Mercurial > trustbridge
comparison patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch @ 1008:2fb6071c6669
Merged
author | Emanuel Schuetze <emanuel@intevation.de> |
---|---|
date | Tue, 02 Sep 2014 11:55:15 +0200 |
parents | 0570b1e562c2 |
children | 93325618ac7b |
comparison
equal
deleted
inserted
replaced
1007:b75bd6686f43 | 1008:2fb6071c6669 |
---|---|
1 From c57d951c3bda8b1ca66cac45dfd6270fa34b01d3 Mon Sep 17 00:00:00 2001 | |
2 From: Andre Heinecke <aheinecke@intevation.de> | |
3 Date: Mon, 1 Sep 2014 16:55:40 +0200 | |
4 Subject: [PATCH 2/3] Add CURLOPT_PEERCERT option to pin a peer cert | |
5 | |
6 Only implemented for a specific usecase with polarssl | |
7 --- | |
8 include/curl/curl.h | 3 +++ | |
9 include/curl/typecheck-gcc.h | 1 + | |
10 lib/url.c | 8 ++++++++ | |
11 lib/urldata.h | 1 + | |
12 lib/vtls/polarssl.c | 42 ++++++++++++++++++++++++++++++++++++++++-- | |
13 5 files changed, 53 insertions(+), 2 deletions(-) | |
14 | |
15 diff --git a/include/curl/curl.h b/include/curl/curl.h | |
16 index d40b2db..20a9d82 100644 | |
17 --- a/include/curl/curl.h | |
18 +++ b/include/curl/curl.h | |
19 @@ -1611,6 +1611,9 @@ typedef enum { | |
20 /* Pass in a bitmask of "header options" */ | |
21 CINIT(HEADEROPT, LONG, 229), | |
22 | |
23 + /* Peer certificate */ | |
24 + CINIT(PEERCERT, OBJECTPOINT, 230), | |
25 + | |
26 CURLOPT_LASTENTRY /* the last unused */ | |
27 } CURLoption; | |
28 | |
29 diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h | |
30 index 69d41a2..241529d 100644 | |
31 --- a/include/curl/typecheck-gcc.h | |
32 +++ b/include/curl/typecheck-gcc.h | |
33 @@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, | |
34 (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \ | |
35 (option) == CURLOPT_CRLFILE || \ | |
36 (option) == CURLOPT_ISSUERCERT || \ | |
37 + (option) == CURLOPT_PEERCERT || \ | |
38 (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \ | |
39 (option) == CURLOPT_SSH_KNOWNHOSTS || \ | |
40 (option) == CURLOPT_MAIL_FROM || \ | |
41 diff --git a/lib/url.c b/lib/url.c | |
42 index 89c3fd5..b089cdf 100644 | |
43 --- a/lib/url.c | |
44 +++ b/lib/url.c | |
45 @@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, | |
46 result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT], | |
47 va_arg(param, char *)); | |
48 break; | |
49 + case CURLOPT_PEERCERT: | |
50 + /* | |
51 + * Set peer certificate file | |
52 + * to check peer certificate against | |
53 + */ | |
54 + result = setstropt(&data->set.str[STRING_SSL_PEERCERT], | |
55 + va_arg(param, char *)); | |
56 + break; | |
57 case CURLOPT_TELNETOPTIONS: | |
58 /* | |
59 * Set a linked list of telnet options | |
60 diff --git a/lib/urldata.h b/lib/urldata.h | |
61 index 8594c2f..a6dc1ae 100644 | |
62 --- a/lib/urldata.h | |
63 +++ b/lib/urldata.h | |
64 @@ -1391,6 +1391,7 @@ enum dupstring { | |
65 STRING_USERAGENT, /* User-Agent string */ | |
66 STRING_SSL_CRLFILE, /* crl file to check certificate */ | |
67 STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ | |
68 + STRING_SSL_PEERCERT, /* issuer cert file to check certificate */ | |
69 STRING_USERNAME, /* <username>, if used */ | |
70 STRING_PASSWORD, /* <password>, if used */ | |
71 STRING_OPTIONS, /* <options>, if used */ | |
72 diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c | |
73 index e18cadf..2c40e36 100644 | |
74 --- a/lib/vtls/polarssl.c | |
75 +++ b/lib/vtls/polarssl.c | |
76 @@ -360,6 +360,7 @@ polarssl_connect_step2(struct connectdata *conn, | |
77 #ifdef HAS_ALPN | |
78 const char* next_protocol; | |
79 #endif | |
80 + const x509_crt *peer_cert = NULL; | |
81 | |
82 char errorbuf[128]; | |
83 memset(errorbuf, 0, sizeof(errorbuf)); | |
84 @@ -419,12 +420,49 @@ polarssl_connect_step2(struct connectdata *conn, | |
85 return CURLE_PEER_FAILED_VERIFICATION; | |
86 } | |
87 | |
88 - if(ssl_get_peer_cert(&(connssl->ssl))) { | |
89 + peer_cert = ssl_get_peer_cert(&(connssl->ssl)); | |
90 + if(peer_cert) { | |
91 + if(data->set.str[STRING_SSL_PEERCERT]) { | |
92 + x509_crt pinned_cert; | |
93 + unsigned int i; | |
94 + | |
95 + /* Handle pinned certificate */ | |
96 + x509_crt_init(&pinned_cert); | |
97 + ret = x509_crt_parse_file(&pinned_cert, | |
98 + data->set.str[STRING_SSL_PEERCERT]); | |
99 + | |
100 + if(ret) { | |
101 +#ifdef POLARSSL_ERROR_C | |
102 + error_strerror(ret, errorbuf, sizeof(errorbuf)); | |
103 +#endif /* POLARSSL_ERROR_C */ | |
104 + failf(data, "Error reading peer cert file %s - PolarSSL: (-0x%04X) %s", | |
105 + data->set.str[STRING_SSL_PEERCERT], -ret, errorbuf); | |
106 + | |
107 + x509_crt_free(&pinned_cert); | |
108 + return CURLE_PEER_FAILED_VERIFICATION; | |
109 + } | |
110 + | |
111 + if (peer_cert->raw.len == 0 || | |
112 + peer_cert->raw.len != pinned_cert.raw.len) { | |
113 + failf(data, "Error validating peer certificate. Size does " | |
114 + "not match the certificate set with PEERCERT option.\n"); | |
115 + x509_crt_free(&pinned_cert); | |
116 + return CURLE_PEER_FAILED_VERIFICATION; | |
117 + } | |
118 + for (i = 0; i < peer_cert->raw.len; i++) { | |
119 + if (peer_cert->raw.p[i] != pinned_cert.raw.p[i]) { | |
120 + failf(data, "Error validating peer certificate. Does " | |
121 + "not match the certificate set with PEERCERT option.\n"); | |
122 + return CURLE_PEER_FAILED_VERIFICATION; | |
123 + } | |
124 + } | |
125 + } | |
126 + | |
127 /* If the session was resumed, there will be no peer certs */ | |
128 memset(buffer, 0, sizeof(buffer)); | |
129 | |
130 if(x509_crt_info(buffer, sizeof(buffer), (char *)"* ", | |
131 - ssl_get_peer_cert(&(connssl->ssl))) != -1) | |
132 + peer_cert) != -1) | |
133 infof(data, "Dumping cert info:\n%s\n", buffer); | |
134 } | |
135 | |
136 -- | |
137 1.9.1 | |
138 |