| Message ID | 20181012210928.18033-1-mgorny@gentoo.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3] gpg-interface.c: detect and reject multiple signatures on commits | expand |
Thanks, will take a look.
Michał Górny <mgorny@gentoo.org> writes: > GnuPG supports creating signatures consisting of multiple signature > packets. If such a signature is verified, it outputs all the status > messages for each signature separately. However, git currently does not > account for such scenario and gets terribly confused over getting > multiple *SIG statuses. > > For example, if a malicious party alters a signed commit and appends > a new untrusted signature, git is going to ignore the original bad > signature and report untrusted commit instead. However, %GK and %GS > format strings may still expand to the data corresponding > to the original signature, potentially tricking the scripts into > trusting the malicious commit. > > Given that the use of multiple signatures is quite rare, git does not > support creating them without jumping through a few hoops, and finally > supporting them properly would require extensive API improvement, it > seems reasonable to just reject them at the moment. > > Signed-off-by: Michał Górny <mgorny@gentoo.org> > --- > gpg-interface.c | 94 +++++++++++++++++++++++++++------------- > t/t7510-signed-commit.sh | 26 +++++++++++ > 2 files changed, 91 insertions(+), 29 deletions(-) > > Changes in v3: reworked the whole loop to iterate over lines rather > than scanning the whole buffer, as requested. Now it also catches > duplicate instances of the same status. > > diff --git a/gpg-interface.c b/gpg-interface.c > index db17d65f8..480aab4ee 100644 > --- a/gpg-interface.c > +++ b/gpg-interface.c > @@ -75,48 +75,84 @@ void signature_check_clear(struct signature_check *sigc) > FREE_AND_NULL(sigc->key); > } > > +/* An exclusive status -- only one of them can appear in output */ > +#define GPG_STATUS_EXCLUSIVE (1<<0) > + > static struct { > char result; > const char *check; > + unsigned int flags; > } sigcheck_gpg_status[] = { > - { 'G', "\n[GNUPG:] GOODSIG " }, > - { 'B', "\n[GNUPG:] BADSIG " }, > - { 'U', "\n[GNUPG:] TRUST_NEVER" }, > - { 'U', "\n[GNUPG:] TRUST_UNDEFINED" }, > - { 'E', "\n[GNUPG:] ERRSIG "}, > - { 'X', "\n[GNUPG:] EXPSIG "}, > - { 'Y', "\n[GNUPG:] EXPKEYSIG "}, > - { 'R', "\n[GNUPG:] REVKEYSIG "}, > + { 'G', "GOODSIG ", GPG_STATUS_EXCLUSIVE }, > + { 'B', "BADSIG ", GPG_STATUS_EXCLUSIVE }, > + { 'U', "TRUST_NEVER", 0 }, > + { 'U', "TRUST_UNDEFINED", 0 }, > + { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE }, > + { 'X', "EXPSIG ", GPG_STATUS_EXCLUSIVE }, > + { 'Y', "EXPKEYSIG ", GPG_STATUS_EXCLUSIVE }, > + { 'R', "REVKEYSIG ", GPG_STATUS_EXCLUSIVE }, > }; > > static void parse_gpg_output(struct signature_check *sigc) > { > const char *buf = sigc->gpg_status; > + const char *line, *next; > int i; > - > - /* Iterate over all search strings */ > - for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { > - const char *found, *next; > - > - if (!skip_prefix(buf, sigcheck_gpg_status[i].check + 1, &found)) { > - found = strstr(buf, sigcheck_gpg_status[i].check); > - if (!found) > - continue; > - found += strlen(sigcheck_gpg_status[i].check); > - } > - sigc->result = sigcheck_gpg_status[i].result; > - /* The trust messages are not followed by key/signer information */ > - if (sigc->result != 'U') { > - next = strchrnul(found, ' '); > - sigc->key = xmemdupz(found, next - found); > - /* The ERRSIG message is not followed by signer information */ > - if (*next && sigc-> result != 'E') { > - found = next + 1; > - next = strchrnul(found, '\n'); > - sigc->signer = xmemdupz(found, next - found); > + int had_exclusive_status = 0; > + > + /* Iterate over all lines */ > + for (line = buf; *line; line = strchrnul(line+1, '\n')) { > + while (*line == '\n') > + line++; > + /* Skip