2 * gpg_agent.c: GPG Agent provider for SVN_AUTH_CRED_*
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
21 * ====================================================================
24 /* ==================================================================== */
26 /* This auth provider stores a plaintext password in memory managed by
27 * a running gpg-agent. In contrast to other password store providers
28 * it does not save the password to disk.
30 * Prompting is performed by the gpg-agent using a "pinentry" program
31 * which needs to be installed separately. There are several pinentry
32 * implementations with different front-ends (e.g. qt, gtk, ncurses).
34 * The gpg-agent will let the password time out after a while,
35 * or immediately when it receives the SIGHUP signal.
36 * When the password has timed out it will automatically prompt the
37 * user for the password again. This is transparent to Subversion.
39 * SECURITY CONSIDERATIONS:
41 * Communication to the agent happens over a UNIX socket, which is located
42 * in a directory which only the user running Subversion can access.
43 * However, any program the user runs could access this socket and get
44 * the Subversion password if the program knows the "cache ID" Subversion
45 * uses for the password.
46 * The cache ID is very easy to obtain for programs running as the same user.
47 * Subversion uses the MD5 of the realmstring as cache ID, and these checksums
48 * are also used as filenames within ~/.subversion/auth/svn.simple.
49 * Unlike GNOME Keyring or KDE Wallet, the user is not prompted for
50 * permission if another program attempts to access the password.
52 * Therefore, while the gpg-agent is running and has the password cached,
53 * this provider is no more secure than a file storing the password in
64 #include <sys/socket.h>
67 #include <apr_pools.h>
68 #include <apr_strings.h>
71 #include "svn_config.h"
72 #include "svn_error.h"
74 #include "svn_pools.h"
75 #include "svn_cmdline.h"
76 #include "svn_checksum.h"
77 #include "svn_string.h"
80 #include "svn_dirent_uri.h"
83 #include "private/svn_auth_private.h"
85 #include "svn_private_config.h"
87 #ifdef SVN_HAVE_GPG_AGENT
89 #define BUFFER_SIZE 1024
90 #define ATTEMPT_PARAMETER "svn.simple.gpg_agent.attempt"
92 /* Modify STR in-place such that blanks are escaped as required by the
93 * gpg-agent protocol. Return a pointer to STR. */
95 escape_blanks(char *str)
109 #define is_hex(c) (((c) >= '0' && (c) <= '9') || ((c) >= 'A' && (c) <= 'F'))
110 #define hex_to_int(c) ((c) < '9' ? (c) - '0' : (c) - 'A' + 10)
112 /* Modify STR in-place. '%', CR and LF are always percent escaped,
113 other characters may be percent escaped, always using uppercase
114 hex, see https://www.gnupg.org/documentation/manuals/assuan.pdf */
116 unescape_assuan(char *str)
122 if (s[0] == '%' && is_hex(s[1]) && is_hex(s[2]))
125 char val = hex_to_int(s[1]) * 16 + hex_to_int(s[2]);
143 /* Generate the string CACHE_ID_P based on the REALMSTRING allocated in
144 * RESULT_POOL using SCRATCH_POOL for temporary allocations. This is similar
145 * to other password caching mechanisms. */
147 get_cache_id(const char **cache_id_p, const char *realmstring,
148 apr_pool_t *result_pool, apr_pool_t *scratch_pool)
150 const char *cache_id = NULL;
151 svn_checksum_t *digest = NULL;
153 SVN_ERR(svn_checksum(&digest, svn_checksum_md5, realmstring,
154 strlen(realmstring), scratch_pool));
155 cache_id = svn_checksum_to_cstring(digest, result_pool);
156 *cache_id_p = cache_id;
161 /* Attempt to read a gpg-agent response message from the socket SD into
162 * buffer BUF. Buf is assumed to be N bytes large. Return TRUE if a response
163 * message could be read that fits into the buffer. Else return FALSE.
164 * If a message could be read it will always be NUL-terminated and the
165 * trailing newline is retained. */
167 receive_from_gpg_agent(int sd, char *buf, size_t n)
173 /* Clear existing buffer content before reading response. */
177 /* Require the message to fit into the buffer and be terminated
181 recvd = read(sd, &c, 1);
186 if (i < n && c == '\n')
196 /* Using socket SD, send the option OPTION with the specified VALUE
197 * to the gpg agent. Store the response in BUF, assumed to be N bytes
198 * in size, and evaluate the response. Return TRUE if the agent liked
199 * the smell of the option, if there is such a thing, and doesn't feel
200 * saturated by it. Else return FALSE.
