gnunet-svn
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[gnurl] 32/222: url: only reuse TLS connections with matching pinning

From: gnunet
Subject: [gnurl] 32/222: url: only reuse TLS connections with matching pinning
Date: Thu, 07 Nov 2019 00:08:48 +0100 
This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit 3c5f9ba899ace6a0a406e421c4c1f6e626a95d05
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Sep 13 16:38:58 2019 +0200

    url: only reuse TLS connections with matching pinning
    
    If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
    connection should not be reused.
    
    Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
    Reported-by: Sebastian Haglund
    
    Closes #4347
---
 lib/url.c       | 4 ++++
 lib/urldata.h   | 1 +
 lib/vtls/vtls.c | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/url.c b/lib/url.c
index 572cd9c68..391087d34 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3526,6 +3526,10 @@ static CURLcode create_conn(struct Curl_easy *data,
     data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
   data->set.proxy_ssl.primary.cipher_list13 =
     data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
+  data->set.ssl.primary.pinned_key =
+    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+  data->set.proxy_ssl.primary.pinned_key =
+    data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
 
   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
diff --git a/lib/urldata.h b/lib/urldata.h
index acc1fd1b9..cb527918c 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -222,6 +222,7 @@ struct ssl_primary_config {
   char *egdsocket;       /* path to file containing the EGD daemon socket */
   char *cipher_list;     /* list of ciphers to use */
   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+  char *pinned_key;
   bit verifypeer:1;      /* set TRUE if this is desired */
   bit verifyhost:1;      /* set TRUE if CN/SAN must match hostname */
   bit verifystatus:1;    /* set TRUE if certificate status must be checked */
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 422819899..e6d756225 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -97,7 +97,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
      Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
      Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-     Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
+     Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+     Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
     return TRUE;
 
   return FALSE;
@@ -121,6 +122,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config 
*source,
   CLONE_STRING(egdsocket);
   CLONE_STRING(cipher_list);
   CLONE_STRING(cipher_list13);
+  CLONE_STRING(pinned_key);
 
   return TRUE;
 }
@@ -134,6 +136,7 @@ void Curl_free_primary_ssl_config(struct 
ssl_primary_config* sslc)
   Curl_safefree(sslc->egdsocket);
   Curl_safefree(sslc->cipher_list);
   Curl_safefree(sslc->cipher_list13);
+  Curl_safefree(sslc->pinned_key);
 }
 
 #ifdef USE_SSL

-- 
To stop receiving notification emails like this one, please contact
address@hidden.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]