aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorPatrick Monnerat <pm@datasphere.ch>2014-10-14 14:58:26 +0200
committerPatrick Monnerat <pm@datasphere.ch>2014-10-14 14:58:26 +0200
commit473322ec66a0969c3c59e8006f9ac72768b91adf (patch)
tree1964192f49e48045e13d4d97f247893ef7e22de5 /lib/vtls
parent89e543f3830bb8d821fedaa6ca4fb6d776e601b8 (diff)
Implement pinned public key in GSKit backend
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/gskit.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 0f8b08f2c..ae878c7bc 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -804,6 +804,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
const gsk_cert_data_elem *p;
const char *cert = (const char *) NULL;
const char *certend;
+ const char *ptr;
int i;
CURLcode cc;
@@ -857,6 +858,23 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
}
}
+ /* Check pinned public key. */
+ ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(cc == CURLE_OK && ptr) {
+ curl_X509certificate x509;
+ curl_asn1Element *p;
+
+ if(!cert)
+ return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
+ Curl_parseX509(&x509, cert, certend);
+ p = &x509.subjectPublicKeyInfo;
+ cc = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
+ if(cc != CURLE_OK) {
+ failf(data, "SSL: public key does not match pinned public key!");
+ return cc;
+ }
+ }
+
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}