On 4/21/2016 3:25 PM, moparisthebest wrote:
> Hi all,
>
> I was talking to a friend using OSX about --pinnedpubkey support, I
> mentioned that it wasn't supported in the darwinssl/SecureTransport back
> end, but the option was there and he tried it and successfully connected
> with a bad key. This got me thinking about failure modes:
>
> $ echo bob > bad.key
> $ curl --pinnedpubkey bad.key https://google.com/
> curl: (90) SSL: public key does not match pinned public key!
>
> Is how it behaves when --pinnedpubkey support is there, from
> https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
> today:
>
>> Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for
>> NSS and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support
>> added in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other
>> SSL backends not supported.
> So wherever there is no support, it 'fails open', I guess, in that it
> just goes ahead and connects whether the public key matches or not.
>
> There is one backend, GSKit, that supports der/pem files but not sha256
> hashes (no curlssl_sha256sum defined), that 'fails closed' because it
> thinks the hashes are a file, can't find them (or they don't match), and
> it fails to connect.
>
> As an aside, I notice it doesn't really say if mbedtls supports sha256
> hashes, but I see it does in the code.
>
> So:
> 1. Should unsupported backends 'fail open', if not is this a security issue?
> 2. Should --pinnedpubkey just not show up and be an unknown option if
> compiled with an unsupported backend?
> 3. Should it just be left as-is today? (know your curl?)
>
> Thanks for feedback,
> Travis Burtrum
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

In the future if you think you have a security issue e-mail
curl-security at haxx.se.

I see what you're saying. The easiest way to fix it would be require a
symbol that is defined only when the feature is available and put that
in the header of each vtls that is supported, and wrap all the pubkey
code. Only axtls, darwin and schannel are not supported I think.
(Someone was working on schannel though so that may change.) Like this

#define have_curlssl_pinnedpubkey

Then in each file guard it with that and in setopt do something like:

diff --git a/lib/url.c b/lib/url.c
index 792ce77..9700373 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2072,12 +2072,16 @@ CURLcode Curl_setopt(struct SessionHandle *data,
CURLopt
  #endif
      break;
    case CURLOPT_PINNEDPUBLICKEY:
+#ifdef have_curlssl_pinnedpubkey /* not supported by all backends */
      /*
       * Set pinned public key for SSL connection.
       * Specify file name of the public key in DER format.
       */
      result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
                         va_arg(param, char *));
+#else
+ result = CURLE_NOT_BUILT_IN;
+#endif
      break;
    case CURLOPT_CAINFO:
      /*

The error looks like
curl: (4) A requested feature, protocol or option was not found built-in
in this libcurl due to a build-time decision.

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-21