From patchwork Thu Oct 10 23:56:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "brian m. carlson" X-Patchwork-Id: 13831326 Received: from complex.crustytoothpaste.net (complex.crustytoothpaste.net [172.105.7.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E53091BE857 for ; Thu, 10 Oct 2024 23:56:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=172.105.7.114 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728604599; cv=none; b=rWqURntoGAV0P/M35H9WB5iyJe9TOgRZhEhigeb+PqhAegzMHQ2cU8+SszKakv6K7WSFsUyMQhyxffXM95vzP0iAUxNm9i8V4sK1mLLcQOcH/iZbF/gcXY2aZGkmj/AYkQ6Hzbj1Snqip3UfMY1pq//29ujUYmaFwrzGKcyzSVk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728604599; c=relaxed/simple; bh=2yteCggdA6LXgbOa72SHjQ2rtzToPOp6SaBetTTikRA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Is2duycxSanlzX3FTAnmvwG8+aLilYUWLE2kyG0C7cZQOg6WnSObrRuUYegKmFEqzeKEcHL6mu2lN3Ewink5cZEKeyLLjdBTYrBxu99Y8dqCqS6AcBVrKS9dv6dE6/tph5YJNnULQNzlfIknwBwQKP4OI5TwHGd3RvCzw/hB+n4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net; spf=pass smtp.mailfrom=crustytoothpaste.net; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b=poURlDID; arc=none smtp.client-ip=172.105.7.114 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=crustytoothpaste.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (3072-bit key) header.d=crustytoothpaste.net header.i=@crustytoothpaste.net header.b="poURlDID" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1728604594; bh=2yteCggdA6LXgbOa72SHjQ2rtzToPOp6SaBetTTikRA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Reply-To: Subject:Date:To:CC:Resent-Date:Resent-From:Resent-To:Resent-Cc: In-Reply-To:References:Content-Type:Content-Disposition; b=poURlDID2ag9TPkE+vc7S/nd6a5zKV05fk79yoNIIxzbY851iu23f7mgbcEu+7vjk 98uDYxux14YYchBQo8LLXviIISn2PrTIyMeqeUE3BFfMMQOrlkOQGcSaqxbfseSxRB RMQ5H7jaBFWDMNxA4Mvw7EJGPnpNZ321GfjgDfutlb7h58D0tsVCIgN3QPjPScUdSK rXj1GVNeNUK06A8chnUosXDeEb1QDDB8YQcx6uLPyoyZA44PMZNh7wVKYjX0+WphhF rvweu7YYl0awX67Pq1xVidTtqDkrLcd2n+G+FrgtbEaxZWiAAotCzTlW+D2va/okry FTcI4DlmIct6+90vzi2U+DR7DoL7NgKAmxwl4tikf14w4ZhR1x1H5hOToeFc5NR37Q mZg00N5X34sarc2vHHFIlPqjK+jbxjzIi7HaM1kzT8fRQxaz65hise1twjKEmblHaz sW+YZvSzpuK+OXHoyj0rKPWpgmUO8R+3RjzmRmhqXd+R8yZ3hRK Received: from tapette.. (ipagstaticip-2d4b363b-56b8-9979-23b8-fd468af1db4c.sdsl.bell.ca [142.112.6.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by complex.crustytoothpaste.net (Postfix) with ESMTPSA id 1381B200BA; Thu, 10 Oct 2024 23:56:34 +0000 (UTC) From: "brian m. carlson" To: Cc: Junio C Hamano , Jeff King Subject: [PATCH 04/13] git-curl-compat: remove check for curl 7.39.0 Date: Thu, 10 Oct 2024 23:56:12 +0000 Message-ID: <20241010235621.738239-5-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.45.2.753.g447d99e1c3b In-Reply-To: <20241010235621.738239-1-sandals@crustytoothpaste.net> References: <20241010235621.738239-1-sandals@crustytoothpaste.net> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 libcurl 7.39.0 was released in November 2014, which is almost ten years ago, and no major operating system vendor is still providing security support for it. Debian 9 and Ubuntu 16.04, both of which are out of mainstream security support, have supported a newer version, and RHEL 8, which is still in support, also has a newer version. Remove the check for this version and use this functionality unconditionally. Signed-off-by: brian m. carlson --- git-curl-compat.h | 9 --------- http.c | 11 ----------- 2 files changed, 20 deletions(-) diff --git a/git-curl-compat.h b/git-curl-compat.h index 21306fa88f..b301ef154c 100644 --- a/git-curl-compat.h +++ b/git-curl-compat.h @@ -28,15 +28,6 @@ * introduced, oldest first, in the official version of cURL library. */ -/** - * CURLOPT_PINNEDPUBLICKEY was added in 7.39.0, released in November - * 2014. CURLE_SSL_PINNEDPUBKEYNOTMATCH was added in that same version. - */ -#if LIBCURL_VERSION_NUM >= 0x072c00 -#define GIT_CURL_HAVE_CURLOPT_PINNEDPUBLICKEY 1 -#define GIT_CURL_HAVE_CURLE_SSL_PINNEDPUBKEYNOTMATCH 1 -#endif - /** * CURL_HTTP_VERSION_2 was added in 7.43.0, released in June 2015. * diff --git a/http.c b/http.c index ac4b98baa0..cdef059090 100644 --- a/http.c +++ b/http.c @@ -63,9 +63,7 @@ static char *ssl_key; static char *ssl_key_type; static char *ssl_capath; static char *curl_no_proxy; -#ifdef GIT_CURL_HAVE_CURLOPT_PINNEDPUBLICKEY static char *ssl_pinnedkey; -#endif static char *ssl_cainfo; static long curl_low_speed_limit = -1; static long curl_low_speed_time = -1; @@ -509,12 +507,7 @@ static int http_options(const char *var, const char *value, } if (!strcmp("http.pinnedpubkey", var)) { -#ifdef GIT_CURL_HAVE_CURLOPT_PINNEDPUBLICKEY return git_config_pathname(&ssl_pinnedkey, var, value); -#else - warning(_("Public key pinning not supported with cURL < 7.39.0")); - return 0; -#endif } if (!strcmp("http.extraheader", var)) { @@ -1104,10 +1097,8 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_SSLKEYTYPE, ssl_key_type); if (ssl_capath) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); -#ifdef GIT_CURL_HAVE_CURLOPT_PINNEDPUBLICKEY if (ssl_pinnedkey) curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); -#endif if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) && !http_schannel_use_ssl_cainfo) { curl_easy_setopt(result, CURLOPT_CAINFO, NULL); @@ -1825,10 +1816,8 @@ static int handle_curl_result(struct slot_results *results) */ credential_reject(&cert_auth); return HTTP_NOAUTH; -#ifdef GIT_CURL_HAVE_CURLE_SSL_PINNEDPUBKEYNOTMATCH } else if (results->curl_result == CURLE_SSL_PINNEDPUBKEYNOTMATCH) { return HTTP_NOMATCHPUBLICKEY; -#endif } else if (missing_target(results)) return HTTP_MISSING_TARGET; else if (results->http_code == 401) {