From 621b0599fda143aff7fbf2bca7479997a06a5d11 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 12 Aug 2014 15:04:17 -0700 Subject: send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher 20e8b465 (refactor ref status logic for pushing, 2010-01-08) restructured the code to set status for each ref to be pushed, but did not quite go far enough. We inspect the status set earlier by set_refs_status_for_push() and then perform yet another update to the status of a ref with an otherwise OK status to be deleted to mark it with REF_STATUS_REJECT_NODELETE when the protocol tells us never to delete. Split the latter into a separate loop that comes before we enter the per-ref loop. This way we would have one less condition to check in the main loop. Signed-off-by: Junio C Hamano --- send-pack.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 6129b0fd8..22a1709f6 100644 --- a/send-pack.c +++ b/send-pack.c @@ -231,6 +231,15 @@ int send_pack(struct send_pack_args *args, return 0; } + /* + * NEEDSWORK: why does delete-refs have to be so specific to + * send-pack machinery that set_ref_status_for_push() cannot + * set this bit for us??? + */ + for (ref = remote_refs; ref; ref = ref->next) + if (ref->deletion && !allow_deleting_refs) + ref->status = REF_STATUS_REJECT_NODELETE; + if (!args->dry_run) advertise_shallow_grafts_buf(&req_buf); @@ -249,17 +258,13 @@ int send_pack(struct send_pack_args *args, case REF_STATUS_REJECT_FETCH_FIRST: case REF_STATUS_REJECT_NEEDS_FORCE: case REF_STATUS_REJECT_STALE: + case REF_STATUS_REJECT_NODELETE: case REF_STATUS_UPTODATE: continue; default: ; /* do nothing */ } - if (ref->deletion && !allow_deleting_refs) { - ref->status = REF_STATUS_REJECT_NODELETE; - continue; - } - if (!ref->deletion) new_refs++; -- cgit v1.2.1 From e40671a3d9115f2c0cea614d8b5d265150f44c24 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 12 Aug 2014 15:40:00 -0700 Subject: send-pack: refactor decision to send update per ref A new helper function ref_update_to_be_sent() decides for each ref if the update is to be sent based on the status previously set by set_ref_status_for_push() and also if this is a mirrored push. Signed-off-by: Junio C Hamano --- send-pack.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 22a1709f6..43e98fa7d 100644 --- a/send-pack.c +++ b/send-pack.c @@ -190,6 +190,26 @@ static void advertise_shallow_grafts_buf(struct strbuf *sb) for_each_commit_graft(advertise_shallow_grafts_cb, sb); } +static int ref_update_to_be_sent(const struct ref *ref, const struct send_pack_args *args) +{ + if (!ref->peer_ref && !args->send_mirror) + return 0; + + /* Check for statuses set by set_ref_status_for_push() */ + switch (ref->status) { + case REF_STATUS_REJECT_NONFASTFORWARD: + case REF_STATUS_REJECT_ALREADY_EXISTS: + case REF_STATUS_REJECT_FETCH_FIRST: + case REF_STATUS_REJECT_NEEDS_FORCE: + case REF_STATUS_REJECT_STALE: + case REF_STATUS_REJECT_NODELETE: + case REF_STATUS_UPTODATE: + return 0; + default: + return 1; + } +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, @@ -248,23 +268,9 @@ int send_pack(struct send_pack_args *args, */ new_refs = 0; for (ref = remote_refs; ref; ref = ref->next) { - if (!ref->peer_ref && !args->send_mirror) + if (!ref_update_to_be_sent(ref, args)) continue; - /* Check for statuses set by set_ref_status_for_push() */ - switch (ref->status) { - case REF_STATUS_REJECT_NONFASTFORWARD: - case REF_STATUS_REJECT_ALREADY_EXISTS: - case REF_STATUS_REJECT_FETCH_FIRST: - case REF_STATUS_REJECT_NEEDS_FORCE: - case REF_STATUS_REJECT_STALE: - case REF_STATUS_REJECT_NODELETE: - case REF_STATUS_UPTODATE: - continue; - default: - ; /* do nothing */ - } - if (!ref->deletion) new_refs++; -- cgit v1.2.1 From 64de20a1265b676f9cc0e5f46379a017560fa333 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 15 Aug 2014 11:30:36 -0700 Subject: send-pack: always send capabilities We tried to avoid sending one extra byte, NUL and nothing behind it to signal there is no protocol capabilities being sent, on the first command packet on the wire, but it just made the code look ugly. Signed-off-by: Junio C Hamano --- send-pack.