cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: pinnedpubkey unsupported behavior

From: moparisthebest <admin_at_moparisthebest.com>
Date: Fri, 22 Apr 2016 10:29:08 -0400

On 04/21/2016 03:58 PM, Ray Satiro via curl-library wrote:
> In the future if you think you have a security issue e-mail
> curl-security at haxx.se.

Sorry about that, I glanced at curl.haxx.se and the git repo for
something like that and couldn't find it. Now I searched the FAQ page
and see it there. Also I wasn't convinced it was a security issue,
backend support is documented everywhere for this option.

It looks like, as of right now (commit
c67d7b940592a8a8f52b78052e911c3077db30a0), these backends
implementations are unsupported:

axtls.c
darwinssl.c
polarssl.c
schannel.c

and these have partial support:

cyassl.c only support #ifdef KEEP_PEER_CERT
gskit.c only support pem/der, needs curlssl_sha256sum defined for hash
support

of course that leaves these with full support:

gtls.c
mbedtls.c
nss.c
openssl.c

So #define have_curlssl_pinnedpubkey needs to happen inside the ones
with full support, gskit.c (which will fail-closed when a sha256// hash
is entered, unless it exists on the filesystem...), and cyassl.c but
only if KEEP_PEER_CERT is defined.

Would you want to build that patch? I can do it if you wish but it
looks like you are 99.9% of the way there?

> diff --git a/lib/url.c b/lib/url.c
> index 792ce77..9700373 100644
> --- a/lib/url.c
> +++ b/lib/url.c
> @@ -2072,12 +2072,16 @@ CURLcode Curl_setopt(struct SessionHandle *data,
> CURLopt
> #endif
> break;
> case CURLOPT_PINNEDPUBLICKEY:
> +#ifdef have_curlssl_pinnedpubkey /* not supported by all backends */
> /*
> * Set pinned public key for SSL connection.
> * Specify file name of the public key in DER format.
> */
> result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
> va_arg(param, char *));
> +#else
> + result = CURLE_NOT_BUILT_IN;
> +#endif
> break;
> case CURLOPT_CAINFO:
> /*

Now I'm wondering if gskit.c should instead have special code that does:

if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
        /* hashes are not supported in gskit without curlssl_sha256sum defined */
        return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
}

Just to keep everything 100% on the same page?

Thanks much,
Travis Burtrum
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-22