* [PATCH] Implement https public key pinning @ 2016-02-11 22:54 Christoph Egger 2016-02-11 23:30 ` Daniel Stenberg 0 siblings, 1 reply; 16+ messages in thread From: Christoph Egger @ 2016-02-11 22:54 UTC (permalink / raw) To: git Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> --- For some more sensitive repositories I'd like to properly pin the public key of the https service. libcURL properly supports this since 7.44.0, some parts earlier, the option just needs to be exposed by git. There seem to be no test regressions. Documentation/config.txt | 6 ++++++ http.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..35b4495 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,12 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..60776cc 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (!strcmp("http.pinnedpubkey", var)) + return git_config_pathname(&ssl_pinnedkey, var, value); +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +506,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x074400 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH] Implement https public key pinning 2016-02-11 22:54 [PATCH] Implement https public key pinning Christoph Egger @ 2016-02-11 23:30 ` Daniel Stenberg 2016-02-12 1:15 ` Christoph Egger 0 siblings, 1 reply; 16+ messages in thread From: Daniel Stenberg @ 2016-02-11 23:30 UTC (permalink / raw) To: Christoph Egger; +Cc: git On Thu, 11 Feb 2016, Christoph Egger wrote: > +#if LIBCURL_VERSION_NUM >= 0x074400 That should probably be 0x072c00 ... -- / daniel.haxx.se ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] Implement https public key pinning 2016-02-11 23:30 ` Daniel Stenberg @ 2016-02-12 1:15 ` Christoph Egger 2016-02-12 1:18 ` [PATCH v2] " Christoph Egger 2016-02-12 10:02 ` [PATCH] " Thomas Gummerer 0 siblings, 2 replies; 16+ messages in thread From: Christoph Egger @ 2016-02-12 1:15 UTC (permalink / raw) To: Daniel Stenberg; +Cc: git [-- Attachment #1: Type: text/plain, Size: 846 bytes --] Daniel Stenberg <daniel@haxx.se> writes: > On Thu, 11 Feb 2016, Christoph Egger wrote: >> +#if LIBCURL_VERSION_NUM >= 0x074400 > > That should probably be 0x072c00 ... This is, of course, right. I used 7.44 / 0x072c00 as base because it has robust support for this feature (including the sha256// variant). One could lower that depending on the compromises one is willing to take FWIW Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL backends not supported. Also some people suggested that git should fail if this option is requested in the config but not supported by the libcurl version instead of falling back to just not pin the key. I'm undecided about that. Christoph [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 818 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH v2] Implement https public key pinning 2016-02-12 1:15 ` Christoph Egger @ 2016-02-12 1:18 ` Christoph Egger 2016-02-12 10:02 ` [PATCH] " Thomas Gummerer 1 sibling, 0 replies; 16+ messages in thread From: Christoph Egger @ 2016-02-12 1:18 UTC (permalink / raw) To: git Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> --- Documentation/config.txt | 6 ++++++ http.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..35b4495 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,12 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..5549fe5 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (!strcmp("http.pinnedpubkey", var)) + return git_config_pathname(&ssl_pinnedkey, var, value); +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +506,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH] Implement https public key pinning 2016-02-12 1:15 ` Christoph Egger 2016-02-12 1:18 ` [PATCH v2] " Christoph Egger @ 2016-02-12 10:02 ` Thomas Gummerer 2016-02-12 18:37 ` Jeff King 1 sibling, 1 reply; 16+ messages in thread From: Thomas Gummerer @ 2016-02-12 10:02 UTC (permalink / raw) To: Christoph Egger; +Cc: Daniel Stenberg, git On 02/12, Christoph Egger wrote: > Daniel Stenberg <daniel@haxx.se> writes: > > On Thu, 11 Feb 2016, Christoph Egger wrote: > >> +#if LIBCURL_VERSION_NUM >= 0x074400 > > > > That should probably be 0x072c00 ... > > This is, of course, right. > > I used 7.44 / 0x072c00 as base because it has robust support for this > feature (including the sha256// variant). One could lower that depending > on the compromises one is willing to