Merge branch 'ce/https-public-key-pinning'
You can now set http.[<url>.]pinnedpubkey to specify the pinned public key when building with recent enough versions of libcURL. * ce/https-public-key-pinning: http: implement public key pinning
This commit is contained in:
Junio C Hamano
commit
e79112d210
@ -1733,6 +1733,14 @@ http.sslCAPath::
|
|||||||
with when fetching or pushing over HTTPS. Can be overridden
|
with when fetching or pushing over HTTPS. Can be overridden
|
||||||
by the 'GIT_SSL_CAPATH' environment variable.
|
by the 'GIT_SSL_CAPATH' environment variable.
|
||||||
|
|
||||||
|
http.pinnedpubkey::
|
||||||
|
Public key of the https service. It may either be the filename of
|
||||||
|
a PEM or DER encoded public key file or a string starting with
|
||||||
|
'sha256//' followed by the base64 encoded sha256 hash of the
|
||||||
|
public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
|
||||||
|
exit with an error if this option is set but not supported by
|
||||||
|
cURL.
|
||||||
|
|
||||||
http.sslTry::
|
http.sslTry::
|
||||||
Attempt to use AUTH SSL/TLS and encrypted data transfers
|
Attempt to use AUTH SSL/TLS and encrypted data transfers
|
||||||
when connecting via regular FTP protocol. This might be needed
|
when connecting via regular FTP protocol. This might be needed
|
||||||
|
|||||||
16
http.c
16
http.c
@ -62,6 +62,9 @@ static const char *ssl_key;
|
|||||||
#if LIBCURL_VERSION_NUM >= 0x070908
|
#if LIBCURL_VERSION_NUM >= 0x070908
|
||||||
static const char *ssl_capath;
|
static const char *ssl_capath;
|
||||||
#endif
|
#endif
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x072c00
|
||||||
|
static const char *ssl_pinnedkey;
|
||||||
|
#endif
|
||||||
static const char *ssl_cainfo;
|
static const char *ssl_cainfo;
|
||||||
static long curl_low_speed_limit = -1;
|
static long curl_low_speed_limit = -1;
|
||||||
static long curl_low_speed_time = -1;
|
static long curl_low_speed_time = -1;
|
||||||
@ -310,6 +313,15 @@ static int http_options(const char *var, const char *value, void *cb)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmp("http.pinnedpubkey", var)) {
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x072c00
|
||||||
|
return git_config_pathname(&ssl_pinnedkey, var, value);
|
||||||
|
#else
|
||||||
|
warning(_("Public key pinning not supported with cURL < 7.44.0"));
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
/* Fall back on the default ones */
|
/* Fall back on the default ones */
|
||||||
return git_default_config(var, value, cb);
|
return git_default_config(var, value, cb);
|
||||||
}
|
}
|
||||||
@ -512,6 +524,10 @@ static CURL *get_curl_handle(void)
|
|||||||
#if LIBCURL_VERSION_NUM >= 0x070908
|
#if LIBCURL_VERSION_NUM >= 0x070908
|
||||||
if (ssl_capath != NULL)
|
if (ssl_capath != NULL)
|
||||||
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
|
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
|
||||||
|
#endif
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x072c00
|
||||||
|
if (ssl_pinnedkey != NULL)
|
||||||
|
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
|
||||||
#endif
|
#endif
|
||||||
if (ssl_cainfo != NULL)
|
if (ssl_cainfo != NULL)
|
||||||
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
|
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user