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 43e98fa7d..e81f74120 100644 --- a/send-pack.c +++ b/send-pack.c @@ -281,8 +281,7 @@ int send_pack(struct send_pack_args *args, char *new_hex = sha1_to_hex(ref->new_sha1); int quiet = quiet_supported && (args->quiet || !args->progress); - if (!cmds_sent && (status_report || use_sideband || - quiet || agent_supported)) { + if (!cmds_sent) packet_buf_write(&req_buf, "%s %s %s%c%s%s%s%s%s", old_hex, new_hex, ref->name, 0, @@ -292,7 +291,6 @@ int send_pack(struct send_pack_args *args, agent_supported ? " agent=" : "", agent_supported ? git_user_agent_sanitized() : "" ); - } else packet_buf_write(&req_buf, "%s %s %s", old_hex, new_hex, ref->name); -- cgit v1.2.1 From 887f3533fd764722ffb6e4ea34c01ad9256f0186 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 15 Aug 2014 11:37:01 -0700 Subject: send-pack: factor out capability string generation A run of 'var ? " var" : ""' fed to a long printf string in a deeply nested block was hard to read. Move it outside the loop and format it into a strbuf. As an added bonus, the trick to add "agent=" by using two conditionals is replaced by a more readable version. Signed-off-by: Junio C Hamano --- send-pack.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index e81f74120..0cb44aba9 100644 --- a/send-pack.c +++ b/send-pack.c @@ -218,6 +218,7 @@ int send_pack(struct send_pack_args *args, int in = fd[0]; int out = fd[1]; struct strbuf req_buf = STRBUF_INIT; + struct strbuf cap_buf = STRBUF_INIT; struct ref *ref; int new_refs; int allow_deleting_refs = 0; @@ -251,6 +252,15 @@ int send_pack(struct send_pack_args *args, return 0; } + if (status_report) + strbuf_addstr(&cap_buf, " report-status"); + if (use_sideband) + strbuf_addstr(&cap_buf, " side-band-64k"); + if (quiet_supported && (args->quiet || !args->progress)) + strbuf_addstr(&cap_buf, " quiet"); + if (agent_supported) + strbuf_addf(&cap_buf, " agent=%s", git_user_agent_sanitized()); + /* * NEEDSWORK: why does delete-refs have to be so specific to * send-pack machinery that set_ref_status_for_push() cannot @@ -279,18 +289,12 @@ int send_pack(struct send_pack_args *args, } else { char *old_hex = sha1_to_hex(ref->old_sha1); char *new_hex = sha1_to_hex(ref->new_sha1); - int quiet = quiet_supported && (args->quiet || !args->progress); if (!cmds_sent) packet_buf_write(&req_buf, - "%s %s %s%c%s%s%s%s%s", + "%s %s %s%c%s", old_hex, new_hex, ref->name, 0, - status_report ? " report-status" : "", - use_sideband ? " side-band-64k" : "", - quiet ? " quiet" : "", - agent_supported ? " agent=" : "", - agent_supported ? git_user_agent_sanitized() : "" - ); + cap_buf.buf); else packet_buf_write(&req_buf, "%s %s %s", old_hex, new_hex, ref->name); @@ -311,6 +315,7 @@ int send_pack(struct send_pack_args *args, packet_flush(out); } strbuf_release(&req_buf); + strbuf_release(&cap_buf); if (use_sideband && cmds_sent) { memset(&demux, 0, sizeof(demux)); -- cgit v1.2.1 From ab2b0c908aa1d1643fb15ffca4b943c3add9b945 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 15 Aug 2014 12:23:51 -0700 Subject: send-pack: rename "new_refs" to "need_pack_data" The variable counts how many non-deleting command is being sent, but is only checked with 0-ness to decide if we need to send the pack data. Signed-off-by: Junio C Hamano --- send-pack.