[PATCH] Implement https public key pinning

[PATCH] Implement https public key pinning

[Christoph Egger]

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---

 For some more sensitive repositories I'd like to properly pin the
 public key of the https service. libcURL properly supports this since
 7.44.0, some parts earlier, the option just needs to be exposed by
 git.

 There seem to be no test regressions.

 Documentation/config.txt |  6 ++++++
 http.c                   | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..60776cc 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (!strcmp("http.pinnedpubkey", var))
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#endif
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x074400
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


-- 

Re: [PATCH] Implement https public key pinning

[Daniel Stenberg]

On Thu, 11 Feb 2016, Christoph Egger wrote:

> +#if LIBCURL_VERSION_NUM >= 0x074400

That should probably be 0x072c00 ...

-- 

  / daniel.haxx.se

Re: [PATCH] Implement https public key pinning

[Christoph Egger]

[-- Attachment #1: Type: text/plain, Size: 846 bytes --]

Daniel Stenberg <daniel@haxx.se> writes:
> On Thu, 11 Feb 2016, Christoph Egger wrote:
>> +#if LIBCURL_VERSION_NUM >= 0x074400
>
> That should probably be 0x072c00 ...

This is, of course, right.

I used 7.44 / 0x072c00 as base because it has robust support for this
feature (including the sha256// variant). One could lower that depending
on the compromises one is willing to take FWIW

  Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS
  and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added
  in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL
  backends not supported.

Also some people suggested that git should fail if this option is
requested in the config but not supported by the libcurl version instead
of falling back to just not pin the key. I'm undecided about that.

  Christoph

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

[PATCH v2] Implement https public key pinning

[Christoph Egger]

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---
 Documentation/config.txt |  6 ++++++
 http.c                   | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..5549fe5 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (!strcmp("http.pinnedpubkey", var))
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#endif
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


-- 

Re: [PATCH] Implement https public key pinning

[Thomas Gummerer]

On 02/12, Christoph Egger wrote:
> Daniel Stenberg <daniel@haxx.se> writes:
> > On Thu, 11 Feb 2016, Christoph Egger wrote:
> >> +#if LIBCURL_VERSION_NUM >= 0x074400
> >
> > That should probably be 0x072c00 ...
>
> This is, of course, right.
>
> I used 7.44 / 0x072c00 as base because it has robust support for this
> feature (including the sha256// variant). One could lower that depending
> on the compromises one is willing to take FWIW
>
>   Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS
>   and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added
>   in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL
>   backends not supported.
>
> Also some people suggested that git should fail if this option is
> requested in the config but not supported by the libcurl version instead
> of falling back to just not pin the key. I'm undecided about that.

This seems to have been suggested off list (or at least I can't find
the message).  FWIW I do agree with failing or as a bare minimum
warning the user if the config option is set, but not supported by the
libcurl version.  Otherwise we risk giving the user a false sense of
security when the option is set, which is arguably worse than not
having the security option at all.

>   Christoph

Re: [PATCH] Implement https public key pinning

[Jeff King]

On Fri, Feb 12, 2016 at 11:02:26AM +0100, Thomas Gummerer wrote:

> > Also some people suggested that git should fail if this option is
> > requested in the config but not supported by the libcurl version instead
> > of falling back to just not pin the key. I'm undecided about that.
> 
> This seems to have been suggested off list (or at least I can't find
> the message).  FWIW I do agree with failing or as a bare minimum
> warning the user if the config option is set, but not supported by the
> libcurl version.  Otherwise we risk giving the user a false sense of
> security when the option is set, which is arguably worse than not
> having the security option at all.

We can't do this perfectly, because older versions of git do not yet
know about the option, and will therefore just silently ignore it. And
for consistency there, we usually do the same for features that we know
about but are unsupported.

But I agree for something with security implications like this, we are
better off warning when we know support is not built in. That's not
perfect, but it's better than nothing.

I wonder if there are other options which should get the same treatment.
Most of the obvious ones I could think of (e.g., http.sslverify) do not
need it, because either they always have support built, or they
fail-closed, or both.

-Peff

Re: [PATCH] Implement https public key pinning

[Christoph Egger]

[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]

Jeff King <peff@peff.net> writes:
> We can't do this perfectly, because older versions of git do not yet
> know about the option, and will therefore just silently ignore it. And
> for consistency there, we usually do the same for features that we know
> about but are unsupported.

Jep that's why I originally did it this way. But if I (the user) just
have to check the git version to know I'm fine (and not also check which
version of curl it is linked with) to be sure I'd assume that's an
improvement still.

> But I agree for something with security implications like this, we are
> better off warning when we know support is not built in. That's not
> perfect, but it's better than nothing.

I'll add an updated patch taking this into account

> I wonder if there are other options which should get the same treatment.
> Most of the obvious ones I could think of (e.g., http.sslverify) do not
> need it, because either they always have support built, or they
> fail-closed, or both.

does CURLOPT_CAPATH add to CURLOPT_CAINFO or replace it? The
documentation [0] is inconclusive to me in this regard.

