git-commit-vandalism/builtin
Junio C Hamano 5732373daa signed push: allow stale nonce in stateless mode
When operating with the stateless RPC mode, we will receive a nonce
issued by another instance of us that advertised our capability and
refs some time ago.  Update the logic to check received nonce to
detect this case, compute how much time has passed since the nonce
was issued and report the status with a new environment variable
GIT_PUSH_CERT_NONCE_SLOP to the hooks.

GIT_PUSH_CERT_NONCE_STATUS will report "SLOP" in such a case.  The
hooks are free to decide how large a slop it is willing to accept.

Strictly speaking, the "nonce" is not really a "nonce" anymore in
the stateless RPC mode, as it will happily take any "nonce" issued
by it (which is protected by HMAC and its secret key) as long as it
is fresh enough.  The degree of this security degradation, relative
to the native protocol, is about the same as the "we make sure that
the 'git push' decided to update our refs with new objects based on
the freshest observation of our refs by making sure the values they
claim the original value of the refs they ask us to update exactly
match the current state" security is loosened to accomodate the
stateless RPC mode in the existing code without this series, so
there is no need for those who are already using smart HTTP to push
to their repositories to be alarmed any more than they already are.

In addition, the server operator can set receive.certnonceslop
configuration variable to specify how stale a nonce can be (in
seconds).  When this variable is set, and if the nonce received in
the certificate that passes the HMAC check was less than that many
seconds old, hooks are given "OK" in GIT_PUSH_CERT_NONCE_STATUS
(instead of "SLOP") and the received nonce value is given in
GIT_PUSH_CERT_NONCE, which makes it easier for a simple-minded
hook to check if the certificate we received is recent enough.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-17 15:19:54 -07:00
..
add.c read-cache: new API write_locked_index instead of write_index/write_cache 2014-06-13 11:49:10 -07:00
annotate.c annotate: use argv_array 2014-07-16 11:10:11 -07:00
apply.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
archive.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
bisect--helper.c Replace deprecated OPT_BOOLEAN by OPT_BOOL 2013-08-05 11:32:19 -07:00
blame.c Merge branch 'rs/code-cleaning' 2014-07-22 10:59:37 -07:00
branch.c refactor skip_prefix to return a boolean 2014-06-20 10:44:43 -07:00
bundle.c Teach progress eye-candy to fetch_refs_from_bundle() 2011-09-19 11:07:21 -07:00
cat-file.c Merge branch 'jk/warn-on-object-refname-ambiguity' 2014-03-25 11:07:36 -07:00
check-attr.c Merge branch 'jc/check-attr-honor-working-tree' 2014-03-14 14:06:00 -07:00
check-ignore.c Merge branch 'dw/check-ignore-sans-index' 2013-09-20 12:37:32 -07:00
check-mailmap.c builtin: add git-check-mailmap command 2013-07-13 10:19:37 -07:00
check-ref-format.c Change check_refname_format() to reject unnormalized refnames 2011-10-05 13:45:30 -07:00
checkout-index.c entry.c: update cache_changed if refresh_cache is set in checkout_entry() 2014-06-13 11:49:39 -07:00
checkout.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
clean.c use xcalloc() to allocate zero-initialized memory 2014-07-21 10:30:21 -07:00
clone.c use local cloning if insteadOf makes a local URL 2014-07-17 11:17:13 -07:00
column.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
commit-tree.c commit_tree: take a pointer/len pair rather than a const strbuf 2014-06-12 10:29:41 -07:00
commit.c Merge branch 'ta/string-list-init' 2014-07-23 11:35:54 -07:00
config.c Merge branch 'jk/daemon-tolower' 2014-06-16 10:07:15 -07:00
count-objects.c count-objects: add -H option to humanize sizes 2013-04-10 13:27:26 -07:00
credential.c
describe.c hashmap: add simplified hashmap_get_from_hash() API 2014-07-07 13:56:35 -07:00
diff-files.c convert read_cache_preload() to take struct pathspec 2013-07-15 10:56:08 -07:00
diff-index.c convert read_cache_preload() to take struct pathspec 2013-07-15 10:56:08 -07:00
diff-tree.c Merge branch 'jk/alloc-commit-id' 2014-07-22 10:59:25 -07:00
diff.c Merge branch 'tg/diff-no-index-refactor' 2013-12-27 14:58:17 -08:00
fast-export.c Merge branch 'jk/commit-buffer-length' 2014-07-02 12:53:02 -07:00
fetch-pack.c Merge branch 'nd/shallow-clone' 2014-01-17 12:21:20 -08:00
fetch.c Merge branch 'jk/xstrfmt' 2014-07-09 11:34:05 -07:00
fmt-merge-msg.c Merge branch 'jk/xstrfmt' 2014-07-09 11:34:05 -07:00
for-each-ref.c use commit_list_count() to count the members of commit_lists 2014-07-17 13:36:25 -07:00
fsck.c refs.c: add a public is_branch function 2014-07-16 13:06:41 -07:00
gc.c Merge branch 'nd/daemonize-gc' 2014-06-16 12:18:12 -07:00
get-tar-commit-id.c stop installing git-tar-tree link 2013-12-03 12:35:22 -08:00
grep.c Merge branch 'sk/spawn-less-case-insensitively-from-grep-O-i' 2014-06-06 11:32:49 -07:00