201 * Do temporary allocations in scratch_pool. */
203 send_option(int sd, char *buf, size_t n, const char *option, const char *value,
204 apr_pool_t *scratch_pool)
208 request = apr_psprintf(scratch_pool, "OPTION %s=%s\n", option, value);
210 if (write(sd, request, strlen(request)) == -1)
213 if (!receive_from_gpg_agent(sd, buf, n))
216 return (strncmp(buf, "OK", 2) == 0);
219 /* Send the BYE command and disconnect from the gpg-agent. Doing this avoids
220 * gpg-agent emitting a "Connection reset by peer" log message with some
221 * versions of gpg-agent. */
223 bye_gpg_agent(int sd)
225 /* don't bother to check the result of the write, it either worked or it
226 * didn't, but either way we're closing. */
227 write(sd, "BYE\n", 4);
231 /* This implements a method of finding the socket which is a mix of the
232 * description from GPG 1.x's gpg-agent man page under the
233 * --use-standard-socket option and the logic from GPG 2.x's socket discovery
234 * code in common/homedir.c.
236 * The man page says the standard socket is "named 'S.gpg-agent' located
237 * in the home directory." GPG's home directory is either the directory
238 * specified by $GNUPGHOME or ~/.gnupg. GPG >= 2.1.13 will check for a
239 * socket under (/var)/run/UID/gnupg before ~/.gnupg if no environment
242 * $GPG_AGENT_INFO takes precedence, if set, otherwise $GNUPGHOME will be
243 * used. For GPG >= 2.1.13, $GNUPGHOME will be used directly only if it
244 * refers to the canonical home -- ~/.gnupg. Otherwise, the path specified
245 * by $GNUPGHOME is hashed (SHA1 + z-base-32) and the socket is expected to
246 * be present under (/var)/run/UID/gnupg/d.HASH. This last mechanism is not
247 * yet supported here. */
249 find_gpg_agent_socket(apr_pool_t *result_pool, apr_pool_t *scratch_pool)
251 char *gpg_agent_info = NULL;
252 char *gnupghome = NULL;
253 const char *socket_name = NULL;
255 if ((gpg_agent_info = getenv("GPG_AGENT_INFO")) != NULL)
257 apr_array_header_t *socket_details;
259 /* For reference GPG_AGENT_INFO consists of 3 : separated fields.
260 * The path to the socket, the pid of the gpg-agent process and
261 * finally the version of the protocol the agent talks. */
262 socket_details = svn_cstring_split(gpg_agent_info, ":", TRUE,
264 socket_name = APR_ARRAY_IDX(socket_details, 0, const char *);
266 else if ((gnupghome = getenv("GNUPGHOME")) != NULL)
268 const char *homedir = svn_dirent_canonicalize(gnupghome, scratch_pool);
269 socket_name = svn_dirent_join(homedir, "S.gpg-agent", scratch_pool);
274 const char *maybe_socket[] = {NULL, NULL, NULL, NULL};
281 if (apr_uid_current(&uid, &gid, scratch_pool) == APR_SUCCESS)
283 const char *uidbuf = apr_psprintf(scratch_pool, "%lu",
285 maybe_socket[i++] = svn_dirent_join_many(scratch_pool, "/run/user",
289 maybe_socket[i++] = svn_dirent_join_many(scratch_pool,
297 homedir = svn_user_get_homedir(scratch_pool);
299 maybe_socket[i++] = svn_dirent_join_many(scratch_pool, homedir,
300 ".gnupg", "S.gpg-agent",
303 for (i = 0; !socket_name && maybe_socket[i]; i++)
306 svn_error_t *err = svn_io_stat(&finfo, maybe_socket[i],
307 APR_FINFO_TYPE, scratch_pool);
308 if (!err && finfo.filetype == APR_SOCK)
309 socket_name = maybe_socket[i];
310 svn_error_clear(err);
315 socket_name = apr_pstrdup(result_pool, socket_name);
320 /* Locate a running GPG Agent, and return an open file descriptor
321 * for communication with the agent in *NEW_SD. If no running agent
322 * can be found, set *NEW_SD to -1. */
324 find_running_gpg_agent(int *new_sd, apr_pool_t *pool)
327 const char *socket_name = find_gpg_agent_socket(pool, pool);
328 const char *request = NULL;
329 const char *p = NULL;
335 if (socket_name != NULL)
337 struct sockaddr_un addr;
339 addr.sun_family = AF_UNIX;
340 strncpy(addr.sun_path, socket_name, sizeof(addr.sun_path) - 1);
