thodg/libgit2

Browse

Commit ab8a0fdb31ff7e944d01348f28a2da19e50f8839

Edward Thomson 2017-01-06T17:10:49

Merge branch '25_certcheckcb' into maint/v0.25 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

diff --git a/src/transports/http.c b/src/transports/http.c
index ad28c58..155fd7b 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -624,13 +624,12 @@ static int http_connect(http_subtransport *t)
 	if ((!error || error == GIT_ECERTIFICATE) && t->owner->certificate_check_cb != NULL &&
 	    git_stream_is_encrypted(t->io)) {
 		git_cert *cert;
-		int is_valid;
+		int is_valid = (error == GIT_OK);
 
 		if ((error = git_stream_certificate(&cert, t->io)) < 0)
 			return error;
 
 		giterr_clear();
-		is_valid = error != GIT_ECERTIFICATE;
 		error = t->owner->certificate_check_cb(cert, is_valid, t->connection_data.host, t->owner->message_cb_payload);
 
 		if (error < 0) {
diff --git a/tests/online/badssl.c b/tests/online/badssl.c
index 66b090d..f3470f6 100644
--- a/tests/online/badssl.c
+++ b/tests/online/badssl.c
@@ -10,37 +10,66 @@ static bool g_has_ssl = true;
 static bool g_has_ssl = false;
 #endif
 
+static int cert_check_assert_invalid(git_cert *cert, int valid, const char* host, void *payload)
+{
+	GIT_UNUSED(cert); GIT_UNUSED(host); GIT_UNUSED(payload);
+
+	cl_assert_equal_i(0, valid);
+
+	return GIT_ECERTIFICATE;
+}
+
 void test_online_badssl__expired(void)
 {
+	git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+	opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
 	if (!g_has_ssl)
 		cl_skip();
 
 	cl_git_fail_with(GIT_ECERTIFICATE,
 			 git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", NULL));
+
+	cl_git_fail_with(GIT_ECERTIFICATE,
+			 git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", &opts));
 }
 
 void test_online_badssl__wrong_host(void)
 {
+	git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+	opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
 	if (!g_has_ssl)
 		cl_skip();
 
 	cl_git_fail_with(GIT_ECERTIFICATE,
 			 git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", NULL));
+	cl_git_fail_with(GIT_ECERTIFICATE,
+			 git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", &opts));
 }
 
 void test_online_badssl__self_signed(void)
 {
+	git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+	opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
 	if (!g_has_ssl)
 		cl_skip();
 
 	cl_git_fail_with(GIT_ECERTIFICATE,
 			 git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", NULL));
+	cl_git_fail_with(GIT_ECERTIFICATE,
+			 git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", &opts));
 }
 
 void test_online_badssl__old_cipher(void)
 {
+	git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+	opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
 	if (!g_has_ssl)
 		cl_skip();
 
 	cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL));
+	cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", &opts));
 }
kmx.io     mail     discord kmxgit v0.4.0