take FWIW > > Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS > and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added > in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL > backends not supported. > > Also some people suggested that git should fail if this option is > requested in the config but not supported by the libcurl version instead > of falling back to just not pin the key. I'm undecided about that. This seems to have been suggested off list (or at least I can't find the message). FWIW I do agree with failing or as a bare minimum warning the user if the config option is set, but not supported by the libcurl version. Otherwise we risk giving the user a false sense of security when the option is set, which is arguably worse than not having the security option at all. > Christoph ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] Implement https public key pinning 2016-02-12 10:02 ` [PATCH] " Thomas Gummerer @ 2016-02-12 18:37 ` Jeff King 2016-02-15 13:58 ` Christoph Egger 0 siblings, 1 reply; 16+ messages in thread From: Jeff King @ 2016-02-12 18:37 UTC (permalink / raw) To: Thomas Gummerer; +Cc: Christoph Egger, Daniel Stenberg, git On Fri, Feb 12, 2016 at 11:02:26AM +0100, Thomas Gummerer wrote: > > Also some people suggested that git should fail if this option is > > requested in the config but not supported by the libcurl version instead > > of falling back to just not pin the key. I'm undecided about that. > > This seems to have been suggested off list (or at least I can't find > the message). FWIW I do agree with failing or as a bare minimum > warning the user if the config option is set, but not supported by the > libcurl version. Otherwise we risk giving the user a false sense of > security when the option is set, which is arguably worse than not > having the security option at all. We can't do this perfectly, because older versions of git do not yet know about the option, and will therefore just silently ignore it. And for consistency there, we usually do the same for features that we know about but are unsupported. But I agree for something with security implications like this, we are better off warning when we know support is not built in. That's not perfect, but it's better than nothing. I wonder if there are other options which should get the same treatment. Most of the obvious ones I could think of (e.g., http.sslverify) do not need it, because either they always have support built, or they fail-closed, or both. -Peff ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] Implement https public key pinning 2016-02-12 18:37 ` Jeff King @ 2016-02-15 13:58 ` Christoph Egger 2016-02-15 14:04 ` [PATCH +warn] " Christoph Egger 0 siblings, 1 reply; 16+ messages in thread From: Christoph Egger @ 2016-02-15 13:58 UTC (permalink / raw) To: Jeff King; +Cc: Thomas Gummerer, Daniel Stenberg, git [-- Attachment #1: Type: text/plain, Size: 1175 bytes --] Jeff King <peff@peff.net> writes: > We can't do this perfectly, because older versions of git do not yet > know about the option, and will therefore just silently ignore it. And > for consistency there, we usually do the same for features that we know > about but are unsupported. Jep that's why I originally did it this way. But if I (the user) just have to check the git version to know I'm fine (and not also check which version of curl it is linked with) to be sure I'd assume that's an improvement still. > But I agree for something with security implications like this, we are > better off warning when we know support is not built in. That's not > perfect, but it's better than nothing. I'll add an updated patch taking this into account > I wonder if there are other options which should get the same treatment. > Most of the obvious ones I could think of (e.g., http.sslverify) do not > need it, because either they always have support built, or they > fail-closed, or both. does CURLOPT_CAPATH add to CURLOPT_CAINFO or replace it? The documentation [0] is inconclusive to me in this regard. Christoph [0] https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 818 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH +warn] Implement https public key pinning 2016-02-15 13:58 ` Christoph Egger @ 2016-02-15 14:04 ` Christoph Egger 2016-02-15 23:25 ` Junio C Hamano 2016-02-17 21:05 ` Junio C Hamano 0 siblings, 