341 addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
343 sd = socket(AF_UNIX, SOCK_STREAM, 0);
347 if (connect(sd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
356 /* Receive the connection status from the gpg-agent daemon. */
357 buffer = apr_palloc(pool, BUFFER_SIZE);
358 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
364 if (strncmp(buffer, "OK", 2) != 0)
370 /* The GPG-Agent documentation says:
371 * "Clients should deny to access an agent with a socket name which does
372 * not match its own configuration". */
373 request = "GETINFO socket_name\n";
374 if (write(sd, request, strlen(request)) == -1)
379 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
384 if (strncmp(buffer, "D", 1) == 0)
391 ep = strchr(p, '\n');
394 if (strcmp(socket_name, p) != 0)
399 /* The agent will terminate its response with "OK". */
400 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
405 if (strncmp(buffer, "OK", 2) != 0)
416 send_options(int sd, char *buf, size_t n, apr_pool_t *scratch_pool)
418 const char *tty_name;
419 const char *tty_type;
420 const char *lc_ctype;
423 /* Send TTY_NAME to the gpg-agent daemon. */
424 tty_name = getenv("GPG_TTY");
425 if (tty_name != NULL)
427 if (!send_option(sd, buf, n, "ttyname", tty_name, scratch_pool))
431 /* Send TTY_TYPE to the gpg-agent daemon. */
432 tty_type = getenv("TERM");
433 if (tty_type != NULL)
435 if (!send_option(sd, buf, n, "ttytype", tty_type, scratch_pool))
439 /* Compute LC_CTYPE. */
440 lc_ctype = getenv("LC_ALL");
441 if (lc_ctype == NULL)
442 lc_ctype = getenv("LC_CTYPE");
443 if (lc_ctype == NULL)
444 lc_ctype = getenv("LANG");
446 /* Send LC_CTYPE to the gpg-agent daemon. */
447 if (lc_ctype != NULL)
449 if (!send_option(sd, buf, n, "lc-ctype", lc_ctype, scratch_pool))
453 /* Send DISPLAY to the gpg-agent daemon. */
454 display = getenv("DISPLAY");
457 if (!send_option(sd, buf, n, "display", display, scratch_pool))
464 /* Implementation of svn_auth__password_get_t that retrieves the password
467 password_get_gpg_agent(svn_boolean_t *done,
468 const char **password,
470 const char *realmstring,
471 const char *username,
472 apr_hash_t *parameters,
473 svn_boolean_t non_interactive,
480 const char *request = NULL;
481 const char *cache_id = NULL;
482 char *password_prompt;
489 attempt = svn_hash_gets(parameters, ATTEMPT_PARAMETER);
491 SVN_ERR(find_running_gpg_agent(&sd, pool));
495 buffer = apr_palloc(pool, BUFFER_SIZE);
497 if (!send_options(sd, buffer, BUFFER_SIZE, pool))
503 SVN_ERR(get_cache_id(&cache_id, realmstring, pool, pool));
505 password_prompt = apr_psprintf(pool, _("Password for '%s': "), username);
506 realm_prompt = apr_psprintf(pool, _("Enter your Subversion password for %s"),
509 /* X means no error to the gpg-agent protocol */
510 error_prompt = apr_pstrdup(pool, "X");
512 error_prompt = apr_pstrdup(pool, _("Authentication failed"));
514 request = apr_psprintf(pool,
515 "GET_PASSPHRASE --data %s"
517 non_interactive ? "--no-ask " : "",
519 escape_blanks(error_prompt),
520 escape_blanks(password_prompt),
521 escape_blanks(realm_prompt));
523 if (write(sd, request, strlen(request)) == -1)
528 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
536 if (strncmp(buffer, "ERR", 3) == 0)
540 if (strncmp(buffer, "D", 1) == 0)
546 ep = strchr(p, '\n');
550 *password = unescape_assuan(p);
557 /* Implementation of svn_auth__password_set_t that would store the
558 password in GPG Agent if that's how this particular integration
559 worked. But it isn't. GPG Agent stores the password provided by
560 the user via the pinentry program immediately upon its provision
561 (and regardless of its accuracy as passwords go), so we just need
562 to check if a running GPG Agent exists. */
564 password_set_gpg_agent(svn_boolean_t *done,
566 const char *realmstring,
567 const char *username,
