Commit ab8a0fdb by Edward Thomson

Merge branch '25_certcheckcb' into maint/v0.25

parents 75db289a 98d66240
...@@ -624,13 +624,12 @@ static int http_connect(http_subtransport *t) ...@@ -624,13 +624,12 @@ static int http_connect(http_subtransport *t)
if ((!error || error == GIT_ECERTIFICATE) && t->owner->certificate_check_cb != NULL && if ((!error || error == GIT_ECERTIFICATE) && t->owner->certificate_check_cb != NULL &&
git_stream_is_encrypted(t->io)) { git_stream_is_encrypted(t->io)) {
git_cert *cert; git_cert *cert;
int is_valid; int is_valid = (error == GIT_OK);
if ((error = git_stream_certificate(&cert, t->io)) < 0) if ((error = git_stream_certificate(&cert, t->io)) < 0)
return error; return error;
giterr_clear(); giterr_clear();
is_valid = error != GIT_ECERTIFICATE;
error = t->owner->certificate_check_cb(cert, is_valid, t->connection_data.host, t->owner->message_cb_payload); error = t->owner->certificate_check_cb(cert, is_valid, t->connection_data.host, t->owner->message_cb_payload);
if (error < 0) { if (error < 0) {
......
...@@ -10,37 +10,66 @@ static bool g_has_ssl = true; ...@@ -10,37 +10,66 @@ static bool g_has_ssl = true;
static bool g_has_ssl = false; static bool g_has_ssl = false;
#endif #endif
static int cert_check_assert_invalid(git_cert *cert, int valid, const char* host, void *payload)
{
GIT_UNUSED(cert); GIT_UNUSED(host); GIT_UNUSED(payload);
cl_assert_equal_i(0, valid);
return GIT_ECERTIFICATE;
}
void test_online_badssl__expired(void) void test_online_badssl__expired(void)
{ {
git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
if (!g_has_ssl) if (!g_has_ssl)
cl_skip(); cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE, cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", NULL)); git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", NULL));
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", &opts));
} }
void test_online_badssl__wrong_host(void) void test_online_badssl__wrong_host(void)
{ {
git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
if (!g_has_ssl) if (!g_has_ssl)
cl_skip(); cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE, cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", NULL)); git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", NULL));
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", &opts));
} }
void test_online_badssl__self_signed(void) void test_online_badssl__self_signed(void)
{ {
git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
if (!g_has_ssl) if (!g_has_ssl)
cl_skip(); cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE, cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", NULL)); git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", NULL));
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", &opts));
} }
void test_online_badssl__old_cipher(void) void test_online_badssl__old_cipher(void)
{ {
git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
if (!g_has_ssl) if (!g_has_ssl)
cl_skip(); cl_skip();
cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL)); cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL));
cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", &opts));
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment