[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnurl] 32/222: url: only reuse TLS connections with matching pinning
From: |
gnunet |
Subject: |
[gnurl] 32/222: url: only reuse TLS connections with matching pinning |
Date: |
Thu, 07 Nov 2019 00:08:48 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 3c5f9ba899ace6a0a406e421c4c1f6e626a95d05
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Sep 13 16:38:58 2019 +0200
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.
Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund
Closes #4347
---
lib/url.c | 4 ++++
lib/urldata.h | 1 +
lib/vtls/vtls.c | 5 ++++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/url.c b/lib/url.c
index 572cd9c68..391087d34 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3526,6 +3526,10 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
data->set.proxy_ssl.primary.cipher_list13 =
data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
+ data->set.ssl.primary.pinned_key =
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+ data->set.proxy_ssl.primary.pinned_key =
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
diff --git a/lib/urldata.h b/lib/urldata.h
index acc1fd1b9..cb527918c 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -222,6 +222,7 @@ struct ssl_primary_config {
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
+ char *pinned_key;
bit verifypeer:1; /* set TRUE if this is desired */
bit verifyhost:1; /* set TRUE if CN/SAN must match hostname */
bit verifystatus:1; /* set TRUE if certificate status must be checked */
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 422819899..e6d756225 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -97,7 +97,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
return TRUE;
return FALSE;
@@ -121,6 +122,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config
*source,
CLONE_STRING(egdsocket);
CLONE_STRING(cipher_list);
CLONE_STRING(cipher_list13);
+ CLONE_STRING(pinned_key);
return TRUE;
}
@@ -134,6 +136,7 @@ void Curl_free_primary_ssl_config(struct
ssl_primary_config* sslc)
Curl_safefree(sslc->egdsocket);
Curl_safefree(sslc->cipher_list);
Curl_safefree(sslc->cipher_list13);
+ Curl_safefree(sslc->pinned_key);
}
#ifdef USE_SSL
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [gnurl] 14/222: FTP: allow "rubbish" prepended to the SIZE response, (continued)
- [gnurl] 14/222: FTP: allow "rubbish" prepended to the SIZE response, gnunet, 2019/11/06
- [gnurl] 22/222: quiche: persist connection details, gnunet, 2019/11/06
- [gnurl] 19/222: doh: fix (harmless) buffer overrun, gnunet, 2019/11/06
- [gnurl] 24/222: unit1655: make it C90 compliant, gnunet, 2019/11/06
- [gnurl] 21/222: openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version, gnunet, 2019/11/06
- [gnurl] 16/222: CI: inintial github action job, gnunet, 2019/11/06
- [gnurl] 20/222: doh: fix undefined behaviour and open up for gcc and clang optimization, gnunet, 2019/11/06
- [gnurl] 26/222: http2: relax verification of :authority in push promise requests, gnunet, 2019/11/06
- [gnurl] 27/222: url: cleanup dangling DOH request headers too, gnunet, 2019/11/06
- [gnurl] 28/222: mime: when disabled, avoid C99 macro, gnunet, 2019/11/06
- [gnurl] 32/222: url: only reuse TLS connections with matching pinning,
gnunet <=
- [gnurl] 39/222: ftp: Expression 'ftpc->wait_data_conn' is always true, gnunet, 2019/11/06
- [gnurl] 46/222: easy: part of conditional expression is always true: !result, gnunet, 2019/11/06
- [gnurl] 30/222: http: merge two "case" statements, gnunet, 2019/11/06
- [gnurl] 36/222: doh: avoid truncating DNS QTYPE to lower octet, gnunet, 2019/11/06
- [gnurl] 29/222: FTP: remove trailing slash from path for LIST/MLSD, gnunet, 2019/11/06
- [gnurl] 43/222: url: remove dead code, gnunet, 2019/11/06
- [gnurl] 42/222: url: part of expression is always true: (bundle->multiuse == 0), gnunet, 2019/11/06
- [gnurl] 44/222: version: Expression 'left > 1' is always true, gnunet, 2019/11/06
- [gnurl] 34/222: version: next release will be 7.67.0, gnunet, 2019/11/06
- [gnurl] 33/222: RELEASE-NOTES: synced, gnunet, 2019/11/06