]> git.ipfire.org Git - thirdparty/git.git/blame - gpg-interface.c
projects / thirdparty / git.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
The sixth batch
[thirdparty/git.git] / gpg-interface.c
CommitLineData
2f47eae2 1#include "cache.h"
b2141fc1 2#include "config.h"
2f47eae2
JH		 3#include "run-command.h"
4#include "strbuf.h"
5#include "gpg-interface.h"
6#include "sigchain.h"
4322353b 7#include "tempfile.h"
2f47eae2
JH		 8
9static char *configured_signing_key;
54887b46
HJI		 10static enum signature_trust_level configured_min_trust_level = TRUST_UNDEFINED;
11
58af57e1
HS		 12struct gpg_format {
13 const char *name;
14 const char *program;
15 const char **verify_args;
16 const char **sigs;
17};
18
19static const char *openpgp_verify_args[] = {
20 "--keyid-format=long",
21 NULL
22};
23static const char *openpgp_sigs[] = {
24 "-----BEGIN PGP SIGNATURE-----",
25 "-----BEGIN PGP MESSAGE-----",
26 NULL
27};
28
1e7adb97
HS		 29static const char *x509_verify_args[] = {
30 NULL
31};
32static const char *x509_sigs[] = {
33 "-----BEGIN SIGNED MESSAGE-----",
34 NULL
35};
36
58af57e1
HS		 37static struct gpg_format gpg_format[] = {
38 { .name = "openpgp", .program = "gpg",
39 .verify_args = openpgp_verify_args,
40 .sigs = openpgp_sigs
41 },
1e7adb97
HS		 42 { .name = "x509", .program = "gpgsm",
43 .verify_args = x509_verify_args,
44 .sigs = x509_sigs
45 },
58af57e1
HS		 46};
47
48static struct gpg_format *use_format = &gpg_format[0];
2f47eae2 49
58af57e1
HS		 50static struct gpg_format *get_format_by_name(const char *str)
51{
52 int i;
53
54 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
55 if (!strcmp(gpg_format[i].name, str))
56 return gpg_format + i;
57 return NULL;
58}
59
60static struct gpg_format *get_format_by_sig(const char *sig)
61{
62 int i, j;
63
64 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
65 for (j = 0; gpg_format[i].sigs[j]; j++)
66 if (starts_with(sig, gpg_format[i].sigs[j]))
67 return gpg_format + i;
68 return NULL;
69}
d7c67668 70
01e57b5d
MG		 71void signature_check_clear(struct signature_check *sigc)
72{
88ce3ef6
ÆAB		 73 FREE_AND_NULL(sigc->payload);
74 FREE_AND_NULL(sigc->gpg_output);
75 FREE_AND_NULL(sigc->gpg_status);
76 FREE_AND_NULL(sigc->signer);
77 FREE_AND_NULL(sigc->key);
3daaaabe 78 FREE_AND_NULL(sigc->fingerprint);
4de9394d 79 FREE_AND_NULL(sigc->primary_key_fingerprint);
01e57b5d
MG		 80}
81
da6cf1b3
MG		 82/* An exclusive status -- only one of them can appear in output */
83#define GPG_STATUS_EXCLUSIVE (1<<0)
0b11a84e
MG		 84/* The status includes key identifier */
85#define GPG_STATUS_KEYID (1<<1)
86/* The status includes user identifier */
87#define GPG_STATUS_UID (1<<2)
3daaaabe
MG		 88/* The status includes key fingerprints */
89#define GPG_STATUS_FINGERPRINT (1<<3)
54887b46
HJI		 90/* The status includes trust level */
91#define GPG_STATUS_TRUST_LEVEL (1<<4)
0b11a84e
MG		 92
93/* Short-hand for standard exclusive *SIG status with keyid & UID */
94#define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID)
da6cf1b3 95
a50e7ca3
JH		 96static struct {
97 char result;
98 const char *check;
da6cf1b3 99 unsigned int flags;
a50e7ca3 100} sigcheck_gpg_status[] = {
0b11a84e
MG		 101 { 'G', "GOODSIG ", GPG_STATUS_STDSIG },
102 { 'B', "BADSIG ", GPG_STATUS_STDSIG },
0b11a84e
MG		 103 { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID },
104 { 'X', "EXPSIG ", GPG_STATUS_STDSIG },
105 { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG },
106 { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG },
3daaaabe 107 { 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT },
54887b46
HJI		 108 { 0, "TRUST_", GPG_STATUS_TRUST_LEVEL },
109};
110
111static struct {
