GIT_EXEC_PATH
Hi! Concerning $GIT_EXEC_PATH: is that supposed to be a $PATH-like variable? As in, can it have more than one path (colon-separated)? I currently have two directories there (one with a git-annex installation, one with the normal git stuff) and it seems to mostly work. However git-sh-setup is unhappy: > % git pull --rebase > /opt/local/libexec/git-core/git-sh-setup: line 46: > /opt/local/libexec/git-core:/Applications/git-annex.app/Contents/MacOS//git-sh-i18n: > No such file or directory Christoph
Re: [PATCH +warn] Implement https public key pinning
Hi! Junio C Hamano <gits...@pobox.com> writes: > Christoph Egger <christ...@christoph-egger.org> writes: > >> Add the http.pinnedpubkey configuration option for public key >> pinning. It allows any string supported by libcurl -- >> base64(sha256(pubkey)) or filename of the full public key. >> >> If cURL does not support pinning (is too old) output a warning to the >> user. >> >> Signed-off-by: Christoph Egger <christ...@christoph-egger.org> >> --- > > I needed this fix to unbreak it for those with older versions of > cURL. Jep sorry about that. should have run a second test with old libcurl. I've attached a consolidated patch. Christoph >From be8112d695de534629bcb3411634d101a74021a7 Mon Sep 17 00:00:00 2001 From: Christoph Egger <christ...@christoph-egger.org> Date: Thu, 11 Feb 2016 23:28:20 +0100 Subject: [PATCH] Implement https public key pinning Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christ...@christoph-egger.org> --- Documentation/config.txt | 8 http.c | 16 2 files changed, 24 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt 
@@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..1c295dd 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -299,6 +302,15 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.useragent", var)) return git_config_string(_agent, var, value); + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } + /* Fall back on the default ones */ return git_default_config(var, value, cb); } @@ -499,6 +511,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 > http.c | 15 --- > 1 file changed, 8 insertions(+), 7 deletions(-) 
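Review bot: The http.pinnedpubkey description in the config.txt hunk does not say what the pin is compared against or what happens when it does not match, which a user enabling a security option needs to know; as I understand CURLOPT_PINNEDPUBLICKEY, the `sha256//` form is the base64 of the SHA-256 over the server certificate's DER-encoded SubjectPublicKeyInfo, and a connection whose key matches neither form is refused rather than silently downgraded. Since the value is handed to libcurl unchanged, libcurl's syntax of several `sha256//` pins separated by `;` (the usual way to carry a backup pin across a server key rotation) should be accepted as well; if that is confirmed against the libcurl version gated here, a sentence such as `Several 'sha256//' pins may be given separated by ';'; the connection is refused if the server's key matches none of them.` would spare users a rotation outage. The same description text appears in every version of this patch on the page ([PATCH +warn2], [PATCH +warn], v2 and the original), so the wording change applies to all of them.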
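Review bot: The `#else` branch added to http_options only calls `warning()` and returns 0, so on a libcurl older than 7.44.0 (the `0x072c00` gate) the fetch or push continues with no pin applied, while the config.txt hunk in the same patch tells the user that git "will exit with an error if this option is set but not supported by cURL"; a pinning option that degrades to an unpinned connection is fail-open, the opposite of what the documentation promises, and a single warning line is easy to miss in scripted use. Either make the code match the text, replacing the two lines with `die(_("Public key pinning not supported with cURL < 7.44.0"));`, or reword the documentation to say that a warning is printed and the connection is made without pinning, so that a user relying on the pin is not misled about what protection they have. The same doc/code mismatch is present in the [PATCH +warn2] and [PATCH +warn] versions below, which carry the same two hunks. Both http_options and get_curl_handle extend beyond the hunks shown here.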
> > diff --git a/http.c b/http.c > index a6b8076..3475040 100644 > --- a/http.c > +++ b/http.c > @@ -219,13 +219,6 @@ static int http_options(const char *var, const char > *value, void *cb) > if (!strcmp("http.sslcapath", var)) > return git_config_pathname(_capath, var, value); > #endif > - if (!strcmp("http.pinnedpubkey", var)) > -#if LIBCURL_VERSION_NUM >= 0x072c00 > - return git_config_pathname(_pinnedkey, var, value); > -#else > - warning(_("Public key pinning not supported with cURL < > 7.44.0")); > - return 0; > -#endif > if (!strcmp("http.sslcainfo", var)) > return git_config_pathname(_cainfo, var, value); > if (!strcmp("http.sslcertpasswordprotected", var)) { > @@ -283,6 +276,14 @@ static int http_options(const char *var, const char > *value, void *cb) > if (!strcmp("http.useragent", var)) > return git_config_string(_agent, var, value); > > + if (!strcmp("http.pinnedpubkey", var)) { > +#if LIBCURL_VERSION_NUM >= 0x072c00 > + return git_config_pathname(_pinnedkey, var, value); > +#else > + warning(_("Public key pinning not supported with cURL < > 7.44.0")); > + return 0; > +#endif > + } > /* Fall back on the default ones */ > return git_default_config(var, value, cb); > } --
[PATCH +warn2] Implement https public key pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christ...@christoph-egger.org> --- Now tested again both with and without a "new enough" cURL version. Passes tests in both configurations and is obviously more correct. Documentation/config.txt | 8 http.c | 15 +++ 2 files changed, 23 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..f640a8b 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; 
@@ -239,6 +242,14 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(_capath, var, value); #endif + if (!strcmp("http.pinnedpubkey", var)) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif + } if (!strcmp("http.sslcainfo", var)) return git_config_pathname(_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +510,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH +warn] Implement https public key pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christ...@christoph-egger.org> --- This version of the patch adds a warning to the user if the option is not supported. Documentation/config.txt | 8 http.c | 14 ++ 2 files changed, 22 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..0f2643b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,14 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will + exit with an error if this option is set but not supported by + cURL. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..0bb9237 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; 
@@ -239,6 +242,13 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(_capath, var, value); #endif + if (!strcmp("http.pinnedpubkey", var)) +#if LIBCURL_VERSION_NUM >= 0x072c00 + return git_config_pathname(_pinnedkey, var, value); +#else + warning(_("Public key pinning not supported with cURL < 7.44.0")); + return 0; +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +509,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] Implement https public key pinning
Jeff King writes: > We can't do this perfectly, because older versions of git do not yet > know about the option, and will therefore just silently ignore it. And > for consistency there, we usually do the same for features that we know > about but are unsupported. Jep that's why I originally did it this way. But if I (the user) just have to check the git version to know I'm fine (and not also check which version of curl it is linked with) to be sure I'd assume that's an improvement still. > But I agree for something with security implications like this, we are > better off warning when we know support is not built in. That's not > perfect, but it's better than nothing. I'll add an updated patch taking this into account > I wonder if there are other options which should get the same treatment. > Most of the obvious ones I could think of (e.g., http.sslverify) do not > need it, because either they always have support built, or they > fail-closed, or both. does CURLOPT_CAPATH add to CURLOPT_CAINFO or replace it? The documentation [0] is inconclusive to me in this regard. Christoph [0] https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html signature.asc Description: PGP signature
Re: [PATCH] Implement https public key pinning
Daniel Stenberg <dan...@haxx.se> writes: > On Thu, 11 Feb 2016, Christoph Egger wrote: >> +#if LIBCURL_VERSION_NUM >= 0x074400 > > That should probably be 0x072c00 ... This is, of course, right. I used 7.44 / 0x072c00 as base because it has robust support for this feature (including the sha256// variant). One could lower that depending on the compromises one is willing to take FWIW Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL backends not supported. Also some people suggested that git should fail if this option is requested in the config but not supported by the libcurl version instead of falling back to just not pin the key. I'm undecided about that. Christoph signature.asc Description: PGP signature
[PATCH v2] Implement https public key pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. Signed-off-by: Christoph Egger <christ...@christoph-egger.org> --- Documentation/config.txt | 6 ++ http.c | 11 +++ 2 files changed, 17 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..35b4495 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,12 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..5549fe5 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(_capath, var, value); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (!strcmp("http.pinnedpubkey", var)) + return git_config_pathname(_pinnedkey, var, value); +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { 
@@ -499,6 +506,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] Implement https public key pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. Signed-off-by: Christoph Egger <christ...@christoph-egger.org> --- For some more sensitive repositories I'd like to properly pin the public key of the https service. libcURL properly supports this since 7.44.0, some parts earlier, the option just needs to be exposed by git. There seem to be no test regressions. Documentation/config.txt | 6 ++ http.c | 11 +++ 2 files changed, 17 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 27f02be..35b4495 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1727,6 +1727,12 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_CAPATH' environment variable. +http.pinnedpubkey:: + Public key of the https service. It may either be the filename of + a PEM or DER encoded public key file or a string starting with + 'sha256//' followed by the base64 encoded sha256 hash of the + public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. + http.sslTry:: Attempt to use AUTH SSL/TLS and encrypted data transfers when connecting via regular FTP protocol. This might be needed diff --git a/http.c b/http.c index dfc53c1..60776cc 100644 --- a/http.c +++ b/http.c @@ -57,6 +57,9 @@ static const char *ssl_key; #if LIBCURL_VERSION_NUM >= 0x070908 static const char *ssl_capath; #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 +static const char *ssl_pinnedkey; +#endif static const char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; 
@@ -239,6 +242,10 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.sslcapath", var)) return git_config_pathname(_capath, var, value); #endif +#if LIBCURL_VERSION_NUM >= 0x072c00 + if (!strcmp("http.pinnedpubkey", var)) + return git_config_pathname(_pinnedkey, var, value); +#endif if (!strcmp("http.sslcainfo", var)) return git_config_pathname(_cainfo, var, value); if (!strcmp("http.sslcertpasswordprotected", var)) { @@ -499,6 +506,10 @@ static CURL *get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif +#if LIBCURL_VERSION_NUM >= 0x074400 + if (ssl_pinnedkey != NULL) + curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); +#endif if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); -- 2.7.0 -- -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html