GIT_EXEC_PATH

2017-04-18 Thread Christoph Egger
Hi!

Concerning $GIT_EXEC_PATH ... is that supposed to be a $PATH-like variable? As
in, can it have more than one path (colon-separated)? I currently have two
directories there (one with a git-annex installation, one with the normal git
stuff) and it seems to mostly work. However, git-sh-setup is unhappy:

> % git pull --rebase
> /opt/local/libexec/git-core/git-sh-setup: line 46: 
> /opt/local/libexec/git-core:/Applications/git-annex.app/Contents/MacOS//git-sh-i18n:
>  No such file or directory

  Christoph


Re: [PATCH +warn] Implement https public key pinning

2016-02-22 Thread Christoph Egger
Hi!

Junio C Hamano <gits...@pobox.com> writes:
> Christoph Egger <christ...@christoph-egger.org> writes:
>
>> Add the http.pinnedpubkey configuration option for public key
>> pinning. It allows any string supported by libcurl --
>> base64(sha256(pubkey)) or filename of the full public key.
>>
>> If cURL does not support pinning (is too old) output a warning to the
>> user.
>>
>> Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
>> ---
>
> I needed this fix to unbreak it for those with older versions of
> cURL.

Jep, sorry about that. Should have run a second test with old libcurl.
I've attached a consolidated patch.

  Christoph

From be8112d695de534629bcb3411634d101a74021a7 Mon Sep 17 00:00:00 2001
From: Christoph Egger <christ...@christoph-egger.org>
Date: Thu, 11 Feb 2016 23:28:20 +0100
Subject: [PATCH] Implement https public key pinning

Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---
 Documentation/config.txt |  8 
 http.c   | 16 
 2 files changed, 24 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+	Public key of the https service. It may either be the filename of
+	a PEM or DER encoded public key file or a string starting with
+	'sha256//' followed by the base64 encoded sha256 hash of the
+	public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+	exit with an error if this option is set but not supported by
+	cURL.
+
 http.sslTry::
 	Attempt to use AUTH SSL/TLS and encrypted data transfers
 	when connecting via regular FTP protocol. This might be needed
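Review bot: The last sentence of the new http.pinnedpubkey entry ("git will exit with an error if this option is set but not supported by cURL") does not describe what the http.c hunk in this same patch does, which is to call warning() and return 0, i.e. carry on unpinned. Either the documentation should say "git will warn", or http.c should die(); of the two, failing closed matches the documented text and is the safer behaviour for a security option, because a user reading this entry would otherwise assume a misconfigured pin cannot silently go unenforced.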
diff --git a/http.c b/http.c
index dfc53c1..1c295dd 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -299,6 +302,15 @@ static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.useragent", var))
 		return git_config_string(_agent, var, value);
 
+	if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+		return git_config_pathname(_pinnedkey, var, value);
+#else
+		warning(_("Public key pinning not supported with cURL < 7.44.0"));
+		return 0;
+#endif
+	}
+
 	/* Fall back on the default ones */
 	return git_default_config(var, value, cb);
 }
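Review bot: The #else branch warns and then returns 0, so on a cURL older than 7.44.0 a configured pin is accepted as a valid option and the transfer proceeds without pinning, whereas the documentation hunk in this patch promises an error. Consider `die(_("Public key pinning not supported with cURL < 7.44.0"));` or returning an error so that config parsing fails, and keep the version string and the 0x072c00 guard in sync (LIBCURL_VERSION_NUM is 0xXXYYZZ, so 0x072c00 is 7.44.0). Separately, the first argument rendered here as `_pinnedkey` (and `_capath`, `_agent` in the context lines) has lost its `&ssl` prefix in the archive; the call that matches the `ssl_pinnedkey` declared in the earlier hunk is `git_config_pathname(&ssl_pinnedkey, var, value)`.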
@@ -499,6 +511,10 @@ static CURL *get_curl_handle(void)
 	if (ssl_capath != NULL)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+	if (ssl_pinnedkey != NULL)
+		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
+#endif
 	if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
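Review bot: The return value of curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ...) is discarded, in line with the neighbouring CURLOPT_CAPATH call, but for this option that matters: the version guard only proves the option exists in the headers, while the backend support quoted elsewhere in this thread (OpenSSL/GnuTLS/GSKit first, NSS and wolfSSL later, other backends not at all) is a property of the libcurl build. If libcurl rejects the option the handle is still used and the transfer runs unpinned with no indication. Suggest `if (curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey) != CURLE_OK) die(...)`, or at least a warning, so a pin that cannot be installed is never silently dropped.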
-- 
2.7.0


>  http.c | 15 ---
>  1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/http.c b/http.c
> index a6b8076..3475040 100644
> --- a/http.c
> +++ b/http.c
> @@ -219,13 +219,6 @@ static int http_options(const char *var, const char 
> *value, void *cb)
>   if (!strcmp("http.sslcapath", var))
>   return git_config_pathname(_capath, var, value);
>  #endif
> - if (!strcmp("http.pinnedpubkey", var))
> -#if LIBCURL_VERSION_NUM >= 0x072c00
> - return git_config_pathname(_pinnedkey, var, value);
> -#else
> - warning(_("Public key pinning not supported with cURL < 
> 7.44.0"));
> - return 0;
> -#endif
>   if (!strcmp("http.sslcainfo", var))
>   return git_config_pathname(_cainfo, var, value);
>   if (!strcmp("http.sslcertpasswordprotected", var)) {
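Review bot: The block being removed here had no braces around the multi-statement #else branch, so on a cURL older than 7.44.0 only the warning() call was conditional on the strcmp and the following `return 0;` ran for every variable reaching this point, swallowing http.sslcainfo, http.sslcertpasswordprotected and everything that falls through to git_default_config(); that is why builds against old libcurl broke. Removing the block in one piece rather than patching braces in place is the cleaner fix given that it is re-added with braces in the next hunk.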
> @@ -283,6 +276,14 @@ static int http_options(const char *var, const char 
> *value, void *cb)
>   if (!strcmp("http.useragent", var))
>   return git_config_string(_agent, var, value);
>  
> + if (!strcmp("http.pinnedpubkey", var)) {
> +#if LIBCURL_VERSION_NUM >= 0x072c00
> + return git_config_pathname(_pinnedkey, var, value);
> +#else
> + warning(_("Public key pinning not supported with cURL < 
> 7.44.0"));
> + return 0;
> +#endif
> + }
>   /* Fall back on the default ones */
>   return git_default_config(var, value, cb);
>  }
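Review bot: With the braces the #else branch is now correctly scoped, but the warning text hard-codes "7.44.0" while the guard uses 0x072c00; the two agree today (0x2c is 44), and a single named constant or a comment next to the guard would keep them from drifting when the threshold is revisited. Relocating the block after the http.useragent check changes no behaviour; the only functional change in this hunk is the braces.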



[PATCH +warn2] Implement https public key pinning

2016-02-16 Thread Christoph Egger
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---

 Now tested again both with and without a "new enough" cURL version.
 Passes tests in both configurations and is obviously more correct.

 Documentation/config.txt |  8 
 http.c   | 15 +++
 2 files changed, 23 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+   Public key of the https service. It may either be the filename of
+   a PEM or DER encoded public key file or a string starting with
+   'sha256//' followed by the base64 encoded sha256 hash of the
+   public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+   exit with an error if this option is set but not supported by
+   cURL.
+
 http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
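Review bot: "base64 encoded sha256 hash of the public key" leaves open which bytes are hashed; libcurl's sha256// form hashes the DER-encoded SubjectPublicKeyInfo (the same bytes a DER public key file contains), so a hash of the PEM text or of the whole certificate never matches. One sentence saying so, plus the pipeline that produces the value (`openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`), would save users from a pin that always fails for the wrong reason. The entry also says git "will exit with an error" when cURL lacks support, but the http.c hunk below warns and returns 0; the two should be made to agree.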
diff --git a/http.c b/http.c
index dfc53c1..f640a8b 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,14 @@ static int http_options(const char *var, const char 
*value, void *cb)
if (!strcmp("http.sslcapath", var))
return git_config_pathname(_capath, var, value);
 #endif
+   if (!strcmp("http.pinnedpubkey", var)) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   return git_config_pathname(_pinnedkey, var, value);
+#else
+   warning(_("Public key pinning not supported with cURL < 
7.44.0"));
+   return 0;
+#endif
+   }
if (!strcmp("http.sslcainfo", var))
return git_config_pathname(_cainfo, var, value);
if (!strcmp("http.sslcertpasswordprotected", var)) {
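Review bot: git_config_pathname() is the right reader for the filename form (it expands a leading ~), but a relative filename is then interpreted relative to the process working directory at the moment libcurl opens it, which is not necessarily the directory the config file lives in. Either document that the filename should be absolute or resolve it against the config file's location. For the sha256// form the path expansion is a no-op, so sharing one reader for both forms is fine.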
@@ -499,6 +510,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   if (ssl_pinnedkey != NULL)
+   curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, 
ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0


-- 
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH +warn] Implement https public key pinning

2016-02-15 Thread Christoph Egger
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---

 This version of the patch adds a warning to the user if the option is
 not supported.

 Documentation/config.txt |  8 
 http.c   | 14 ++
 2 files changed, 22 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..0f2643b 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+   Public key of the https service. It may either be the filename of
+   a PEM or DER encoded public key file or a string starting with
+   'sha256//' followed by the base64 encoded sha256 hash of the
+   public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+   exit with an error if this option is set but not supported by
+   cURL.
+
 http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..0bb9237 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,13 @@ static int http_options(const char *var, const char 
*value, void *cb)
if (!strcmp("http.sslcapath", var))
return git_config_pathname(_capath, var, value);
 #endif
+   if (!strcmp("http.pinnedpubkey", var))
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   return git_config_pathname(_pinnedkey, var, value);
+#else
+   warning(_("Public key pinning not supported with cURL < 
7.44.0"));
+   return 0;
+#endif
if (!strcmp("http.sslcainfo", var))
return git_config_pathname(_cainfo, var, value);
if (!strcmp("http.sslcertpasswordprotected", var)) {
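Review bot: The `if` on the first added line guards a single statement, but the #else branch expands to two (`warning(...); return 0;`), so on a cURL below 7.44.0 the `return 0;` is unconditional: every variable that reaches this point (http.sslcainfo, http.sslcertpasswordprotected, and everything meant for the git_default_config() fallback) is accepted and never stored. Wrap the body in braces, `if (!strcmp("http.pinnedpubkey", var)) { ... }`, and build once against an old libcurl, since with a new one the #if side is a single return and the bug is invisible.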
@@ -499,6 +509,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   if (ssl_pinnedkey != NULL)
+   curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, 
ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0




Re: [PATCH] Implement https public key pinning

2016-02-15 Thread Christoph Egger
Jeff King  writes:
> We can't do this perfectly, because older versions of git do not yet
> know about the option, and will therefore just silently ignore it. And
> for consistency there, we usually do the same for features that we know
> about but are unsupported.

Jep that's why I originally did it this way. But if I (the user) just
have to check the git version to know I'm fine (and not also check which
version of curl it is linked with) to be sure I'd assume that's an
improvement still.

> But I agree for something with security implications like this, we are
> better off warning when we know support is not built in. That's not
> perfect, but it's better than nothing.

I'll add an updated patch taking this into account.

> I wonder if there are other options which should get the same treatment.
> Most of the obvious ones I could think of (e.g., http.sslverify) do not
> need it, because either they always have support built, or they
> fail-closed, or both.

Does CURLOPT_CAPATH add to CURLOPT_CAINFO or replace it? The
documentation [0] is inconclusive to me in this regard.

  Christoph

[0] https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html




Re: [PATCH] Implement https public key pinning

2016-02-11 Thread Christoph Egger
Daniel Stenberg <dan...@haxx.se> writes:
> On Thu, 11 Feb 2016, Christoph Egger wrote:
>> +#if LIBCURL_VERSION_NUM >= 0x074400
>
> That should probably be 0x072c00 ...

This is, of course, right.

I used 7.44 / 0x072c00 as base because it has robust support for this
feature (including the sha256// variant). One could lower that depending
on the compromises one is willing to take, FWIW:

  Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS
  and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added
  in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL
  backends not supported.

Also some people suggested that git should fail if this option is
requested in the config but not supported by the libcurl version instead
of falling back to just not pin the key. I'm undecided about that.

  Christoph




[PATCH v2] Implement https public key pinning

2016-02-11 Thread Christoph Egger
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---
 Documentation/config.txt |  6 ++
 http.c   | 11 +++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+   Public key of the https service. It may either be the filename of
+   a PEM or DER encoded public key file or a string starting with
+   'sha256//' followed by the base64 encoded sha256 hash of the
+   public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..5549fe5 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char 
*value, void *cb)
if (!strcmp("http.sslcapath", var))
return git_config_pathname(_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   if (!strcmp("http.pinnedpubkey", var))
+   return git_config_pathname(_pinnedkey, var, value);
+#endif
if (!strcmp("http.sslcainfo", var))
return git_config_pathname(_cainfo, var, value);
if (!strcmp("http.sslcertpasswordprotected", var)) {
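Review bot: On a libcurl older than 7.44.0 the whole check is compiled out, so http.pinnedpubkey falls through to git_default_config() and is ignored without any message; a user who set the pin believing the transport is now restricted to one key gets ordinary CA validation instead. For a security option that otherwise fails open silently, a warning() or die() in an #else branch is preferable to the usual silent treatment of unknown keys.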
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   if (ssl_pinnedkey != NULL)
+   curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, 
ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
-- 
2.7.0




[PATCH] Implement https public key pinning

2016-02-11 Thread Christoph Egger
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

Signed-off-by: Christoph Egger <christ...@christoph-egger.org>
---

 For some more sensitive repositories I'd like to properly pin the
 public key of the https service. libcURL properly supports this since
 7.44.0, some parts earlier, the option just needs to be exposed by
 git.

 There seem to be no test regressions.

 Documentation/config.txt |  6 ++
 http.c   | 11 +++
 2 files changed, 17 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 27f02be..35b4495 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1727,6 +1727,12 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
 
+http.pinnedpubkey::
+   Public key of the https service. It may either be the filename of
+   a PEM or DER encoded public key file or a string starting with
+   'sha256//' followed by the base64 encoded sha256 hash of the
+   public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'.
+
 http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
diff --git a/http.c b/http.c
index dfc53c1..60776cc 100644
--- a/http.c
+++ b/http.c
@@ -57,6 +57,9 @@ static const char *ssl_key;
 #if LIBCURL_VERSION_NUM >= 0x070908
 static const char *ssl_capath;
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+static const char *ssl_pinnedkey;
+#endif
 static const char *ssl_cainfo;
 static long curl_low_speed_limit = -1;
 static long curl_low_speed_time = -1;
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char 
*value, void *cb)
if (!strcmp("http.sslcapath", var))
return git_config_pathname(_capath, var, value);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x072c00
+   if (!strcmp("http.pinnedpubkey", var))
+   return git_config_pathname(_pinnedkey, var, value);
+#endif
if (!strcmp("http.sslcainfo", var))
return git_config_pathname(_cainfo, var, value);
if (!strcmp("http.sslcertpasswordprotected", var)) {
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 #endif
+#if LIBCURL_VERSION_NUM >= 0x074400
+   if (ssl_pinnedkey != NULL)
+   curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, 
ssl_pinnedkey);
+#endif
if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
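Review bot: The guard on this hunk, LIBCURL_VERSION_NUM >= 0x074400, does not match the 0x072c00 used for the declaration and in http_options(). LIBCURL_VERSION_NUM is 0xXXYYZZ, so 0x072c00 is 7.44.0 but 0x074400 is 7.68.0, well beyond the 7.47.0 mentioned elsewhere in this thread; the curl_easy_setopt call is therefore never compiled, and the configured pin is read into ssl_pinnedkey but never applied, with no warning. Use 0x072c00 here as well (as Daniel Stenberg points out in his reply), and ideally define the threshold once so the three guards cannot diverge.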
-- 
2.7.0


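As an added example, not code from the patch or from git or libcurl: the value that goes into http.pinnedpubkey in its sha256// form, and the check libcurl performs against the peer's key, written in Python. libcurl hashes the DER-encoded SubjectPublicKeyInfo, which is what this reproduces. The key material is a constructed Ed25519-shaped SubjectPublicKeyInfo with dummy key bytes, not a real key; the function names (`sha256_pin`, `pin_from_pem`, `pin_matches`, `write_temp_key`) are chosen here. It goes slightly beyond the documentation hunk by also handling the `;`-separated list of sha256// pins libcurl accepts and the filename form in both PEM and DER.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Constructed key material: a SubjectPublicKeyInfo for an Ed25519 key
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING }) with a dummy
# 32-byte key body. The DER framing is real; the key bytes are not a key.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_KEY_DER = _ED25519_SPKI_PREFIX + bytes(range(32))


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """PEM-wrap DER bytes (64-column base64), as 'openssl pkey -pubout' prints it."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo."""
    lines = [line.strip() for line in pem.splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def sha256_b64(data: bytes) -> str:
    """base64(sha256(data)), the encoding libcurl expects after 'sha256//'."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sha256_pin(spki_der: bytes) -> str:
    """The http.pinnedpubkey value in sha256// form for a DER SubjectPublicKeyInfo."""
    return "sha256//" + sha256_b64(spki_der)


def pin_from_pem(pem: str) -> str:
    """Same, starting from the PEM public key as 'openssl x509 -pubkey' prints it."""
    return sha256_pin(pem_to_der(pem))


def load_key_file(path: str) -> bytes:
    """Read a PEM or DER public key file, the two forms the filename option accepts."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(raw.decode("ascii"))
    return raw


def write_temp_key(der: bytes, as_pem: bool = True) -> str:
    """Write the key to a temporary file in PEM or DER form and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem" if as_pem else ".der")
    with os.fdopen(fd, "wb") as fh:
        fh.write(der_to_pem(der).encode("ascii") if as_pem else der)
    return path


def pin_matches(config_value: str, peer_spki_der: bytes) -> bool:
    """Decide whether the peer's SubjectPublicKeyInfo satisfies http.pinnedpubkey.

    Mirrors libcurl's rules: a sha256// value (several may be joined with ';')
    matches if any listed digest equals sha256(peer SPKI); anything else is a
    filename whose key must equal the peer SPKI byte for byte. Comparisons are
    constant-time, and a malformed pin or unreadable file fails closed.
    """
    if config_value.startswith("sha256//"):
        peer_digest = hashlib.sha256(peer_spki_der).digest()
        for entry in config_value.split(";"):
            entry = entry.strip()
            if not entry.startswith("sha256//"):
                return False  # malformed list entry: refuse rather than guess
            try:
                expected = base64.b64decode(entry[len("sha256//"):], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return False
            if len(expected) == 32 and hmac.compare_digest(expected, peer_digest):
                return True
        return False
    try:
        pinned = load_key_file(config_value)
    except (OSError, ValueError):
        return False
    return hmac.compare_digest(pinned, peer_spki_der)


if __name__ == "__main__":
    pin = sha256_pin(SAMPLE_KEY_DER)
    print("git config http.pinnedpubkey", pin)
    print("peer matches:", pin_matches(pin, SAMPLE_KEY_DER))
    print("tampered peer matches:", pin_matches(pin, SAMPLE_KEY_DER[:-1] + b"\x00"))
```

For a real server the DER comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der`; `sha256_pin` over those bytes is the value to configure. Pinning the public key rather than the certificate survives certificate renewal as long as the key pair is kept, and listing a backup key's pin after a `;` is what keeps a planned key rotation from locking clients out.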