authorJunio C Hamano <gitster@pobox.com>2016-02-24 13:25:58 -0800
committerJunio C Hamano <gitster@pobox.com>2016-02-24 13:25:58 -0800
commite79112d21024beb997951381db21a70b087d459d (patch)
tree704e66558f2e558b07506a605f0829ce72cfa238
parent65ba75ba7daae3298139f18cf866a23d01f4dd48 (diff)
parentaeff8a61216bf6e0d663c08c583bc8552fa3c344 (diff)
Merge branch 'ce/https-public-key-pinning'
You can now set http.[<url>.]pinnedpubkey to specify the pinned public key when building with recent enough versions of libcURL. * ce/https-public-key-pinning: http: implement public key pinning
-rw-r--r--Documentation/config.txt8
-rw-r--r--http.c16
2 files changed, 24 insertions, 0 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt
index 542cb229c8..2cd6bdd7d2 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1733,6 +1733,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
+http.pinnedpubkey::
+ Public key of the https service. It may either be the filename of
+ a PEM or DER encoded public key file or a string starting with
+ 'sha256//' followed by the base64 encoded sha256 hash of the
+ public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+ exit with an error if this option is set but not supported by
+ cURL.
+
http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index 279b6f2e9a..1d5e3bbd11 100644
--- a/http.c
+++ b/http.c
@@ -62,6 +62,9 @@ static const char *ssl_key;
#if LIBCURL_VERSION_NUM >= 0x070908
static const char *ssl_capath;
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
static const char *ssl_cainfo;
static long curl_low_speed_limit = -1;
static long curl_low_speed_time = -1;
@@ -310,6 +313,15 @@ static int http_options(const char *var, const char *value, void *cb)
return 0;
}
+ if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+ warning(_("Public key pinning not supported with cURL < 7.44.0"));
+ return 0;
+#endif
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, cb);
}
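Review bot: The `#else` branch (`warning(_("Public key pinning not supported with cURL < 7.44.0")); return 0;`) fails open: a user who set http.pinnedpubkey gets a warning and the HTTPS transfer then proceeds with no pin at all, while the Documentation/config.txt hunk in this same commit promises that git "will exit with an error if this option is set but not supported by cURL". Either the code or the documentation should change, and making the code match the documentation is the safer choice, e.g. `die(_("Public key pinning not supported with cURL < 7.44.0"));` in place of the warning and return. The enclosing http_options() starts outside the hunk. The same fail-open shape appears in the get_curl_handle() hunk below, where the return value of the new `curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey)` is discarded like its neighbours; if libcurl were to reject that option (for instance because the TLS backend cannot pin), the connection would again silently run unpinned, so that one call is worth checking and dying on failure.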
@@ -513,6 +525,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ if (ssl_pinnedkey != NULL)
+ curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);