summaryrefslogtreecommitdiff
path: root/send-pack.c
diff options
context:
space:
mode:
authorJunio C Hamano <gitster@pobox.com>2014-08-21 16:45:30 -0700
committerJunio C Hamano <gitster@pobox.com>2014-09-17 14:27:40 -0700
commitb89363e4a5277038629491f8765c0598f366326c (patch)
tree254c02373450167a86f33afdeac9cd851859ca00 /send-pack.c
parent9be89160e7382a88e56a02bcf38f4694dd6542d6 (diff)
downloadgit-b89363e4a5277038629491f8765c0598f366326c.tar.gz
signed push: fortify against replay attacks
In order to prevent a valid push certificate for pushing into an repository from getting replayed in a different push operation, send a nonce string from the receive-pack process and have the signer include it in the push certificate. The receiving end uses an HMAC hash of the path to the repository it serves and the current time stamp, hashed with a secret seed (the secret seed does not have to be per-repository but can be defined in /etc/gitconfig) to generate the nonce, in order to ensure that a random third party cannot forge a nonce that looks like it originated from it. The original nonce is exported as GIT_PUSH_CERT_NONCE for the hooks to examine and match against the value on the "nonce" header in the certificate to notice a replay, but returned "nonce" header in the push certificate is examined by receive-pack and the result is exported as GIT_PUSH_CERT_NONCE_STATUS, whose value would be "OK" if the nonce recorded in the certificate matches what we expect, so that the hooks can more easily check. Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'send-pack.c')
-rw-r--r--send-pack.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/send-pack.c b/send-pack.c
index 9c2c64966d..7ad1a5968b 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -228,7 +228,8 @@ static const char *next_line(const char *line, size_t len)
static int generate_push_cert(struct strbuf *req_buf,
const struct ref *remote_refs,
struct send_pack_args *args,
- const char *cap_string)
+ const char *cap_string,
+ const char *push_cert_nonce)
{
const struct ref *ref;
char stamp[60];
@@ -245,6 +246,8 @@ static int generate_push_cert(struct strbuf *req_buf,
strbuf_addf(&cert, "pushee %s\n", anon_url);
free(anon_url);
}
+ if (push_cert_nonce[0])
+ strbuf_addf(&cert, "nonce %s\n", push_cert_nonce);
strbuf_addstr(&cert, "\n");
for (ref = remote_refs; ref; ref = ref->next) {
@@ -295,6 +298,7 @@ int send_pack(struct send_pack_args *args,
unsigned cmds_sent = 0;
int ret;
struct async demux;
+ const char *push_cert_nonce = NULL;
/* Does the other end support the reporting? */
if (server_supports("report-status"))
@@ -311,8 +315,14 @@ int send_pack(struct send_pack_args *args,
agent_supported = 1;
if (server_supports("no-thin"))
args->use_thin_pack = 0;
- if (args->push_cert && !server_supports("push-cert"))
- die(_("the receiving end does not support --signed push"));
+ if (args->push_cert) {
+ int len;
+
+ push_cert_nonce = server_feature_value("push-cert", &len);
+ if (!push_cert_nonce)
+ die(_("the receiving end does not support --signed push"));
+ push_cert_nonce = xmemdupz(push_cert_nonce, len);
+ }
if (!remote_refs) {
fprintf(stderr, "No refs in common and none specified; doing nothing.\n"
@@ -343,7 +353,7 @@ int send_pack(struct send_pack_args *args,
if (!args->dry_run && args->push_cert)
cmds_sent = generate_push_cert(&req_buf, remote_refs, args,
- cap_buf.buf);
+ cap_buf.buf, push_cert_nonce);
/*
* Clear the status for each ref and see if we need to send