lines that don't start with GNUPG status */ > + if (strncmp(line, "[GNUPG:] ", 9)) > + continue; > + line += 9; You do not want to count to 9 yourself. Instead if (!skip_prefix(line, "[GNUPG:] ", &line)) continue; > + /* Iterate over all search strings */ > + for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { > + if (!strncmp(line, sigcheck_gpg_status[i].check, > + strlen(sigcheck_gpg_status[i].check))) { > + line += strlen(sigcheck_gpg_status[i].check); Likewise. > + if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) > + had_exclusive_status++; "has" is fine, but I think existing code elsewhere we use "seen" for things like this. > + sigc->result = sigcheck_gpg_status[i].result; > + /* The trust messages are not followed by key/signer information */ > + if (sigc->result != 'U') { > + next = strchrnul(line, ' '); > + free(sigc->key); > + sigc->key = xmemdupz(line, next - line); > + /* The ERRSIG message is not followed by signer information */ > + if (*next && sigc->result != 'E') { > + line = next + 1; > + next = strchrnul(line, '\n'); > + free(sigc->signer); > + sigc->signer = xmemdupz(line, next - line); > + } > + } > + break; > } > } > } So unless U/E, we expect to see a key, and unless E, we also expect there is a signer; we keep the last value we see in the sequence in sigc. Because all of these that are not U are marked exclusive, if we check if sigc->key already has value at the point you free the sigc->key field above, we can see if there is a duplicate record that are of "exclusive" type? I am not suggesting to lose the addition of "flags = GPG_STATUS_EXCLUSIVE|0" field, but trying to see if I am getting the logic right. For gpg_status that is !GPG_STATUS_EXCLUSIVE (i.e. "U"), we do not do any replacement of already seen .key/.signer, and all the cases that we do the replacement are GPG_STATUS_EXCLUSIVE, which we know will become an error in the code below when we do see twice. So it is fine not to check if .key/.signer we see twice are the same or different. It is an error even if we see the same .key/.signer twice---having two records is already wrong no matter whose key/sign it is. OK, so the whole thing makes sense to me. Having said that, if we wanted to short-circuit, I think for (each line) { for (each sigcheck_gpg_status[]) { if (not the one on line) continue; if (sigc->result != 'U') { if (sigc->key) goto found_dup; sigc->key = make a copy; if (*next && sigc->result != 'E') { if (sigc->signer) goto found_dup; sigc->signer = make a copy; } } break; } } return; found_dup: sigc->result = 'E'; FREE_AND_NULL(sigc->signer); FREE_AND_NULL(sigc->key); return; would also be fine. > + > + /* > + * GOODSIG, BADSIG etc. can occur only once for each signature. > + * Therefore, if we had more than one then we're dealing with multiple > + * signatures. We don't support them currently, and they're rather > + * hard to create, so something is likely fishy and we should reject > + * them altogether. > + */ > + if (had_exclusive_status > 1) { > + sigc->result = 'E'; > + /* Clear partial data to avoid confusion */ > + if (sigc->signer) > + FREE_AND_NULL(sigc->signer); > + if (sigc->key) > + FREE_AND_NULL(sigc->key); I think it is OK to use FREE_AND_NULL() unconditionally (just like we can use free(x) on x==NULL). > + } > }