568 const char *password,
569 apr_hash_t *parameters,
570 svn_boolean_t non_interactive,
577 SVN_ERR(find_running_gpg_agent(&sd, pool));
588 /* An implementation of svn_auth_provider_t::first_credentials() */
590 simple_gpg_agent_first_creds(void **credentials,
592 void *provider_baton,
593 apr_hash_t *parameters,
594 const char *realmstring,
598 int *attempt = apr_palloc(pool, sizeof(*attempt));
601 svn_hash_sets(parameters, ATTEMPT_PARAMETER, attempt);
602 err = svn_auth__simple_creds_cache_get(credentials, iter_baton,
603 provider_baton, parameters,
604 realmstring, password_get_gpg_agent,
605 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
607 *iter_baton = attempt;
612 /* An implementation of svn_auth_provider_t::next_credentials() */
614 simple_gpg_agent_next_creds(void **credentials,
616 void *provider_baton,
617 apr_hash_t *parameters,
618 const char *realmstring,
621 int *attempt = (int *)iter_baton;
624 const char *cache_id = NULL;
625 const char *request = NULL;
629 /* The users previous credentials failed so first remove the cached entry,
630 * before trying to retrieve them again. Because gpg-agent stores cached
631 * credentials immediately upon retrieving them, this gives us the
632 * opportunity to remove the invalid credentials and prompt the
633 * user again. While it's possible that server side issues could trigger
634 * this, this cache is ephemeral so at worst we're just speeding up
635 * when the user would need to re-enter their password. */
637 if (svn_hash_gets(parameters, SVN_AUTH_PARAM_NON_INTERACTIVE))
639 /* In this case since we're running non-interactively we do not
640 * want to clear the cache since the user was never prompted by
641 * gpg-agent to set a password. */
645 *attempt = *attempt + 1;
647 SVN_ERR(find_running_gpg_agent(&sd, pool));
651 buffer = apr_palloc(pool, BUFFER_SIZE);
653 if (!send_options(sd, buffer, BUFFER_SIZE, pool))
659 SVN_ERR(get_cache_id(&cache_id, realmstring, pool, pool));
661 request = apr_psprintf(pool, "CLEAR_PASSPHRASE %s\n", cache_id);
663 if (write(sd, request, strlen(request)) == -1)
669 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
677 if (strncmp(buffer, "OK\n", 3) != 0)
680 /* TODO: This attempt limit hard codes it at 3 attempts (or 2 retries)
681 * which matches svn command line client's retry_limit as set in
682 * svn_cmdline_create_auth_baton(). It would be nice to have that
683 * limit reflected here but that violates the boundry between the
684 * prompt provider and the cache provider. gpg-agent is acting as
685 * both here due to the peculiarties of their design so we'll have to
686 * live with this for now. Note that when these failures get exceeded
687 * it'll eventually fall back on the retry limits of whatever prompt
688 * provider is in effect, so this effectively doubles the limit. */
690 return svn_auth__simple_creds_cache_get(credentials, &iter_baton,
691 provider_baton, parameters,
693 password_get_gpg_agent,
694 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
701 /* An implementation of svn_auth_provider_t::save_credentials() */
703 simple_gpg_agent_save_creds(svn_boolean_t *saved,
705 void *provider_baton,
706 apr_hash_t *parameters,
707 const char *realmstring,
710 return svn_auth__simple_creds_cache_set(saved, credentials,
711 provider_baton, parameters,
712 realmstring, password_set_gpg_agent,
713 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
718 static const svn_auth_provider_t gpg_agent_simple_provider = {
719 SVN_AUTH_CRED_SIMPLE,
720 simple_gpg_agent_first_creds,
721 simple_gpg_agent_next_creds,
722 simple_gpg_agent_save_creds
728 svn_auth__get_gpg_agent_simple_provider(svn_auth_provider_object_t **provider,
731 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
733 po->vtable = &gpg_agent_simple_provider;
737 #endif /* SVN_HAVE_GPG_AGENT */