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 0cb44aba9..716c11bbd 100644 --- a/send-pack.c +++ b/send-pack.c @@ -220,7 +220,7 @@ int send_pack(struct send_pack_args *args, struct strbuf req_buf = STRBUF_INIT; struct strbuf cap_buf = STRBUF_INIT; struct ref *ref; - int new_refs; + int need_pack_data = 0; int allow_deleting_refs = 0; int status_report = 0; int use_sideband = 0; @@ -276,13 +276,12 @@ int send_pack(struct send_pack_args *args, /* * Finally, tell the other end! */ - new_refs = 0; for (ref = remote_refs; ref; ref = ref->next) { if (!ref_update_to_be_sent(ref, args)) continue; if (!ref->deletion) - new_refs++; + need_pack_data = 1; if (args->dry_run) { ref->status = REF_STATUS_OK; @@ -327,7 +326,7 @@ int send_pack(struct send_pack_args *args, in = demux.out; } - if (new_refs && cmds_sent) { + if (need_pack_data && cmds_sent) { if (pack_objects(out, remote_refs, extra_have, args) < 0) { for (ref = remote_refs; ref; ref = ref->next) ref->status = REF_STATUS_NONE; -- cgit v1.2.1 From b783aa71c096032c02a20f9a41c5f42ce7b914c4 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 15 Aug 2014 12:29:42 -0700 Subject: send-pack: refactor inspecting and resetting status and sending commands The main loop over remote_refs list inspects the ref status to see if we need to generate pack data (i.e. a delete-only push does not need to send any additional data), resets it to "expecting the status report" state, and formats the actual update commands to be sent. Split the former two out of the main loop, as it will become conditional in later steps. Besides, we should have code that does real thing here, before the "Finally, tell the other end!" part ;-) Signed-off-by: Junio C Hamano --- send-pack.c | 49 ++++++++++++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 19 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 716c11bbd..6dc8a460c 100644 --- a/send-pack.c +++ b/send-pack.c @@ -274,7 +274,8 @@ int send_pack(struct send_pack_args *args, advertise_shallow_grafts_buf(&req_buf); /* - * Finally, tell the other end! + * Clear the status for each ref and see if we need to send + * the pack data. */ for (ref = remote_refs; ref; ref = ref->next) { if (!ref_update_to_be_sent(ref, args)) @@ -283,25 +284,35 @@ int send_pack(struct send_pack_args *args, if (!ref->deletion) need_pack_data = 1; - if (args->dry_run) { + if (args->dry_run || !status_report) ref->status = REF_STATUS_OK; - } else { - char *old_hex = sha1_to_hex(ref->old_sha1); - char *new_hex = sha1_to_hex(ref->new_sha1); - - if (!cmds_sent) - packet_buf_write(&req_buf, - "%s %s %s%c%s", - old_hex, new_hex, ref->name, 0, - cap_buf.buf); - else - packet_buf_write(&req_buf, "%s %s %s", - old_hex, new_hex, ref->name); - ref->status = status_report ? - REF_STATUS_EXPECTING_REPORT : - REF_STATUS_OK; - cmds_sent++; - } + else + ref->status = REF_STATUS_EXPECTING_REPORT; + } + + /* + * Finally, tell the other end! + */ + for (ref = remote_refs; ref; ref = ref->next) { + char *old_hex, *new_hex; + + if (args->dry_run) + continue; + + if (!ref_update_to_be_sent(ref, args)) + continue; + + old_hex = sha1_to_hex(ref->old_sha1); + new_hex = sha1_to_hex(ref->new_sha1); + if (!cmds_sent) + packet_buf_write(&req_buf, + "%s %s %s%c%s", + old_hex, new_hex, ref->name, 0, + cap_buf.buf); + else + packet_buf_write(&req_buf, "%s %s %s", + old_hex, new_hex, ref->name); + cmds_sent++; } if (args->stateless_rpc) { -- cgit v1.2.1 From c67072b90bdc56501483e0ba96d0d833e86362c3 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 19 Aug 2014 13:02:19 -0700 Subject: send-pack: clarify that cmds_sent is a boolean We use it to make sure that the feature request is sent only once on the very first request packet (ignoring the "shallow " line, which was an unfortunate mistake we cannot retroactively fix with existing receive-pack already deployed in the field) and we set it to "true" with cmds_sent++, not because we care about the actual number of updates sent but because it is merely an idiomatic way. Set it explicitly to one to clarify that the code that uses this variable only cares about its zero-ness. Signed-off-by: Junio C Hamano --- send-pack.