diff options
| author | Junio C Hamano <gitster@pobox.com> | 2014-08-22 03:45:30 +0400 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2014-09-18 01:27:40 +0400 |
| commit | b89363e4a5277038629491f8765c0598f366326c (patch) | |
| tree | 254c02373450167a86f33afdeac9cd851859ca00 /t/t5534-push-signed.sh | |
| parent | 9be89160e7382a88e56a02bcf38f4694dd6542d6 (diff) | |
signed push: fortify against replay attacks
In order to prevent a valid push certificate for pushing into an
repository from getting replayed in a different push operation, send
a nonce string from the receive-pack process and have the signer
include it in the push certificate. The receiving end uses an HMAC
hash of the path to the repository it serves and the current time
stamp, hashed with a secret seed (the secret seed does not have to
be per-repository but can be defined in /etc/gitconfig) to generate
the nonce, in order to ensure that a random third party cannot forge
a nonce that looks like it originated from it.
The original nonce is exported as GIT_PUSH_CERT_NONCE for the hooks
to examine and match against the value on the "nonce" header in the
certificate to notice a replay, but returned "nonce" header in the
push certificate is examined by receive-pack and the result is
exported as GIT_PUSH_CERT_NONCE_STATUS, whose value would be "OK"
if the nonce recorded in the certificate matches what we expect, so
that the hooks can more easily check.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/t5534-push-signed.sh')
| -rwxr-xr-x | t/t5534-push-signed.sh | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/t/t5534-push-signed.sh b/t/t5534-push-signed.sh index 2f4b74ed83..2786346f9a 100755 --- a/t/t5534-push-signed.sh +++ b/t/t5534-push-signed.sh @@ -50,7 +50,6 @@ test_expect_success 'unsigned push does not send push certificate' ' test_expect_success 'talking with a receiver without push certificate support' ' prepare_dst && mkdir -p dst/.git/hooks && - git -C dst config receive.acceptpushcert no && write_script dst/.git/hooks/post-receive <<-\EOF && # discard the update list cat >/dev/null @@ -68,7 +67,6 @@ test_expect_success 'talking with a receiver without push certificate support' ' test_expect_success 'push --signed fails with a receiver without push certificate support' ' prepare_dst && mkdir -p dst/.git/hooks && - git -C dst config receive.acceptpushcert no && test_must_fail git push --signed dst noop ff +noff 2>err && test_i18ngrep "the receiving end does not support" err ' @@ -89,6 +87,7 @@ test_expect_success GPG 'no certificate for a signed push with no update' ' test_expect_success GPG 'signed push sends push certificate' ' prepare_dst && mkdir -p dst/.git/hooks && + git -C dst config receive.certnonceseed sekrit && write_script dst/.git/hooks/post-receive <<-\EOF && # discard the update list cat >/dev/null @@ -102,17 +101,24 @@ test_expect_success GPG 'signed push sends push certificate' ' SIGNER=${GIT_PUSH_CERT_SIGNER-nobody} KEY=${GIT_PUSH_CERT_KEY-nokey} STATUS=${GIT_PUSH_CERT_STATUS-nostatus} + NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus} + NONCE=${GIT_PUSH_CERT_NONCE-nononce} E_O_F EOF - cat >expect <<-\EOF && - SIGNER=C O Mitter <committer@example.com> - KEY=13B6F51ECDDE430D - STATUS=G - EOF - git push --signed dst noop ff +noff && + + ( + cat <<-\EOF && + SIGNER=C O Mitter <committer@example.com> + KEY=13B6F51ECDDE430D + STATUS=G + NONCE_STATUS=OK + EOF + sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert + ) >expect && + grep "$(git rev-parse noop ff) refs/heads/ff" dst/push-cert && grep "$(git rev-parse noop noff) refs/heads/noff" dst/push-cert && test_cmp expect dst/push-cert-status |