2 * gpg_agent.c: GPG Agent provider for SVN_AUTH_CRED_*
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
21 * ====================================================================
24 /* ==================================================================== */
26 /* This auth provider stores a plaintext password in memory managed by
27 * a running gpg-agent. In contrast to other password store providers
28 * it does not save the password to disk.
30 * Prompting is performed by the gpg-agent using a "pinentry" program
31 * which needs to be installed separately. There are several pinentry
32 * implementations with different front-ends (e.g. qt, gtk, ncurses).
34 * The gpg-agent will let the password time out after a while,
35 * or immediately when it receives the SIGHUP signal.
36 * When the password has timed out it will automatically prompt the
37 * user for the password again. This is transparent to Subversion.
39 * SECURITY CONSIDERATIONS:
41 * Communication to the agent happens over a UNIX socket, which is located
42 * in a directory which only the user running Subversion can access.
43 * However, any program the user runs could access this socket and get
44 * the Subversion password if the program knows the "cache ID" Subversion
45 * uses for the password.
46 * The cache ID is very easy to obtain for programs running as the same user.
47 * Subversion uses the MD5 of the realmstring as cache ID, and these checksums
48 * are also used as filenames within ~/.subversion/auth/svn.simple.
49 * Unlike GNOME Keyring or KDE Wallet, the user is not prompted for
50 * permission if another program attempts to access the password.
52 * Therefore, while the gpg-agent is running and has the password cached,
53 * this provider is no more secure than a file storing the password in
64 #include <sys/socket.h>
67 #include <apr_pools.h>
69 #include "svn_config.h"
70 #include "svn_error.h"
71 #include "svn_pools.h"
72 #include "svn_cmdline.h"
73 #include "svn_checksum.h"
74 #include "svn_string.h"
77 #include "svn_dirent_uri.h"
80 #include "private/svn_auth_private.h"
82 #include "svn_private_config.h"
84 #ifdef SVN_HAVE_GPG_AGENT
86 #define BUFFER_SIZE 1024
87 #define ATTEMPT_PARAMETER "svn.simple.gpg_agent.attempt"
89 /* Modify STR in-place such that blanks are escaped as required by the
90 * gpg-agent protocol. Return a pointer to STR. */
92 escape_blanks(char *str)
106 /* Generate the string CACHE_ID_P based on the REALMSTRING allocated in
107 * RESULT_POOL using SCRATCH_POOL for temporary allocations. This is similar
108 * to other password caching mechanisms. */
110 get_cache_id(const char **cache_id_p, const char *realmstring,
111 apr_pool_t *result_pool, apr_pool_t *scratch_pool)
113 const char *cache_id = NULL;
114 svn_checksum_t *digest = NULL;
116 SVN_ERR(svn_checksum(&digest, svn_checksum_md5, realmstring,
117 strlen(realmstring), scratch_pool));
118 cache_id = svn_checksum_to_cstring(digest, result_pool);
119 *cache_id_p = cache_id;
124 /* Attempt to read a gpg-agent response message from the socket SD into
125 * buffer BUF. Buf is assumed to be N bytes large. Return TRUE if a response
126 * message could be read that fits into the buffer. Else return FALSE.
127 * If a message could be read it will always be NUL-terminated and the
128 * trailing newline is retained. */
130 receive_from_gpg_agent(int sd, char *buf, size_t n)
136 /* Clear existing buffer content before reading response. */
140 /* Require the message to fit into the buffer and be terminated
144 recvd = read(sd, &c, 1);
149 if (i < n && c == '\n')
159 /* Using socket SD, send the option OPTION with the specified VALUE
160 * to the gpg agent. Store the response in BUF, assumed to be N bytes
161 * in size, and evaluate the response. Return TRUE if the agent liked
162 * the smell of the option, if there is such a thing, and doesn't feel
163 * saturated by it. Else return FALSE.
164 * Do temporary allocations in scratch_pool. */
166 send_option(int sd, char *buf, size_t n, const char *option, const char *value,
167 apr_pool_t *scratch_pool)
171 request = apr_psprintf(scratch_pool, "OPTION %s=%s\n", option, value);
173 if (write(sd, request, strlen(request)) == -1)
176 if (!receive_from_gpg_agent(sd, buf, n))
179 return (strncmp(buf, "OK", 2) == 0);
182 /* Send the BYE command and disconnect from the gpg-agent. Doing this avoids
183 * gpg-agent emitting a "Connection reset by peer" log message with some
184 * versions of gpg-agent. */
186 bye_gpg_agent(int sd)
188 /* don't bother to check the result of the write, it either worked or it
189 * didn't, but either way we're closing. */
190 write(sd, "BYE\n", 4);
194 /* Locate a running GPG Agent, and return an open file descriptor
195 * for communication with the agent in *NEW_SD. If no running agent
196 * can be found, set *NEW_SD to -1. */
198 find_running_gpg_agent(int *new_sd, apr_pool_t *pool)
201 char *gpg_agent_info = NULL;
202 const char *socket_name = NULL;
203 const char *request = NULL;
204 const char *p = NULL;
210 /* This implements the method of finding the socket as described in
211 * the gpg-agent man page under the --use-standard-socket option.
