Mercurial > trustbridge
annotate patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch @ 1395:a2574a029322
Fix Base 64 signature size calculation.
If the signature byte size is not equally dividable
by three the base 64 encoding needs three additional bytes.
The value is now fixed to avoid such errors in the future.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 26 Jan 2015 13:17:32 +0100 |
| parents | 93325618ac7b |
| children |
| rev | line source |
|---|---|
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
1 From e5c7feec5151299975fe03184cc322ea51fb45c2 Mon Sep 17 00:00:00 2001 |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
2 From: Andre Heinecke <aheinecke@intevation.de> |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
3 Date: Fri, 12 Sep 2014 13:01:07 +0200 |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
4 Subject: [PATCH 2/2] Add CURLOPT_PEERCERT option to pin a peer cert |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
5 |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
6 This is only implemented for a specific usecase with polarssl |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
7 --- |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
8 include/curl/curl.h | 3 +++ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
9 include/curl/typecheck-gcc.h | 1 + |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
10 lib/url.c | 8 ++++++++ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
11 lib/urldata.h | 1 + |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
12 lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++++ |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
13 5 files changed, 54 insertions(+) |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
14 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
15 diff --git a/include/curl/curl.h b/include/curl/curl.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
16 index d40b2db..20a9d82 100644 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
17 --- a/include/curl/curl.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
18 +++ b/include/curl/curl.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
19 @@ -1611,6 +1611,9 @@ typedef enum { |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
20 /* Pass in a bitmask of "header options" */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
21 CINIT(HEADEROPT, LONG, 229), |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
22 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
23 + /* Peer certificate */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
24 + CINIT(PEERCERT, OBJECTPOINT, 230), |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
25 + |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
26 CURLOPT_LASTENTRY /* the last unused */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
27 } CURLoption; |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
28 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
29 diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
30 index 69d41a2..241529d 100644 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
31 --- a/include/curl/typecheck-gcc.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
32 +++ b/include/curl/typecheck-gcc.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
33 @@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
34 (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
35 (option) == CURLOPT_CRLFILE || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
36 (option) == CURLOPT_ISSUERCERT || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
37 + (option) == CURLOPT_PEERCERT || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
38 (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
39 (option) == CURLOPT_SSH_KNOWNHOSTS || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
40 (option) == CURLOPT_MAIL_FROM || \ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
41 diff --git a/lib/url.c b/lib/url.c |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
42 index 67126ab3..5721ee2 100644 |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
43 --- a/lib/url.c |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
44 +++ b/lib/url.c |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
45 @@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
46 result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT], |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
47 va_arg(param, char *)); |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
48 break; |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
49 + case CURLOPT_PEERCERT: |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
50 + /* |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
51 + * Set peer certificate file |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
52 + * to check peer certificate against |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
53 + */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
54 + result = setstropt(&data->set.str[STRING_SSL_PEERCERT], |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
55 + va_arg(param, char *)); |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
56 + break; |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
57 case CURLOPT_TELNETOPTIONS: |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
58 /* |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
59 * Set a linked list of telnet options |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
60 diff --git a/lib/urldata.h b/lib/urldata.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
61 index 8594c2f..a6dc1ae 100644 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
62 --- a/lib/urldata.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
63 +++ b/lib/urldata.h |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
64 @@ -1391,6 +1391,7 @@ enum dupstring { |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
65 STRING_USERAGENT, /* User-Agent string */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
66 STRING_SSL_CRLFILE, /* crl file to check certificate */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
67 STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
68 + STRING_SSL_PEERCERT, /* issuer cert file to check certificate */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
69 STRING_USERNAME, /* <username>, if used */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
70 STRING_PASSWORD, /* <password>, if used */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
71 STRING_OPTIONS, /* <options>, if used */ |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
72 diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
73 index 08dc4c6..8f34901 100644 |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
74 --- a/lib/vtls/polarssl.c |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
75 +++ b/lib/vtls/polarssl.c |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
76 @@ -403,6 +403,44 @@ polarssl_connect_step1(struct connectdata *conn, |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
77 return CURLE_OK; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
78 } |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
79 |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
80 +static int |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
81 +pinned_verify(void *pinned_cert_file_name, x509_crt *crt, |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
82 + int depth, int *flags) |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
83 +{ |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
84 + x509_crt pinned_cert; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
85 + x509_crt *leaf = crt; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
86 + unsigned int i; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
87 + int ret; |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
88 + |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
89 + if (pinned_cert_file_name == NULL || crt == NULL) { |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
90 + *flags |= BADCERT_NOT_TRUSTED; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
91 + return *flags; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
92 + } |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
93 + |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
94 + x509_crt_init(&pinned_cert); |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
95 + ret = x509_crt_parse_file(&pinned_cert, pinned_cert_file_name); |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
96 + |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
97 + if(ret) { |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
98 + x509_crt_free(&pinned_cert); |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
99 + *flags |= BADCERT_NOT_TRUSTED; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
100 + return *flags; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
101 + } |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
102 + |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
103 + while (leaf->next) { |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
104 + leaf = leaf->next; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
105 + } |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
106 + |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
107 + ret = memcmp(pinned_cert.raw.p, leaf->raw.p, pinned_cert.raw.len); |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
108 + x509_crt_free(&pinned_cert); |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
109 + if (ret == 0) { |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
110 + *flags = 0; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
111 + return 0; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
112 + } |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
113 + |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
114 + *flags |= BADCERT_NOT_TRUSTED; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
115 + return *flags; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
116 +} |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
117 + |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
118 static CURLcode |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
119 polarssl_connect_step2(struct connectdata *conn, |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
120 int sockindex) |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
121 @@ -422,6 +460,9 @@ polarssl_connect_step2(struct connectdata *conn, |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
122 conn->recv[sockindex] = polarssl_recv; |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
123 conn->send[sockindex] = polarssl_send; |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
124 |
|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
125 + if(data->set.str[STRING_SSL_PEERCERT]) |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
126 + ssl_set_verify (&connssl->ssl, pinned_verify, data->set.str[STRING_SSL_PEERCERT]); |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
127 + |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
128 for(;;) { |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
129 if(!(ret = ssl_handshake(&connssl->ssl))) |
|
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
130 break; |
|
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
131 -- |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
132 1.9.1 |
|
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
133 |