From d96f17b02d0690879538a836739153154682ff70 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 14 Feb 2013 00:00:00 +0000
Subject: [PATCH] When decrypting or verifying the master key, check input type

We rely on gpg to exit with success, but we also check the status output to verify that the expected action (decrypt with privkey or verify) was performed.
---
 git-remote-gcrypt | 45 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/git-remote-gcrypt b/git-remote-gcrypt
index dd5fff0..7f8df61 100755
--- a/git-remote-gcrypt
+++ b/git-remote-gcrypt
@@ -164,6 +164,14 @@ ENCRYPT()
 		--passphrase-fd 0 --output - -c /dev/fd/3) 3<&0
 }
 
+DECRYPT()
+{
+	(printf "%s" "$MASTERKEY" | \
+		gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
+		--keyring /dev/null \
+		--passphrase-fd 0 --output - -d /dev/fd/3) 3<&0
+}
+
 CLEARSIGN()
 {
 	if [ "$CONF_SIGN_MANIFEST" = "true" ]
@@ -175,20 +183,28 @@ CLEARSIGN()
 	fi
 }
 
-CHECKSIGN()
+# Require both gpg success and status word $1
+gpg_check_status()
 {
-	gpg -q --batch --no-default-keyring \
+	local STATUS
+	local ARG
+	ARG=$1 ; shift;
+	STATUS=$(gpg --status-fd 3 "$@" 3>&1 1>&4) 4>&1 &&
+	printf "%s" "$STATUS" | grep "^\[GNUPG:\] $ARG " >/dev/null
+}
+
+VERIFYSIGN()
+{
+	gpg_check_status "GOODSIG" -q --batch --no-default-keyring \
 		--secret-keyring /dev/null --keyring "$CONF_KEYRING" -d
 }
 
-DECRYPT()
+PRIVDECRYPT()
 {
-	(printf "%s" "$MASTERKEY" | \
-		gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
-		--keyring /dev/null \
-		--passphrase-fd 0 --output - -d /dev/fd/3) 3<&0
+	gpg_check_status "ENC_TO" -q -d
 }
 
+
 # Append $2 to $1 with a newline separator
 append()
 {
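Review bot: DECRYPT still accepts whatever makes gpg exit 0, while the sibling decrypt/verify paths in this patch are tightened with a status-word check; `gpg -d` will happily pass through an unencrypted literal or signed-only packet with status 0, so consider routing this path through the new helper too, e.g. `gpg_check_status "DECRYPTION_OKAY" -q --batch --no-default-keyring --secret-keyring /dev/null --keyring /dev/null --passphrase-fd 0 --output - -d /dev/fd/3` in place of the bare gpg call. The empty keyrings are what keep a public-key-encrypted payload from being accepted here; newer GnuPG releases treat `--secret-keyring` as obsolete and ignore it, so that isolation is version-dependent and should not be the only barrier (hedged — depends on the gpg versions you target). The function body is moved rather than changed, so this is about the gap the patch leaves, not what it alters.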
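Review bot: gpg_check_status passes as soon as the status word appears anywhere in the captured `--status-fd` stream, and with `-d` gpg processes every packet in its input, so an unsigned literal packet appended after a validly signed one would still produce a GOODSIG while all of the data is written through fd 4 to the caller (hedged: behaviour with concatenated input varies across gpg versions). If that matters for the manifest and master-key consumers, consider tightening the check, for instance by also requiring exactly one `PLAINTEXT` status line, or document the assumption with `# assumes the input is a single signed/encrypted message; trailing packets are not rejected`. Smaller points: `grep ... >/dev/null` can be `grep -q`, `ARG=$1 ; shift;` carries a stray `;`, and `$ARG` is interpolated into the grep regex, which is fine for the two literal callers but deserves a comment such as `# $1 must be a literal status keyword; it is used unescaped as a regex`.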
@@ -239,12 +255,19 @@ make_new_repo()
 
 get_masterkey()
 {
+	# The master key and its clearsigned versions are safe to keep
+	# as text in variables
+	local MASTERKEYDEC
 	TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
 	trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
 	GET "$URL" masterkey 2>/dev/null > "$TMPMASTERKEY_ENC" || return 0
+	MASTERKEYDEC=$(PRIVDECRYPT < "$TMPMASTERKEY_ENC") || {
+		echo_info "Decryption of master key failed!"
+		exit 1
+	}
 	echo_info "Verifying master key signature"
-	gpg -q -d < "$TMPMASTERKEY_ENC" | CHECKSIGN || {
-		echo_info "Opening of master key failed!"
+	printf "%s" "$MASTERKEYDEC" | VERIFYSIGN || {
+		echo_info "Failed to verify master key signature!"
 		echo_info "Using keyring $CONF_KEYRING"
 		if [ "$CONF_KEYRING" = "/dev/null" ] ; then
 			echo_info "Please configure gcrypt.keyring"
@@ -286,8 +309,8 @@ ensure_connected()
 	then
 		# Use gpg to verify and strip the signature
 		echo_info "Verifying manifest signature"
-		STRIPDATA="$(printf "%s" "$MANIFESTDATA" | CHECKSIGN || {
-			echo_info "WARNING: Failed to verify signature from $URL"
+		STRIPDATA="$(printf "%s" "$MANIFESTDATA" | VERIFYSIGN || {
+			echo_info "WARNING: Failed to verify manifest signature"
 			echo_info "WARNING: Using keyring $CONF_KEYRING"
 			if [ "$CONF_KEYRING" = "/dev/null" ] ; then
 				echo_info "WARNING: Please configure gcrypt.keyring"
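Review bot: On the signature-failure branch the decrypted but unverified key stays in MASTERKEYDEC; anyone can craft a blob that PRIVDECRYPT accepts by encrypting arbitrary text to the user's public key, so VERIFYSIGN is the only step separating a genuine master key from an attacker-supplied one, and the remainder of get_masterkey (which runs past the end of this hunk) must never fall back to that variable. Clearing it as the first statement of the failure block, `MASTERKEYDEC=`, makes that invariant local to this code instead of depending on whatever the callers do. The new decryption-failure path uses `exit 1` while the preceding `GET` failure uses `return 0`; that asymmetry is presumably deliberate and worth a one-line comment such as `# absent master key is not an error; one we cannot decrypt is fatal`.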
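Review bot: The reworded warning drops `$URL` from the message, so a user with several gcrypt remotes can no longer tell from the log which remote's manifest failed verification; `echo_info "WARNING: Failed to verify manifest signature from $URL"` keeps the new wording and the context. The `STRIPDATA` command substitution and its `|| {` block continue past the end of the hunk, so whether an unverifiable manifest is still used afterwards is not visible here.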