From: Junio C Hamano <gitster@pobox.com>
To: Fabian Stelzer <fs@gigacodes.de>
Cc: Jeff King <peff@peff.net>,
Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
Johannes Schindelin <johannes.schindelin@gmx.de>,
pedro martelletto <pedro@yubico.com>,
Damien Miller <djm@mindrot.org>
Subject: Re: [PATCH] gpg-interface: trim CR from ssh-keygen -Y find-principals
Date: Sat, 04 Dec 2021 21:50:38 -0800 [thread overview]
Message-ID: <xmqqk0gjob0x.fsf@gitster.g> (raw)
In-Reply-To: <20211204131149.cvyu7dvf6p66dotq@fs> (Fabian Stelzer's message of "Sat, 4 Dec 2021 14:11:49 +0100")
Fabian Stelzer <fs@gigacodes.de> writes:
> On 03.12.2021 10:58, Jeff King wrote:
>>On Fri, Dec 03, 2021 at 01:31:16PM +0000, Johannes Schindelin via GitGitGadget wrote:
>>
>>> We need to trim \r from the output of 'ssh-keygen -Y find-principals' on
>>> Windows, or we end up calling 'ssh-keygen -Y verify' with a bogus signer
>>> identity. ssh-keygen.c:2841 contains a call to puts(3), which confirms this
>>> hypothesis. Signature verification passes with the fix.
>>> [...]
>>> @@ -497,7 +497,7 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc,
>>> if (!*line)
>>> break;
>>>
>>> - trust_size = strcspn(line, "\n");
>>> + trust_size = strcspn(line, "\r\n");
>>> principal = xmemdupz(line, trust_size);
>>
>>Just playing devil's advocate for a moment: this parsing is kind of
>>loose. Is there any chance that I could smuggle a CR into my principal
>>name, and make "a principal\rthat is fake" now get parsed as "a
>>principal"? Our strcspn() here would cut off at the first CR.
>>
>>I'm guessing probably not, but when it comes to something with security
>>implications like this, it pays to be extra careful. I'm hoping somebody
>>familiar with the ssh-keygen side and how the rest of the parsing works
>>(like Fabian) can verify that this is OK.
>>
>
> A good point. I just tested this and CR is a valid character to use in
> a principal name in the allowed signers file and as of now the
> principal will be passed to the verify call `as is` and everything
> works just fine. When we introduce the patch above a principal with a
> CR in it will fail to verify.
>
> I've added Damien Miller to this thread. He knows more about what the
> expected behaviour for the principal would/should be. I think at the
> moment almost everything except \n or \0 goes. Maybe restricting \r as
> well would make life easier for other uses too?
>
> From a security perspective I don't think this is problem. The
> principal does not come from any user input but is actually looked up
> in the allowed signers file using the signatures public key (with
> ssh-keygen -Y find-principals). If I could manipulate this file I
> could change the key as well.
>
> If we add `trust on first use` in a future series I would assume we
> use the email address from the commit/tag author ident when adding a
> new principal to the file. Can the ident contain a CR?
> Even if it did, I would only allow a list of allowed alphanumeric
> chars to be added anyway since a principal can contain wildcards which
> we obviously don't want to trust on first use ;).
So instead of the posted patch, we should do something along this
line instead?
trust_size = strcspn(line, "\n"); /* truncate at LF */
if (trust_size && line[trust_size - 1] == '\r')
trust_size--; /* the LF was part of CRLF at the end */
next prev parent reply other threads:[~2021-12-05 5:50 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-03 13:31 [PATCH] gpg-interface: trim CR from ssh-keygen -Y find-principals Johannes Schindelin via GitGitGadget
2021-12-03 14:18 ` Fabian Stelzer
2021-12-03 15:58 ` Jeff King
2021-12-04 13:11 ` Fabian Stelzer
2021-12-05 5:50 ` Junio C Hamano [this message]
[not found] ` <CABPYr=y+sDDko9zPxQTOM6Tz4E7CafH7hJc6oB1zv7XYA9KH1A@mail.gmail.com>
2021-12-09 16:33 ` Fabian Stelzer
[not found] ` <CABPYr=xfotWvTQK9k1eKHa0kP4SsB=TKKuM0d8cpMb5BtuUZLA@mail.gmail.com>
2021-12-09 17:20 ` Fabian Stelzer
2021-12-30 10:25 ` Fabian Stelzer
2021-12-05 23:06 ` Damien Miller
2021-12-06 8:39 ` Fabian Stelzer
2022-01-03 9:53 ` [PATCH v2] gpg-interface: trim CR from ssh-keygen Fabian Stelzer
2022-01-03 17:17 ` Eric Sunshine
2022-01-03 23:34 ` Junio C Hamano
2022-01-04 0:41 ` Eric Sunshine
2022-01-04 1:19 ` Junio C Hamano
2022-01-04 3:06 ` Eric Sunshine
2022-01-04 12:55 ` Fabian Stelzer
2022-01-04 19:33 ` Junio C Hamano
2022-01-05 7:09 ` Eric Sunshine
2022-01-05 10:36 ` Fabian Stelzer
2022-01-05 20:40 ` Junio C Hamano
2022-01-06 10:26 ` Fabian Stelzer
2022-01-06 17:50 ` Junio C Hamano
2022-01-09 20:49 ` Eric Sunshine
2022-01-10 12:28 ` Fabian Stelzer
2022-01-07 9:07 ` [PATCH v3] " Fabian Stelzer
2022-01-09 21:37 ` Eric Sunshine
2022-01-10 12:59 ` Fabian Stelzer
2022-01-10 17:51 ` Junio C Hamano
2022-01-10 17:03 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqk0gjob0x.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=djm@mindrot.org \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=johannes.schindelin@gmx.de \
--cc=pedro@yubico.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.