[tor-commits] [rbm/master] Bug 30480: Check that a signed tag object contains the expected tag name

[gk at torproject.org]

commit e04f03f9626e993bb66d7784d258f95ca07bc769
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Thu May 16 12:38:08 2019 +0200

    Bug 30480: Check that a signed tag object contains the expected tag name
    
    When checking the signature on a tag, we also need to check that the tag
    is really the expected tag in order to avoid rollback attacks.
    
    Thanks to Santiago Torres-Arias and Keving Gallagher from NYU for
    reporting and helping to fix this issue.
---
 lib/RBM.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/RBM.pm b/lib/RBM.pm
index 4416a0c..75912af 100644
--- a/lib/RBM.pm
+++ b/lib/RBM.pm
@@ -308,6 +308,16 @@ sub git_commit_sign_id {
     return gpg_get_fingerprint(@l);
 }
 
+sub git_get_signed_tagname {
+    foreach my $l (split(/\n/, $_[0])) {
+        # the tag message is separated from headers by an empty line, so we
+        # ignore anything after the first empty line
+        return '' unless $l;
+        return $1 if $l =~ m/^tag (.*)$/;
+    }
+    return '';
+}
+
 sub git_tag_sign_id {
     my ($project, $tag) = @_;
     my $w = set_git_gpg_wrapper($project);
@@ -315,6 +325,7 @@ sub git_tag_sign_id {
         = capture_exec('git', 'tag', '-v', $tag);
     unset_git_gpg_wrapper($w);
     return undef unless $success;
+    return undef unless git_get_signed_tagname($stdout) eq $tag;
     return gpg_get_fingerprint(split /\n/, $stderr);
 }