Google Git
Sign in
googlers / jrn / git / b89363e4a5277038629491f8765c0598f366326c
commitb89363e4a5277038629491f8765c0598f366326c[log] [tgz]
authorJunio C Hamano <gitster@pobox.com>Thu Aug 21 16:45:30 2014 -0700
committerJunio C Hamano <gitster@pobox.com>Wed Sep 17 14:27:40 2014 -0700
tree254c02373450167a86f33afdeac9cd851859ca00
parent9be89160e7382a88e56a02bcf38f4694dd6542d6 [diff]
signed push: fortify against replay attacks

In order to prevent a valid push certificate for pushing into an
repository from getting replayed in a different push operation, send
a nonce string from the receive-pack process and have the signer
include it in the push certificate.  The receiving end uses an HMAC
hash of the path to the repository it serves and the current time
stamp, hashed with a secret seed (the secret seed does not have to
be per-repository but can be defined in /etc/gitconfig) to generate
the nonce, in order to ensure that a random third party cannot forge
a nonce that looks like it originated from it.

The original nonce is exported as GIT_PUSH_CERT_NONCE for the hooks
to examine and match against the value on the "nonce" header in the
certificate to notice a replay, but returned "nonce" header in the
push certificate is examined by receive-pack and the result is
exported as GIT_PUSH_CERT_NONCE_STATUS, whose value would be "OK"
if the nonce recorded in the certificate matches what we expect, so
that the hooks can more easily check.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
7 files changed
tree: 254c02373450167a86f33afdeac9cd851859ca00
  1. block-sha1/
  2. builtin/
  3. compat/
  4. contrib/
  5. Documentation/
  6. ewah/
  7. git-gui/
  8. gitk-git/
  9. gitweb/
  10. mergetools/
  11. perl/
  12. po/
  13. ppc/
  14. t/
  15. templates/
  16. vcs-svn/
  17. xdiff/
  18. RelNotesDocumentation/RelNotes/2.1.0.txt
  19. .gitattributes
  20. .gitignore
  21. .mailmap
  22. abspath.c
  23. aclocal.m4
  24. advice.c
  25. advice.h
  26. alias.c
  27. alloc.c
  28. archive-tar.c
  29. archive-zip.c
  30. archive.c
  31. archive.h
  32. argv-array.c
  33. argv-array.h
  34. attr.c
  35. attr.h
  36. base85.c
  37. bisect.c
  38. bisect.h
  39. blob.c
  40. blob.h
  41. branch.c
  42. branch.h
  43. builtin.h
  44. bulk-checkin.c
  45. bulk-checkin.h
  46. bundle.c
  47. bundle.h
  48. cache-tree.c
  49. cache-tree.h
  50. cache.h
  51. check-builtins.sh
  52. check-racy.c
  53. check_bindir
  54. color.c
  55. color.h
  56. column.c
  57. column.h
  58. combine-diff.c
  59. command-list.txt
  60. commit-slab.h
  61. commit.c
  62. commit.h
  63. config.c
  64. config.mak.in
  65. config.mak.uname
  66. configure.ac
  67. connect.c
  68. connect.h
  69. connected.c
  70. connected.h
  71. convert.c
  72. convert.h
  73. copy.c
  74. COPYING
  75. credential-cache--daemon.c
  76. credential-cache.c
  77. credential-store.c
  78. credential.c
  79. credential.h
  80. csum-file.c
  81. csum-file.h
  82. ctype.c
  83. daemon.c
  84. date.c
  85. decorate.c
  86. decorate.h
  87. delta.h
  88. diff-delta.c
  89. diff-lib.c
  90. diff-no-index.c
  91. diff.c
  92. diff.h
  93. diffcore-break.c
  94. diffcore-delta.c
  95. diffcore-order.c
  96. diffcore-pickaxe.c
  97. diffcore-rename.c
  98. diffcore.h
  99. dir.c
  100. dir.h
  101. editor.c
  102. entry.c
  103. environment.c
  104. exec_cmd.c
  105. exec_cmd.h
  106. fast-import.c
  107. fetch-pack.c
  108. fetch-pack.h
  109. fmt-merge-msg.h
  110. fsck.c
  111. fsck.h
  112. generate-cmdlist.sh
  113. gettext.c
  114. gettext.h
  115. git-add--interactive.perl
  116. git-am.sh
  117. git-archimport.perl
  118. git-bisect.sh
  119. git-compat-util.h
  120. git-cvsexportcommit.perl
  121. git-cvsimport.perl
  122. git-cvsserver.perl
  123. git-difftool--helper.sh
  124. git-difftool.perl
  125. git-filter-branch.sh
  126. git-instaweb.sh
  127. git-merge-octopus.sh
  128. git-merge-one-file.sh
  129. git-merge-resolve.sh
  130. git-mergetool--lib.sh
  131. git-mergetool.sh
  132. git-p4.py
  133. git-parse-remote.sh
  134. git-pull.sh
  135. git-quiltimport.sh
  136. git-rebase--am.sh
  137. git-rebase--interactive.sh
  138. git-rebase--merge.sh
  139. git-rebase.sh
  140. git-relink.perl
  141. git-remote-testgit.sh
  142. git-request-pull.sh
  143. git-send-email.perl
  144. git-sh-i18n.sh
  145. git-sh-setup.sh
  146. git-stash.sh
  147. git-submodule.sh
  148. git-svn.perl
  149. GIT-VERSION-GEN