112 const char *key;
113 enum signature_trust_level value;
114} sigcheck_gpg_trust_level[] = {
115 { "UNDEFINED", TRUST_UNDEFINED },
116 { "NEVER", TRUST_NEVER },
117 { "MARGINAL", TRUST_MARGINAL },
118 { "FULLY", TRUST_FULLY },
119 { "ULTIMATE", TRUST_ULTIMATE },
a50e7ca3
JH		 120};
121
392b862e
HJI		 122static void replace_cstring(char **field, const char *line, const char *next)
123{
124 free(*field);
125
126 if (line && next)
127 *field = xmemdupz(line, next - line);
128 else
129 *field = NULL;
130}
131
54887b46
HJI		 132static int parse_gpg_trust_level(const char *level,
133 enum signature_trust_level *res)
134{
135 size_t i;
136
137 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_trust_level); i++) {
138 if (!strcmp(sigcheck_gpg_trust_level[i].key, level)) {
139 *res = sigcheck_gpg_trust_level[i].value;
140 return 0;
141 }
142 }
143 return 1;
144}
145
fbd0f166 146static void parse_gpg_output(struct signature_check *sigc)
a50e7ca3
JH		 147{
148 const char *buf = sigc->gpg_status;
da6cf1b3 149 const char *line, *next;
4de9394d 150 int i, j;
da6cf1b3
MG		 151 int seen_exclusive_status = 0;
152
153 /* Iterate over all lines */
154 for (line = buf; *line; line = strchrnul(line+1, '\n')) {
155 while (*line == '\n')
156 line++;
64c45dc7
SR		 157 if (!*line)
158 break;
159
da6cf1b3
MG		 160 /* Skip lines that don't start with GNUPG status */
161 if (!skip_prefix(line, "[GNUPG:] ", &line))
162 continue;
163
164 /* Iterate over all search strings */
165 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
166 if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) {
54887b46
HJI		 167 /*
168 * GOODSIG, BADSIG etc. can occur only once for
169 * each signature. Therefore, if we had more
170 * than one then we're dealing with multiple
171 * signatures. We don't support them
172 * currently, and they're rather hard to
173 * create, so something is likely fishy and we
174 * should reject them altogether.
175 */
da6cf1b3 176 if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) {
02561896 177 if (seen_exclusive_status++)
54887b46 178 goto error;
da6cf1b3
MG		 179 }
180
3daaaabe
MG		 181 if (sigcheck_gpg_status[i].result)
182 sigc->result = sigcheck_gpg_status[i].result;
0b11a84e
MG		 183 /* Do we have key information? */
184 if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) {
da6cf1b3 185 next = strchrnul(line, ' ');
392b862e 186 replace_cstring(&sigc->key, line, next);
0b11a84e
MG		 187 /* Do we have signer information? */
188 if (*next && (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) {
da6cf1b3
MG		 189 line = next + 1;
190 next = strchrnul(line, '\n');
392b862e 191 replace_cstring(&sigc->signer, line, next);
da6cf1b3
MG		 192 }
193 }
54887b46
HJI		 194
195 /* Do we have trust level? */
196 if (sigcheck_gpg_status[i].flags & GPG_STATUS_TRUST_LEVEL) {
197 /*
198 * GPG v1 and v2 differs in how the
199 * TRUST_ lines are written. Some
200 * trust lines contain no additional
201 * space-separated information for v1.
202 */
203 size_t trust_size = strcspn(line, " \n");
204 char *trust = xmemdupz(line, trust_size);
205
206 if (parse_gpg_trust_level(trust, &sigc->trust_level)) {
207 free(trust);
208 goto error;
209 }
210 free(trust);
211 }
212
3daaaabe
MG		 213 /* Do we have fingerprint? */
214 if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) {
67a6ea63
HJI		 215 const char *limit;
216 char **field;
217
3daaaabe 218 next = strchrnul(line, ' ');
392b862e 219 replace_cstring(&sigc->fingerprint, line, next);
4de9394d 220
67a6ea63
HJI		 221 /*
222 * Skip interim fields. The search is
223 * limited to the same line since only
224 * OpenPGP signatures has a field with
225 * the primary fingerprint.
