Shawn Pearce <spea...@spearce.org> writes:

> As you know, the stateless HTTP thing doesn't allow the nonce on the
> server to be carried from the initial ref advertisement into the final
> receive-pack. We would either need to write the nonce to disk and load
> it back up later (ick), or use some sort of stateless nonce.
>
> A stateless nonce could look like:
>
>   nonce = HMAC_SHA1( SHA1(site+path) + '.' + now, site_key )
>
> where site_key is a private key known to the server. It doesn't have
> to be per-repo.

Doing the above naively will force you to check 600 HMACs if your
slack is for 10 minutes.  You could just instead use

        nonce = now '-' HMAC_SHA1(path + '.' + now, site_key)

and the validation side can make sure the same site_key was used,
and also "now" readable from the plaintext part is fresh enough,
with a single HMAC.

I may be missing something, but with this, we can always validate
that "nonce" is what the repository issued (whether "stateless" is
used or not).  The hook script can decide if "now" is recent enough
or not without bothering receive-pack at all.
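
Added example, not part of the original message and not Git's own code: a Python sketch of the `now '-' HMAC_SHA1(path + '.' + now, site_key)` nonce, where validation costs one HMAC and freshness is judged separately from the plaintext timestamp. The key value, function names and the three-way result are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SITE_KEY = b"constructed-site-key-for-demo"  # assumption: server-wide secret
SLACK_SECONDS = 600                          # the 10-minute slack from the thread


def _mac(path, stamp, key):
    # HMAC_SHA1(path + '.' + now, site_key), hex-encoded
    msg = f"{path}.{stamp}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def issue_nonce(path, now=None, key=SITE_KEY):
    # Nothing is stored server-side; the timestamp travels in the clear.
    stamp = str(int(time.time() if now is None else now))
    return f"{stamp}-{_mac(path, stamp, key)}"


def check_nonce(nonce, path, now=None, key=SITE_KEY, slack=SLACK_SECONDS):
    """Return 'ok', 'stale' or 'bad'; exactly one HMAC is computed."""
    stamp, sep, mac = nonce.partition("-")
    if not sep or not (stamp.isascii() and stamp.isdigit()):
        return "bad"
    # Authenticity first: the MAC binds the claimed timestamp to this path,
    # so a client cannot refresh an old nonce by editing the plaintext part.
    expected = _mac(path, stamp, key)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "bad"
    # Freshness second: a policy decision a hook could make on its own.
    current = int(time.time() if now is None else now)
    if abs(current - int(stamp)) > slack:
        return "stale"
    return "ok"


if __name__ == "__main__":
    n = issue_nonce("/project.git", now=1_000_000)  # constructed inputs
    print(n, check_nonce(n, "/project.git", now=1_000_300))
```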