On Mon, 2018-10-15 at 12:31 +0900, Junio C Hamano wrote: > Michał Górny <mgorny@gentoo.org> writes: > > > GnuPG supports creating signatures consisting of multiple signature > > packets. If such a signature is verified, it outputs all the status > > messages for each signature separately. However, git currently does not > > account for such scenario and gets terribly confused over getting > > multiple *SIG statuses. > > > > For example, if a malicious party alters a signed commit and appends > > a new untrusted signature, git is going to ignore the original bad > > signature and report untrusted commit instead. However, %GK and %GS > > format strings may still expand to the data corresponding > > to the original signature, potentially tricking the scripts into > > trusting the malicious commit. > > > > Given that the use of multiple signatures is quite rare, git does not > > support creating them without jumping through a few hoops, and finally > > supporting them properly would require extensive API improvement, it > > seems reasonable to just reject them at the moment. > > > > Signed-off-by: Michał Górny <mgorny@gentoo.org> > > --- > > gpg-interface.c | 94 +++++++++++++++++++++++++++------------- > > t/t7510-signed-commit.sh | 26 +++++++++++ > > 2 files changed, 91 insertions(+), 29 deletions(-) > > > > Changes in v3: reworked the whole loop to iterate over lines rather > > than scanning the whole buffer, as requested. Now it also catches > > duplicate instances of the same status. > > > > diff --git a/gpg-interface.c b/gpg-interface.c > > index db17d65f8..480aab4ee 100644 > > --- a/gpg-interface.c > > +++ b/gpg-interface.c > > @@ -75,48 +75,84 @@ void signature_check_clear(struct signature_check *sigc) > > FREE_AND_NULL(sigc->key); > > } > > > > +/* An exclusive status -- only one of them can appear in output */ > > +#define GPG_STATUS_EXCLUSIVE (1<<0) > > + > > static struct { > > char result; > > const char *check; > > + unsigned int flags; > > } sigcheck_gpg_status[] = { > > - { 'G', "\n[GNUPG:] GOODSIG " }, > > - { 'B', "\n[GNUPG:] BADSIG " }, > > - { 'U', "\n[GNUPG:] TRUST_NEVER" }, > > - { 'U', "\n[GNUPG:] TRUST_UNDEFINED" }, > > - { 'E', "\n[GNUPG:] ERRSIG "}, > > - { 'X', "\n[GNUPG:] EXPSIG "}, > > - { 'Y', "\n[GNUPG:] EXPKEYSIG "}, > > - { 'R', "\n[GNUPG:] REVKEYSIG "}, > > + { 'G', "GOODSIG ", GPG_STATUS_EXCLUSIVE }, > > + { 'B', "BADSIG ", GPG_STATUS_EXCLUSIVE }, > > + { 'U', "TRUST_NEVER", 0 }, > > + { 'U', "TRUST_UNDEFINED", 0 }, > > + { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE }, > > + { 'X', "EXPSIG ", GPG_STATUS_EXCLUSIVE }, > > + { 'Y', "EXPKEYSIG ", GPG_STATUS_EXCLUSIVE }, > > + { 'R', "REVKEYSIG ", GPG_STATUS_EXCLUSIVE }, > > }; > > > > static void parse_gpg_output(struct signature_check *sigc) > > { > > const char *buf = sigc->gpg_status; > > + const char *line, *next; > > int i; > > - > > - /* Iterate over all search strings */ > > - for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { > > - const char *found, *next; > > - > > - if (!skip_prefix(buf, sigcheck_gpg_status[i].check + 1, &found)) { > > - found = strstr(buf, sigcheck_gpg_status[i].check); > > - if (!found) > > - continue; > > - found += strlen(sigcheck_gpg_status[i].check); > > - } > > - sigc->result = sigcheck_gpg_status[i].result; > > - /* The trust messages are not followed by key/signer information */ > > - if (sigc->result != 'U') { > > - next = strchrnul(found, ' '); > > - sigc->key = xmemdupz(found, next - found); > > - /* The ERRSIG message is not followed by signer information */ > > - if (*next && sigc-> result != 'E') { > > - found = next + 1; > > - next = strchrnul(found, '\n'); > > - sigc->signer = xmemdupz(found, next - found); > > + int had_exclusive_status = 0; > > + > > + /* Iterate over all lines */ > > + for (line = buf; *line; line = strchrnul(line+1, '\n')) { > > + while (*line == '\n') > > + line++; > > + /* Skip lines that don't start with GNUPG status */ > > + if (strncmp(line, "[GNUPG:] ", 9)) > > + continue; > > + line += 9; > > You do not want to count to 9 yourself. Instead > > if (!skip_prefix(line, "[GNUPG:] ", &line)) > continue; > > > > + /* Iterate over all search strings */ > > + for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { > > + if (!strncmp(line, sigcheck_gpg_status[i].check, > > + strlen(sigcheck_gpg_status[i].check))) { > > + line += strlen(sigcheck_gpg_status[i].check); > > Likewise. Both