From 4f8b17743d7c55a0bfb48463238c88564875ae47 Mon Sep 17 00:00:00 2001 From: Thomas Glanzmann Date: Fri, 25 Nov 2016 10:47:25 +0100 Subject: HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY --- lib/url.c | 14 +++++++++++++- lib/urldata.h | 3 ++- lib/vtls/cyassl.c | 8 ++++++-- lib/vtls/gskit.c | 3 ++- lib/vtls/gtls.c | 3 ++- lib/vtls/mbedtls.c | 8 +++++--- lib/vtls/nss.c | 6 +++++- lib/vtls/openssl.c | 3 ++- lib/vtls/polarssl.c | 8 ++++++-- 9 files changed, 43 insertions(+), 13 deletions(-) (limited to 'lib') diff --git a/lib/url.c b/lib/url.c index 8b404ba6b..675d7ee57 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2181,7 +2181,19 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * Set pinned public key for SSL connection. * Specify file name of the public key in DER format. */ - result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY], + result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG], + va_arg(param, char *)); +#else + result = CURLE_NOT_BUILT_IN; +#endif + break; + case CURLOPT_PROXY_PINNEDPUBLICKEY: +#ifdef have_curlssl_pinnedpubkey /* only by supported backends */ + /* + * Set pinned public key for SSL connection. + * Specify file name of the public key in DER format. + */ + result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY], va_arg(param, char *)); #else result = CURLE_NOT_BUILT_IN; diff --git a/lib/urldata.h b/lib/urldata.h index 05f600319..ccad53e04 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1471,7 +1471,8 @@ enum dupstring { STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */ STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */ STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */ - STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */ + STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */ + STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 5570760d4..db5ce2756 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -424,6 +424,10 @@ cyassl_connect_step2(struct connectdata *conn, conn->host.name; const char * const dispname = SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + conn->http_proxy.host.dispname : conn->host.dispname; conn->recv[sockindex] = cyassl_recv; conn->send[sockindex] = cyassl_send; @@ -497,7 +501,7 @@ cyassl_connect_step2(struct connectdata *conn, } } - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { #ifdef KEEP_PEER_CERT X509 *x509; const char *x509_der; @@ -529,7 +533,7 @@ cyassl_connect_step2(struct connectdata *conn, } result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, (const unsigned char *)pubkey->header, (size_t)(pubkey->end - pubkey->header)); if(result) { diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 6cac9573c..fccbe508e 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -1096,7 +1096,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) } /* Check pinned public key. */ - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(!result && ptr) { curl_X509certificate x509; curl_asn1Element *p; diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5249dd49d..c3bfeed51 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -1229,7 +1229,8 @@ gtls_connect_step3(struct connectdata *conn, infof(data, "\t server certificate activation date OK\n"); } - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(ptr) { result = pkp_pin_peer_pubkey(data, x509_cert, ptr); if(result != CURLE_OK) { diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index c428a210d..8bcaddd25 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -171,7 +171,6 @@ mbed_connect_step1(struct connectdata *conn, const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; - int ret = -1; char errorbuf[128]; errorbuf[0]=0; @@ -453,6 +452,9 @@ mbed_connect_step2(struct connectdata *conn, struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; const mbedtls_x509_crt *peercert; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; #ifdef HAS_ALPN const char *next_protocol; @@ -524,7 +526,7 @@ mbed_connect_step2(struct connectdata *conn, free(buffer); } - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { int size; CURLcode result; mbedtls_x509_crt *p; @@ -563,7 +565,7 @@ mbed_connect_step2(struct connectdata *conn, /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { mbedtls_x509_crt_free(p); diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 91b8e05cc..efb19e6e7 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1926,6 +1926,10 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) PRUint32 timeout; long * const certverifyresult = SSL_IS_PROXY() ? &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + /* check timeout situation */ const long time_left = Curl_timeleft(data, NULL, TRUE); @@ -1971,7 +1975,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) } } - result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + result = cmp_peer_pubkey(connssl, pinnedpubkey); if(result) /* status already printed */ goto error; diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1d7892550..8507f866f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2891,7 +2891,8 @@ static CURLcode servercert(struct connectdata *conn, /* when not strict, we don't bother about the verify cert problems */ result = CURLE_OK; - ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(!result && ptr) { result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr); if(result) diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index f2f973c50..4bba3e3f2 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -397,6 +397,10 @@ polarssl_connect_step2(struct connectdata *conn, struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; char buffer[1024]; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; + char errorbuf[128]; errorbuf[0] = 0; @@ -458,7 +462,7 @@ polarssl_connect_step2(struct connectdata *conn, } /* adapted from mbedtls.c */ - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(pinnedpubkey) { int size; CURLcode result; x509_crt *p; @@ -500,7 +504,7 @@ polarssl_connect_step2(struct connectdata *conn, /* pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, - data->set.str[STRING_SSL_PINNEDPUBLICKEY], + pinnedpubkey, &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { x509_crt_free(p); -- cgit v1.2.3