From cd27f604e41475633d068d3f4852ab6b597c5e75 Mon Sep 17 00:00:00 2001 From: John Szakmeister Date: Thu, 11 Mar 2021 21:40:26 -0500 Subject: http: store credential when PKI auth is used We already looked for the PKI credentials in the credential store, but failed to approve it on success. Meaning, the PKI certificate password was never stored and git would request it on every connection to the remote. Let's complete the chain by storing the certificate password on success. Likewise, we also need to reject the credential when there is a failure. Curl appears to report client-related certificate issues are reported with the CURLE_SSL_CERTPROBLEM error. This includes not only a bad password, but potentially other client certificate related problems. Since we cannot get more information from curl, we'll go ahead and reject the credential upon receiving that error, just to be safe and avoid caching or saving a bad password. Signed-off-by: John Szakmeister Signed-off-by: Junio C Hamano --- http.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/http.c b/http.c index f8ea28bb2e..60d01c6e83 100644 --- a/http.c +++ b/http.c @@ -1637,7 +1637,17 @@ static int handle_curl_result(struct slot_results *results) credential_approve(&http_auth); if (proxy_auth.password) credential_approve(&proxy_auth); + credential_approve(&cert_auth); return HTTP_OK; + } else if (results->curl_result == CURLE_SSL_CERTPROBLEM) { + /* + * We can't tell from here whether it's a bad path, bad + * certificate, bad password, or something else wrong + * with the certificate. So we reject the credential to + * avoid caching or saving a bad password. + */ + credential_reject(&cert_auth); + return HTTP_NOAUTH; } else if (missing_target(results)) return HTTP_MISSING_TARGET; else if (results->http_code == 401) { -- cgit v1.2.3 From a4a4439fdf2fa5867b3f30040be535cff65b8a42 Mon Sep 17 00:00:00 2001 From: John Szakmeister Date: Thu, 11 Mar 2021 21:40:27 -0500 Subject: http: drop the check for an empty proxy password before approving credential_approve() already checks for a non-empty password before saving, so there's no need to do the extra check here. Signed-off-by: John Szakmeister Signed-off-by: Junio C Hamano --- http.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/http.c b/http.c index 60d01c6e83..3aeabf0947 100644 --- a/http.c +++ b/http.c @@ -1635,8 +1635,7 @@ static int handle_curl_result(struct slot_results *results) if (results->curl_result == CURLE_OK) { credential_approve(&http_auth); - if (proxy_auth.password) - credential_approve(&proxy_auth); + credential_approve(&proxy_auth); credential_approve(&cert_auth); return HTTP_OK; } else if (results->curl_result == CURLE_SSL_CERTPROBLEM) { -- cgit v1.2.3