done. > > > + if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) > > + had_exclusive_status++; > > "has" is fine, but I think existing code elsewhere we use "seen" for > things like this. > > > + sigc->result = sigcheck_gpg_status[i].result; > > + /* The trust messages are not followed by key/signer information */ > > + if (sigc->result != 'U') { > > + next = strchrnul(line, ' '); > > + free(sigc->key); > > + sigc->key = xmemdupz(line, next - line); > > + /* The ERRSIG message is not followed by signer information */ > > + if (*next && sigc->result != 'E') { > > + line = next + 1; > > + next = strchrnul(line, '\n'); > > + free(sigc->signer); > > + sigc->signer = xmemdupz(line, next - line); > > + } > > + } > > + break; > > } > > } > > } > > So unless U/E, we expect to see a key, and unless E, we also expect > there is a signer; we keep the last value we see in the sequence in > sigc. Because all of these that are not U are marked exclusive, if > we check if sigc->key already has value at the point you free the > sigc->key field above, we can see if there is a duplicate record > that are of "exclusive" type? I am not suggesting to lose the > addition of "flags = GPG_STATUS_EXCLUSIVE|0" field, but trying to > see if I am getting the logic right. > > For gpg_status that is !GPG_STATUS_EXCLUSIVE (i.e. "U"), we do not > do any replacement of already seen .key/.signer, and all the cases > that we do the replacement are GPG_STATUS_EXCLUSIVE, which we know > will become an error in the code below when we do see twice. So it > is fine not to check if .key/.signer we see twice are the same or > different. It is an error even if we see the same .key/.signer > twice---having two records is already wrong no matter whose key/sign > it is. > > OK, so the whole thing makes sense to me. > > Having said that, if we wanted to short-circuit, I think > > for (each line) { > for (each sigcheck_gpg_status[]) { > if (not the one on line) > continue; > if (sigc->result != 'U') { > if (sigc->key) > goto found_dup; > sigc->key = make a copy; > if (*next && sigc->result != 'E') { > if (sigc->signer) > goto found_dup; > sigc->signer = make a copy; > } > } > break; > } > } > return; > > found_dup: > sigc->result = 'E'; > FREE_AND_NULL(sigc->signer); > FREE_AND_NULL(sigc->key); > return; > > would also be fine. Do I understand correctly that you mean to take advantage that 'seen exclusive status' cases match 'seen key' cases? I think this would be a little less readable. That said, I was planning on next patch that replaced the "!= 'U'" test with explicit flags for whether a particular status includes key and UID. If you'd agree with this direction, I think having this one separate as well would make sense. > > + > > + /* > > + * GOODSIG, BADSIG etc. can occur only once for each signature. > > + * Therefore, if we had more than one then we're dealing with multiple > > + * signatures. We don't support them currently, and they're rather > > + * hard to create, so something is likely fishy and we should reject > > + * them altogether. > > + */ > > + if (had_exclusive_status > 1) { > > + sigc->result = 'E'; > > + /* Clear partial data to avoid confusion */ > > + if (sigc->signer) > > + FREE_AND_NULL(sigc->signer); > > + if (sigc->key) > > + FREE_AND_NULL(sigc->key); > > I think it is OK to use FREE_AND_NULL() unconditionally (just like > we can use free(x) on x==NULL). Done as well. > > > + } > > } > >
