
[1/2] http: add client cert for HTTPS proxies.

Message ID 3cf866d0384a0743e6625dd4e5124f00a5db5e7d.1582321003.git.gitgitgadget@gmail.com (mailing list archive)
State New, archived
Series Add HTTPS proxy SSL options (cert, key, cainfo) | expand

Commit Message

Koji Nakamaru via GitGitGadget Feb. 21, 2020, 9:36 p.m. UTC
From: Jorge Lopez Silva <jalopezsilva@gmail.com>

Git currently supports connecting to HTTPS proxies, but it does not
support mutual (TLS) authentication with them. This commit adds the
options needed to send a client certificate to the HTTPS proxy.

A client certificate can provide an alternative way of authentication
instead of using 'ProxyAuthorization' or other more common methods of
authentication.

Libcurl supports this functionality already. The feature is guarded by
the first available libcurl version that supports these options.

Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
---
 http.c | 48 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 3 deletions(-)

Comments

Eric Sunshine Feb. 21, 2020, 10:28 p.m. UTC | #1
On Fri, Feb 21, 2020 at 4:37 PM Jorge Lopez Silva via GitGitGadget
<gitgitgadget@gmail.com> wrote:
> Git currently supports performing connections to HTTPS proxies but we
> don't support doing mutual authentication with them (through TLS). This
> commit adds the necessary options to be able to send a client
> certificate to the HTTPS proxy.
> [...]
> Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
> ---
> diff --git a/http.c b/http.c
> @@ -1018,9 +1046,23 @@ static CURL *get_curl_handle(void)
>  #if LIBCURL_VERSION_NUM >= 0x073400
> -               else if (starts_with(curl_http_proxy, "https"))
> +               else if (starts_with(curl_http_proxy, "https")) {
>                         curl_easy_setopt(result,
>                                 CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
> +
> +                       if (http_proxy_ssl_cert != NULL) {
> +                               curl_easy_setopt(result,
> +                                       CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert);
> +                               }
> +                       if (http_proxy_ssl_key != NULL) {
> +                               curl_easy_setopt(result,
> +                                       CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key);
> +                               }
> +                       if (http_proxy_ssl_key_passwd != NULL) {
> +                               curl_easy_setopt(result,
> +                                       CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_key_passwd);
> +                               }
> +                       }
>  #endif

All the closing braces in this hunk seem to be over-indented. Also,
all of the braces for the one-liner 'if' bodies can be dropped, thus
making it less noisy.
Jorge A López Silva Feb. 26, 2020, 9:05 p.m. UTC | #2
Thanks Eric for the feedback. I'm addressing your comments and sending a v2.


On Fri, Feb 21, 2020 at 2:28 PM Eric Sunshine <sunshine@sunshineco.com> wrote:
>
> On Fri, Feb 21, 2020 at 4:37 PM Jorge Lopez Silva via GitGitGadget
> <gitgitgadget@gmail.com> wrote:
> > Git currently supports performing connections to HTTPS proxies but we
> > don't support doing mutual authentication with them (through TLS). This
> > commit adds the necessary options to be able to send a client
> > certificate to the HTTPS proxy.
> > [...]
> > Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
> > ---
> > diff --git a/http.c b/http.c
> > @@ -1018,9 +1046,23 @@ static CURL *get_curl_handle(void)
> >  #if LIBCURL_VERSION_NUM >= 0x073400
> > -               else if (starts_with(curl_http_proxy, "https"))
> > +               else if (starts_with(curl_http_proxy, "https")) {
> >                         curl_easy_setopt(result,
> >                                 CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
> > +
> > +                       if (http_proxy_ssl_cert != NULL) {
> > +                               curl_easy_setopt(result,
> > +                                       CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert);
> > +                               }
> > +                       if (http_proxy_ssl_key != NULL) {
> > +                               curl_easy_setopt(result,
> > +                                       CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key);
> > +                               }
> > +                       if (http_proxy_ssl_key_passwd != NULL) {
> > +                               curl_easy_setopt(result,
> > +                                       CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_key_passwd);
> > +                               }
> > +                       }
> >  #endif
>
> All the closing braces in this hunk seem to be over-indented. Also,
> all of the braces for the one-liner 'if' bodies can be dropped, thus
> making it less noisy.

Patch

diff --git a/http.c b/http.c
index 00a0e507633..141cf8f80cd 100644
--- a/http.c
+++ b/http.c
@@ -86,6 +86,14 @@  static long curl_low_speed_time = -1;
 static int curl_ftp_no_epsv;
 static const char *curl_http_proxy;
 static const char *http_proxy_authmethod;
+
+#if LIBCURL_VERSION_NUM >= 0x073400
+static const char *http_proxy_ssl_cert;
+static const char *http_proxy_ssl_key;
+static const char *http_proxy_ssl_key_passwd;
+#endif
+static const char *http_proxy_ssl_ca_info;
+
 static struct {
 	const char *name;
 	long curlauth_param;
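Review bot: `http_proxy_ssl_ca_info` is declared outside the `#if LIBCURL_VERSION_NUM >= 0x073400` guard while its three siblings sit inside it, yet the only assignment to it (the `http.proxycainfo` branch in the `http_options` hunk) is guarded, so on older libcurl the variable is always NULL and exists only so that the unguarded `else if (ssl_cainfo != NULL || http_proxy_ssl_ca_info != NULL)` condition in the third hunk still compiles. Rewriting that condition as a plain `} else {` preserves behaviour, because both inner checks are already NULL-guarded, and lets this declaration move inside the `#if` next to the other three, so every reference to the new variables is guarded consistently. That also makes it harder for a later change to use the CA path on a libcurl that cannot honour it.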
@@ -365,6 +373,20 @@  static int http_options(const char *var, const char *value, void *cb)
 	if (!strcmp("http.proxyauthmethod", var))
 		return git_config_string(&http_proxy_authmethod, var, value);
 
+#if LIBCURL_VERSION_NUM >= 0x073400
+	if (!strcmp("http.proxycert", var))
+		return git_config_string(&http_proxy_ssl_cert, var, value);
+
+	if (!strcmp("http.proxykey", var))
+		return git_config_string(&http_proxy_ssl_key, var, value);
+
+	if (!strcmp("http.proxykeypass", var))
+		return git_config_string(&http_proxy_ssl_key_passwd, var, value);
+
+	if (!strcmp("http.proxycainfo", var))
+		return git_config_string(&http_proxy_ssl_ca_info, var, value);
+#endif
+
 	if (!strcmp("http.cookiefile", var))
 		return git_config_pathname(&curl_cookie_file, var, value);
 	if (!strcmp("http.savecookies", var)) {
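Review bot: `http.proxycert`, `http.proxykey` and `http.proxycainfo` hold file paths but are read with `git_config_string`, whereas the neighbouring `http.cookiefile` uses `git_config_pathname`, which performs `~` expansion and keeps these options consistent with the other path-valued http settings; for each of the three the line would become e.g. `return git_config_pathname(&http_proxy_ssl_cert, var, value);`. The diffstat shows only `http.c` changing, so unless a later patch in the series covers it, the four new keys should also be described in the http configuration documentation, including which libcurl version they require. `http_options` starts and ends outside the hunk.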
@@ -924,8 +946,14 @@  static CURL *get_curl_handle(void)
 #if LIBCURL_VERSION_NUM >= 0x073400
 		curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
 #endif
-	} else if (ssl_cainfo != NULL)
-		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
+	} else if (ssl_cainfo != NULL || http_proxy_ssl_ca_info != NULL) {
+		if (ssl_cainfo != NULL)
+			curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
+#if LIBCURL_VERSION_NUM >= 0x073400
+		if (http_proxy_ssl_ca_info != NULL)
+			curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, http_proxy_ssl_ca_info);
+#endif
+	}
 
 	if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
 		curl_easy_setopt(result, CURLOPT_LOW_SPEED_LIMIT,
@@ -1018,9 +1046,23 @@  static CURL *get_curl_handle(void)
 				CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4);
 #endif
 #if LIBCURL_VERSION_NUM >= 0x073400
-		else if (starts_with(curl_http_proxy, "https"))
+		else if (starts_with(curl_http_proxy, "https")) {
 			curl_easy_setopt(result,
 				CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+
+			if (http_proxy_ssl_cert != NULL) {
+				curl_easy_setopt(result,
+					CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert);
+				}
+			if (http_proxy_ssl_key != NULL) {
+				curl_easy_setopt(result,
+					CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key);
+				}
+			if (http_proxy_ssl_key_passwd != NULL) {
+				curl_easy_setopt(result,
+					CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_key_passwd);
+				}
+			}
 #endif
 		if (strstr(curl_http_proxy, "://"))
 			credential_from_url(&proxy_auth, curl_http_proxy);
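Review bot: `http_proxy_ssl_key_passwd` is handed straight to `CURLOPT_PROXY_KEYPASSWD`, and since the only way to supply it is the new `http.proxykeypass` key, the private-key passphrase necessarily sits in clear text in the git config. If I recall correctly, the existing client-certificate path in this file instead prompts through the credential machinery when `http.sslCertPasswordProtected` is set; mirroring that with an equivalent flag for the proxy key would keep the passphrase out of `.gitconfig`, and at minimum the option's documentation should state that the value is stored in the clear. The enclosing `get_curl_handle` starts and ends outside the hunk.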