On Thu, Sep 4, 2014 at 4:57 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Shawn Pearce <spearce@xxxxxxxxxxx> writes:
>
>> As you know, the stateless HTTP thing doesn't allow the nonce on the
>> server to be carried from the initial ref advertisement into the final
>> receive-pack. We would either need to write the nonce to disk and load
>> it back up later (ick), or use some sort of stateless nonce.
>>
>> A stateless nonce could look like:
>>
>> nonce = HMAC_SHA1( SHA1(site+path) + '.' + now, site_key )
>>
>> where site_key is a private key known to the server. It doesn't have
>> to be per-repo.
>
> Doing the above naively will force you to check 600 HMAC if your
> slack is for 10 minutes. You could just instead use
>
> nonce = now '-' HMAC_SHA1(path + '.' + now, site_key)
>
> and the validation side can make sure the same site_key was used,
> and also "now" readable from the plaintext part is fresh enough,
> with a single HMAC.

Argh. Yes, thank you. This is what I meant but did not write. :(

> I may be missing something, but with this, we can always validate
> that "nonce" is what the repository issued (whether "stateless" is
> used or not). The hook script can decide if "now" is recent enough
> or not without bothering receive-pack at all.

Correct.
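The stateless nonce scheme Junio sketches above, worked through as an added example (not code from the thread or from git itself): the timestamp rides in plaintext, the HMAC binds it to the repository path and the site key, and the verifier needs exactly one HMAC plus a freshness check. The site key, path, slack and status labels are constructed for illustration.

```python
import hmac
import hashlib

# Constructed values, not from the thread: a server-wide secret and a freshness window.
SITE_KEY = b"constructed-site-key-for-illustration"
SLACK_SECONDS = 600  # the 10-minute slack mentioned in the thread


def make_nonce(path: str, now: int, site_key: bytes = SITE_KEY) -> str:
    """nonce = now '-' HMAC_SHA1(path + '.' + now, site_key).

    'now' is left readable so the verifier can check freshness without
    guessing the timestamp; the MAC covers both the path and that timestamp.
    """
    msg = f"{path}.{now}".encode()
    mac = hmac.new(site_key, msg, hashlib.sha1).hexdigest()
    return f"{now}-{mac}"


def check_nonce(nonce: str, path: str, now: int,
                site_key: bytes = SITE_KEY, slack: int = SLACK_SECONDS) -> str:
    """Validate with a single HMAC. Returns one of the constructed labels:
    'ok', 'malformed', 'bad-mac' (wrong key, path, or tampered timestamp),
    or 'stale' (genuine nonce, but outside the slack window)."""
    issued_str, sep, mac = nonce.partition("-")
    if not sep or not issued_str.isdigit():
        return "malformed"
    issued = int(issued_str)
    # Recompute exactly one HMAC over the plaintext timestamp and compare in
    # constant time, so a tampered timestamp fails here before any age check.
    expected = hmac.new(site_key, f"{path}.{issued}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return "bad-mac"
    age = now - issued
    # Reject future-dated nonces as well as ones older than the slack.
    if age < 0 or age > slack:
        return "stale"
    return "ok"
```

The same check can run in a hook after receive-pack, since nothing but the site key and the path is needed to re-derive the MAC.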