Michał Górny <mgorny@gentoo.org> writes: >> OK, so the whole thing makes sense to me. >> >> Having said that, if we wanted to short-circuit, I think >> >> for (each line) { >> for (each sigcheck_gpg_status[]) { >> if (not the one on line) >> continue; >> if (sigc->result != 'U') { >> if (sigc->key) >> goto found_dup; >> sigc->key = make a copy; >> if (*next && sigc->result != 'E') { >> if (sigc->signer) >> goto found_dup; >> sigc->signer = make a copy; >> } >> } >> break; >> } >> } >> return; >> >> found_dup: >> sigc->result = 'E'; >> FREE_AND_NULL(sigc->signer); >> FREE_AND_NULL(sigc->key); >> return; >> >> would also be fine. > > Do I understand correctly that you mean to take advantage that 'seen > exclusive status' cases match 'seen key' cases? I think this would be > a little less readable. Yes, the above is taking advantage of: exclusive ones do give us key and/or signer, so it is a sign that we've found collision between two exclusive status line if we need to free and replace. But that was "whole thing makes sense, but if we wanted to...". I do not know if we want to short-circuit upon finding a single problem, or parse the whole thing to the end. I guess we could short-circuit while still using the "seen-exclusive" variable (we can just do so at the place seen-exclusive is incremented---if it is already one, then we know we have seen one already and we are looking at another one). > That said, I was planning on next patch that replaced the "!= 'U'" test > with explicit flags for whether a particular status includes key > and UID. If you'd agree with this direction, I think having this one > separate as well would make sense. Yup, it might be a bit over-engineered for this code, but we are adding the "exclusive" bit to the status[] array already, and I think it makes sense to also have "does this give us key?" and "does this tell us signer?" bit there. Thanks.
diff --git a/gpg-interface.c b/gpg-interface.c index db17d65f8..480aab4ee 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -75,48 +75,84 @@ void signature_check_clear(struct signature_check *sigc) FREE_AND_NULL(sigc->key); } +/* An exclusive status -- only one of them can appear in output */ +#define GPG_STATUS_EXCLUSIVE (1<<0) + static struct { char result; const char *check; + unsigned int flags; } sigcheck_gpg_status[] = { - { 'G', "\n[GNUPG:] GOODSIG " }, - { 'B', "\n[GNUPG:] BADSIG " }, - { 'U', "\n[GNUPG:] TRUST_NEVER" }, - { 'U', "\n[GNUPG:] TRUST_UNDEFINED" }, - { 'E', "\n[GNUPG:] ERRSIG "}, - { 'X', "\n[GNUPG:] EXPSIG "}, - { 'Y', "\n[GNUPG:] EXPKEYSIG "}, - { 'R', "\n[GNUPG:] REVKEYSIG "}, + { 'G', "GOODSIG ", GPG_STATUS_EXCLUSIVE }, + { 'B', "BADSIG ", GPG_STATUS_EXCLUSIVE }, + { 'U', "TRUST_NEVER", 0 }, + { 'U', "TRUST_UNDEFINED", 0 }, + { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE }, + { 'X', "EXPSIG ", GPG_STATUS_EXCLUSIVE }, + { 'Y', "EXPKEYSIG ", GPG_STATUS_EXCLUSIVE }, + { 'R', "REVKEYSIG ", GPG_STATUS_EXCLUSIVE }, }; static void parse_gpg_output(struct signature_check *sigc) { const char *buf = sigc->gpg_status; + const char *line, *next; int i; - - /* Iterate over all search strings */ - for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { - const char *found, *next; - - if (!skip_prefix(buf, sigcheck_gpg_status[i].check + 1, &found)) { - found = strstr(buf, sigcheck_gpg_status[i].check); - if (!found) - continue; - found += strlen(sigcheck_gpg_status[i].check); - } - sigc->result = sigcheck_gpg_status[i].result; - /* The trust messages are not followed by key/signer information */ - if (sigc->result != 'U') { - next = strchrnul(found, ' '); - sigc->key = xmemdupz(found, next - found); - /* The ERRSIG message is not followed by signer information */ - if (*next && sigc-> result != 'E') { - found = next + 1; - next = strchrnul(found, '\n'); - sigc->signer = xmemdupz(found, next - found); + int had_exclusive_status = 0; + + /* Iterate over all lines */ + for (line = buf; *line; line = strchrnul(line+1, '\n')) { + while (*line == '\n') + line++; + /* Skip lines that don't start with GNUPG status */ + if (strncmp(line, "[GNUPG:] ", 9)) + continue; + line += 9; + + /* Iterate over all search strings */ + for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { + if (!strncmp(line, sigcheck_gpg_status[i].check, + strlen(sigcheck_gpg_status[i].check))) { + line += strlen(sigcheck_gpg_status[i].check); + + if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) + had_exclusive_status++; + + sigc->result = sigcheck_gpg_status[i].result; + /* The trust messages are not followed by key/signer information */ + if (sigc->result != 'U') { + next = strchrnul(line, ' '); + free(sigc->key); + sigc->key = xmemdupz(line, next - line); + /* The ERRSIG message is not followed by signer information */ + if (*next && sigc->result != 'E') { + line = next + 1; + next = strchrnul(line, '\n'); + free(sigc->signer); + sigc->signer = xmemdupz(line, next - line); + } + } + + break; } } } + + /* + * GOODSIG, BADSIG etc. can occur only once for each signature. + * Therefore, if we had more than one then we're dealing with multiple + * signatures. We don't support them currently, and they're rather + * hard to create, so something is likely fishy and we should reject + * them altogether. + */ + if (had_exclusive_status > 1) { + sigc->result = 'E'; + /* Clear partial data to avoid confusion */ + if (sigc->signer) + FREE_AND_NULL(sigc->signer); + if (sigc->key) + FREE_AND_NULL(sigc->key); + } } int check_signature(const char *payload, size_t plen, const char *signature, diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh index 4e37ff8f1..180f0be91 100755 --- a/t/t7510-signed-commit.sh +++ b/t/t7510-signed-commit.sh @@ -234,4 +234,30 @@ test_expect_success GPG 'check config gpg.format values' ' test_must_fail git commit -S --amend -m "fail" ' +test_expect_success GPG 'detect fudged commit with double signature' ' + sed -e "/gpgsig/,/END PGP/d" forged1 >double-base && + sed -n -e "/gpgsig/,/END PGP/p" forged1 | \ + sed -e "s/^gpgsig//;s/^ //" | gpg --dearmor >double-sig1.sig && + gpg -o double-sig2.sig -u 29472784 --detach-sign double-base && + cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc && + sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/gpgsig /;2,\$s/^/ /" \ + double-combined.asc > double-gpgsig && + sed -e "/committer/r double-gpgsig" double-base >double-commit && + git hash-object -w -t commit double-commit >double-commit.commit && + test_must_fail git verify-commit $(cat double-commit.commit) && + git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual && + grep "BAD signature from" double-actual && + grep "Good signature from" double-actual +' + +test_expect_success GPG 'show double signature with custom format' ' + cat >expect <<-\EOF && + E + + + EOF + git log -1 --format="%G?%n%GK%n%GS" $(cat double-commit.commit) >actual && + test_cmp expect actual +' + test_done
GnuPG supports creating signatures consisting of multiple signature packets. If such a signature is verified, it outputs all the status messages for each signature separately. However, git currently does not account for such scenario and gets terribly confused over getting multiple *SIG statuses. For example, if a malicious party alters a signed commit and appends a new untrusted signature, git is going to ignore the original bad signature and report untrusted commit instead. However, %GK and %GS format strings may still expand to the data corresponding to the original signature, potentially tricking the scripts into trusting the malicious commit. Given that the use of multiple signatures is quite rare, git does not support creating them without jumping through a few hoops, and finally supporting them properly would require extensive API improvement, it seems reasonable to just reject them at the moment. Signed-off-by: Michał Górny <mgorny@gentoo.org> --- gpg-interface.c | 94 +++++++++++++++++++++++++++------------- t/t7510-signed-commit.sh | 26 +++++++++++ 2 files changed, 91 insertions(+), 29 deletions(-) Changes in v3: reworked the whole loop to iterate over lines rather than scanning the whole buffer, as requested. Now it also catches duplicate instances of the same status.