  150. git-web--browse.sh
  151. git.c
  152. git.rc
  153. git.spec.in
  154. gpg-interface.c
  155. gpg-interface.h
  156. graph.c
  157. graph.h
  158. grep.c
  159. grep.h
  160. hashmap.c
  161. hashmap.h
  162. help.c
  163. help.h
  164. hex.c
  165. http-backend.c
  166. http-fetch.c
  167. http-push.c
  168. http-walker.c
  169. http.c
  170. http.h
  171. ident.c
  172. imap-send.c
  173. INSTALL
  174. khash.h
  175. kwset.c
  176. kwset.h
  177. levenshtein.c
  178. levenshtein.h
  179. LGPL-2.1
  180. line-log.c
  181. line-log.h
  182. line-range.c
  183. line-range.h
  184. list-objects.c
  185. list-objects.h
  186. ll-merge.c
  187. ll-merge.h
  188. lockfile.c
  189. log-tree.c
  190. log-tree.h
  191. mailmap.c
  192. mailmap.h
  193. Makefile
  194. match-trees.c
  195. merge-blobs.c
  196. merge-blobs.h
  197. merge-recursive.c
  198. merge-recursive.h
  199. merge.c
  200. mergesort.c
  201. mergesort.h
  202. name-hash.c
  203. notes-cache.c
  204. notes-cache.h
  205. notes-merge.c
  206. notes-merge.h
  207. notes-utils.c
  208. notes-utils.h
  209. notes.c
  210. notes.h
  211. object.c
  212. object.h
  213. pack-bitmap-write.c
  214. pack-bitmap.c
  215. pack-bitmap.h
  216. pack-check.c
  217. pack-objects.c
  218. pack-objects.h
  219. pack-revindex.c
  220. pack-revindex.h
  221. pack-write.c
  222. pack.h
  223. pager.c
  224. parse-options-cb.c
  225. parse-options.c
  226. parse-options.h
  227. patch-delta.c
  228. patch-ids.c
  229. patch-ids.h
  230. path.c
  231. pathspec.c
  232. pathspec.h
  233. pkt-line.c
  234. pkt-line.h
  235. preload-index.c
  236. pretty.c
  237. prio-queue.c
  238. prio-queue.h
  239. progress.c
  240. progress.h
  241. prompt.c
  242. prompt.h
  243. quote.c
  244. quote.h
  245. reachable.c
  246. reachable.h
  247. read-cache.c
  248. README
  249. reflog-walk.c
  250. reflog-walk.h
  251. refs.c
  252. refs.h
  253. remote-curl.c
  254. remote-testsvn.c
  255. remote.c
  256. remote.h
  257. replace_object.c
  258. rerere.c
  259. rerere.h
  260. resolve-undo.c
  261. resolve-undo.h
  262. revision.c
  263. revision.h
  264. run-command.c
  265. run-command.h
  266. send-pack.c
  267. send-pack.h
  268. sequencer.c
  269. sequencer.h
  270. server-info.c
  271. setup.c
  272. sh-i18n--envsubst.c
  273. sha1-array.c
  274. sha1-array.h
  275. sha1-lookup.c
  276. sha1-lookup.h
  277. sha1_file.c
  278. sha1_name.c
  279. shallow.c
  280. shell.c
  281. shortlog.h
  282. show-index.c
  283. sideband.c
  284. sideband.h
  285. sigchain.c
  286. sigchain.h
  287. split-index.c
  288. split-index.h
  289. strbuf.c
  290. strbuf.h
  291. streaming.c
  292. streaming.h
  293. string-list.c
  294. string-list.h
  295. submodule.c
  296. submodule.h
  297. symlinks.c
  298. tag.c
  299. tag.h
  300. tar.h
  301. test-chmtime.c
  302. test-ctype.c
  303. test-date.c
  304. test-delta.c
  305. test-dump-cache-tree.c
  306. test-dump-split-index.c
  307. test-genrandom.c
  308. test-hashmap.c
  309. test-index-version.c
  310. test-line-buffer.c
  311. test-match-trees.c
  312. test-mergesort.c
  313. test-mktemp.c
  314. test-parse-options.c
  315. test-path-utils.c
  316. test-prio-queue.c
  317. test-read-cache.c
  318. test-regex.c
  319. test-revision-walking.c
  320. test-run-command.c
  321. test-scrap-cache-tree.c
  322. test-sha1.c
  323. test-sha1.sh
  324. test-sigchain.c
  325. test-string-list.c
  326. test-subprocess.c
  327. test-svn-fe.c
  328. test-urlmatch-normalization.c
  329. test-wildmatch.c
  330. thread-utils.c
  331. thread-utils.h
  332. trace.c
  333. trace.h
  334. transport-helper.c
  335. transport.c
  336. transport.h
  337. tree-diff.c
  338. tree-walk.c
  339. tree-walk.h
  340. tree.c
  341. tree.h
  342. unicode_width.h
  343. unimplemented.sh
  344. unix-socket.c
  345. unix-socket.h
  346. unpack-trees.c
  347. unpack-trees.h
  348. update_unicode.sh
  349. upload-pack.c
  350. url.c
  351. url.h
  352. urlmatch.c
  353. urlmatch.h
  354. usage.c
  355. userdiff.c
  356. userdiff.h
  357. utf8.c
  358. utf8.h
  359. varint.c
  360. varint.h
  361. version.c
  362. version.h
  363. versioncmp.c
  364. walker.c
  365. walker.h
  366. wildmatch.c
  367. wildmatch.h
  368. wrap-for-bin.sh
  369. wrapper.c
  370. write_or_die.c
  371. ws.c
  372. wt-status.c
  373. wt-status.h
  374. xdiff-interface.c
  375. xdiff-interface.h
  376. zlib.c