From patchwork Fri Feb 21 21:36:42 2020
X-Patchwork-Submitter: Philip Peterson via GitGitGadget
X-Patchwork-Id: 11397577
Message-Id: <3cf866d0384a0743e6625dd4e5124f00a5db5e7d.1582321003.git.gitgitgadget@gmail.com>
From: "Jorge Lopez Silva via GitGitGadget"
Date: Fri, 21 Feb 2020 21:36:42 +0000
Subject: [PATCH 1/2] http: add client cert for HTTPS proxies.
To: git@vger.kernel.org
Cc: Jorge , Jorge Lopez Silva
X-Mailing-List: git@vger.kernel.org

From: Jorge Lopez Silva

Git currently supports performing connections to HTTPS proxies but we don't
support doing mutual authentication with them (through TLS).

This commit adds the necessary options to be able to send a client
certificate to the HTTPS proxy. A client certificate can provide an
alternative way of authentication instead of using 'ProxyAuthorization' or
other more common methods of authentication.

Libcurl supports this functionality already. The feature is guarded by the
first available libcurl version that supports these options.
Signed-off-by: Jorge Lopez Silva --- http.c | 48 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/http.c b/http.c index 00a0e507633..141cf8f80cd 100644 --- a/http.c +++ b/http.c @@ -86,6 +86,14 @@ static long curl_low_speed_time = -1; static int curl_ftp_no_epsv; static const char *curl_http_proxy; static const char *http_proxy_authmethod; + +#if LIBCURL_VERSION_NUM >= 0x073400 +static const char *http_proxy_ssl_cert; +static const char *http_proxy_ssl_key; +static const char *http_proxy_ssl_key_passwd; +#endif +static const char *http_proxy_ssl_ca_info; + static struct { const char *name; long curlauth_param; @@ -365,6 +373,20 @@ static int http_options(const char *var, const char *value, void *cb) if (!strcmp("http.proxyauthmethod", var)) return git_config_string(&http_proxy_authmethod, var, value); +#if LIBCURL_VERSION_NUM >= 0x073400 + if (!strcmp("http.proxycert", var)) + return git_config_string(&http_proxy_ssl_cert, var, value); + + if (!strcmp("http.proxykey", var)) + return git_config_string(&http_proxy_ssl_key, var, value); + + if (!strcmp("http.proxykeypass", var)) + return git_config_string(&http_proxy_ssl_key_passwd, var, value); + + if (!strcmp("http.proxycainfo", var)) + return git_config_string(&http_proxy_ssl_ca_info, var, value); +#endif + if (!strcmp("http.cookiefile", var)) return git_config_pathname(&curl_cookie_file, var, value); if (!strcmp("http.savecookies", var)) { 
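Review bot: the `#if LIBCURL_VERSION_NUM >= 0x073400` guard is applied inconsistently to `http_proxy_ssl_ca_info` across these two hunks: in the declaration hunk it is declared outside the guard (`+#endif` comes before `+static const char *http_proxy_ssl_ca_info;`), while in the `http_options()` hunk its `http.proxycainfo` parser sits inside the guard next to the other three. On a libcurl older than 7.52.0 (0x073400) the variable exists but is never assigned, and a user's `http.proxycainfo` is silently ignored. Either move the declaration inside the guard so every use of it is guarded the same way, or parse the option unconditionally and emit a warning when the running libcurl cannot honour it, so the misconfiguration is visible rather than silent.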
@@ -924,8 +946,14 @@ static CURL *get_curl_handle(void) #if LIBCURL_VERSION_NUM >= 0x073400 curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL); #endif - } else if (ssl_cainfo != NULL) - curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); + } else if (ssl_cainfo != NULL || http_proxy_ssl_ca_info != NULL) { + if (ssl_cainfo != NULL) + curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); +#if LIBCURL_VERSION_NUM >= 0x073400 + if (http_proxy_ssl_ca_info != NULL) + curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, http_proxy_ssl_ca_info); +#endif + } if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) { curl_easy_setopt(result, CURLOPT_LOW_SPEED_LIMIT, 
@@ -1018,9 +1046,23 @@ static CURL *get_curl_handle(void) CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4); #endif #if LIBCURL_VERSION_NUM >= 0x073400 - else if (starts_with(curl_http_proxy, "https")) + else if (starts_with(curl_http_proxy, "https")) { curl_easy_setopt(result, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); + + if (http_proxy_ssl_cert != NULL) { + curl_easy_setopt(result, + CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert); + } + if (http_proxy_ssl_key != NULL) { + curl_easy_setopt(result, + CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key); + } + if (http_proxy_ssl_key_passwd != NULL) { + curl_easy_setopt(result, + CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_key_passwd); + } + } #endif if (strstr(curl_http_proxy, "://")) credential_from_url(&proxy_auth, curl_http_proxy);

From patchwork Fri Feb 21 21:36:43 2020
X-Patchwork-Submitter: Philip Peterson via GitGitGadget
X-Patchwork-Id: 11397579
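Review bot: `http_proxy_ssl_key_passwd` is read verbatim from git config and handed to `CURLOPT_PROXY_KEYPASSWD`, so the private-key passphrase has to live in cleartext in a config file, which defeats the point of encrypting the key. Consider prompting for it (or obtaining it through the credential machinery) rather than, or in addition to, a config key, and at minimum call the exposure out in the documentation. Two smaller points in the same hunk: the three `if (... != NULL) { ... }` blocks wrap a single statement in braces, which the project's coding style avoids; and because the new `curl_easy_setopt` calls only run when the proxy URL starts with `https`, a user who sets `http.proxycert` together with an `http://` or socks proxy gets no error at all. A warning in that case would save a round of debugging.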
Message-Id: <583fdd0fe9b94c6031be40749d36ff61d55b55e3.1582321003.git.gitgitgadget@gmail.com>
From: "Jorge Lopez Silva via GitGitGadget"
Date: Fri, 21 Feb 2020 21:36:43 +0000
Subject: [PATCH 2/2] config: documentation for HTTPS proxy client cert.
To: git@vger.kernel.org
Cc: Jorge , Jorge Lopez Silva
X-Mailing-List: git@vger.kernel.org

From: Jorge Lopez Silva

The commit adds 4 options: client cert, key, key password and CA info.

The CA info can be used to specify a different CA path to validate the HTTPS
proxy cert.

Signed-off-by: Jorge Lopez Silva --- Documentation/config/http.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt index e806033aab8..7e704687e87 100644 --- a/Documentation/config/http.txt +++ b/Documentation/config/http.txt @@ -29,6 +29,20 @@ http.proxyAuthMethod:: * `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`) -- +http.proxycert:: + File indicating a client certificate to use to authenticate with an HTTPS proxy. + +http.proxykey:: + File indicating a private key to use to authenticate with an HTTPS proxy. + +http.proxykeypass:: + When communicating to the proxy using TLS (using an HTTPS proxy), use this + option along `http.proxykey` to indicate a password for the key. + +http.proxycainfo:: + File containing the certificates to verify the proxy with when using an HTTPS + proxy. + http.emptyAuth:: Attempt authentication without seeking a username or password. This can be used to attempt GSS-Negotiate authentication without specifying
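Review bot: the new entries break the naming convention of the surrounding documentation: the neighbouring keys visible in this hunk are written in camelCase (`http.proxyAuthMethod::`, `http.emptyAuth::`), so these should read `http.proxyCert`, `http.proxyKey`, `http.proxyKeyPass` and `http.proxyCAInfo` (config key lookup is case-insensitive, so the code in 1/2 needs no change). The entries also omit two conditions a reader needs: they are only honoured when `http.proxy` is an `https://` URL, and only when git was built against libcurl 7.52.0 or newer; and `http.proxykeypass` should state that the passphrase is stored in cleartext in the config file. The commit message calls the CA option a "CA path", but the option maps to `CURLOPT_PROXY_CAINFO`, which takes a bundle file, and the doc text itself correctly says "File containing the certificates"; align the message with that. Wording: "File indicating a client certificate to use to authenticate with" reads better as "Path to the client certificate file used to authenticate to", and "use this option along `http.proxykey`" should be "along with".

As an added example that is not part of this series or of git's own code, the shell script below builds a throwaway private CA, a proxy server certificate and a client certificate with openssl(1), writes a git config using the keys this series introduces, and checks the two things that most often break a client-cert setup: a key that does not match the certificate, and a certificate that does not chain to the CA the other side trusts. The proxy name `proxy.example.test`, the port 3128 and every file name are placeholders; nothing here connects to a real proxy. The config keys are only honoured by a git built with patch 1/2 against libcurl 7.52.0 or newer, and only when `http.proxy` is an `https://` URL.

```shell
#!/bin/sh
# Added example, not part of the patch series or of git: throwaway mTLS
# material for an HTTPS proxy plus the git config keys from the series.
# Assumptions: openssl(1) is on PATH; "proxy.example.test:3128" is a
# placeholder proxy; all certificates are valid for one day only.
set -eu

# make_proxy_mtls DIR: create ca.pem, proxy.pem/proxy.key, client.pem/client.key
# and DIR/gitconfig inside DIR. Returns 0 on success (set -e aborts otherwise).
make_proxy_mtls() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir"
        # 1. Private CA that the proxy's certificate chains to (http.proxyCAInfo).
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Example Proxy CA" -keyout ca.key -out ca.pem 2>/dev/null
        # 2. Proxy server certificate, signed by that CA.
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=proxy.example.test" -keyout proxy.key -out proxy.csr 2>/dev/null
        openssl x509 -req -sha256 -days 1 -in proxy.csr \
            -CA ca.pem -CAkey ca.key -CAcreateserial -out proxy.pem 2>/dev/null
        # 3. Client certificate git presents to the proxy (http.proxyCert/Key).
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=git-client" -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -sha256 -days 1 -in client.csr \
            -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem 2>/dev/null
        # Private keys are unencrypted; file mode is the protection.
        chmod 600 ca.key proxy.key client.key
    )
    # git config fragment using the keys the series adds. http.proxyKeyPass is
    # deliberately absent: it would put the key passphrase in cleartext in this
    # file, so an unencrypted 0600 key is the less exposed choice.
    cat >"$dir/gitconfig" <<EOF
[http]
	proxy = https://proxy.example.test:3128
	proxyCert = $dir/client.pem
	proxyKey = $dir/client.key
	proxyCAInfo = $dir/ca.pem
EOF
}

# cert_matches_key CERT KEY: prints 1 if KEY's public key equals the one in
# CERT, else 0. A mismatch is what curl reports as "could not load PEM client
# certificate" when proxyCert and proxyKey point at unrelated files.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] && echo 1 || echo 0
}

# chains_to_ca CAFILE CERT: prints 1 if CERT verifies against CAFILE, else 0.
# This is the check the proxy does on the client cert and git (via
# proxyCAInfo) does on the proxy cert.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo 1 || echo 0
}
```

To try it against a real HTTPS proxy, copy the `[http]` section into the global config (or pass it with `git -c include.path=DIR/gitconfig`) and run a fetch with `GIT_CURL_VERBOSE=1`; curl's output shows whether the client certificate was sent during the proxy TLS handshake. Keeping the key unencrypted with mode 0600 rather than using `http.proxyKeyPass` is a deliberate choice: the config file is usually world-readable-by-default and backed up, the key file is not.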