diff options
author | Thomas Glanzmann <thomas@glanzmann.de> | 2016-11-25 10:47:25 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-11-25 10:49:38 +0100 |
commit | 4f8b17743d7c55a0bfb48463238c88564875ae47 (patch) | |
tree | ea77a17d0cc904146e5bd17909c5c4dfbe1002ea /lib/vtls | |
parent | 1232dbb8bd49b5502834ae9dd9f7ab1cb7a88b7b (diff) | |
download | curl-4f8b17743d7c55a0bfb48463238c88564875ae47.tar.gz |
HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/cyassl.c | 8 | ||||
-rw-r--r-- | lib/vtls/gskit.c | 3 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 3 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 8 | ||||
-rw-r--r-- | lib/vtls/nss.c | 6 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 3 | ||||
-rw-r--r-- | lib/vtls/polarssl.c | 8 |
7 files changed, 28 insertions, 11 deletions
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 5570760d4..db5ce2756 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -424,6 +424,10 @@ cyassl_connect_step2(struct connectdata *conn, conn->host.name; const char * const dispname = SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + conn->http_proxy.host.dispname : conn->host.dispname; conn->recv[sockindex] = cyassl_recv; conn->send[sockindex] = cyassl_send; @@ -497,7 +501,7 @@ cyassl_connect_step2(struct connectdata *conn, } } - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { #ifdef KEEP_PEER_CERT X509 *x509; const char *x509_der; @@ -529,7 +533,7 @@ cyassl_connect_step2(struct connectdata *conn, } result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, (const unsigned char *)pubkey->header, (size_t)(pubkey->end - pubkey->header)); if(result) { diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 6cac9573c..fccbe508e 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -1096,7 +1096,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) } /* Check pinned public key. */ - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(!result && ptr) { curl_X509certificate x509; curl_asn1Element *p; diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5249dd49d..c3bfeed51 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -1229,7 +1229,8 @@ gtls_connect_step3(struct connectdata *conn, infof(data, "\t server certificate activation date OK\n"); } - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(ptr) { result = pkp_pin_peer_pubkey(data, x509_cert, ptr); if(result != CURLE_OK) { diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index c428a210d..8bcaddd25 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -171,7 +171,6 @@ mbed_connect_step1(struct connectdata *conn, const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; - int ret = -1; char errorbuf[128]; errorbuf[0]=0; @@ -453,6 +452,9 @@ mbed_connect_step2(struct connectdata *conn, struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; const mbedtls_x509_crt *peercert; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; #ifdef HAS_ALPN const char *next_protocol; @@ -524,7 +526,7 @@ mbed_connect_step2(struct connectdata *conn, free(buffer); } - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { int size; CURLcode result; mbedtls_x509_crt *p; @@ -563,7 +565,7 @@ mbed_connect_step2(struct connectdata *conn, /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { mbedtls_x509_crt_free(p); diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 91b8e05cc..efb19e6e7 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1926,6 +1926,10 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) PRUint32 timeout; long * const certverifyresult = SSL_IS_PROXY() ? &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + /* check timeout situation */ const long time_left = Curl_timeleft(data, NULL, TRUE); @@ -1971,7 +1975,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) } } - result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + result = cmp_peer_pubkey(connssl, pinnedpubkey); if(result) /* status already printed */ goto error; diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1d7892550..8507f866f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2891,7 +2891,8 @@ static CURLcode servercert(struct connectdata *conn, /* when not strict, we don't bother about the verify cert problems */ result = CURLE_OK; - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(!result && ptr) { result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr); if(result) diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index f2f973c50..4bba3e3f2 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -397,6 +397,10 @@ polarssl_connect_step2(struct connectdata *conn, struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; char buffer[1024]; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + char errorbuf[128]; errorbuf[0] = 0; @@ -458,7 +462,7 @@ polarssl_connect_step2(struct connectdata *conn, } /* adapted from mbedtls.c */ - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { int size; CURLcode result; x509_crt *p; @@ -500,7 +504,7 @@ polarssl_connect_step2(struct connectdata *conn, /* pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { x509_crt_free(p); |