summaryrefslogtreecommitdiff
path: root/gpg-interface.c
diff options
context:
space:
mode:
authorHans Jerry Illikainen <hji@dyntopia.com>2019-11-27 17:48:21 (GMT)
committerJunio C Hamano <gitster@pobox.com>2019-11-30 21:52:35 (GMT)
commit72b006f4bfd30b7c5037c163efaf279ab65bea9c (patch)
tree50fdf5a566469f65c1b496efaaee77961775322e /gpg-interface.c
parent67a6ea63008bcee32a239934ad29eb5c5a554509 (diff)
downloadgit-72b006f4bfd30b7c5037c163efaf279ab65bea9c.zip
git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.tar.gz
git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.tar.bz2
gpg-interface: prefer check_signature() for GPG verification
This commit refactors the use of verify_signed_buffer() outside of gpg-interface.c to use check_signature() instead. It also turns verify_signed_buffer() into a file-local function since it's now only invoked internally by check_signature(). There were previously two globally scoped functions used in different parts of Git to perform GPG signature verification: verify_signed_buffer() and check_signature(). Now only check_signature() is used. The verify_signed_buffer() function doesn't guard against duplicate signatures as described by Michał Górny [1]. Instead it only ensures a non-erroneous exit code from GPG and the presence of at least one GOODSIG status field. This stands in contrast with check_signature() that returns an error if more than one signature is encountered. The lower degree of verification makes the use of verify_signed_buffer() problematic if callers don't parse and validate the various parts of the GPG status message themselves. And processing these messages seems like a task that should be reserved to gpg-interface.c with the function check_signature(). Furthermore, the use of verify_signed_buffer() makes it difficult to introduce new functionality that relies on the content of the GPG status lines. Now all operations that does signature verification share a single entry point to gpg-interface.c. This makes it easier to propagate changed or additional functionality in GPG signature verification to all parts of Git, without having odd edge-cases that don't perform the same degree of verification. [1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html Signed-off-by: Hans Jerry Illikainen <hji@dyntopia.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gpg-interface.c')
-rw-r--r--gpg-interface.c97
1 files changed, 49 insertions, 48 deletions
diff --git a/gpg-interface.c b/gpg-interface.c
index 131e7d5..5134ce2 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -207,6 +207,55 @@ found_duplicate_status:
FREE_AND_NULL(sigc->key);
}
+static int verify_signed_buffer(const char *payload, size_t payload_size,
+ const char *signature, size_t signature_size,
+ struct strbuf *gpg_output,
+ struct strbuf *gpg_status)
+{
+ struct child_process gpg = CHILD_PROCESS_INIT;
+ struct gpg_format *fmt;
+ struct tempfile *temp;
+ int ret;
+ struct strbuf buf = STRBUF_INIT;
+
+ temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
+ if (!temp)
+ return error_errno(_("could not create temporary file"));
+ if (write_in_full(temp->fd, signature, signature_size) < 0 ||
+ close_tempfile_gently(temp) < 0) {
+ error_errno(_("failed writing detached signature to '%s'"),
+ temp->filename.buf);
+ delete_tempfile(&temp);
+ return -1;
+ }
+
+ fmt = get_format_by_sig(signature);
+ if (!fmt)
+ BUG("bad signature '%s'", signature);
+
+ argv_array_push(&gpg.args, fmt->program);
+ argv_array_pushv(&gpg.args, fmt->verify_args);
+ argv_array_pushl(&gpg.args,
+ "--status-fd=1",
+ "--verify", temp->filename.buf, "-",
+ NULL);
+
+ if (!gpg_status)
+ gpg_status = &buf;
+
+ sigchain_push(SIGPIPE, SIG_IGN);
+ ret = pipe_command(&gpg, payload, payload_size,
+ gpg_status, 0, gpg_output, 0);
+ sigchain_pop(SIGPIPE);
+
+ delete_tempfile(&temp);
+
+ ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
+ strbuf_release(&buf); /* no matter it was used or not */
+
+ return ret;
+}
+
int check_signature(const char *payload, size_t plen, const char *signature,
size_t slen, struct signature_check *sigc)
{
@@ -351,51 +400,3 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig
return 0;
}
-
-int verify_signed_buffer(const char *payload, size_t payload_size,
- const char *signature, size_t signature_size,
- struct strbuf *gpg_output, struct strbuf *gpg_status)
-{
- struct child_process gpg = CHILD_PROCESS_INIT;
- struct gpg_format *fmt;
- struct tempfile *temp;
- int ret;
- struct strbuf buf = STRBUF_INIT;
-
- temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
- if (!temp)
- return error_errno(_("could not create temporary file"));
- if (write_in_full(temp->fd, signature, signature_size) < 0 ||
- close_tempfile_gently(temp) < 0) {
- error_errno(_("failed writing detached signature to '%s'"),
- temp->filename.buf);
- delete_tempfile(&temp);
- return -1;
- }
-
- fmt = get_format_by_sig(signature);
- if (!fmt)
- BUG("bad signature '%s'", signature);
-
- argv_array_push(&gpg.args, fmt->program);
- argv_array_pushv(&gpg.args, fmt->verify_args);
- argv_array_pushl(&gpg.args,
- "--status-fd=1",
- "--verify", temp->filename.buf, "-",
- NULL);
-
- if (!gpg_status)
- gpg_status = &buf;
-
- sigchain_push(SIGPIPE, SIG_IGN);
- ret = pipe_command(&gpg, payload, payload_size,
- gpg_status, 0, gpg_output, 0);
- sigchain_pop(SIGPIPE);
-
- delete_tempfile(&temp);
-
- ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
- strbuf_release(&buf); /* no matter it was used or not */
-
- return ret;
-}