  Christoph

[0] https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

[PATCH +warn] Implement https public key pinning

[Christoph Egger]

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---

 This version of the patch adds a warning to the user if the option is
 not supported.

 Documentation/config.txt |  8 ++++++++
 http.c                   | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+	exit with an error if this option is set but not supported by
+	cURL.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..0bb9237 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,13 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+	if (!strcmp("http.pinnedpubkey", var))
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +509,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


-- 

Re: [PATCH +warn] Implement https public key pinning

[Junio C Hamano]

Thanks.  This, when applied on top of 2.7.1, however seems to break
at least t5541 and t5551.

Re: [PATCH +warn] Implement https public key pinning

[Jeff King]

On Mon, Feb 15, 2016 at 03:25:32PM -0800, Junio C Hamano wrote:

> Thanks.  This, when applied on top of 2.7.1, however seems to break
> at least t5541 and t5551.

Hrm. I cannot see how the new code can possibly do anything unless
http.pinnedpubkey is set, and our tests don't do that. Neither t5541 nor
t5551 fails for me with the patch on top of v2.7.1 (or current "pu", for
that matter).

What does the failure look like?

-Peff

Re: [PATCH +warn] Implement https public key pinning

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Mon, Feb 15, 2016 at 03:25:32PM -0800, Junio C Hamano wrote:
>
>> Thanks.  This, when applied on top of 2.7.1, however seems to break
>> at least t5541 and t5551.
>
> Hrm. I cannot see how the new code can possibly do anything unless
> http.pinnedpubkey is set, and our tests don't do that. Neither t5541 nor
> t5551 fails for me with the patch on top of v2.7.1 (or current "pu", for
> that matter).

> What does the failure look like?

In t5541, #17 "push (chunked)" fails.

The test expects to see "POST git-receive-pack (chunked)" in the
error output, but here is what I see in $TRASH/test_repo_clone/err:

    Pushing to http://127.0.0.1:5541/smart/test_repo.git
    POST git-receive-pack (467 bytes)
    To http://127.0.0.1:5541/smart/test_repo.git
       8598732..09a7db2  master -> master
    updating local tracking ref 'refs/remotes/origin/master'

"git reset --hard HEAD^" to get rid of this patch before retesting
makes the same test pass, so even though I cannot see how this could
make any difference, it apparently is making some difference.

#define LIBCURL_VERSION_NUM 0x072300

I suspect that "#else" is too agressive to bail out or something
silly like that.

Oh, I think I found it.

@@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+	if (!strcmp("http.pinnedpubkey", var))
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif

We are not writing in Python.  Indenting the second line the same
way does not make it part of the block.  Of course by inserting the
new config in the earlier part of the function, it broke everything
that comes after.




 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -415,6 +425,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 

Re: [PATCH +warn] Implement https public key pinning

[Jeff King]

On Mon, Feb 15, 2016 at 07:19:07PM -0800, Junio C Hamano wrote:

> I suspect that "#else" is too agressive to bail out or something
> silly like that.
> 
> Oh, I think I found it.
> 
> @@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb)
>  	if (!strcmp("http.sslcapath", var))
>  		return git_config_pathname(&ssl_capath, var, value);
>  #endif
> +	if (!strcmp("http.pinnedpubkey", var))
> +#if LIBCURL_VERSION_NUM >= 0x072c00
> +		return git_config_pathname(&ssl_pinnedkey, var, value);
> +#else
> +		warning(_("Public key pinning not supported with cURL < 7.44.0"));
> +		return 0;
> +#endif
> 
> We are not writing in Python.  Indenting the second line the same
> way does not make it part of the block.  Of course by inserting the
> new config in the earlier part of the function, it broke everything
> that comes after.

Oof. Good eyes. I suspected something funny with the #if, but after
starting at it for minutes, couldn't see it.

That makes sense, and the fix is obvious.

-Peff

[PATCH +warn2] Implement https public key pinning

[Christoph Egger]

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---

 Now tested again both with and without a "new enough" cURL version.
 Passes tests in both configurations and is obviously more correct.

 Documentation/config.txt |  8 ++++++++
 http.c                   | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+	exit with an error if this option is set but not supported by
+	cURL.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..f640a8b 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,14 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+	if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif
+	}
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +510,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


-- 

Re: [PATCH +warn] Implement https public key pinning

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Mon, Feb 15, 2016 at 07:19:07PM -0800, Junio C Hamano wrote:
>
>> I suspect that "#else" is too agressive to bail out or something
>> silly like that.
>> 
>> Oh, I think I found it.
>> 
>> @@ -216,6 +219,13 @@ static int http_options(const char *var, const char *value, void *cb)
>>  	if (!strcmp("http.sslcapath", var))
>>  		return git_config_pathname(&ssl_capath, var, value);
>>  #endif
>> +	if (!strcmp("http.pinnedpubkey", var))
>> +#if LIBCURL_VERSION_NUM >= 0x072c00
>> +		return git_config_pathname(&ssl_pinnedkey, var, value);
>> +#else
>> +		warning(_("Public key pinning not supported with cURL < 7.44.0"));
>> +		return 0;
>> +#endif
>> 
>> We are not writing in Python.  Indenting the second line the same
>> way does not make it part of the block.  Of course by inserting the
>> new config in the earlier part of the function, it broke everything
>> that comes after.
>
> Oof. Good eyes. I suspected something funny with the #if, but after
> starting at it for minutes, couldn't see it.
>
> That makes sense, and the fix is obvious.

