Mercurial > trustbridge
view patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch @ 1243:cf5784d2c3a8
(issue54) Safeguard to prohibit starting the application as root
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Wed, 24 Sep 2014 19:22:47 +0200 |
parents | 93325618ac7b |
children |
line wrap: on
line source
From e5c7feec5151299975fe03184cc322ea51fb45c2 Mon Sep 17 00:00:00 2001 From: Andre Heinecke <aheinecke@intevation.de> Date: Fri, 12 Sep 2014 13:01:07 +0200 Subject: [PATCH 2/2] Add CURLOPT_PEERCERT option to pin a peer cert This is only implemented for a specific usecase with polarssl --- include/curl/curl.h | 3 +++ include/curl/typecheck-gcc.h | 1 + lib/url.c | 8 ++++++++ lib/urldata.h | 1 + lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 54 insertions(+) diff --git a/include/curl/curl.h b/include/curl/curl.h index d40b2db..20a9d82 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1611,6 +1611,9 @@ typedef enum { /* Pass in a bitmask of "header options" */ CINIT(HEADEROPT, LONG, 229), + /* Peer certificate */ + CINIT(PEERCERT, OBJECTPOINT, 230), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h index 69d41a2..241529d 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h @@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \ (option) == CURLOPT_CRLFILE || \ (option) == CURLOPT_ISSUERCERT || \ + (option) == CURLOPT_PEERCERT || \ (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \ (option) == CURLOPT_SSH_KNOWNHOSTS || \ (option) == CURLOPT_MAIL_FROM || \ diff --git a/lib/url.c b/lib/url.c index 67126ab3..5721ee2 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT], va_arg(param, char *)); break; + case CURLOPT_PEERCERT: + /* + * Set peer certificate file + * to check peer certificate against + */ + result = setstropt(&data->set.str[STRING_SSL_PEERCERT], + va_arg(param, char *)); + break; case CURLOPT_TELNETOPTIONS: /* * Set a linked list of telnet options diff --git a/lib/urldata.h b/lib/urldata.h index 8594c2f..a6dc1ae 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1391,6 +1391,7 @@ enum dupstring { STRING_USERAGENT, /* User-Agent string */ STRING_SSL_CRLFILE, /* crl file to check certificate */ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ + STRING_SSL_PEERCERT, /* issuer cert file to check certificate */ STRING_USERNAME, /* <username>, if used */ STRING_PASSWORD, /* <password>, if used */ STRING_OPTIONS, /* <options>, if used */ diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index 08dc4c6..8f34901 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -403,6 +403,44 @@ polarssl_connect_step1(struct connectdata *conn, return CURLE_OK; } +static int +pinned_verify(void *pinned_cert_file_name, x509_crt *crt, + int depth, int *flags) +{ + x509_crt pinned_cert; + x509_crt *leaf = crt; + unsigned int i; + int ret; + + if (pinned_cert_file_name == NULL || crt == NULL) { + *flags |= BADCERT_NOT_TRUSTED; + return *flags; + } + + x509_crt_init(&pinned_cert); + ret = x509_crt_parse_file(&pinned_cert, pinned_cert_file_name); + + if(ret) { + x509_crt_free(&pinned_cert); + *flags |= BADCERT_NOT_TRUSTED; + return *flags; + } + + while (leaf->next) { + leaf = leaf->next; + } + + ret = memcmp(pinned_cert.raw.p, leaf->raw.p, pinned_cert.raw.len); + x509_crt_free(&pinned_cert); + if (ret == 0) { + *flags = 0; + return 0; + } + + *flags |= BADCERT_NOT_TRUSTED; + return *flags; +} + static CURLcode polarssl_connect_step2(struct connectdata *conn, int sockindex) @@ -422,6 +460,9 @@ polarssl_connect_step2(struct connectdata *conn, conn->recv[sockindex] = polarssl_recv; conn->send[sockindex] = polarssl_send; + if(data->set.str[STRING_SSL_PEERCERT]) + ssl_set_verify (&connssl->ssl, pinned_verify, data->set.str[STRING_SSL_PEERCERT]); + for(;;) { if(!(ret = ssl_handshake(&connssl->ssl))) break; -- 1.9.1