signed push: fortify against replay attacks
commit 35a3c0c411c1918966a4854f726779a143c09564
author Junio C Hamano <gitster@pobox.com>
Thu, 21 Aug 2014 23:45:30 +0000 (21 16:45 -0700)
committer Junio C Hamano <gitster@pobox.com>
Mon, 25 Aug 2014 21:44:15 +0000 (25 14:44 -0700)
tree 27fa3bf4663c9470775fc53143b21fb60dd64943
parent efa6f9007cd6754c7a99391b451d1163447d98b9
signed push: fortify against replay attacks

In order to prevent a valid push certificate for pushing into a
repository from getting replayed to push to an unrelated one, send a
nonce string from the receive-pack process and have the signer
include it in the push certificate.  The original nonce is exported
as GIT_PUSH_CERT_NONCE for the hooks to examine and match against
the value on the "nonce" header in the certificate to notice a replay.

Because the built-in nonce generation may not be suitable for all
situations, allow the server to invoke receive-pack with a pregenerated
nonce from the command line argument.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
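The hook-side check the commit message describes, written here as an added example rather than code from this commit or from git itself: a pre-receive hook helper that pulls the `nonce` header out of a push certificate and compares it with the GIT_PUSH_CERT_NONCE value that receive-pack exported. The sample certificate and nonce are constructed values; reading the certificate via `git cat-file blob "$GIT_PUSH_CERT"` is an assumption about how a hook obtains the certificate, not something this page states.

```shell
#!/bin/sh
# Added example (not git's own code): detect a replayed push certificate by
# matching its "nonce" header against the nonce receive-pack handed out.

# Print the value of the "nonce" header from certificate text on stdin.
# Headers precede the first blank line; the command list after it is skipped.
cert_nonce() {
    sed -n '/^$/q; s/^nonce //p'
}

# Return 0 when the certificate on stdin carries exactly the expected nonce,
# 1 otherwise (missing header, empty expectation or any mismatch all fail).
nonce_matches() {
    expected=$1
    found=$(cert_nonce)
    [ -n "$expected" ] && [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Hook entry point. Assumes (not stated on this page) that GIT_PUSH_CERT names
# the blob holding the certificate; GIT_PUSH_CERT_NONCE is the value the
# commit message says receive-pack exports.
check_push_nonce() {
    if [ -z "$GIT_PUSH_CERT_NONCE" ]; then
        echo "no nonce from receive-pack; nothing to check" >&2
        return 0
    fi
    if git cat-file blob "$GIT_PUSH_CERT" | nonce_matches "$GIT_PUSH_CERT_NONCE"; then
        return 0
    fi
    echo "push certificate nonce mismatch: possible replay, rejecting" >&2
    return 1
}

# Constructed sample certificate: header lines, a blank line, then one
# ref update command. All values are made up for this example.
SAMPLE_NONCE='1408664730-deadbeefcafe'
SAMPLE_CERT="certificate version 0.1
pusher Alice Example <alice@example.com> 1408664730 -0700
nonce $SAMPLE_NONCE

0000000000000000000000000000000000000000 1234567890123456789012345678901234567890 refs/heads/master"

# Stand-alone demonstration: the right nonce passes, a different one fails.
if printf '%s\n' "$SAMPLE_CERT" | nonce_matches "$SAMPLE_NONCE"; then
    echo "sample certificate: nonce matches"
fi
if ! printf '%s\n' "$SAMPLE_CERT" | nonce_matches 'some-other-nonce'; then
    echo "sample certificate: replayed nonce detected"
fi
```

Installed as a pre-receive hook, `check_push_nonce` would be called once per push and its non-zero exit would reject the whole push; the nonce comparison itself is kept in `nonce_matches` so it can be exercised on certificate text without a repository.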
Documentation/git-receive-pack.txt
Documentation/technical/pack-protocol.txt
Documentation/technical/protocol-capabilities.txt
builtin/receive-pack.c
send-pack.c
t/t5534-push-signed.sh