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 6dc8a460c..bb13599c3 100644 --- a/send-pack.c +++ b/send-pack.c @@ -304,15 +304,16 @@ int send_pack(struct send_pack_args *args, old_hex = sha1_to_hex(ref->old_sha1); new_hex = sha1_to_hex(ref->new_sha1); - if (!cmds_sent) + if (!cmds_sent) { packet_buf_write(&req_buf, "%s %s %s%c%s", old_hex, new_hex, ref->name, 0, cap_buf.buf); - else + cmds_sent = 1; + } else { packet_buf_write(&req_buf, "%s %s %s", old_hex, new_hex, ref->name); - cmds_sent++; + } } if (args->stateless_rpc) { -- cgit v1.2.1 From a85b377d0419a9dfaca8af2320cc33b051cbed04 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 12 Sep 2014 11:17:07 -0700 Subject: push: the beginning of "git push --signed" While signed tags and commits assert that the objects thusly signed came from you, who signed these objects, there is not a good way to assert that you wanted to have a particular object at the tip of a particular branch. My signing v2.0.1 tag only means I want to call the version v2.0.1, and it does not mean I want to push it out to my 'master' branch---it is likely that I only want it in 'maint', so the signature on the object alone is insufficient. The only assurance to you that 'maint' points at what I wanted to place there comes from your trust on the hosting site and my authentication with it, which cannot easily audited later. Introduce a mechanism that allows you to sign a "push certificate" (for the lack of better name) every time you push, asserting that what object you are pushing to update which ref that used to point at what other object. Think of it as a cryptographic protection for ref updates, similar to signed tags/commits but working on an orthogonal axis. The basic flow based on this mechanism goes like this: 1. You push out your work with "git push --signed". 2. The sending side learns where the remote refs are as usual, together with what protocol extension the receiving end supports. If the receiving end does not advertise the protocol extension "push-cert", an attempt to "git push --signed" fails. Otherwise, a text file, that looks like the following, is prepared in core: certificate version 0.1 pusher Junio C Hamano 1315427886 -0700 7339ca65... 21580ecb... refs/heads/master 3793ac56... 12850bec... refs/heads/next The file begins with a few header lines, which may grow as we gain more experience. The 'pusher' header records the name of the signer (the value of user.signingkey configuration variable, falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the certificate generation. After the header, a blank line follows, followed by a copy of the protocol message lines. Each line shows the old and the new object name at the tip of the ref this push tries to update, in the way identical to how the underlying "git push" protocol exchange tells the ref updates to the receiving end (by recording the "old" object name, the push certificate also protects against replaying). It is expected that new command packet types other than the old-new-refname kind will be included in push certificate in the same way as would appear in the plain vanilla command packets in unsigned pushes. The user then is asked to sign this push certificate using GPG, formatted in a way similar to how signed tag objects are signed, and the result is sent to the other side (i.e. receive-pack). In the protocol exchange, this step comes immediately before the sender tells what the result of the push should be, which in turn comes before it sends the pack data. 3. When the receiving end sees a push certificate, the certificate is written out as a blob. The pre-receive hook can learn about the certificate by checking GIT_PUSH_CERT environment variable, which, if present, tells the object name of this blob, and make the decision to allow or reject this push. Additionally, the post-receive hook can also look at the certificate, which may be a good place to log all the