[PATCH v2] Implement https public key pinning

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Christoph Egger <christoph@christoph-egger.org>
To: git@vger.kernel.org
Subject: [PATCH v2] Implement https public key pinning
Date: Fri, 12 Feb 2016 02:18:34 +0100	[thread overview]
Message-ID: <20160212011834.GA3322@mitoraj.siccegge.de> (raw)
In-Reply-To: <87oabmg24u.fsf@mitoraj.siccegge.de>

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
---
 Documentation/config.txt |  6 ++++++
 http.c                   | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..5549fe5 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.sslcapath", var))
 		return git_config_pathname(&ssl_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (!strcmp("http.pinnedpubkey", var))
+		return git_config_pathname(&ssl_pinnedkey, var, value);
+#endif
 	if (!strcmp("http.sslcainfo", var))
 		return git_config_pathname(&ssl_cainfo, var, value);
 	if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


--

next prev parent reply	other threads:[~2016-02-12  1:18 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-11 22:54 [PATCH] Implement https public key pinning Christoph Egger
2016-02-11 23:30 ` Daniel Stenberg
2016-02-12  1:15   ` Christoph Egger
2016-02-12  1:18     ` Christoph Egger [this message]
2016-02-12 10:02     ` Thomas Gummerer
2016-02-12 18:37       ` Jeff King
2016-02-15 13:58         ` Christoph Egger
2016-02-15 14:04           ` [PATCH +warn] " Christoph Egger
2016-02-15 23:25             ` Junio C Hamano
2016-02-16  1:22               ` Jeff King
2016-02-16  3:19                 ` Junio C Hamano
2016-02-16  3:28                   ` Jeff King
2016-02-16 11:19                     ` [PATCH +warn2] " Christoph Egger
2016-02-16 21:20                     ` [PATCH +warn] " Junio C Hamano
2016-02-17 21:05             ` Junio C Hamano
2016-02-22 15:41               ` Christoph Egger

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:27f02be dfblob:35b4495 dfblob:dfc53c1 dfblob:5549fe5 )
 OR (
bs:"[PATCH v2] Implement https public key pinning" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160212011834.GA3322@mitoraj.siccegge.de \
    --to=christoph@christoph-egger.org \
    --cc=git@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).