2 replies; 16+ messages in thread From: Christoph Egger @ 2016-02-15 14:04 UTC (permalink / raw) To: git Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> --- This version of the patch adds a warning to the user if the option is not supported. Documentation/config.txt | 8 ++++++++ http.c | 14 ++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..0bb9237 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -239,6 +242,13 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif + if (!strcmp("http.pinnedpubkey", var)) +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +509,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-15 14:04 ` [PATCH +warn] " Christoph Egger @ 2016-02-15 23:25 ` Junio C Hamano 2016-02-16 1:22 ` Jeff King 2016-02-17 21:05 ` Junio C Hamano 1 sibling, 1 reply; 16+ messages in thread From: Junio C Hamano @ 2016-02-15 23:25 UTC (permalink / raw) To: Christoph Egger; +Cc: git Thanks. This, when applied on top of 2.7.1, however seems to break at least t5541 and t5551. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-15 23:25 ` Junio C Hamano @ 2016-02-16 1:22 ` Jeff King 2016-02-16 3:19 ` Junio C Hamano 0 siblings, 1 reply; 16+ messages in thread From: Jeff King @ 2016-02-16 1:22 UTC (permalink / raw) To: Junio C Hamano; +Cc: Christoph Egger, git On Mon, Feb 15, 2016 at 03:25:32PM -0800, Junio C Hamano wrote: > Thanks. This, when applied on top of 2.7.1, however seems to break > at least t5541 and t5551. Hrm. I cannot see how the new code can possibly do anything unless http.pinnedpubkey is set, and our tests don't do that. Neither t5541 nor t5551 fails for me with the patch on top of v2.7.1 (or current "pu", for that matter). What does the failure look like? -Peff ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-16 1:22 ` Jeff King @ 2016-02-16 3:19 ` Junio C Hamano 2016-02-16 3:28 ` Jeff King 0 siblings, 1 reply; 16+ messages in thread From: Junio C Hamano @ 2016-02-16 3:19 UTC (permalink / raw) To: Jeff King; +Cc: Christoph Egger, git Jeff King <peff@peff.net> writes: > On Mon, Feb 15, 2016 at 03:25:32PM -0800, Junio C Hamano wrote: > >> Thanks. This, when applied on top of 2.7.1, however seems to break >> at least t5541 and t5551. > > Hrm. I cannot see how the new code can possibly do anything unless > http.pinnedpubkey is set, and our tests don't do that. Neither t5541 nor > t5551 fails for me with the patch on top of v2.7.1 (or current "pu", for > that matter). > What does the failure look like? In t5541, #17 "push (chunked)" fails. The test expects to see "POST git-receive-pack (chunked)" in the error output, but here is what I see in $TRASH/test_repo_clone/err: Pushing to http://127.0.0.1:5541/smart/test_repo.git POST git-receive-pack (467 bytes) To http://127.0.0.1:5541/smart/test_repo.git 8598732..09a7db2 master -> master updating local tracking ref 'refs/remotes/origin/master' "git reset --hard HEAD^" to get rid of this patch before retesting makes the same test pass, so even though I cannot see how this could make any difference, it apparently is making some difference. #define LIBCURL_VERSION_NUM 0x072300 I suspect that "#else" is too agressive to bail out or something silly like that. Oh, I think I found it. @@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif + if (!strcmp("http.pinnedpubkey", var)) +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif We are not writing in Python. Indenting the second line the same way does not make it part of the block. Of course by inserting the new config in the earlier part of the function, it broke everything that comes after. if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -415,6 +425,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-16 3:19 ` Junio C Hamano @ 2016-02-16 3:28 ` Jeff King 2016-02-16 11:19 ` [PATCH +warn2] " Christoph Egger 2016-02-16 21:20 ` [PATCH +warn] " Junio C Hamano 0 siblings, 2 replies; 16+ messages in thread From: Jeff King @ 2016-02-16 3:28 UTC (permalink / raw) To: Junio C Hamano; +Cc: Christoph Egger, git On Mon, Feb 15, 2016 at 07:19:07PM -0800, Junio C Hamano wrote: > I suspect that "#else" is too agressive to bail out or something > silly like that. > > Oh, I think I found it. > > @@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb) > if (!strcmp("http.sslcapath", var)) > return git_config_pathname(&ssl_capath, var, value); > #endif > + if (!strcmp("http.pinnedpubkey", var)) > +#if LIBCURL_VERSION_NUM >= 0x072c00 > + return git_config_pathname(&ssl_pinnedkey, var, value); > +#else > + warning(_("Public key pinning not supported with cURL < 7.44.0")); > + return 0; > +#endif > > We are not writing in Python. Indenting the second line the same > way does not make it part of the block. Of course by inserting the > new config in the earlier part of the function, it broke everything > that comes after. Oof. Good eyes. I suspected something funny with the #if, but after starting at it for minutes, couldn't see it. That makes sense, and the fix is obvious. -Peff ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH +warn2] Implement https public key pinning 2016-02-16 3:28 ` Jeff King @ 2016-02-16 11:19 ` Christoph Egger 2016-02-16 21:20 ` [PATCH +warn] " Junio C Hamano 1 sibling, 0 replies; 16+ messages in thread From: Christoph Egger @ 2016-02-16 11:19 UTC (permalink / raw) To: git Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> --- Now tested again both with and without a "new enough" cURL version. Passes tests in both configurations and is obviously more correct. Documentation/config.txt | 8 ++++++++ http.c | 15 +++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..f640a8b 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -239,6 +242,14 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +510,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-16 3:28 ` Jeff King 2016-02-16 11:19 ` [PATCH +warn2] " Christoph Egger @ 2016-02-16 21:20 ` Junio C Hamano 1 sibling, 0 replies; 16+ messages in thread From: Junio C Hamano @ 2016-02-16 21:20 UTC (permalink / raw) To: Jeff King; +Cc: Christoph Egger, git Jeff King <peff@peff.net> writes: > On Mon, Feb 15, 2016 at 07:19:07PM -0800, Junio C Hamano wrote: > >> I suspect that "#else" is too agressive to bail out or something >> silly like that. >> >> Oh, I think I found it. >> >> @@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb) >> if (!strcmp("http.sslcapath", var)) >> return git_config_pathname(&ssl_capath, var, value); >> #endif >> + if (!strcmp("http.pinnedpubkey", var)) >> +#if LIBCURL_VERSION_NUM >= 0x072c00 >> + return git_config_pathname(&ssl_pinnedkey, var, value); >> +#else >> + warning(_("Public key pinning not supported with cURL < 7.44.0")); >> + return 0; >> +#endif >> >> We are not writing in Python. Indenting the second line the same >> way does not make it part of the block. Of course by inserting the >> new config in the earlier part of the function, it broke everything >> that comes after. > > Oof. Good eyes. I suspected something funny with the #if, but after > starting at it for minutes, couldn't see it. > > That makes sense, and the fix is obvious. Yup. I think I sent a patch already and I followed the "when adding a new thing to a set, add it at the end unless there is other reason to place it elsewhere". Thanks. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-15 14:04 ` [PATCH +warn] " Christoph Egger 2016-02-15 23:25 ` Junio C Hamano @ 2016-02-17 21:05 ` Junio C Hamano 2016-02-22 15:41 ` Christoph Egger 1 sibling, 1 reply; 16+ messages in thread From: Junio C Hamano @ 2016-02-17 21:05 UTC (permalink / raw) To: Christoph Egger; +Cc: git Christoph Egger <christoph@christoph-egger.org> writes: > Add the http.pinnedpubkey configuration option for public key > pinning. It allows any string supported by libcurl -- > base64(sha256(pubkey)) or filename of the full public key. > > If cURL does not support pinning (is too old) output a warning to the > user. > > Signed-off-by: Christoph Egger <christoph@christoph-egger.org> > --- I needed this fix to unbreak it for those with older versions of cURL. http.