diff options
| author |  Christoph Egger <christoph@christoph-egger.org> | 2016-02-15 15:04:22 +0100 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2016-02-15 19:21:48 -0800 |
| commit | aeff8a61216bf6e0d663c08c583bc8552fa3c344 (patch) | |
| tree | 56089a2c0b99c783ee4ebed5bf90445c32b0fa3c | |
| parent | Git 2.7.1 (diff) | |
| download | tgif-aeff8a61216bf6e0d663c08c583bc8552fa3c344.tar.xz | |
http: implement public key pinning
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.
If cURL does not support pinning (is too old) output a warning to the
user.
Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | Documentation/config.txt | 8 | ||||
| -rw-r--r-- | http.c | 15 |
2 files changed, 23 insertions, 0 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt index f61788668e..bc0237fd62 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1679,6 +1679,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -273,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.useragent", var)) return git_config_string(&user_agent, var, value); + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } /* Fall back on the default ones */ return git_default_config(var, value, cb); } @@ -415,6 +426,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); |