212 * The manage page misleadingly says the standard socket is
213 * "named 'S.gpg-agent' located in the home directory." The standard
214 * socket path is actually in the .gnupg directory in the home directory,
215 * i.e. ~/.gnupg/S.gpg-agent */
216 gpg_agent_info = getenv("GPG_AGENT_INFO");
217 if (gpg_agent_info != NULL)
219 apr_array_header_t *socket_details;
221 /* For reference GPG_AGENT_INFO consists of 3 : separated fields.
222 * The path to the socket, the pid of the gpg-agent process and
223 * finally the version of the protocol the agent talks. */
224 socket_details = svn_cstring_split(gpg_agent_info, ":", TRUE,
226 socket_name = APR_ARRAY_IDX(socket_details, 0, const char *);
230 const char *homedir = svn_user_get_homedir(pool);
235 homedir = svn_dirent_canonicalize(homedir, pool);
236 socket_name = svn_dirent_join_many(pool, homedir, ".gnupg",
237 "S.gpg-agent", SVN_VA_NULL);
240 if (socket_name != NULL)
242 struct sockaddr_un addr;
244 addr.sun_family = AF_UNIX;
245 strncpy(addr.sun_path, socket_name, sizeof(addr.sun_path) - 1);
246 addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
248 sd = socket(AF_UNIX, SOCK_STREAM, 0);
252 if (connect(sd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
261 /* Receive the connection status from the gpg-agent daemon. */
262 buffer = apr_palloc(pool, BUFFER_SIZE);
263 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
269 if (strncmp(buffer, "OK", 2) != 0)
275 /* The GPG-Agent documentation says:
276 * "Clients should deny to access an agent with a socket name which does
277 * not match its own configuration". */
278 request = "GETINFO socket_name\n";
279 if (write(sd, request, strlen(request)) == -1)
284 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
289 if (strncmp(buffer, "D", 1) == 0)
296 ep = strchr(p, '\n');
299 if (strcmp(socket_name, p) != 0)
304 /* The agent will terminate its response with "OK". */
305 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
310 if (strncmp(buffer, "OK", 2) != 0)
321 send_options(int sd, char *buf, size_t n, apr_pool_t *scratch_pool)
323 const char *tty_name;
324 const char *tty_type;
325 const char *lc_ctype;
328 /* Send TTY_NAME to the gpg-agent daemon. */
329 tty_name = getenv("GPG_TTY");
330 if (tty_name != NULL)
332 if (!send_option(sd, buf, n, "ttyname", tty_name, scratch_pool))
336 /* Send TTY_TYPE to the gpg-agent daemon. */
337 tty_type = getenv("TERM");
338 if (tty_type != NULL)
340 if (!send_option(sd, buf, n, "ttytype", tty_type, scratch_pool))
344 /* Compute LC_CTYPE. */
345 lc_ctype = getenv("LC_ALL");
346 if (lc_ctype == NULL)
347 lc_ctype = getenv("LC_CTYPE");
348 if (lc_ctype == NULL)
349 lc_ctype = getenv("LANG");
351 /* Send LC_CTYPE to the gpg-agent daemon. */
352 if (lc_ctype != NULL)
354 if (!send_option(sd, buf, n, "lc-ctype", lc_ctype, scratch_pool))
358 /* Send DISPLAY to the gpg-agent daemon. */
359 display = getenv("DISPLAY");
362 if (!send_option(sd, buf, n, "display", display, scratch_pool))
369 /* Implementation of svn_auth__password_get_t that retrieves the password
372 password_get_gpg_agent(svn_boolean_t *done,
373 const char **password,
375 const char *realmstring,
376 const char *username,
377 apr_hash_t *parameters,
378 svn_boolean_t non_interactive,
382 const char *p = NULL;
385 const char *request = NULL;
386 const char *cache_id = NULL;
387 char *password_prompt;
394 attempt = svn_hash_gets(parameters, ATTEMPT_PARAMETER);
396 SVN_ERR(find_running_gpg_agent(&sd, pool));
400 buffer = apr_palloc(pool, BUFFER_SIZE);
402 if (!send_options(sd, buffer, BUFFER_SIZE, pool))
408 SVN_ERR(get_cache_id(&cache_id, realmstring, pool, pool));
410 password_prompt = apr_psprintf(pool, _("Password for '%s': "), username);
411 realm_prompt = apr_psprintf(pool, _("Enter your Subversion password for %s"),
414 /* X means no error to the gpg-agent protocol */
415 error_prompt = apr_pstrdup(pool, "X");
417 error_prompt = apr_pstrdup(pool, _("Authentication failed"));
419 request = apr_psprintf(pool,
420 "GET_PASSPHRASE --data %s"
422 non_interactive ? "--no-ask " : "",
424 escape_blanks(error_prompt),
425 escape_blanks(password_prompt),
426 escape_blanks(realm_prompt));
428 if (write(sd, request, strlen(request)) == -1)
433 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
441 if (strncmp(buffer, "ERR", 3) == 0)
445 if (strncmp(buffer, "D", 1) == 0)
