Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---

 For some more sensitive repositories I'd like to properly pin the
 public key of the https service. libcURL has properly supported this
 since 7.44.0, some parts earlier; the option just needs to be exposed
 by git.

 There seem to be no test regressions.

 Documentation/config.txt |  6 ++++++
 http.c                   | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
        with when fetching or pushing over HTTPS. Can be overridden
        by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+       Public key of the https service. It may either be the filename of
+       a PEM or DER encoded public key file or a string starting with
+       'sha256//' followed by the base64 encoded sha256 hash of the
+       public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
        Attempt to use AUTH SSL/TLS and encrypted data transfers
        when connecting via regular FTP protocol. This might be needed
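Review bot: the new entry's name breaks the casing convention of its neighbours: `http.sslCAPath::` and `http.sslTry::` use camelCase in the documentation while the code matches the lowercased key, so this should read `http.pinnedPubkey::` (the `!strcmp("http.pinnedpubkey", var)` comparison in http.c is unaffected, since git lowercases the section and key before calling the callback). The description should also say which libcurl is needed, since the cover letter only mentions it in passing: `CURLOPT_PINNEDPUBLICKEY` exists since libcurl 7.39.0 for PEM/DER files and the `sha256//` form was added in 7.44.0, and with an older libcurl the option is silently ignored rather than rejected, which for a pinning option is worth a sentence so that a user does not assume they are pinned when they are not.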
diff --git a/http.c b/http.c
index dfc53c1..60776cc 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
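Review bot: the guard `LIBCURL_VERSION_NUM >= 0x072c00` is 7.44.0, which matches the cover letter, but the file-based form of `CURLOPT_PINNEDPUBLICKEY` is available from 7.39.0 (`0x072700`); gating the declaration at 7.44.0 drops file pinning on 7.39 to 7.43 without saying so. Either lower the guard to `0x072700` or add a short comment next to `#if` stating that 7.44.0 was chosen so the documented `sha256//` form always works, so the next reader does not have to decode the hex constant.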
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char 
*value, void *cb)
        if (!strcmp("http.sslcapath", var))
                return git_config_pathname(&ssl_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+       if (!strcmp("http.pinnedpubkey", var))
+               return git_config_pathname(&ssl_pinnedkey, var, value);
+#endif
        if (!strcmp("http.sslcainfo", var))
                return git_config_pathname(&ssl_cainfo, var, value);
        if (!strcmp("http.sslcertpasswordprotected", var)) {
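Review bot: using `git_config_pathname` for a value that may be a `sha256//...` hash rather than a path is harmless (tilde expansion only applies to a leading `~`, and a missing value still yields the non-boolean error), but it deserves a comment here, since a later reader will otherwise assume the value is always a file. More importantly the cover letter only reports "no test regressions": nothing in the series exercises this new branch, and a pinning option that is parsed but never reaches libcurl would pass the existing suite unnoticed, so a test that sets `http.pinnedpubkey` to a wrong hash against the test HTTPS server and expects the fetch to fail is the minimum a reviewer would want before this goes in.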
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
        if (ssl_capath != NULL)
                curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x074400
+       if (ssl_pinnedkey != NULL)
+               curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, 
ssl_pinnedkey);
+#endif
        if (ssl_cainfo != NULL)
                curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
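Review bot: the guard on this hunk, `LIBCURL_VERSION_NUM >= 0x074400`, does not match the `0x072c00` used for the declaration and the config parsing above: `0x074400` is 7.68.0, not 7.44.0 (the minor version byte must be `0x2c`). With any libcurl from 7.44 up to the version this constant denotes, `ssl_pinnedkey` is declared and filled from the config but `CURLOPT_PINNEDPUBLICKEY` is never set, so the fetch proceeds unpinned while the user believes the key is pinned. Change this `#if` to `0x072c00` (ideally a single named macro shared by all three `#if` blocks so they cannot drift apart again). Separately, consider checking the return value of this `curl_easy_setopt` and dying on failure, unlike the neighbouring `CURLOPT_CAPATH` call: a pin that could not be installed should fail closed rather than let the transfer continue.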
-- 
2.7.0
