Mercurial > trustbridge
annotate patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch @ 1243:cf5784d2c3a8
(issue54) Safeguard to prohibit starting the application as root
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Wed, 24 Sep 2014 19:22:47 +0200 |
parents | 93325618ac7b |
children |
rev | line source |
---|---|
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
1 From e5c7feec5151299975fe03184cc322ea51fb45c2 Mon Sep 17 00:00:00 2001 |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
2 From: Andre Heinecke <aheinecke@intevation.de> |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
3 Date: Fri, 12 Sep 2014 13:01:07 +0200 |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
4 Subject: [PATCH 2/2] Add CURLOPT_PEERCERT option to pin a peer cert |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
5 |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
6 This is only implemented for a specific usecase with polarssl |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
7 --- |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
8 include/curl/curl.h | 3 +++ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
9 include/curl/typecheck-gcc.h | 1 + |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
10 lib/url.c | 8 ++++++++ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
11 lib/urldata.h | 1 + |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
12 lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++++ |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
13 5 files changed, 54 insertions(+) |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
14 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
15 diff --git a/include/curl/curl.h b/include/curl/curl.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
16 index d40b2db..20a9d82 100644 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
17 --- a/include/curl/curl.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
18 +++ b/include/curl/curl.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
19 @@ -1611,6 +1611,9 @@ typedef enum { |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
20 /* Pass in a bitmask of "header options" */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
21 CINIT(HEADEROPT, LONG, 229), |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
22 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
23 + /* Peer certificate */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
24 + CINIT(PEERCERT, OBJECTPOINT, 230), |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
25 + |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
26 CURLOPT_LASTENTRY /* the last unused */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
27 } CURLoption; |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
28 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
29 diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
30 index 69d41a2..241529d 100644 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
31 --- a/include/curl/typecheck-gcc.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
32 +++ b/include/curl/typecheck-gcc.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
33 @@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
34 (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
35 (option) == CURLOPT_CRLFILE || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
36 (option) == CURLOPT_ISSUERCERT || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
37 + (option) == CURLOPT_PEERCERT || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
38 (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
39 (option) == CURLOPT_SSH_KNOWNHOSTS || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
40 (option) == CURLOPT_MAIL_FROM || \ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
41 diff --git a/lib/url.c b/lib/url.c |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
42 index 67126ab3..5721ee2 100644 |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
43 --- a/lib/url.c |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
44 +++ b/lib/url.c |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
45 @@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
46 result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT], |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
47 va_arg(param, char *)); |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
48 break; |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
49 + case CURLOPT_PEERCERT: |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
50 + /* |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
51 + * Set peer certificate file |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
52 + * to check peer certificate against |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
53 + */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
54 + result = setstropt(&data->set.str[STRING_SSL_PEERCERT], |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
55 + va_arg(param, char *)); |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
56 + break; |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
57 case CURLOPT_TELNETOPTIONS: |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
58 /* |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
59 * Set a linked list of telnet options |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
60 diff --git a/lib/urldata.h b/lib/urldata.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
61 index 8594c2f..a6dc1ae 100644 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
62 --- a/lib/urldata.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
63 +++ b/lib/urldata.h |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
64 @@ -1391,6 +1391,7 @@ enum dupstring { |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
65 STRING_USERAGENT, /* User-Agent string */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
66 STRING_SSL_CRLFILE, /* crl file to check certificate */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
67 STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
68 + STRING_SSL_PEERCERT, /* issuer cert file to check certificate */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
69 STRING_USERNAME, /* <username>, if used */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
70 STRING_PASSWORD, /* <password>, if used */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
71 STRING_OPTIONS, /* <options>, if used */ |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
72 diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
73 index 08dc4c6..8f34901 100644 |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
74 --- a/lib/vtls/polarssl.c |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
75 +++ b/lib/vtls/polarssl.c |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
76 @@ -403,6 +403,44 @@ polarssl_connect_step1(struct connectdata *conn, |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
77 return CURLE_OK; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
78 } |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
79 |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
80 +static int |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
81 +pinned_verify(void *pinned_cert_file_name, x509_crt *crt, |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
82 + int depth, int *flags) |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
83 +{ |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
84 + x509_crt pinned_cert; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
85 + x509_crt *leaf = crt; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
86 + unsigned int i; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
87 + int ret; |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
88 + |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
89 + if (pinned_cert_file_name == NULL || crt == NULL) { |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
90 + *flags |= BADCERT_NOT_TRUSTED; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
91 + return *flags; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
92 + } |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
93 + |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
94 + x509_crt_init(&pinned_cert); |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
95 + ret = x509_crt_parse_file(&pinned_cert, pinned_cert_file_name); |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
96 + |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
97 + if(ret) { |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
98 + x509_crt_free(&pinned_cert); |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
99 + *flags |= BADCERT_NOT_TRUSTED; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
100 + return *flags; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
101 + } |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
102 + |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
103 + while (leaf->next) { |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
104 + leaf = leaf->next; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
105 + } |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
106 + |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
107 + ret = memcmp(pinned_cert.raw.p, leaf->raw.p, pinned_cert.raw.len); |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
108 + x509_crt_free(&pinned_cert); |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
109 + if (ret == 0) { |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
110 + *flags = 0; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
111 + return 0; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
112 + } |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
113 + |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
114 + *flags |= BADCERT_NOT_TRUSTED; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
115 + return *flags; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
116 +} |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
117 + |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
118 static CURLcode |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
119 polarssl_connect_step2(struct connectdata *conn, |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
120 int sockindex) |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
121 @@ -422,6 +460,9 @@ polarssl_connect_step2(struct connectdata *conn, |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
122 conn->recv[sockindex] = polarssl_recv; |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
123 conn->send[sockindex] = polarssl_send; |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
124 |
1086
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
125 + if(data->set.str[STRING_SSL_PEERCERT]) |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
126 + ssl_set_verify (&connssl->ssl, pinned_verify, data->set.str[STRING_SSL_PEERCERT]); |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
127 + |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
128 for(;;) { |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
129 if(!(ret = ssl_handshake(&connssl->ssl))) |
93325618ac7b
(issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
998
diff
changeset
|
130 break; |
998
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
131 -- |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
132 1.9.1 |
0570b1e562c2
(issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
133 |