On Wed, Mar 10, 2021 at 3:01 PM Jeff King <peff@xxxxxxxx> wrote: [snip] > I think it was just something that nobody ever cared about before. The > cert password request got converted to credential_fill() as part of > 148bb6a7b4 (http: use credential API to get passwords, 2011-12-10). That > commit added approve/reject for http, because that's what I really cared > about, but the intent was always to treat most password queries > consistently. I figured it'd be something like that, but wanted to ask, just in case. :-) > > diff --git a/http.c b/http.c > > index f8ea28bb2e..440890695f 100644 > > --- a/http.c > > +++ b/http.c > > @@ -1637,6 +1637,8 @@ static int handle_curl_result(struct slot_results *results) > > credential_approve(&http_auth); > > if (proxy_auth.password) > > credential_approve(&proxy_auth); > > + if (cert_auth.password) > > + credential_approve(&cert_auth); > > So I think this is the right direction, but: > > - you'd need a credential_reject() somewhere, too. Otherwise a bad > password will get stored and then reused over and over, with no > opportunity to tell the helper to forget about it. Right, I totally forgot about that aspect of this. > - is this the best spot to check that our password was right? We only > care about unlocking the local cert, which in theory is independent > of what the server tells us. I suspect we can't really tell the > difference, though (we hand the cert path and password off to curl, > and then hopefully a request is successful). So this may be the best > we can do for approval. But for rejection, I doubt that a 401 would > be the right response. How does curl respond when the password is > bad? Likewise, what happens if the password is bad but the server is > willing to make the request anyway (does curl bail immediately, or > might we get an HTTP 200 even with a bad cert password)? It turns out that it was the right spot. Curl will report CURLE_SSL_CERTPROBLEM when provided a bad password, so I ended up checking for that and using it to reject the credential. It's a bit loose in that other problems with the client certificate could cause the same error, but there's not a good way to know whether the issue was password-related or not. So the new patch set will just reject it, even if the issue was ultimately some other problem with the cert. It seemed like the best response given the information we have. > - I think proxy_cert_auth would probably want the same treatment. Oh, I think I misread this before making my fixes. I think what you're saying here is that proxy_cert_auth should be approved and rejected in the same spots as the client cert auth? I missed that but am happy to add it, if that's what you meant. The only trouble is that I don't have a great way of checking that particular feature. > - The "if (cert_auth.password)" is redundant. credential_approve() > will return silently if there is no password to approve. I know > you're copying the pattern from directly above, but I think that one > should be cleaned up, too. Done. > (I also was mildly surprised that this worked at all, since > credential_approve() will bail if there is no username field. But > the cert code fills in an empty username). > > Most of those are "nice to have" improvements over what you have here, > but I think without a matching reject() this would be a regression. No worries. If we can figure out the details, I'm happy to add it. -John
