From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Subject: [PATCH v4 22/22] signed push: allow stale nonce in stateless mode
Date: Fri, 5 Sep 2014 13:55:10 -0700 [thread overview]
Message-ID: <1409950510-10209-23-git-send-email-gitster@pobox.com> (raw)
In-Reply-To: <1409950510-10209-1-git-send-email-gitster@pobox.com>
When operating with the stateless RPC mode, we will receive a nonce
issued by another instance of us that advertised our capability and
refs some time ago. Update the logic to check received nonce to
detect this case, compute how much time has passed since the nonce
was issued and report the status with a new environment variable
GIT_PUSH_CERT_NONCE_SLOP to the hooks.
GIT_PUSH_CERT_NONCE_STATUS will report "SLOP" in such a case. The
hooks are free to decide how large a slop it is willing to accept.
Strictly speaking, the "nonce" is not really a "nonce" anymore in
the stateless RPC mode, as it will happily take any "nonce" issued
by it (which is protected by HMAC and its secret key) as long as it
is fresh enough. The degree of this security degradation, relative
to the native protocol, is about the same as the "we make sure that
the 'git push' decided to update our refs with new objects based on
the freshest observation of our refs by making sure the values they
claim the original value of the refs they ask us to update exactly
match the current state" security is loosened to accomodate the
stateless RPC mode in the existing code without this series, so
there is no need for those who are already using smart HTTP to push
to their repositories to be alarmed any more than they already are.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
Documentation/git-receive-pack.txt | 11 ++++++++
builtin/receive-pack.c | 57 ++++++++++++++++++++++++++++++++------
2 files changed, 59 insertions(+), 9 deletions(-)
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 2d4b452..2e5131d 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -89,6 +89,17 @@ the following environment variables:
"git push --signed" sent a bogus nonce.
`OK`;;
"git push --signed" sent the nonce we asked it to send.
+`SLOP`;;
+ "git push --signed" sent a nonce different from what we
+ asked it to send now, but in a previous session. See
+ `GIT_PUSH_CERT_NONCE_SLOP` environment variable.
+
+`GIT_PUSH_CERT_NONCE_SLOP`::
+ "git push --signed" sent a nonce different from what we
+ asked it to send now, but in a different session whose
+ starting time is different by this many seconds from the
+ current session. Only meaningful when
+ `GIT_PUSH_CERT_NONCE_STATUS` says `SLOP`.
This hook is called before any refname is updated and before any
fast-forward checks are performed.
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index a1823e5..86fb5a4 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -43,6 +43,8 @@ static int prefer_ofs_delta = 1;
static int auto_update_server_info;
static int auto_gc = 1;
static int fix_thin = 1;
+static int stateless_rpc;
+static const char *service_dir;
static const char *head_name;
static void *head_name_to_free;
static int sent_capabilities;
@@ -58,7 +60,9 @@ static const char *NONCE_UNSOLICITED = "UNSOLICITED";
static const char *NONCE_BAD = "BAD";
static const char *NONCE_MISSING = "MISSING";
static const char *NONCE_OK = "OK";
+static const char *NONCE_SLOP = "SLOP";
static const char *nonce_status;
+static long nonce_stamp_slop;
static enum deny_action parse_deny_action(const char *var, const char *value)
{
@@ -359,6 +363,8 @@ static const char *find_header(const char *msg, size_t len, const char *key)
static const char *check_nonce(const char *buf, size_t len)
{
const char *nonce = find_header(buf, len, "nonce");
+ unsigned long stamp, ostamp;
+ char *bohmac, *expect;
if (!nonce)
return NONCE_MISSING;
@@ -368,7 +374,39 @@ static const char *check_nonce(const char *buf, size_t len)
return NONCE_OK;
/* returned nonce MUST match what we gave out earlier */
- return NONCE_BAD;
+ if (!stateless_rpc)
+ return NONCE_BAD;
+
+ /*
+ * In stateless mode, we may be receiving a nonce issued
+ * by another instance of the server that serving the same
+ * repository, and the timestamps may not match, but the
+ * nonce-seed and dir should match, so we can recompute
+ * and report the time slop.