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/http.c b/http.c index a6b8076..3475040 100644 --- a/http.c +++ b/http.c @@ -219,13 +219,6 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(&ssl_capath, var, value); #endif - if (!strcmp("http.pinnedpubkey", var)) -#if LIBCURL_VERSION_NUM >= 0x072c00 - return git_config_pathname(&ssl_pinnedkey, var, value); -#else - warning(_("Public key pinning not supported with cURL < 7.44.0")); - return 0; -#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(&ssl_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -283,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.useragent", var)) return git_config_string(&user_agent, var, value); + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } /* Fall back on the default ones */ return git_default_config(var, value, cb); } ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH +warn] Implement https public key pinning 2016-02-17 21:05 ` Junio C Hamano @ 2016-02-22 15:41 ` Christoph Egger 0 siblings, 0 replies; 16+ messages in thread From: Christoph Egger @ 2016-02-22 15:41 UTC (permalink / raw) To: Junio C Hamano; +Cc: git [-- Attachment #1: Type: text/plain, Size: 651 bytes --] Hi! Junio C Hamano <gitster@pobox.com> writes: > Christoph Egger <christoph@christoph-egger.org> writes: > >> Add the http.pinnedpubkey configuration option for public key >> pinning. It allows any string supported by libcurl -- >> base64(sha256(pubkey)) or filename of the full public key. >> >> If cURL does not support pinning (is too old) output a warning to the >> user. >> >> Signed-off-by: Christoph Egger <christoph@christoph-egger.org> >> --- > > I needed this fix to unbreak it for those with older versions of > cURL. Jep sorry about that. should have run a second test with old libcurl. I've attached a consolidated patch. Christoph [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-Implement-https-public-key-pinning.patch --] [-- Type: text/x-diff, Size: 2766 bytes --] >From be8112d695de534629bcb3411634d101a74021a7 Mon Sep 17 00:00:00 2001 From: Christoph Egger <christoph@christoph-egger.org> Date: Thu, 11 Feb 2016 23:28:20 +0100 Subject: [PATCH] Implement https public key pinning Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> --- Documentation/config.txt | 8 ++++++++ http.c | 16 ++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..1c295dd 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -299,6 +302,15 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.useragent", var)) return git_config_string(&user_agent, var, value); + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(&ssl_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } + /* Fall back on the default ones */ return git_default_config(var, value, cb); } @@ -499,6 +511,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 [-- Attachment #3: Type: text/plain, Size: 1330 bytes --] > http.c | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > > diff --git a/http.c b/http.c > index a6b8076..3475040 100644 > --- a/http.c > +++ b/http.c > @@ -219,13 +219,6 @@ static int http_options(const char *var, const char *value, void *cb) > if (!strcmp("http.sslcapath", var)) > return git_config_pathname(&ssl_capath, var, value); > #endif > - if (!strcmp("http.pinnedpubkey", var)) > -#if LIBCURL_VERSION_NUM >= 0x072c00 > - return git_config_pathname(&ssl_pinnedkey, var, value); > -#else > - warning(_("Public key pinning not supported with cURL < 7.44.0")); > - return 0; > -#endif > if (!strcmp("http.sslcainfo", var)) > return git_config_pathname(&ssl_cainfo, var, value); > if (!strcmp("http.sslcertpasswordprotected", var)) { > @@ -283,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb) > if (!strcmp("http.useragent", var)) > return git_config_string(&user_agent, var, value); > > + if (!strcmp("http.pinnedpubkey", var)) { > +#if LIBCURL_VERSION_NUM >= 0x072c00 > + return git_config_pathname(&ssl_pinnedkey, var, value); > +#else > + warning(_("Public key pinning not supported with cURL < 7.44.0")); > + return 0; > +#endif > + } > /* Fall back on the default ones */ > return git_default_config(var, value, cb); > } -- ^ permalink raw reply related [flat|nested] 16+ messages in thread
end of thread, other threads:[~2016-02-22 15:42 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-02-11 22:54 [PATCH] Implement https public key pinning Christoph Egger 2016-02-11 23:30 ` Daniel Stenberg 2016-02-12 1:15 ` Christoph Egger 2016-02-12 1:18 ` [PATCH v2] " Christoph Egger 2016-02-12 10:02 ` [PATCH] " Thomas Gummerer 2016-02-12 18:37 ` Jeff King 2016-02-15 13:58 ` Christoph Egger 2016-02-15 14:04 ` [PATCH +warn] " Christoph Egger 2016-02-15 23:25 ` Junio C Hamano 2016-02-16 1:22 ` Jeff King 2016-02-16 3:19 ` Junio C Hamano 2016-02-16 3:28 ` Jeff King 2016-02-16 11:19 ` [PATCH +warn2] " Christoph Egger 2016-02-16 21:20 ` [PATCH +warn] " Junio C Hamano 2016-02-17 21:05 ` Junio C Hamano 2016-02-22 15:41 ` Christoph Egger
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.