
Commit e79112d

committed
Merge branch 'ce/https-public-key-pinning'
You can now set http.[<url>.]pinnedpubkey to specify the pinned public key when building with recent enough versions of libcURL. * ce/https-public-key-pinning: http: implement public key pinning
2 parents 65ba75b + aeff8a6 commit e79112d


2 files changed

+24
-0
lines changed


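--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1733,6 +1733,14 @@ http.sslCAPath::
 with when fetching or pushing over HTTPS. Can be overridden
 by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+Public key of the https service. It may either be the filename of
+a PEM or DER encoded public key file or a string starting with
+'sha256//' followed by the base64 encoded sha256 hash of the
+public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+exit with an error if this option is set but not supported by
+cURL.
+
 http.sslTry::
 Attempt to use AUTH SSL/TLS and encrypted data transfers
 when connecting via regular FTP protocol. This might be needed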

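--- a/http.c
+++ b/http.c
@@ -62,6 +62,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -310,6 +313,15 @@ static int http_options(const char *var, const char *value, void *cb)
 return 0;
 }
 
+if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+return git_config_pathname(&ssl_pinnedkey, var, value);
+#else
+warning(_("Public key pinning not supported with cURL < 7.44.0"));
+return 0;
+#endif
+}
+
 /* Fall back on the default ones */
 return git_default_config(var, value, cb);
 }
@@ -512,6 +524,10 @@ static CURL *get_curl_handle(void)
 #if LIBCURL_VERSION_NUM >= 0x070908
 if (ssl_capath != NULL)
 curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
+#endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+if (ssl_pinnedkey != NULL)
+curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
 #endif
 if (ssl_cainfo != NULL)
 curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);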
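Review bot: The `#else` branch added to http_options turns a configured pin into a warning and returns 0, so with an older libcurl git proceeds without any pinning, while the Documentation/config.txt change in this same commit promises that git will exit with an error when the option is set but unsupported. A pin that quietly becomes a no-op is fail-open: a user relying on http.pinnedpubkey to defend against a mis-issued or compromised CA gets an ordinary TLS connection, and a stderr warning is easy to miss in scripted use. Either make the code match the documentation, e.g. replace the `warning(...)`/`return 0;` pair with `die(_("Public key pinning not supported with cURL < 7.44.0"));`, or change the documentation to say the option is ignored with a warning; failing closed is the safer choice. The 0x072c00 (7.44.0) floor is presumably chosen because the `sha256//` form needs that release rather than the one that introduced CURLOPT_PINNEDPUBLICKEY, which is worth stating in a comment next to the `#if`. http_options begins before this hunk and get_curl_handle both begins and ends outside it; only their tails are visible here.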
