diff options
author | Daniel Stenberg <daniel@haxx.se> | 2019-09-13 16:38:58 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-19 14:58:24 +0200 |
commit | 3c5f9ba899ace6a0a406e421c4c1f6e626a95d05 (patch) | |
tree | 3f638d88dec62621d804a2e516eef55492b529ea | |
parent | fafad1496b036577d68bfc8db688fbcd7930819a (diff) |
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.
Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund
Closes #4347
-rw-r--r-- | lib/url.c | 4 | ||||
-rw-r--r-- | lib/urldata.h | 1 | ||||
-rw-r--r-- | lib/vtls/vtls.c | 5 |
3 files changed, 9 insertions, 1 deletions
@@ -3526,6 +3526,10 @@ static CURLcode create_conn(struct Curl_easy *data, data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; data->set.proxy_ssl.primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; + data->set.ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; diff --git a/lib/urldata.h b/lib/urldata.h index acc1fd1b9..cb527918c 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -222,6 +222,7 @@ struct ssl_primary_config { char *egdsocket; /* path to file containing the EGD daemon socket */ char *cipher_list; /* list of ciphers to use */ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; bit verifypeer:1; /* set TRUE if this is desired */ bit verifyhost:1; /* set TRUE if CN/SAN must match hostname */ bit verifystatus:1; /* set TRUE if certificate status must be checked */ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 422819899..e6d756225 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -97,7 +97,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, Curl_safe_strcasecompare(data->random_file, needle->random_file) && Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13)) + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) return TRUE; return FALSE; @@ -121,6 +122,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, CLONE_STRING(egdsocket); CLONE_STRING(cipher_list); CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); return TRUE; } @@ -134,6 +136,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) Curl_safefree(sslc->egdsocket); Curl_safefree(sslc->cipher_list); Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); } #ifdef USE_SSL |