received certificates for later audits. Because a push certificate carry the same information as the usual command packets in the protocol exchange, we can omit the latter when a push certificate is in use and reduce the protocol overhead. This however is not included in this patch to make it easier to review (in other words, the series at this step should never be released without the remainder of the series, as it implements an interim protocol that will be incompatible with the final one). As such, the documentation update for the protocol is left out of this step. Signed-off-by: Junio C Hamano --- send-pack.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index bb13599c3..ef93f33aa 100644 --- a/send-pack.c +++ b/send-pack.c @@ -11,6 +11,7 @@ #include "transport.h" #include "version.h" #include "sha1-array.h" +#include "gpg-interface.h" static int feed_object(const unsigned char *sha1, int fd, int negative) { @@ -210,6 +211,64 @@ static int ref_update_to_be_sent(const struct ref *ref, const struct send_pack_a } } +/* + * the beginning of the next line, or the end of buffer. + * + * NEEDSWORK: perhaps move this to git-compat-util.h or somewhere and + * convert many similar uses found by "git grep -A4 memchr". + */ +static const char *next_line(const char *line, size_t len) +{ + const char *nl = memchr(line, '\n', len); + if (!nl) + return line + len; /* incomplete line */ + return nl + 1; +} + +static void generate_push_cert(struct strbuf *req_buf, + const struct ref *remote_refs, + struct send_pack_args *args) +{ + const struct ref *ref; + char stamp[60]; + char *signing_key = xstrdup(get_signing_key()); + const char *cp, *np; + struct strbuf cert = STRBUF_INIT; + int update_seen = 0; + + datestamp(stamp, sizeof(stamp)); + strbuf_addf(&cert, "certificate version 0.1\n"); + strbuf_addf(&cert, "pusher %s %s\n", signing_key, stamp); + strbuf_addstr(&cert, "\n"); + + for (ref = remote_refs; ref; ref = ref->next) { + if (!ref_update_to_be_sent(ref, args)) + continue; + update_seen = 1; + strbuf_addf(&cert, "%s %s %s\n", + sha1_to_hex(ref->old_sha1), + sha1_to_hex(ref->new_sha1), + ref->name); + } + if (!update_seen) + goto free_return; + + if (sign_buffer(&cert, &cert, signing_key)) + die(_("failed to sign the push certificate")); + + packet_buf_write(req_buf, "push-cert\n"); + for (cp = cert.buf; cp < cert.buf + cert.len; cp = np) { + np = next_line(cp, cert.buf + cert.len - cp); + packet_buf_write(req_buf, + "%.*s", (int)(np - cp), cp); + } + packet_buf_write(req_buf, "push-cert-end\n"); + +free_return: + free(signing_key); + strbuf_release(&cert); +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, @@ -245,6 +304,8 @@ int send_pack(struct send_pack_args *args, agent_supported = 1; if (server_supports("no-thin")) args->use_thin_pack = 0; + if (args->push_cert && !server_supports("push-cert")) + die(_("the receiving end does not support --signed push")); if (!remote_refs) { fprintf(stderr, "No refs in common and none specified; doing nothing.\n" @@ -273,6 +334,9 @@ int send_pack(struct send_pack_args *args, if (!args->dry_run) advertise_shallow_grafts_buf(&req_buf); + if (!args->dry_run && args->push_cert) + generate_push_cert(&req_buf, remote_refs, args); + /* * Clear the status for each ref and see if we need to send * the pack data. -- cgit v1.2.1 From 20a7558f31e44e26ddbb8aa55bfd9316a6b67f82 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Mon, 18 Aug 2014 13:46:58 -0700 Subject: send-pack: send feature request on push-cert packet We would want to update the interim protocol so that we do not send the usual update commands when the push certificate feature is in use, as the same information is in the certificate. Once that happens, the push-cert packet may become the only protocol command, but then there is no packet to put the feature request behind, like we always did. As we have prepared the receiving end that understands the push-cert feature to accept the feature request on the first protocol packet (other than "shallow ", which was an unfortunate historical mistake that has to come before everything else), we can give the feature request on the push-cert packet instead of the first update protocol packet, in preparation for the next step to actually update to the final protocol. Signed-off-by: Junio C Hamano --- send-pack.