Browse Source

http: check CURLE_SSL_PINNEDPUBKEYNOTMATCH when emitting errors

Change the error shown when a http.pinnedPubKey doesn't match to point
the http.pinnedPubKey variable added in aeff8a6121 (http: implement
public key pinning, 2016-02-15), e.g.:

    git -c http.pinnedPubKey=sha256/someNonMatchingKey ls-remote https://github.com/git/git.git
    fatal: unable to access 'https://github.com/git/git.git/' with http.pinnedPubkey configuration: SSL: public key does not match pinned public key!

Before this we'd emit the exact same thing without the " with
http.pinnedPubkey configuration". The advantage of doing this is that
we're going to get a translated message (everything after the ":" is
hardcoded in English in libcurl), and we've got a reference to the
git-specific configuration variable that's causing the error.

Unfortunately we can't test this easily, as there are no tests that
require https:// in the test suite, and t/lib-httpd.sh doesn't know
how to set up such tests. See [1] for the start of a discussion about
what it would take to have divergent "t/lib-httpd/apache.conf" test
setups. #leftoverbits

1. https://lore.kernel.org/git/YUonS1uoZlZEt+Yd@coredump.intra.peff.net/

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
pull/1069/merge
Ævar Arnfjörð Bjarmason 11 months ago committed by Junio C Hamano
parent
commit
3e8084f188
  1. 3
      git-curl-compat.h
  2. 4
      http.c
  3. 1
      http.h
  4. 4
      remote-curl.c

3
git-curl-compat.h

@ -67,10 +67,11 @@
/**
* CURLOPT_PINNEDPUBLICKEY was added in 7.39.0, released in November
* 2014.
* 2014. CURLE_SSL_PINNEDPUBKEYNOTMATCH was added in that same version.
*/
#if LIBCURL_VERSION_NUM >= 0x072c00
#define GIT_CURL_HAVE_CURLOPT_PINNEDPUBLICKEY 1
#define GIT_CURL_HAVE_CURLE_SSL_PINNEDPUBKEYNOTMATCH 1
#endif
/**

4
http.c

@ -1489,6 +1489,10 @@ static int handle_curl_result(struct slot_results *results)
*/
credential_reject(&cert_auth);
return HTTP_NOAUTH;
#ifdef GIT_CURL_HAVE_CURLE_SSL_PINNEDPUBKEYNOTMATCH
} else if (results->curl_result == CURLE_SSL_PINNEDPUBKEYNOTMATCH) {
return HTTP_NOMATCHPUBLICKEY;
#endif
} else if (missing_target(results))
return HTTP_MISSING_TARGET;
else if (results->http_code == 401) {

1
http.h

@ -154,6 +154,7 @@ struct http_get_options {
#define HTTP_START_FAILED 3
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
/*
* Requests a URL and stores the result in a strbuf.

4
remote-curl.c

@ -499,6 +499,10 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message(&type, &charset, &buffer);
die(_("Authentication failed for '%s'"),
transport_anonymize_url(url.buf));
case HTTP_NOMATCHPUBLICKEY:
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
default:
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s': %s"),

Loading…
Cancel
Save