undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

http: implement public key pinning

Browse Source 
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Christoph Egger 2016-02-15 15:04:22 +01:00 committed by Junio C Hamano
parent a08595f761
commit aeff8a6121
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Documentation/config.txt
View File

@ -1679,6 +1679,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable. by the 'GIT_SSL_CAPATH' environment variable.
http.pinnedpubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with
'sha256//' followed by the base64 encoded sha256 hash of the
public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
exit with an error if this option is set but not supported by
cURL.
http.sslTry:: http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed when connecting via regular FTP protocol. This might be needed

15
http.c
View File

@ -57,6 +57,9 @@ static const char *ssl_key;
#if LIBCURL_VERSION_NUM >= 0x070908 #if LIBCURL_VERSION_NUM >= 0x070908
static const char *ssl_capath; static const char *ssl_capath;
#endif #endif
#if LIBCURL_VERSION_NUM >= 0x072c00
static const char *ssl_pinnedkey;
#endif
static const char *ssl_cainfo; static const char *ssl_cainfo;
static long curl_low_speed_limit = -1; static long curl_low_speed_limit = -1;
static long curl_low_speed_time = -1; static long curl_low_speed_time = -1;
@ -273,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb)
if (!strcmp("http.useragent", var)) if (!strcmp("http.useragent", var))
return git_config_string(&user_agent, var, value); return git_config_string(&user_agent, var, value);
if (!strcmp("http.pinnedpubkey", var)) {
#if LIBCURL_VERSION_NUM >= 0x072c00
return git_config_pathname(&ssl_pinnedkey, var, value);
#else
warning(_("Public key pinning not supported with cURL < 7.44.0"));
return 0;
#endif
}
/* Fall back on the default ones */ /* Fall back on the default ones */
return git_default_config(var, value, cb); return git_default_config(var, value, cb);
} }
@ -414,6 +425,10 @@ static CURL *get_curl_handle(void)
#if LIBCURL_VERSION_NUM >= 0x070908 #if LIBCURL_VERSION_NUM >= 0x070908
if (ssl_capath != NULL) if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
#endif
#if LIBCURL_VERSION_NUM >= 0x072c00
if (ssl_pinnedkey != NULL)
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
#endif #endif
if (ssl_cainfo != NULL) if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);