Yup.  I think I sent a patch already and I followed the "when adding
a new thing to a set, add it at the end unless there is other reason
to place it elsewhere".

Thanks.

Re: [PATCH +warn] Implement https public key pinning

[Junio C Hamano]

Christoph Egger <christoph@christoph-egger.org> writes:

> Add the http.pinnedpubkey configuration option for public key
> pinning. It allows any string supported by libcurl --
> base64(sha256(pubkey)) or filename of the full public key.
>
> If cURL does not support pinning (is too old) output a warning to the
> user.
>
> Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
> ---

I needed this fix to unbreak it for those with older versions of
cURL.


 http.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/http.c b/http.c
index a6b8076..3475040 100644
--- a/http.c
+++ b/http.c
@@ -219,13 +219,6 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
-	if (!strcmp("http.pinnedpubkey", var))
-#if LIBCURL_VERSION_NUM >= 0x072c00
-		return git_config_pathname(&ssl_pinnedkey, var, value);
-#else
-		warning(_("Public key pinning not supported with cURL < 7.44.0"));
-		return 0;
-#endif
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -283,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.useragent", var))
 		return git_config_string(&user_agent, var, value);
 
+	if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif
+	}
 	/* Fall back on the default ones */
 	return git_default_config(var, value, cb);
 }

Re: [PATCH +warn] Implement https public key pinning

[Christoph Egger]

[-- Attachment #1: Type: text/plain, Size: 651 bytes --]

Hi!

Junio C Hamano <gitster@pobox.com> writes:
> Christoph Egger <christoph@christoph-egger.org> writes:
>
>> Add the http.pinnedpubkey configuration option for public key
>> pinning. It allows any string supported by libcurl --
>> base64(sha256(pubkey)) or filename of the full public key.
>>
>> If cURL does not support pinning (is too old) output a warning to the
>> user.
>>
>> Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
>> ---
>
> I needed this fix to unbreak it for those with older versions of
> cURL.

Jep sorry about that. should have run a second test with old libcurl.
I've attached a consolidated patch.

  Christoph


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Implement-https-public-key-pinning.patch --]
[-- Type: text/x-diff, Size: 2766 bytes --]

>From be8112d695de534629bcb3411634d101a74021a7 Mon Sep 17 00:00:00 2001
From: Christoph Egger <christoph@christoph-egger.org>
Date: Thu, 11 Feb 2016 23:28:20 +0100
Subject: [PATCH] Implement https public key pinning

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---
 Documentation/config.txt |  8 ++++++++
 http.c                   | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+	exit with an error if this option is set but not supported by
+	cURL.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..1c295dd 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -299,6 +302,15 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.useragent", var))
 		return git_config_string(&user_agent, var, value);
 
+	if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif
+	}
+
 	/* Fall back on the default ones */
 	return git_default_config(var, value, cb);
 }
@@ -499,6 +511,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


[-- Attachment #3: Type: text/plain, Size: 1330 bytes --]


>  http.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/http.c b/http.c
> index a6b8076..3475040 100644
> --- a/http.c
> +++ b/http.c
> @@ -219,13 +219,6 @@ static int http_options(const char *var, const char *value, void *cb)
>  	if (!strcmp("http.sslcapath", var))
>  		return git_config_pathname(&ssl_capath, var, value);
>  #endif
> -	if (!strcmp("http.pinnedpubkey", var))
> -#if LIBCURL_VERSION_NUM >= 0x072c00
> -		return git_config_pathname(&ssl_pinnedkey, var, value);
> -#else
> -		warning(_("Public key pinning not supported with cURL < 7.44.0"));
> -		return 0;
> -#endif
>  	if (!strcmp("http.sslcainfo", var))
>  		return git_config_pathname(&ssl_cainfo, var, value);
>  	if (!strcmp("http.sslcertpasswordprotected", var)) {
> @@ -283,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb)
>  	if (!strcmp("http.useragent", var))
>  		return git_config_string(&user_agent, var, value);
>  
> +	if (!strcmp("http.pinnedpubkey", var)) {
> +#if LIBCURL_VERSION_NUM >= 0x072c00
> +		return git_config_pathname(&ssl_pinnedkey, var, value);
> +#else
> +		warning(_("Public key pinning not supported with cURL < 7.44.0"));
> +		return 0;
> +#endif
> +	}
>  	/* Fall back on the default ones */
>  	return git_default_config(var, value, cb);
>  }

--