+ */
+
+ /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
+ if (*nonce <= '0' || '9' < *nonce)
+ return NONCE_BAD;
+ stamp = strtoul(nonce, &bohmac, 10);
+ if (bohmac == nonce || bohmac[1] != '-')
+ return NONCE_BAD;
+
+ expect = prepare_push_cert_nonce(service_dir, stamp);
+ if (strcmp(expect, nonce)) {
+ free(expect);
+ return NONCE_BAD;
+ }
+ free(expect);
+
+ /*
+ * By how many seconds is this nonce stale? Negative
+ * value would mean it was issued by another server
+ * with its clock skewed in the future.
+ */
+ ostamp = strtoul(push_cert_nonce, NULL, 10);
+ nonce_stamp_slop = (long)ostamp - (long)stamp;
+ return NONCE_SLOP;
}
static void prepare_push_cert_sha1(struct child_process *proc)
@@ -417,6 +455,9 @@ static void prepare_push_cert_sha1(struct child_process *proc)
if (push_cert_nonce) {
argv_array_pushf(&env, "GIT_PUSH_CERT_NONCE=%s", push_cert_nonce);
argv_array_pushf(&env, "GIT_PUSH_CERT_NONCE_STATUS=%s", nonce_status);
+ if (nonce_status == NONCE_SLOP)
+ argv_array_pushf(&env, "GIT_PUSH_CERT_NONCE_SLOP=%ld",
+ nonce_stamp_slop);
}
proc->env = env.argv;
}
@@ -1352,9 +1393,7 @@ static int delete_only(struct command *commands)
int cmd_receive_pack(int argc, const char **argv, const char *prefix)
{
int advertise_refs = 0;
- int stateless_rpc = 0;
int i;
- const char *dir = NULL;
struct command *commands;
struct sha1_array shallow = SHA1_ARRAY_INIT;
struct sha1_array ref = SHA1_ARRAY_INIT;
@@ -1387,21 +1426,21 @@ int cmd_receive_pack(int argc, const char **argv, const char *prefix)
usage(receive_pack_usage);
}
- if (dir)
+ if (service_dir)
usage(receive_pack_usage);
- dir = arg;
+ service_dir = arg;
}
- if (!dir)
+ if (!service_dir)
usage(receive_pack_usage);
setup_path();
- if (!enter_repo(dir, 0))
- die("'%s' does not appear to be a git repository", dir);
+ if (!enter_repo(service_dir, 0))
+ die("'%s' does not appear to be a git repository", service_dir);
git_config(receive_pack_config, NULL);
if (cert_nonce_seed)
- push_cert_nonce = prepare_push_cert_nonce(dir, time(NULL));
+ push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
if (0 <= transfer_unpack_limit)
unpack_limit = transfer_unpack_limit;
--
2.1.0-399-g2df620b
prev parent reply other threads:[~2014-09-05 20:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-05 20:54 [PATCH v4 00/22] Signed push Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 01/22] receive-pack: do not overallocate command structure Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 02/22] receive-pack: parse feature request a bit earlier Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 03/22] receive-pack: do not reuse old_sha1[] for other things Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 04/22] receive-pack: factor out queueing of command Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 05/22] send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 06/22] send-pack: refactor decision to send update per ref Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 07/22] send-pack: always send capabilities Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 08/22] send-pack: factor out capability string generation Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 09/22] receive-pack: " Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 10/22] send-pack: rename "new_refs" to "need_pack_data" Junio C Hamano
2014-09-05 20:54 ` [PATCH v4 11/22] send-pack: refactor inspecting and resetting status and sending commands Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 12/22] send-pack: clarify that cmds_sent is a boolean Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 13/22] gpg-interface: move parse_gpg_output() to where it should be Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 14/22] gpg-interface: move parse_signature() " Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 15/22] pack-protocol doc: typofix for PKT-LINE Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 16/22] push: the beginning of "git push --signed" Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 17/22] receive-pack: GPG-validate push certificates Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 18/22] send-pack: send feature request on push-cert packet Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 19/22] signed push: remove duplicated protocol info Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 20/22] signed push: add "pushee" header to push certificate Junio C Hamano
2014-09-05 20:55 ` [PATCH v4 21/22] signed push: fortify against replay attacks Junio C Hamano
2014-09-05 20:55 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1409950510-10209-23-git-send-email-gitster@pobox.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).