diff options
author | Patrick Monnerat <pm@datasphere.ch> | 2014-10-14 14:58:26 +0200 |
---|---|---|
committer | Patrick Monnerat <pm@datasphere.ch> | 2014-10-14 14:58:26 +0200 |
commit | 473322ec66a0969c3c59e8006f9ac72768b91adf (patch) | |
tree | 1964192f49e48045e13d4d97f247893ef7e22de5 | |
parent | 89e543f3830bb8d821fedaa6ca4fb6d776e601b8 (diff) |
Implement pinned public key in GSKit backend
-rw-r--r-- | lib/vtls/gskit.c | 20 | ||||
-rw-r--r-- | lib/x509asn1.c | 15 | ||||
-rw-r--r-- | lib/x509asn1.h | 4 |
3 files changed, 34 insertions, 5 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 0f8b08f2c..ae878c7bc 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -804,6 +804,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) const gsk_cert_data_elem *p; const char *cert = (const char *) NULL; const char *certend; + const char *ptr; int i; CURLcode cc; @@ -857,6 +858,23 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) } } + /* Check pinned public key. */ + ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(cc == CURLE_OK && ptr) { + curl_X509certificate x509; + curl_asn1Element *p; + + if(!cert) + return CURLE_SSL_PINNEDPUBKEYNOTMATCH; + Curl_parseX509(&x509, cert, certend); + p = &x509.subjectPublicKeyInfo; + cc = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header); + if(cc != CURLE_OK) { + failf(data, "SSL: public key does not match pinned public key!"); + return cc; + } + } + connssl->connecting_state = ssl_connect_done; return CURLE_OK; } diff --git a/lib/x509asn1.c b/lib/x509asn1.c index 31ea5de00..e100e07f4 100644 --- a/lib/x509asn1.c +++ b/lib/x509asn1.c @@ -122,6 +122,7 @@ const char * Curl_getASN1Element(curl_asn1Element * elem, return (const char *) NULL; /* Process header byte. */ + elem->header = beg; b = (unsigned char) *beg++; elem->constructed = (b & 0x20) != 0; elem->class = (b >> 6) & 3; @@ -682,6 +683,7 @@ void Curl_parseX509(curl_X509certificate * cert, Syntax is assumed to have already been checked by the SSL backend. See RFC 5280. */ + cert->certificate.header = NULL; cert->certificate.beg = beg; cert->certificate.end = end; @@ -701,6 +703,7 @@ void Curl_parseX509(curl_X509certificate * cert, beg = tbsCertificate.beg; end = tbsCertificate.end; /* Get optional version, get serialNumber. */ + cert->version.header = NULL; cert->version.beg = &defaultVersion; cert->version.end = &defaultVersion + sizeof defaultVersion;; beg = Curl_getASN1Element(&elem, beg, end); @@ -720,15 +723,19 @@ void Curl_parseX509(curl_X509certificate * cert, /* Get subject. */ beg = Curl_getASN1Element(&cert->subject, beg, end); /* Get subjectPublicKeyAlgorithm and subjectPublicKey. */ - beg = Curl_getASN1Element(&elem, beg, end); + beg = Curl_getASN1Element(&cert->subjectPublicKeyInfo, beg, end); ccp = Curl_getASN1Element(&cert->subjectPublicKeyAlgorithm, - elem.beg, elem.end); - Curl_getASN1Element(&cert->subjectPublicKey, ccp, elem.end); + cert->subjectPublicKeyInfo.beg, + cert->subjectPublicKeyInfo.end); + Curl_getASN1Element(&cert->subjectPublicKey, ccp, + cert->subjectPublicKeyInfo.end); /* Get optional issuerUiqueID, subjectUniqueID and extensions. */ cert->issuerUniqueID.tag = cert->subjectUniqueID.tag = 0; cert->extensions.tag = elem.tag = 0; + cert->issuerUniqueID.header = cert->subjectUniqueID.header = NULL; cert->issuerUniqueID.beg = cert->issuerUniqueID.end = ""; cert->subjectUniqueID.beg = cert->subjectUniqueID.end = ""; + cert->extensions.header = NULL; cert->extensions.beg = cert->extensions.end = ""; if(beg < end) beg = Curl_getASN1Element(&elem, beg, end); @@ -771,6 +778,7 @@ static const char * dumpAlgo(curl_asn1Element * param, /* Get algorithm parameters and return algorithm name. */ beg = Curl_getASN1Element(&oid, beg, end); + param->header = NULL; param->tag = 0; param->beg = param->end = end; if(beg < end) @@ -1140,6 +1148,7 @@ CURLcode Curl_verifyhost(struct connectdata * conn, } /* Process subject. */ + name.header = NULL; name.beg = name.end = ""; q = cert.subject.beg; /* we have to look to the last occurrence of a commonName in the diff --git a/lib/x509asn1.h b/lib/x509asn1.h index 274d728b7..075c424f3 100644 --- a/lib/x509asn1.h +++ b/lib/x509asn1.h @@ -76,8 +76,9 @@ /* ASN.1 parsed element. */ typedef struct { + const char * header; /* Pointer to header byte. */ const char * beg; /* Pointer to element data. */ - const char * end; /* Pointer to 1st byte after element data. */ + const char * end; /* Pointer to 1st byte after element. */ unsigned char class; /* ASN.1 element class. */ unsigned char tag; /* ASN.1 element tag. */ bool constructed; /* Element is constructed. */ @@ -102,6 +103,7 @@ typedef struct { curl_asn1Element notBefore; curl_asn1Element notAfter; curl_asn1Element subject; + curl_asn1Element subjectPublicKeyInfo; curl_asn1Element subjectPublicKeyAlgorithm; curl_asn1Element subjectPublicKey; curl_asn1Element issuerUniqueID; |