
curl-library

Re: pinnedpubkey unsupported behavior

From: moparisthebest <admin_at_moparisthebest.com>
Date: Fri, 22 Apr 2016 14:37:39 -0400

On 04/22/2016 01:21 PM, Patrick Monnerat wrote:
> - The GSKit library supports SSL/TLS, not crypto. On OS400, there is a
> crypto library called QC3 that supports all these kinds of algorithms,
> but is specific to this platform.

That is interesting to know, then I guess I would suggest a code change
like so:

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 69fb70f..37ffbf7 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -815,9 +815,9 @@ CURLcode Curl_pin_peer_pubkey(struct SessionHandle
*data,
   if(!pubkey || !pubkeylen)
     return result;

-#ifdef curlssl_sha256sum
   /* only do this if pinnedpubkey starts with "sha256//", length 8 */
   if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
+#ifdef curlssl_sha256sum
     /* compute sha256sum of public key */
     sha256sumdigest = malloc(SHA256_DIGEST_LENGTH);
     if(!sha256sumdigest)
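Review bot: moving `#ifdef curlssl_sha256sum` inside the `if(strncmp(pinnedpubkey, "sha256//", 8) == 0)` block means the prefix test now compiles on every backend, so any locals used only in the guarded body (`sha256sumdigest` is visible here; its declaration is not) need their declarations guarded the same way, or backends without `curlssl_sha256sum` will get unused-variable warnings. A short comment at the new `#ifdef` stating what a backend without sha256 support does with a `sha256//` pin would also help, since the existing comment `/* only do this if pinnedpubkey starts with "sha256//", length 8 */` now describes the unconditional branch rather than the hashing.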
@@ -870,11 +870,11 @@ CURLcode Curl_pin_peer_pubkey(struct SessionHandle
*data,
     } while(end_pos && begin_pos);
     Curl_safefree(encoded);
     Curl_safefree(pinkeycopy);
- return result;
- }
 #else
- (void)data;
+ (void)data;
 #endif
+ return result;
+ }

   fp = fopen(pinnedpubkey, "rb");
   if(!fp)
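Review bot: the `#else` branch now falls through to `return result;`, but the value `result` holds at that point is not visible in this hunk; confirm it is still the pinning-mismatch error (CURLE_SSL_PINNEDPUBKEYNOTMATCH) and not CURLE_OK, because the sha256 comparison that would otherwise set it never runs on a backend without `curlssl_sha256sum`, and a CURLE_OK return here would silently accept the peer. An explicit assignment of the mismatch error in the `#else` branch, next to `(void)data;`, would make that intent obvious to the next reader. The change also means a `sha256//...` pin string is no longer handed to `fopen(pinnedpubkey, "rb")` on such backends, which is worth stating in the commit message.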

So that whenever a backend didn't have that function, it would fail when
provided with a sha256// hash?

> 2) Provide missing crypto algorithms locally, as it is already the
> case for md5.
> 3) Update the GSKit backend to provide these crypto algorithms via QC3
> calls: of course this will move GSKit towards a more OS400 specific
> version.

I think maybe a combo, in the specific case of GSKit, could you define
that function only where it is available on the OS400 and then hashes
just wouldn't work where QC3 was not available? #ifdef OS400 or similar?

You could additionally pull in a sha256 lib ONLY for GSKit and ONLY
where QC3 was not available, since all other backends (so far) support
it. I'm not sure if that would be worth it or not though?

I think I originally mentioned pulling in a similarly licensed sha256.c
to bagder on IRC when I first started adding hash support, but he
rightly mentioned that to do pretty much any modern TLS crypto most
algorithms have to support that in one way or another anyway, so I used
them.

Thanks for the feedback, as far as I know you are the only one who knows
anything about GSKit :),
Travis
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-22