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index ef93f33aa..d392f5b3a 100644 --- a/send-pack.c +++ b/send-pack.c @@ -225,9 +225,10 @@ static const char *next_line(const char *line, size_t len) return nl + 1; } -static void generate_push_cert(struct strbuf *req_buf, - const struct ref *remote_refs, - struct send_pack_args *args) +static int generate_push_cert(struct strbuf *req_buf, + const struct ref *remote_refs, + struct send_pack_args *args, + const char *cap_string) { const struct ref *ref; char stamp[60]; @@ -256,7 +257,7 @@ static void generate_push_cert(struct strbuf *req_buf, if (sign_buffer(&cert, &cert, signing_key)) die(_("failed to sign the push certificate")); - packet_buf_write(req_buf, "push-cert\n"); + packet_buf_write(req_buf, "push-cert%c%s", 0, cap_string); for (cp = cert.buf; cp < cert.buf + cert.len; cp = np) { np = next_line(cp, cert.buf + cert.len - cp); packet_buf_write(req_buf, @@ -267,6 +268,7 @@ static void generate_push_cert(struct strbuf *req_buf, free_return: free(signing_key); strbuf_release(&cert); + return update_seen; } int send_pack(struct send_pack_args *args, @@ -335,7 +337,8 @@ int send_pack(struct send_pack_args *args, advertise_shallow_grafts_buf(&req_buf); if (!args->dry_run && args->push_cert) - generate_push_cert(&req_buf, remote_refs, args); + cmds_sent = generate_push_cert(&req_buf, remote_refs, args, + cap_buf.buf); /* * Clear the status for each ref and see if we need to send -- cgit v1.2.1 From 4adf569dea052dac88121d822e11c249986b3398 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Mon, 18 Aug 2014 14:38:45 -0700 Subject: signed push: remove duplicated protocol info With the interim protocol, we used to send the update commands even though we already send a signed copy of the same information when push certificate is in use. Update the send-pack/receive-pack pair not to do so. The notable thing on the receive-pack side is that it makes sure that there is no command sent over the traditional protocol packet outside the push certificate. Otherwise a pusher can claim to be pushing one set of ref updates in the signed certificate while issuing commands to update unrelated refs, and such an update will evade later audits. Finally, start documenting the protocol. Signed-off-by: Junio C Hamano --- send-pack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index d392f5b3a..857beb393 100644 --- a/send-pack.c +++ b/send-pack.c @@ -363,7 +363,7 @@ int send_pack(struct send_pack_args *args, for (ref = remote_refs; ref; ref = ref->next) { char *old_hex, *new_hex; - if (args->dry_run) + if (args->dry_run || args->push_cert) continue; if (!ref_update_to_be_sent(ref, args)) -- cgit v1.2.1 From 9be89160e7382a88e56a02bcf38f4694dd6542d6 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 22 Aug 2014 18:15:24 -0700 Subject: signed push: add "pushee" header to push certificate Record the URL of the intended recipient for a push (after anonymizing it if it has authentication material) on a new "pushee URL" header. Because the networking configuration (SSH-tunnels, proxies, etc.) on the pushing user's side varies, the receiving repository may not know the single canonical URL all the pushing users would refer it as (besides, many sites allow pushing over ssh://host/path and https://host/path protocols to the same repository but with different local part of the path). So this value may not be reliably used for replay-attack prevention purposes, but this will still serve as a human readable hint to identify the repository the certificate refers to. Signed-off-by: Junio C Hamano --- send-pack.