451 ep = strchr(p, '\n');
462 /* Implementation of svn_auth__password_set_t that would store the
463 password in GPG Agent if that's how this particular integration
464 worked. But it isn't. GPG Agent stores the password provided by
465 the user via the pinentry program immediately upon its provision
466 (and regardless of its accuracy as passwords go), so we just need
467 to check if a running GPG Agent exists. */
469 password_set_gpg_agent(svn_boolean_t *done,
471 const char *realmstring,
472 const char *username,
473 const char *password,
474 apr_hash_t *parameters,
475 svn_boolean_t non_interactive,
482 SVN_ERR(find_running_gpg_agent(&sd, pool));
493 /* An implementation of svn_auth_provider_t::first_credentials() */
495 simple_gpg_agent_first_creds(void **credentials,
497 void *provider_baton,
498 apr_hash_t *parameters,
499 const char *realmstring,
503 int *attempt = apr_palloc(pool, sizeof(*attempt));
506 svn_hash_sets(parameters, ATTEMPT_PARAMETER, attempt);
507 err = svn_auth__simple_creds_cache_get(credentials, iter_baton,
508 provider_baton, parameters,
509 realmstring, password_get_gpg_agent,
510 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
512 *iter_baton = attempt;
517 /* An implementation of svn_auth_provider_t::next_credentials() */
519 simple_gpg_agent_next_creds(void **credentials,
521 void *provider_baton,
522 apr_hash_t *parameters,
523 const char *realmstring,
526 int *attempt = (int *)iter_baton;
529 const char *cache_id = NULL;
530 const char *request = NULL;
534 /* The users previous credentials failed so first remove the cached entry,
535 * before trying to retrieve them again. Because gpg-agent stores cached
536 * credentials immediately upon retrieving them, this gives us the
537 * opportunity to remove the invalid credentials and prompt the
538 * user again. While it's possible that server side issues could trigger
539 * this, this cache is ephemeral so at worst we're just speeding up
540 * when the user would need to re-enter their password. */
542 if (svn_hash_gets(parameters, SVN_AUTH_PARAM_NON_INTERACTIVE))
544 /* In this case since we're running non-interactively we do not
545 * want to clear the cache since the user was never prompted by
546 * gpg-agent to set a password. */
550 *attempt = *attempt + 1;
552 SVN_ERR(find_running_gpg_agent(&sd, pool));
556 buffer = apr_palloc(pool, BUFFER_SIZE);
558 if (!send_options(sd, buffer, BUFFER_SIZE, pool))
564 SVN_ERR(get_cache_id(&cache_id, realmstring, pool, pool));
566 request = apr_psprintf(pool, "CLEAR_PASSPHRASE %s\n", cache_id);
568 if (write(sd, request, strlen(request)) == -1)
574 if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE))
580 if (strncmp(buffer, "OK\n", 3) != 0)
586 /* TODO: This attempt limit hard codes it at 3 attempts (or 2 retries)
587 * which matches svn command line client's retry_limit as set in
588 * svn_cmdline_create_auth_baton(). It would be nice to have that
589 * limit reflected here but that violates the boundry between the
590 * prompt provider and the cache provider. gpg-agent is acting as
591 * both here due to the peculiarties of their design so we'll have to
592 * live with this for now. Note that when these failures get exceeded
593 * it'll eventually fall back on the retry limits of whatever prompt
594 * provider is in effect, so this effectively doubles the limit. */
596 return svn_auth__simple_creds_cache_get(credentials, &iter_baton,
597 provider_baton, parameters,
599 password_get_gpg_agent,
600 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
607 /* An implementation of svn_auth_provider_t::save_credentials() */
609 simple_gpg_agent_save_creds(svn_boolean_t *saved,
611 void *provider_baton,
612 apr_hash_t *parameters,
613 const char *realmstring,
616 return svn_auth__simple_creds_cache_set(saved, credentials,
617 provider_baton, parameters,
618 realmstring, password_set_gpg_agent,
619 SVN_AUTH__GPG_AGENT_PASSWORD_TYPE,
624 static const svn_auth_provider_t gpg_agent_simple_provider = {
625 SVN_AUTH_CRED_SIMPLE,
626 simple_gpg_agent_first_creds,
627 simple_gpg_agent_next_creds,
628 simple_gpg_agent_save_creds
634 svn_auth__get_gpg_agent_simple_provider(svn_auth_provider_object_t **provider,
637 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
639 po->vtable = &gpg_agent_simple_provider;
643 #endif /* SVN_HAVE_GPG_AGENT */