From 18bf7ef3d725a30ee4e6f28e31be1f393dbb780f Mon Sep 17 00:00:00 2001
From: Pascal Muller <pascalmuller@gmail.com>
Date: Wed, 23 Jun 2021 21:21:10 +0200
Subject: [PATCH] http: optionally send SSL client certificate

This adds support for a new http.sslAutoClientCert config value.

In cURL 7.77 or later the schannel backend does not automatically send
client certificates from the Windows Certificate Store anymore.

This config value is only used if http.sslBackend is set to "schannel",
and can be used to opt in to the old behavior and force cURL to send
client certificates.

This fixes https://github.com/git-for-windows/git/issues/3292

Signed-off-by: Pascal Muller <pascalmuller@gmail.com>
---
 Documentation/config/http.adoc |  5 +++++
 git-curl-compat.h              |  8 ++++++++
 http.c                         | 24 +++++++++++++++++++++---
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 847a9e79ab..33abad4a6e 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -260,6 +260,11 @@ http.schannelUseSSLCAInfo::
 	when the `schannel` backend was configured via `http.sslBackend`,
 	unless `http.schannelUseSSLCAInfo` overrides this behavior.
 
+http.sslAutoClientCert::
+	As of cURL v7.77.0, the Secure Channel backend won't automatically
+	send client certificates from the Windows Certificate Store anymore.
+	To opt in to the old behavior, http.sslAutoClientCert can be set.
+
 http.pinnedPubkey::
 	Public key of the https service. It may either be the filename of
 	a PEM or DER encoded public key file or a string starting with
diff --git a/git-curl-compat.h b/git-curl-compat.h
index dccdd4d6e5..5c8ceb076a 100644
--- a/git-curl-compat.h
+++ b/git-curl-compat.h
@@ -45,6 +45,14 @@
 #define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
 #endif
 
+/**
+ * CURLSSLOPT_AUTO_CLIENT_CERT was added in 7.77.0, released in May
+ * 2021.
+ */
+#if LIBCURL_VERSION_NUM >= 0x074d00
+#define GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
+#endif
+
 /**
  * CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
  * released in August 2022.
diff --git a/http.c b/http.c
index c91f8e35af..18d080f0d0 100644
--- a/http.c
+++ b/http.c
@@ -169,6 +169,8 @@ static long http_max_retry_time = 300;
  */
 static int http_schannel_use_ssl_cainfo;
 
+static int http_auto_client_cert;
+
 static int always_auth_proactively(void)
 {
 	return http_proactive_auth != PROACTIVE_AUTH_NONE &&
@@ -457,6 +459,11 @@ static int http_options(const char *var, const char *value,
 		return 0;
 	}
 
+	if (!strcmp("http.sslautoclientcert", var)) {
+		http_auto_client_cert = git_config_bool(var, value);
+		return 0;
+	}
+
 	if (!strcmp("http.minsessions", var)) {
 		min_curl_sessions = git_config_int(var, value, ctx->kvi);
 		if (min_curl_sessions > 1)
@@ -1175,9 +1182,20 @@ static CURL *get_curl_handle(void)
 	}
 #endif
 
-	if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
-	    http_schannel_check_revoke_mode) {
-		curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
+	if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
+		long ssl_options = 0;
+		if (http_schannel_check_revoke_mode) {
+			ssl_options |= http_schannel_check_revoke_mode;
+		}
+
+		if (http_auto_client_cert) {
+#ifdef GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
+			ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
+#endif
+		}
+
+		if (ssl_options)
+			curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
 	}
 
 	if (http_proactive_auth != PROACTIVE_AUTH_NONE)