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 857beb393..9c2c64966 100644 --- a/send-pack.c +++ b/send-pack.c @@ -240,6 +240,11 @@ static int generate_push_cert(struct strbuf *req_buf, datestamp(stamp, sizeof(stamp)); strbuf_addf(&cert, "certificate version 0.1\n"); strbuf_addf(&cert, "pusher %s %s\n", signing_key, stamp); + if (args->url && *args->url) { + char *anon_url = transport_anonymize_url(args->url); + strbuf_addf(&cert, "pushee %s\n", anon_url); + free(anon_url); + } strbuf_addstr(&cert, "\n"); for (ref = remote_refs; ref; ref = ref->next) { -- cgit v1.2.1 From b89363e4a5277038629491f8765c0598f366326c Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Thu, 21 Aug 2014 16:45:30 -0700 Subject: signed push: fortify against replay attacks In order to prevent a valid push certificate for pushing into an repository from getting replayed in a different push operation, send a nonce string from the receive-pack process and have the signer include it in the push certificate. The receiving end uses an HMAC hash of the path to the repository it serves and the current time stamp, hashed with a secret seed (the secret seed does not have to be per-repository but can be defined in /etc/gitconfig) to generate the nonce, in order to ensure that a random third party cannot forge a nonce that looks like it originated from it. The original nonce is exported as GIT_PUSH_CERT_NONCE for the hooks to examine and match against the value on the "nonce" header in the certificate to notice a replay, but returned "nonce" header in the push certificate is examined by receive-pack and the result is exported as GIT_PUSH_CERT_NONCE_STATUS, whose value would be "OK" if the nonce recorded in the certificate matches what we expect, so that the hooks can more easily check. Signed-off-by: Junio C Hamano --- send-pack.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'send-pack.c') diff --git a/send-pack.c b/send-pack.c index 9c2c64966..7ad1a5968 100644 --- a/send-pack.c +++ b/send-pack.c @@ -228,7 +228,8 @@ static const char *next_line(const char *line, size_t len) static int generate_push_cert(struct strbuf *req_buf, const struct ref *remote_refs, struct send_pack_args *args, - const char *cap_string) + const char *cap_string, + const char *push_cert_nonce) { const struct ref *ref; char stamp[60]; @@ -245,6 +246,8 @@ static int generate_push_cert(struct strbuf *req_buf, strbuf_addf(&cert, "pushee %s\n", anon_url); free(anon_url); } + if (push_cert_nonce[0]) + strbuf_addf(&cert, "nonce %s\n", push_cert_nonce); strbuf_addstr(&cert, "\n"); for (ref = remote_refs; ref; ref = ref->next) { @@ -295,6 +298,7 @@ int send_pack(struct send_pack_args *args, unsigned cmds_sent = 0; int ret; struct async demux; + const char *push_cert_nonce = NULL; /* Does the other end support the reporting? */ if (server_supports("report-status")) @@ -311,8 +315,14 @@ int send_pack(struct send_pack_args *args, agent_supported = 1; if (server_supports("no-thin")) args->use_thin_pack = 0; - if (args->push_cert && !server_supports("push-cert")) - die(_("the receiving end does not support --signed push")); + if (args->push_cert) { + int len; + + push_cert_nonce = server_feature_value("push-cert", &len); + if (!push_cert_nonce) + die(_("the receiving end does not support --signed push")); + push_cert_nonce = xmemdupz(push_cert_nonce, len); + } if (!remote_refs) { fprintf(stderr, "No refs in common and none specified; doing nothing.\n" @@ -343,7 +353,7 @@ int send_pack(struct send_pack_args *args, if (!args->dry_run && args->push_cert) cmds_sent = generate_push_cert(&req_buf, remote_refs, args, - cap_buf.buf); + cap_buf.buf, push_cert_nonce); /* * Clear the status for each ref and see if we need to send -- cgit v1.2.1