Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.
If cURL does not support pinning (is too old) output a warning to the
user.
Signed-off-by: Christoph Egger <christoph@xxxxxxxxxxxxxxxxxxx>
---
Now tested again both with and without a "new enough" cURL version.
Passes tests in both configurations and is obviously more correct.
Documentation/config.txt | 8 ++++++++
http.c | 15 +++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
+http.pinnedpubkey::
+ Public key of the https service. It may either be the filename of
+ a PEM or DER encoded public key file or a string starting with
+ 'sha256//' followed by the base64 encoded sha256 hash of the
+ public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+ exit with an error if this option is set but not supported by
+ cURL.
+
http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..f640a8b 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
#if LIBCURL_VERSION_NUM >= 0x070908
static const char *ssl_capath;
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
static const char *ssl_cainfo;
static long curl_low_speed_limit = -1;
static long curl_low_speed_time = -1;
@@ -239,6 +242,14 @@ static int http_options(const char *var, const char *value, void *cb)
if (!strcmp("http.sslcapath", var))
return git_config_pathname(&ssl_capath, var, value);
#endif
+ if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+ warning(_("Public key pinning not supported with cURL < 7.44.0"));
+ return 0;
+#endif
+ }
if (!strcmp("http.sslcainfo", var))
return git_config_pathname(&ssl_cainfo, var, value);
if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +510,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ if (ssl_pinnedkey != NULL)
+ curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
--
2.7.0
--
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html