Hi! Junio C Hamano <gitster@xxxxxxxxx> writes: > Christoph Egger <christoph@xxxxxxxxxxxxxxxxxxx> writes: > >> Add the http.pinnedpubkey configuration option for public key >> pinning. It allows any string supported by libcurl -- >> base64(sha256(pubkey)) or filename of the full public key. >> >> If cURL does not support pinning (is too old) output a warning to the >> user. >> >> Signed-off-by: Christoph Egger <christoph@xxxxxxxxxxxxxxxxxxx> >> --- > > I needed this fix to unbreak it for those with older versions of > cURL. Jep sorry about that. should have run a second test with old libcurl. I've attached a consolidated patch. Christoph
>From be8112d695de534629bcb3411634d101a74021a7 Mon Sep 17 00:00:00 2001
From: Christoph Egger <christoph@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Feb 2016 23:28:20 +0100
Subject: [PATCH] Implement https public key pinning

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@xxxxxxxxxxxxxxxxxxx>
---
 Documentation/config.txt | 8 ++++++++
 http.c | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
 with when fetching or pushing over HTTPS. Can be overridden
 by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+ Public key of the https service. It may either be the filename of
+ a PEM or DER encoded public key file or a string starting with
+ 'sha256//' followed by the base64 encoded sha256 hash of the
+ public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+ exit with an error if this option is set but not supported by
+ cURL.
+
 http.sslTry::
 Attempt to use AUTH SSL/TLS and encrypted data transfers
 when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..1c295dd 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -299,6 +302,15 @@ static int http_options(const char *var, const char *value, void *cb)
 if (!strcmp("http.useragent", var))
 return git_config_string(&user_agent, var, value);
 
+ if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+ warning(_("Public key pinning not supported with cURL < 7.44.0"));
+ return 0;
+#endif
+ }
+
 /* Fall back on the default ones */
 return git_default_config(var, value, cb);
 }
@@ -499,6 +511,10 @@ static CURL *get_curl_handle(void)
 if (ssl_capath != NULL)
 curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ if (ssl_pinnedkey != NULL)
+ curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 if (ssl_cainfo != NULL)
 curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0
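Review bot: In the `#else` branch of the `http.pinnedpubkey` case in http_options(), a build against cURL older than 7.44.0 prints a warning and returns 0, so the transfer proceeds with no pin enforced, while the Documentation/config.txt hunk of this same patch states that git will exit with an error in that situation. For an option whose purpose is to refuse a connection when the server key does not match, failing open is the riskier behaviour, and a warning is easily lost in scripted or non-interactive use. Either make the branch fatal, e.g. `die(_("Public key pinning not supported with cURL < 7.44.0"));`, or change the documentation sentence to say the option is ignored with a warning. http_options() begins outside the hunk.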
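Review bot: The return value of `curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey)` in get_curl_handle() is discarded, so if libcurl rejects the option at run time the handle is used without a pin and nothing is reported. The `LIBCURL_VERSION_NUM` guard only reflects the headers git was compiled against; the library actually loaded, or its TLS backend, may presumably still lack pinning support, in which case the call returns something other than `CURLE_OK`. Checking the result keeps the setting fail-closed: `if (curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey) != CURLE_OK) die(_("could not set public key pin"));` (message text is a suggestion). The neighbouring setopt calls are unchecked as well, but a silently dropped pin removes the protection the user explicitly asked for. get_curl_handle() continues outside the hunk.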
> http.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/http.c b/http.c
> index a6b8076..3475040 100644
> --- a/http.c
> +++ b/http.c
> @@ -219,13 +219,6 @@ static int http_options(const char *var, const char *value, void *cb)
> if (!strcmp("http.sslcapath", var))
> return git_config_pathname(&ssl_capath, var, value);
> #endif
> - if (!strcmp("http.pinnedpubkey", var))
> -#if LIBCURL_VERSION_NUM >= 0x072c00
> - return git_config_pathname(&ssl_pinnedkey, var, value);
> -#else
> - warning(_("Public key pinning not supported with cURL < 7.44.0"));
> - return 0;
> -#endif
> if (!strcmp("http.sslcainfo", var))
> return git_config_pathname(&ssl_cainfo, var, value);
> if (!strcmp("http.sslcertpasswordprotected", var)) {
> @@ -283,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb)
> if (!strcmp("http.useragent", var))
> return git_config_string(&user_agent, var, value);
>
> + if (!strcmp("http.pinnedpubkey", var)) {
> +#if LIBCURL_VERSION_NUM >= 0x072c00
> + return git_config_pathname(&ssl_pinnedkey, var, value);
> +#else
> + warning(_("Public key pinning not supported with cURL < 7.44.0"));
> + return 0;
> +#endif
> + }
> /* Fall back on the default ones */
> return git_default_config(var, value, cb);
> }
--