authorChristoph Egger <christoph@christoph-egger.org>2016-02-15 15:04:22 +0100
committerJunio C Hamano <gitster@pobox.com>2016-02-15 19:21:48 -0800
commitaeff8a61216bf6e0d663c08c583bc8552fa3c344 (patch)
tree56089a2c0b99c783ee4ebed5bf90445c32b0fa3c /http.c
parenta08595f76159b09d57553e37a5123f1091bb13e7 (diff)
downloadgit-aeff8a61216bf6e0d663c08c583bc8552fa3c344.tar.gz
http: implement public key pinningce/https-public-key-pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or the filename of the full public key. If cURL does not support pinning (i.e. it is too old), output a warning to the user. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'http.c')
-rw-r--r--http.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/http.c b/http.c
index 0da9e66398..3475040107 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
#if LIBCURL_VERSION_NUM >= 0x070908
static const char *ssl_capath;
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
static const char *ssl_cainfo;
static long curl_low_speed_limit = -1;
static long curl_low_speed_time = -1;
@@ -273,6 +276,14 @@ static int http_options(const char *var, const char *value, void *cb)
if (!strcmp("http.useragent", var))
return git_config_string(&user_agent, var, value);
+ if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+ warning(_("Public key pinning not supported with cURL < 7.44.0"));
+ return 0;
+#endif
+ }
/* Fall back on the default ones */
return git_default_config(var, value, cb);
}
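Review bot: The `#else` branch at the `warning(...)`/`return 0;` lines silently degrades to "no pinning": a user who configured http.pinnedpubkey on an old libcurl gets a warning, but every later HTTPS connection proceeds against an unpinned key, and the warning text does not say so. The message should state the consequence, e.g. `warning(_("Public key pinning not supported with cURL < 7.44.0; connecting without pinning"));`, so the fail-open is visible to whoever reads the log. The warning is also emitted once per matching config line in every config file parsed, which may repeat it for multi-level configs. http_options itself begins outside this hunk; only its tail is shown.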
@@ -415,6 +426,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+ if (ssl_pinnedkey != NULL)
+ curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
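Review bot: The return value of `curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey)` is not checked, so if libcurl rejects the option at runtime (its documentation lists error returns for this option, presumably when the TLS backend in use cannot pin) the handle is still returned and the transfer runs without the pin the user configured. The neighbouring CAPATH/CAINFO calls are unchecked too, but those only loosen trust-store lookup, whereas a dropped pin turns a deliberate hardening control into a silent no-op. Replace the two added lines with `if (ssl_pinnedkey != NULL && curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey) != CURLE_OK) die("failed to enable public key pinning");` (split across lines per the file's style) so a pin that cannot be applied aborts instead of being ignored. get_curl_handle begins and ends outside this hunk.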