones, so callers that need the
   * actual verdict should go through check_signature(), which also parses
   * the status output.
   */
  static int verify_signed_buffer(const char *payload, size_t payload_size,
                                  const char *signature, size_t signature_size,
                                  struct strbuf *gpg_output,
                                  struct strbuf *gpg_status)
  {
      struct child_process gpg = CHILD_PROCESS_INIT;
      struct strbuf scratch_status = STRBUF_INIT;
      struct tempfile *sig_file;
      struct gpg_format *fmt;
      int rc;

      sig_file = mks_tempfile_t(".git_vtag_tmpXXXXXX");
      if (!sig_file)
          return error_errno(_("could not create temporary file"));

      if (write_in_full(sig_file->fd, signature, signature_size) < 0 ||
          close_tempfile_gently(sig_file) < 0) {
          error_errno(_("failed writing detached signature to '%s'"),
                      sig_file->filename.buf);
          delete_tempfile(&sig_file);
          return -1;
      }

      /* The armor header decides which program verifies the signature. */
      fmt = get_format_by_sig(signature);
      if (!fmt)
          BUG("bad signature '%s'", signature);

      argv_array_push(&gpg.args, fmt->program);
      argv_array_pushv(&gpg.args, fmt->verify_args);
      argv_array_pushl(&gpg.args,
                       "--status-fd=1",
                       "--verify", sig_file->filename.buf, "-",
                       NULL);

      if (!gpg_status)
          gpg_status = &scratch_status;

      /* Ignore SIGPIPE while talking to the child. */
      sigchain_push(SIGPIPE, SIG_IGN);
      rc = pipe_command(&gpg, payload, payload_size,
                        gpg_status, 0, gpg_output, 0);
      sigchain_pop(SIGPIPE);

      delete_tempfile(&sig_file);

      /* An exit status of 0 is not enough: require a GOODSIG status line. */
      if (!strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG "))
          rc |= 1;

      strbuf_release(&scratch_status); /* no matter it was used or not */

      return rc;
  }
  /*
   * Verify `signature` over `payload` and fill in `sigc`.
   *
   * sigc->result starts out as 'N'. When the verification program
   * produced output (or succeeded), the payload copy, the program's
   * output and its status text are stored in `sigc` and the status text
   * is parsed, which may replace the result character.
   *
   * Returns 0 when verify_signed_buffer() succeeded and the parsed result
   * is 'G' or 'U', and 1 otherwise. Both conditions must hold, so a
   * result character of 'U' that overwrote an earlier bad status does not
   * turn a failed verification into a success.
   *
   * The members of `sigc` are assigned without freeing previous values;
   * presumably callers pass a cleared structure -- confirm against
   * callers.
   */
  int check_signature(const char *payload, size_t plen, const char *signature,
                      size_t slen, struct signature_check *sigc)
  {
      struct strbuf gpg_output = STRBUF_INIT;
      struct strbuf gpg_status = STRBUF_INIT;
      int failed;

      sigc->result = 'N';

      failed = verify_signed_buffer(payload, plen, signature, slen,
                                    &gpg_output, &gpg_status);

      /* Nothing to record when verification failed without any output. */
      if (!failed || gpg_output.len) {
          sigc->payload = xmemdupz(payload, plen);
          sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
          sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
          parse_gpg_output(sigc);

          if (sigc->result != 'G' && sigc->result != 'U')
              failed |= 1;
      }

      strbuf_release(&gpg_status);
      strbuf_release(&gpg_output);

      return failed != 0;
  }
  /*
   * Print the stored results of a signature check.
   *
   * With GPG_VERIFY_VERBOSE set and a payload present, the payload goes
   * to stdout. The program's status text (GPG_VERIFY_RAW set) or its
   * regular output (otherwise) goes to stderr when it is non-NULL.
   */
  void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
  {
      const char *output;

      if (flags & GPG_VERIFY_RAW)
          output = sigc->gpg_status;
      else
          output = sigc->gpg_output;

      if ((flags & GPG_VERIFY_VERBOSE) && sigc->payload)
          fputs(sigc->payload, stdout);

      if (output)
          fputs(output, stderr);
  }
  /*
   * Find where the signature starts inside a buffer.
   *
   * The buffer is scanned line by line. The returned value is the offset
   * of the last line that begins with a known signature header, or `size`
   * when no line does.
   *
   * NOTE(review): the header comparison works on C strings, so this
   * assumes `buf` is NUL-terminated at or after `size` -- confirm against
   * callers.
   */
  size_t parse_signature(const char *buf, size_t size)
  {
      size_t sig_start = size;
      size_t pos = 0;

      while (pos < size) {
          const char *cur = buf + pos;
          const char *newline;

          if (get_format_by_sig(cur))
              sig_start = pos;

          newline = memchr(cur, '\n', size - pos);
          if (!newline)
              break; /* last line has no terminator: nothing left to scan */

          pos = (size_t)(newline - buf) + 1;
      }

      return sig_start;
  }
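  /*
   * Remember `key` as the signing key returned by get_signing_key().
   *
   * A private copy is stored. The copy is made before the previous value
   * is freed, so passing the currently stored string (for example the
   * pointer returned by get_signing_key()) does not read freed memory.
   */
  void set_signing_key(const char *key)
  {
      char *copy = xstrdup(key);

      free(configured_signing_key);
      configured_signing_key = copy;
  }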
  /*
   * Config callback for the signing-related variables.
   *
   *   user.signingkey       - stored through set_signing_key()
   *   gpg.format            - selects the format used for signing;
   *                           unknown names are rejected with an error
   *   gpg.program,
   *   gpg.openpgp.program   - program for the "openpgp" format
   *   gpg.x509.program      - program for the "x509" format
   *
   * The program values are handed to git_config_string() and stored in
   * the format table; that name is later run as a child process for
   * signing and verification, so these variables decide which executable
   * is trusted to judge signatures.
   *
   * Variables not listed above are ignored and 0 is returned. `cb` is not
   * used.
   */
  int git_gpg_config(const char *var, const char *value, void *cb)
  {
      const char *fmtname = NULL;
      struct gpg_format *fmt;

      if (!strcmp(var, "user.signingkey")) {
          if (!value)
              return config_error_nonbool(var);
          set_signing_key(value);
          return 0;
      }

      if (!strcmp(var, "gpg.format")) {
          if (!value)
              return config_error_nonbool(var);
          fmt = get_format_by_name(value);
          if (!fmt)
              return error("unsupported value for %s: %s",
                           var, value);
          use_format = fmt;
          return 0;
      }

      /* "gpg.program" is the older spelling of "gpg.openpgp.program". */
      if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
          fmtname = "openpgp";
      else if (!strcmp(var, "gpg.x509.program"))
          fmtname = "x509";

      if (!fmtname)
          return 0;

      fmt = get_format_by_name(fmtname);
      return git_config_string(&fmt->program, var, value);
  }
  /*
   * Return the key to sign with: the key set through set_signing_key()
   * when there is one, otherwise the committer identity obtained from
   * git_committer_info() with IDENT_STRICT and IDENT_NO_DATE.
   */
  const char *get_signing_key(void)
  {
      return configured_signing_key
          ? configured_signing_key
          : git_committer_info(IDENT_STRICT|IDENT_NO_DATE);
  }
  /*
   * Sign the contents of `buffer` and append the detached signature to
   * `signature`.
   *
   * The program of the currently selected format is run with
   * "--status-fd=2" and "-bsau"; `signing_key` is passed as a separate
   * argument right after "-bsau". The buffer is written to the child and
   * its output is appended to `signature`.
   *
   * Signing counts as successful only when pipe_command() returned 0 and
   * the collected status text contains "\n[GNUPG:] SIG_CREATED ".
   * On success every '\r' in the newly appended part of `signature` is
   * removed and 0 is returned; on failure the value of error() is
   * returned.
   */
  int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *signing_key)
  {
      struct child_process gpg = CHILD_PROCESS_INIT;
      struct strbuf gpg_status = STRBUF_INIT;
      size_t bottom, src, dst;
      int failed;

      argv_array_pushl(&gpg.args,
                       use_format->program,
                       "--status-fd=2",
                       "-bsau", signing_key,
                       NULL);

      /* Only text appended after this offset belongs to the new signature. */
      bottom = signature->len;

      /*
       * When the username signingkey is bad, program could be terminated
       * because gpg exits without reading and then write gets SIGPIPE.
       */
      sigchain_push(SIGPIPE, SIG_IGN);
      failed = pipe_command(&gpg, buffer->buf, buffer->len,
                            signature, 1024, &gpg_status, 0);
      sigchain_pop(SIGPIPE);

      /* A zero exit status alone is not trusted; require SIG_CREATED. */
      if (!strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED "))
          failed |= 1;
      strbuf_release(&gpg_status);

      if (failed)
          return error(_("gpg failed to sign the data"));

      /* Strip CR from the line endings, in case we are on Windows. */
      dst = bottom;
      for (src = bottom; src < signature->len; src++) {
          char ch = signature->buf[src];

          if (ch == '\r')
              continue;
          if (src != dst)
              signature->buf[dst] = ch;
          dst++;
      }
      strbuf_setlen(signature, dst);

      return 0;
  }