aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/url.c14
-rw-r--r--lib/urldata.h3
-rw-r--r--lib/vtls/cyassl.c8
-rw-r--r--lib/vtls/gskit.c3
-rw-r--r--lib/vtls/gtls.c3
-rw-r--r--lib/vtls/mbedtls.c8
-rw-r--r--lib/vtls/nss.c6
-rw-r--r--lib/vtls/openssl.c3
-rw-r--r--lib/vtls/polarssl.c8
9 files changed, 43 insertions, 13 deletions
diff --git a/lib/url.c b/lib/url.c
index 8b404ba6b..675d7ee57 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2181,7 +2181,19 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
* Set pinned public key for SSL connection.
* Specify file name of the public key in DER format.
*/
- result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+ result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
+ va_arg(param, char *));
+#else
+ result = CURLE_NOT_BUILT_IN;
+#endif
+ break;
+ case CURLOPT_PROXY_PINNEDPUBLICKEY:
+#ifdef have_curlssl_pinnedpubkey /* only by supported backends */
+ /*
+ * Set pinned public key for SSL connection.
+ * Specify file name of the public key in DER format.
+ */
+ result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY],
va_arg(param, char *));
#else
result = CURLE_NOT_BUILT_IN;
diff --git a/lib/urldata.h b/lib/urldata.h
index 05f600319..ccad53e04 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1471,7 +1471,8 @@ enum dupstring {
STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
- STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
+ STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
+ STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 5570760d4..db5ce2756 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -424,6 +424,10 @@ cyassl_connect_step2(struct connectdata *conn,
conn->host.name;
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+ conn->http_proxy.host.dispname : conn->host.dispname;
conn->recv[sockindex] = cyassl_recv;
conn->send[sockindex] = cyassl_send;
@@ -497,7 +501,7 @@ cyassl_connect_step2(struct connectdata *conn,
}
}
- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
+ if(pinnedpubkey) {
#ifdef KEEP_PEER_CERT
X509 *x509;
const char *x509_der;
@@ -529,7 +533,7 @@ cyassl_connect_step2(struct connectdata *conn,
}
result = Curl_pin_peer_pubkey(data,
- data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+ pinnedpubkey,
(const unsigned char *)pubkey->header,
(size_t)(pubkey->end - pubkey->header));
if(result) {
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 6cac9573c..fccbe508e 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -1096,7 +1096,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
}
/* Check pinned public key. */
- ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
if(!result && ptr) {
curl_X509certificate x509;
curl_asn1Element *p;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5249dd49d..c3bfeed51 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1229,7 +1229,8 @@ gtls_connect_step3(struct connectdata *conn,
infof(data, "\t server certificate activation date OK\n");
}
- ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
if(ptr) {
result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
if(result != CURLE_OK) {
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index c428a210d..8bcaddd25 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -171,7 +171,6 @@ mbed_connect_step1(struct connectdata *conn,
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
-
int ret = -1;
char errorbuf[128];
errorbuf[0]=0;
@@ -453,6 +452,9 @@ mbed_connect_step2(struct connectdata *conn,
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
const mbedtls_x509_crt *peercert;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
#ifdef HAS_ALPN
const char *next_protocol;
@@ -524,7 +526,7 @@ mbed_connect_step2(struct connectdata *conn,
free(buffer);
}
- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
+ if(pinnedpubkey) {
int size;
CURLcode result;
mbedtls_x509_crt *p;
@@ -563,7 +565,7 @@ mbed_connect_step2(struct connectdata *conn,
/* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */
result = Curl_pin_peer_pubkey(data,
- data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+ pinnedpubkey,
&pubkey[PUB_DER_MAX_BYTES - size], size);
if(result) {
mbedtls_x509_crt_free(p);
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 91b8e05cc..efb19e6e7 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1926,6 +1926,10 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
PRUint32 timeout;
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+
/* check timeout situation */
const long time_left = Curl_timeleft(data, NULL, TRUE);
@@ -1971,7 +1975,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
}
}
- result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+ result = cmp_peer_pubkey(connssl, pinnedpubkey);
if(result)
/* status already printed */
goto error;
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1d7892550..8507f866f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2891,7 +2891,8 @@ static CURLcode servercert(struct connectdata *conn,
/* when not strict, we don't bother about the verify cert problems */
result = CURLE_OK;
- ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
if(!result && ptr) {
result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr);
if(result)
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index f2f973c50..4bba3e3f2 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -397,6 +397,10 @@ polarssl_connect_step2(struct connectdata *conn,
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
char buffer[1024];
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+
char errorbuf[128];
errorbuf[0] = 0;
@@ -458,7 +462,7 @@ polarssl_connect_step2(struct connectdata *conn,
}
/* adapted from mbedtls.c */
- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
+ if(pinnedpubkey) {
int size;
CURLcode result;
x509_crt *p;
@@ -500,7 +504,7 @@ polarssl_connect_step2(struct connectdata *conn,
/* pk_write_pubkey_der writes data at the end of the buffer. */
result = Curl_pin_peer_pubkey(data,
- data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+ pinnedpubkey,
&pubkey[PUB_DER_MAX_BYTES - size], size);
if(result) {
x509_crt_free(p);