annotate patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch @ 1243:cf5784d2c3a8

(issue54) Safeguard to prohibit starting the application as root
author Andre Heinecke <andre.heinecke@intevation.de>
date Wed, 24 Sep 2014 19:22:47 +0200
parents 93325618ac7b
children
rev   line source
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
1 From e5c7feec5151299975fe03184cc322ea51fb45c2 Mon Sep 17 00:00:00 2001
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
2 From: Andre Heinecke <aheinecke@intevation.de>
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
3 Date: Fri, 12 Sep 2014 13:01:07 +0200
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
4 Subject: [PATCH 2/2] Add CURLOPT_PEERCERT option to pin a peer cert
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
5
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
6 This is only implemented for a specific usecase with polarssl
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
7 ---
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
8 include/curl/curl.h | 3 +++
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
9 include/curl/typecheck-gcc.h | 1 +
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
10 lib/url.c | 8 ++++++++
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
11 lib/urldata.h | 1 +
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
12 lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++++
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
13 5 files changed, 54 insertions(+)
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
14
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
15 diff --git a/include/curl/curl.h b/include/curl/curl.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
16 index d40b2db..20a9d82 100644
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
17 --- a/include/curl/curl.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
18 +++ b/include/curl/curl.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
19 @@ -1611,6 +1611,9 @@ typedef enum {
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
20 /* Pass in a bitmask of "header options" */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
21 CINIT(HEADEROPT, LONG, 229),
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
22
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
23 + /* Peer certificate */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
24 + CINIT(PEERCERT, OBJECTPOINT, 230),
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
25 +
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
26 CURLOPT_LASTENTRY /* the last unused */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
27 } CURLoption;
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
28
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
29 diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
30 index 69d41a2..241529d 100644
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
31 --- a/include/curl/typecheck-gcc.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
32 +++ b/include/curl/typecheck-gcc.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
33 @@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
34 (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
35 (option) == CURLOPT_CRLFILE || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
36 (option) == CURLOPT_ISSUERCERT || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
37 + (option) == CURLOPT_PEERCERT || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
38 (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
39 (option) == CURLOPT_SSH_KNOWNHOSTS || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
40 (option) == CURLOPT_MAIL_FROM || \
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
41 diff --git a/lib/url.c b/lib/url.c
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
42 index 67126ab3..5721ee2 100644
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
43 --- a/lib/url.c
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
44 +++ b/lib/url.c
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
45 @@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
46 result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
47 va_arg(param, char *));
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
48 break;
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
49 + case CURLOPT_PEERCERT:
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
50 + /*
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
51 + * Set peer certificate file
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
52 + * to check peer certificate against
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
53 + */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
54 + result = setstropt(&data->set.str[STRING_SSL_PEERCERT],
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
55 + va_arg(param, char *));
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
56 + break;
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
57 case CURLOPT_TELNETOPTIONS:
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
58 /*
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
59 * Set a linked list of telnet options
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
60 diff --git a/lib/urldata.h b/lib/urldata.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
61 index 8594c2f..a6dc1ae 100644
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
62 --- a/lib/urldata.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
63 +++ b/lib/urldata.h
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
64 @@ -1391,6 +1391,7 @@ enum dupstring {
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
65 STRING_USERAGENT, /* User-Agent string */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
66 STRING_SSL_CRLFILE, /* crl file to check certificate */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
67 STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
68 + STRING_SSL_PEERCERT, /* issuer cert file to check certificate */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
69 STRING_USERNAME, /* <username>, if used */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
70 STRING_PASSWORD, /* <password>, if used */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
71 STRING_OPTIONS, /* <options>, if used */
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
72 diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
73 index 08dc4c6..8f34901 100644
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
74 --- a/lib/vtls/polarssl.c
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
75 +++ b/lib/vtls/polarssl.c
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
76 @@ -403,6 +403,44 @@ polarssl_connect_step1(struct connectdata *conn,
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
77 return CURLE_OK;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
78 }
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
79
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
80 +static int
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
81 +pinned_verify(void *pinned_cert_file_name, x509_crt *crt,
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
82 + int depth, int *flags)
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
83 +{
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
84 + x509_crt pinned_cert;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
85 + x509_crt *leaf = crt;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
86 + unsigned int i;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
87 + int ret;
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
88 +
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
89 + if (pinned_cert_file_name == NULL || crt == NULL) {
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
90 + *flags |= BADCERT_NOT_TRUSTED;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
91 + return *flags;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
92 + }
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
93 +
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
94 + x509_crt_init(&pinned_cert);
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
95 + ret = x509_crt_parse_file(&pinned_cert, pinned_cert_file_name);
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
96 +
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
97 + if(ret) {
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
98 + x509_crt_free(&pinned_cert);
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
99 + *flags |= BADCERT_NOT_TRUSTED;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
100 + return *flags;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
101 + }
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
102 +
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
103 + while (leaf->next) {
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
104 + leaf = leaf->next;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
105 + }
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
106 +
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
107 + ret = memcmp(pinned_cert.raw.p, leaf->raw.p, pinned_cert.raw.len);
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
108 + x509_crt_free(&pinned_cert);
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
109 + if (ret == 0) {
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
110 + *flags = 0;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
111 + return 0;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
112 + }
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
113 +
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
114 + *flags |= BADCERT_NOT_TRUSTED;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
115 + return *flags;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
116 +}
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
117 +
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
118 static CURLcode
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
119 polarssl_connect_step2(struct connectdata *conn,
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
120 int sockindex)
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
121 @@ -422,6 +460,9 @@ polarssl_connect_step2(struct connectdata *conn,
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
122 conn->recv[sockindex] = polarssl_recv;
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
123 conn->send[sockindex] = polarssl_send;
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
124
1086
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
125 + if(data->set.str[STRING_SSL_PEERCERT])
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
126 + ssl_set_verify (&connssl->ssl, pinned_verify, data->set.str[STRING_SSL_PEERCERT]);
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
127 +
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
128 for(;;) {
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
129 if(!(ret = ssl_handshake(&connssl->ssl)))
93325618ac7b (issue117) Set verify callback to abort the handshake earlier if the certificate does not match.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 998
diff changeset
130 break;
998
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
131 --
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
132 1.9.1
0570b1e562c2 (issue90) Add curl patches for the problems we had with curl.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff changeset
133

http://wald.intevation.org/projects/trustbridge/