hash-object.c hash-object: replace stdin parsing OPT_BOOLEAN by OPT_COUNTUP 2013-08-07 08:30:55 -07:00
help.c builtin/help.c: speed up is_git_command() by checking for builtin commands first 2014-01-06 11:26:31 -08:00
index-pack.c Merge branch 'maint' 2014-07-21 12:35:39 -07:00
init-db.c i18n: only extract comments marked with "TRANSLATORS:" 2014-04-17 11:09:56 -07:00
log.c use strbuf_addbuf for adding strbufs 2014-07-10 14:06:45 -07:00
ls-files.c pathspec: pass directory indicator to match_pathspec_item() 2014-02-24 14:37:19 -08:00
ls-remote.c builtin/ls-remote.c: rearrange xcalloc arguments 2014-05-27 14:00:43 -07:00
ls-tree.c pathspec: rename match_pathspec_depth() to match_pathspec() 2014-02-24 14:37:14 -08:00
mailinfo.c Merge branch 'rs/mailinfo-header-cmp' 2014-06-09 11:27:53 -07:00
mailsplit.c mailsplit: sort maildir filenames more cleverly 2013-03-02 22:52:44 -08:00
merge-base.c Merge branch 'bm/merge-base-octopus-dedup' 2014-01-10 10:33:33 -08:00
merge-file.c Replace deprecated OPT_BOOLEAN by OPT_BOOL 2013-08-05 11:32:19 -07:00
merge-index.c Convert "struct cache_entry *" to "const ..." wherever possible 2013-07-09 09:12:48 -07:00
merge-ours.c Move 'builtin-*' into a 'builtin/' subdirectory 2010-02-22 14:29:41 -08:00
merge-recursive.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
merge-tree.c merge-tree: handle directory/empty conflict correctly 2013-05-06 22:17:00 -07:00
merge.c Merge branch 'rs/code-cleaning' 2014-07-16 11:33:09 -07:00
mktag.c read_sha1_file(): get rid of read_sha1_file_repl() madness 2011-05-15 15:23:33 -07:00
mktree.c builtin/mktree.c: use ALLOC_GROW() in append_to_tree() 2014-03-03 14:54:45 -08:00
mv.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
name-rev.c use xstrfmt to replace xmalloc + strcpy/strcat 2014-06-19 15:20:54 -07:00
notes.c Merge branch 'mh/ref-transaction' 2014-06-03 12:06:41 -07:00
pack-objects.c Merge branch 'jk/repack-pack-writebitmaps-config' 2014-06-25 12:23:19 -07:00
pack-redundant.c Fix sizeof usage in get_permutations 2012-12-13 11:13:44 -08:00
pack-refs.c pack-refs: merge code from pack-refs.{c,h} into refs.{c,h} 2013-05-01 15:33:11 -07:00
patch-id.c patch-id: make it stable against hunk reordering 2014-06-10 13:09:24 -07:00
prune-packed.c i18n: mark all progress lines for translation 2014-02-24 09:08:37 -08:00
prune.c Merge branch 'mh/replace-refs-variable-rename' 2014-03-14 14:27:06 -07:00
push.c push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
read-tree.c read-tree: note about dropping split-index mode or index version 2014-06-13 11:49:41 -07:00
receive-pack.c signed push: allow stale nonce in stateless mode 2014-09-17 15:19:54 -07:00
reflog.c refs.c: add new functions reflog_exists and delete_reflog 2014-05-08 14:31:43 -07:00
remote-ext.c
remote-fd.c Fix sparse warnings 2011-03-22 10:16:54 -07:00
remote.c Merge branch 'rs/ref-transaction-0' 2014-07-21 11:18:37 -07:00
repack.c Merge branch 'jk/strip-suffix' 2014-07-16 11:26:00 -07:00
replace.c Merge branch 'cc/replace-graft' 2014-07-27 15:14:18 -07:00
rerere.c rerere: fix for merge.conflictstyle 2014-04-30 10:30:02 -07:00
reset.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
rev-list.c commit: record buffer length in cache 2014-06-13 12:09:38 -07:00
rev-parse.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
revert.c parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
rm.c read-cache: new API write_locked_index instead of write_index/write_cache 2014-06-13 11:49:10 -07:00
send-pack.c signed push: teach smart-HTTP to pass "git push --signed" around 2014-09-17 14:58:04 -07:00
shortlog.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
show-branch.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
show-ref.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
stripspace.c builtin/stripspace.c: fix broken indentation 2013-09-06 13:33:17 -07:00
symbolic-ref.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
tag.c Merge branch 'jk/tag-sort' 2014-07-23 11:35:45 -07:00
unpack-file.c
unpack-objects.c Merge branch 'mh/replace-refs-variable-rename' 2014-03-14 14:27:06 -07:00
update-index.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
update-ref.c refs.c: change ref_transaction_update() to do error checking and return status 2014-07-14 11:54:42 -07:00
update-server-info.c i18n: update-server-info: mark parseopt strings for translation 2012-08-22 10:58:29 -07:00
upload-archive.c replace {pre,suf}fixcmp() with {starts,ends}_with() 2013-12-05 14:13:21 -08:00
var.c ident: rename IDENT_ERROR_ON_NO_NAME to IDENT_STRICT 2012-05-24 17:16:41 -07:00
verify-commit.c verify-commit: scriptable commit signature verification 2014-06-23 15:50:31 -07:00
verify-pack.c verify-pack: use strbuf_strip_suffix 2014-06-30 13:43:32 -07:00
verify-tag.c gpg_interface: allow to request status return 2013-02-14 09:30:04 -08:00
write-tree.c i18n: write-tree: mark parseopt strings for translation 2012-08-22 10:58:29 -07:00