226 */
227 limit = strchrnul(line, '\n');
4de9394d 228 for (j = 9; j > 0; j--) {
67a6ea63 229 if (!*next || limit <= next)
4de9394d
MG		 230 break;
231 line = next + 1;
232 next = strchrnul(line, ' ');
233 }
234
67a6ea63
HJI		 235 field = &sigc->primary_key_fingerprint;
236 if (!j) {
237 next = strchrnul(line, '\n');
238 replace_cstring(field, line, next);
239 } else {
240 replace_cstring(field, NULL, NULL);
241 }
3daaaabe 242 }
da6cf1b3
MG		 243
244 break;
661a1806 245 }
a50e7ca3
JH		 246 }
247 }
da6cf1b3
MG		 248 return;
249
54887b46 250error:
da6cf1b3
MG		 251 sigc->result = 'E';
252 /* Clear partial data to avoid confusion */
4de9394d 253 FREE_AND_NULL(sigc->primary_key_fingerprint);
3daaaabe 254 FREE_AND_NULL(sigc->fingerprint);
da6cf1b3
MG		 255 FREE_AND_NULL(sigc->signer);
256 FREE_AND_NULL(sigc->key);
a50e7ca3
JH		 257}
258
67948981
HJI		 259static int verify_signed_buffer(const char *payload, size_t payload_size,
260 const char *signature, size_t signature_size,
261 struct strbuf *gpg_output,
262 struct strbuf *gpg_status)
263{
264 struct child_process gpg = CHILD_PROCESS_INIT;
265 struct gpg_format *fmt;
266 struct tempfile *temp;
267 int ret;
268 struct strbuf buf = STRBUF_INIT;
269
270 temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
271 if (!temp)
272 return error_errno(_("could not create temporary file"));
273 if (write_in_full(temp->fd, signature, signature_size) < 0 ||
274 close_tempfile_gently(temp) < 0) {
275 error_errno(_("failed writing detached signature to '%s'"),
276 temp->filename.buf);
277 delete_tempfile(&temp);
278 return -1;
279 }
280
281 fmt = get_format_by_sig(signature);
282 if (!fmt)
283 BUG("bad signature '%s'", signature);
284
285 argv_array_push(&gpg.args, fmt->program);
286 argv_array_pushv(&gpg.args, fmt->verify_args);
287 argv_array_pushl(&gpg.args,
288 "--status-fd=1",
289 "--verify", temp->filename.buf, "-",
290 NULL);
291
292 if (!gpg_status)
293 gpg_status = &buf;
294
295 sigchain_push(SIGPIPE, SIG_IGN);
296 ret = pipe_command(&gpg, payload, payload_size,
297 gpg_status, 0, gpg_output, 0);
298 sigchain_pop(SIGPIPE);
299
300 delete_tempfile(&temp);
301
302 ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
303 strbuf_release(&buf); /* no matter it was used or not */
304
305 return ret;
306}
307
434060ec 308int check_signature(const char *payload, size_t plen, const char *signature,
a4cc18f2 309 size_t slen, struct signature_check *sigc)
310{
311 struct strbuf gpg_output = STRBUF_INIT;
312 struct strbuf gpg_status = STRBUF_INIT;
313 int status;
314
315 sigc->result = 'N';
54887b46 316 sigc->trust_level = -1;
a4cc18f2 317
318 status = verify_signed_buffer(payload, plen, signature, slen,
319 &gpg_output, &gpg_status);
320 if (status && !gpg_output.len)
321 goto out;
322 sigc->payload = xmemdupz(payload, plen);
323 sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
324 sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
325 parse_gpg_output(sigc);
54887b46
HJI		 326 status |= sigc->result != 'G';
327 status |= sigc->trust_level < configured_min_trust_level;
a4cc18f2 328
329 out:
330 strbuf_release(&gpg_status);
331 strbuf_release(&gpg_output);
434060ec 332
4e5dc9ca 333 return !!status;
a4cc18f2 334}
335
ca194d50 336void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
337{
aeff29dd 338 const char *output = flags & GPG_VERIFY_RAW ?
