From 7f40633422df36b50e752749fb8795cac3e99e37 Mon Sep 17 00:00:00 2001
From: Gilles Vollant
Date: Tue, 19 May 2020 22:45:37 +0200
Subject: setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency

Closes #5431
---
 docs/libcurl/curl_easy_setopt.3 | 4 ++
 docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT.3 | 73 +++++++++++++++++++
 docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT_BLOB.3 | 85 +++++++++++++++++++++++
 docs/libcurl/opts/Makefile.inc | 2 +
 docs/libcurl/symbols-in-versions | 2 +
 include/curl/curl.h | 4 ++
 lib/setopt.c | 17 +++++
 lib/urldata.h | 1 +
 8 files changed, 188 insertions(+)
 create mode 100644 docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT.3
 create mode 100644 docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT_BLOB.3

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 9692a10b7..a64375e0c 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -564,6 +564,10 @@ Proxy CA cert bundle. See \fICURLOPT_PROXY_CAINFO(3)\fP
 Issuer certificate. See \fICURLOPT_ISSUERCERT(3)\fP
 .IP CURLOPT_ISSUERCERT_BLOB
 Issuer certificate memory buffer. See \fICURLOPT_ISSUERCERT_BLOB(3)\fP
+.IP CURLOPT_PROXY_ISSUERCERT
+Proxy issuer certificate. See \fICURLOPT_PROXY_ISSUERCERT(3)\fP
+.IP CURLOPT_PROXY_ISSUERCERT_BLOB
+Proxy issuer certificate memory buffer. See \fICURLOPT_PROXY_ISSUERCERT_BLOB(3)\fP
 .IP CURLOPT_CAPATH
 Path to CA cert bundle. See \fICURLOPT_CAPATH(3)\fP
 .IP CURLOPT_PROXY_CAPATH
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT.3 b/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT.3
new file mode 100644
index 000000000..7e9402f08
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT.3
@@ -0,0 +1,73 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_ISSUERCERT 3 "24 Jun 2020" "libcurl 7.71.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_ISSUERCERT \- proxy issuer SSL certificate filename
+.SH SYNOPSIS
+#include
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_ISSUERCERT, char *file);
+.SH DESCRIPTION
+Pass a char * to a zero terminated string naming a \fIfile\fP holding a CA
+certificate in PEM format. If the option is set, an additional check against
+the peer certificate is performed to verify the issuer of the the HTTPS proxy
+is indeed the one associated with the certificate provided by the option.
+This additional check is useful in multi-level PKI where one needs to enforce
+that the peer certificate is from a specific branch of the tree.
+
+This option makes sense only when used in combination with the
+\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP option. Otherwise, the result of the
+check is not considered as failure.
+
+A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
+which is returned if the setup of the SSL/TLS session has failed due to a
+mismatch with the issuer of peer certificate
+(\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP has to be set too for the check to
+fail).
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL
+.SH PROTOCOLS
+All TLS-based protocols
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ /* using an HTTPS proxy */
+ curl_easy_setopt(curl, CURLOPT_PROXY, "https://localhost:443");
+ curl_easy_setopt(curl, CURLOPT_PROXY_ISSUERCERT, "/etc/certs/cacert.pem");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in libcurl 7.71.0. This option is supported by the OpenSSL backends.
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY_SSL_VERIFYPEER "(3), " CURLOPT_PROXY_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), " CURLOPT_SSL_VERIFYHOST "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT_BLOB.3 b/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT_BLOB.3
new file mode 100644
index 000000000..857fffde9
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_ISSUERCERT_BLOB.3
@@ -0,0 +1,85 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_ISSUERCERT_BLOB 3 "24 Jun 2020" "libcurl 7.71.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_ISSUERCERT_BLOB \- proxy issuer SSL certificate from memory blob
+.SH SYNOPSIS
+.nf
+#include
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_ISSUERCERT_BLOB,
+ struct curl_blob *blob);
+.fi
+.SH DESCRIPTION
+Pass a pointer to a curl_blob struct, which contains information (pointer and
+size) about a memory block with binary data of a CA certificate in PEM
+format. If the option is set, an additional check against the peer certificate
+is performed to verify the issuer of the the HTTPS proxy is indeed the one
+associated with the certificate provided by the option. This additional check
+is useful in multi-level PKI where one needs to enforce that the peer
+certificate is from a specific branch of the tree.
+
+This option should be used in combination with the
+\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP option. Otherwise, the result of the
+check is not considered as failure.
+
+A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
+which is returned if the setup of the SSL/TLS session has failed due to a
+mismatch with the issuer of peer certificate
+(\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP has to be set too for the check to
+fail).
+
+If the blob is initialized with the flags member of struct curl_blob set to
+CURL_BLOB_COPY, the application does not have to keep the buffer around after
+setting this.
+
+This option is an alternative to \fICURLOPT_PROXY_ISSUERCERT(3)\fP which
+instead expects a file name as input.
+.SH DEFAULT
+NULL
+.SH PROTOCOLS
+All TLS-based protocols
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ struct curl_blob blob;
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ /* using an HTTPS proxy */
+ curl_easy_setopt(curl, CURLOPT_PROXY, "https://localhost:443");
+ blob.data = certificateData;
+ blob.len = filesize;
+ blob.flags = CURL_BLOB_COPY;
+ curl_easy_setopt(curl, CURLOPT_PROXY_ISSUERCERT_BLOB, &blob);
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in libcurl 7.71.0. This option is supported by the OpenSSL backends.
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY_SSL_VERIFYPEER "(3), " CURLOPT_PROXY_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), " CURLOPT_SSL_VERIFYHOST "(3), "
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index 21e14fc95..c60b486d1 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -258,6 +258,8 @@ man_MANS = \
 CURLOPT_PROXY_CAPATH.3 \
 CURLOPT_PROXY_CRLFILE.3 \
 CURLOPT_PROXY_KEYPASSWD.3 \
+ CURLOPT_PROXY_ISSUERCERT.3 \
+ CURLOPT_PROXY_ISSUERCERT_BLOB.3 \
 CURLOPT_PROXY_PINNEDPUBLICKEY.3 \
 CURLOPT_PROXY_SERVICE_NAME.3 \
 CURLOPT_PROXY_SSLCERT.3 \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 92159d02a..36126db09 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -516,6 +516,8 @@ CURLOPT_PROGRESSDATA 7.1
 CURLOPT_PROGRESSFUNCTION 7.1 7.32.0
 CURLOPT_PROTOCOLS 7.19.4
 CURLOPT_PROXY 7.1
+CURLOPT_PROXY_ISSUERCERT 7.71.0
+CURLOPT_PROXY_ISSUERCERT_BLOB 7.71.0
 CURLOPT_PROXYAUTH 7.10.7
 CURLOPT_PROXYHEADER 7.37.0
 CURLOPT_PROXYPASSWORD 7.19.1
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 17d0384f0..d5f8817d5 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1967,6 +1967,10 @@ typedef enum {
 CURLOPT(CURLOPT_PROXY_SSLKEY_BLOB, CURLOPTTYPE_BLOB, 294),
 CURLOPT(CURLOPT_ISSUERCERT_BLOB, CURLOPTTYPE_BLOB, 295),
+ /* Issuer certificate for proxy */
+ CURLOPT(CURLOPT_PROXY_ISSUERCERT, CURLOPTTYPE_STRINGPOINT, 296),
+ CURLOPT(CURLOPT_PROXY_ISSUERCERT_BLOB, CURLOPTTYPE_BLOB, 297),
+
 CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
diff --git a/lib/setopt.c b/lib/setopt.c
index 4570cc06a..72704127c 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2036,6 +2036,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG],
 va_arg(param, struct curl_blob *));
 break;
+#ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_ISSUERCERT:
+ /*
+ * Set Issuer certificate file
+ * to check certificates issuer
+ */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_PROXY],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_ISSUERCERT_BLOB:
+ /*
+ * Blob that holds Issuer certificate to check certificates issuer
+ */
+ result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY],
+ va_arg(param, struct curl_blob *));
+ break;
+#endif
 #ifndef CURL_DISABLE_TELNET
 case CURLOPT_TELNETOPTIONS:
 /*
diff --git a/lib/urldata.h b/lib/urldata.h
index 9b4ce5f5b..9c50c261f 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
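Review bot: The two new cases only store the value — into `data->set.str[STRING_SSL_ISSUERCERT_PROXY]` and `data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]` — and no other file in this patch (see the diffstat: no lib/url.c or lib/vtls change) copies the new blob slot into the proxy TLS configuration or reads it in a backend, while both new man pages already state that the OpenSSL backend verifies the HTTPS proxy's certificate issuer. Unless that wiring exists in a separate change, an application that sets CURLOPT_PROXY_ISSUERCERT_BLOB gets CURLE_OK and a proxy handshake that was never issuer-checked, which is exactly the silent failure an issuer pin is meant to exclude; please confirm where BLOB_SSL_ISSUERCERT_PROXY (added in the lib/urldata.h hunk) is consumed, or land the consumer together with the setter. The case comments repeat the ORIG wording and do not name the peer; `/* Issuer certificate file used to verify the issuer of the HTTPS proxy's certificate */` and `/* Blob holding the issuer certificate used to verify the HTTPS proxy's certificate */` would make the intent clear. Curl_vsetopt's body starts and ends outside this hunk.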
@@ -1589,6 +1589,7 @@ enum dupblob {
 BLOB_KEY_ORIG,
 BLOB_KEY_PROXY,
 BLOB_SSL_ISSUERCERT_ORIG,
+ BLOB_SSL_ISSUERCERT_PROXY,
 BLOB_LAST
 };
-- cgit v1.2.1