339 sigc->gpg_status : sigc->gpg_output;
340
ca194d50 341 if (flags & GPG_VERIFY_VERBOSE && sigc->payload)
342 fputs(sigc->payload, stdout);
343
aeff29dd 344 if (output)
345 fputs(output, stderr);
ca194d50 346}
347
e6fa6cde 348size_t parse_signature(const char *buf, size_t size)
d7c67668 349{
d7c67668 350 size_t len = 0;
8b44b2be
JK		 351 size_t match = size;
352 while (len < size) {
353 const char *eol;
354
58af57e1 355 if (get_format_by_sig(buf + len))
8b44b2be
JK		 356 match = len;
357
358 eol = memchr(buf + len, '\n', size - len);
d7c67668
JH		 359 len += eol ? eol - (buf + len) + 1 : size - len;
360 }
8b44b2be 361 return match;
d7c67668
JH		 362}
363
2f47eae2
JH		 364void set_signing_key(const char *key)
365{
366 free(configured_signing_key);
367 configured_signing_key = xstrdup(key);
368}
369
370int git_gpg_config(const char *var, const char *value, void *cb)
371{
58af57e1
HS		 372 struct gpg_format *fmt = NULL;
373 char *fmtname = NULL;
54887b46
HJI		 374 char *trust;
375 int ret;
58af57e1 376
2f47eae2 377 if (!strcmp(var, "user.signingkey")) {
1b0eeec3
JK		 378 if (!value)
379 return config_error_nonbool(var);
0c5e70f0 380 set_signing_key(value);
1b0eeec3 381 return 0;
0c5e70f0 382 }
1b0eeec3 383
57a8dd75
HS		 384 if (!strcmp(var, "gpg.format")) {
385 if (!value)
386 return config_error_nonbool(var);
58af57e1
HS		 387 fmt = get_format_by_name(value);
388 if (!fmt)
57a8dd75
HS		 389 return error("unsupported value for %s: %s",
390 var, value);
58af57e1
HS		 391 use_format = fmt;
392 return 0;
57a8dd75
HS		 393 }
394
54887b46
HJI		 395 if (!strcmp(var, "gpg.mintrustlevel")) {
396 if (!value)
397 return config_error_nonbool(var);
398
399 trust = xstrdup_toupper(value);
400 ret = parse_gpg_trust_level(trust, &configured_min_trust_level);
401 free(trust);
402
403 if (ret)
404 return error("unsupported value for %s: %s", var,
405 value);
406 return 0;
407 }
408
b02f51b1 409 if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
58af57e1
HS		 410 fmtname = "openpgp";
411
1e7adb97
HS		 412 if (!strcmp(var, "gpg.x509.program"))
413 fmtname = "x509";
414
58af57e1
HS		 415 if (fmtname) {
416 fmt = get_format_by_name(fmtname);
417 return git_config_string(&fmt->program, var, value);
2f47eae2 418 }
1b0eeec3 419
2f47eae2
JH		 420 return 0;
421}
422
423const char *get_signing_key(void)
424{
425 if (configured_signing_key)
426 return configured_signing_key;
f9bc573f 427 return git_committer_info(IDENT_STRICT|IDENT_NO_DATE);
2f47eae2
JH		 428}
429
2f47eae2
JH		 430int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *signing_key)
431{
d3180279 432 struct child_process gpg = CHILD_PROCESS_INIT;
0581b546 433 int ret;
2f47eae2 434 size_t i, j, bottom;
efee9553 435 struct strbuf gpg_status = STRBUF_INIT;
2f47eae2 436
aedb5dc3 437 argv_array_pushl(&gpg.args,
58af57e1 438 use_format->program,
efee9553 439 "--status-fd=2",
aedb5dc3
JK		 440 "-bsau", signing_key,
441 NULL);
2f47eae2 442
0581b546 443 bottom = signature->len;
2f47eae2
JH		 444
445 /*
446 * When the username signingkey is bad, program could be terminated
447 * because gpg exits without reading and then write gets SIGPIPE.
448 */
449 sigchain_push(SIGPIPE, SIG_IGN);
0581b546 450 ret = pipe_command(&gpg, buffer->buf, buffer->len,
efee9553 451 signature, 1024, &gpg_status, 0);
2f47eae2
JH		 452 sigchain_pop(SIGPIPE);
453
efee9553
MG		 454 ret |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED ");
455 strbuf_release(&gpg_status);
456 if (ret)
2f47eae2
JH		 457 return error(_("gpg failed to sign the data"));
458
459 /* Strip CR from the line endings, in case we are on Windows. */
460 for (i = j = bottom; i < signature->len; i++)
461 if (signature->buf[i] != '\r') {
462 if (i != j)
463 signature->buf[j] = signature->buf[i];
464 j++;
465 }
466 strbuf_setlen(signature, j);
467
468 return 0;
469}
Unnamed repository; edit this file 'description' to name the repository.