Commit 283babfa authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

tls: make setting pinnedkey option fail if not supported 

to make it obvious to users trying to use the feature with TLS backends
not supporting it.

Discussed in #781
Reported-by: Travis Burtrum
parent 100c7b47

lib/url.c

+4 −0
Original line number Diff line number Diff line
@@ -2072,12 +2072,16 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, 
#endif

    break;

  case CURLOPT_PINNEDPUBLICKEY:

#ifdef have_curlssl_pinnedpubkey /* only by supported backends */

    /*

     * Set pinned public key for SSL connection.

     * Specify file name of the public key in DER format.

     */

    result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],

                       va_arg(param, char *));

#else

    result = CURLE_NOT_BUILT_IN;

#endif

    break;

  case CURLOPT_CAINFO:

    /*

lib/vtls/cyassl.c

+3 −14
Original line number Diff line number Diff line
@@ -5,7 +5,7 @@ 
 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms
@@ -51,7 +51,6 @@ and that's a problem since options.h hasn't been included yet. */ 
#include "urldata.h"

#include "sendf.h"

#include "inet_pton.h"

#include "cyassl.h"

#include "vtls.h"

#include "parsedate.h"

#include "connect.h" /* for the connect timeout */
@@ -69,6 +68,8 @@ and that's a problem since options.h hasn't been included yet. */ 
#include <cyassl/ctaocrypt/random.h>

#include <cyassl/ctaocrypt/sha256.h>



#include "cyassl.h"



/* The last #include files should be: */

#include "curl_memory.h"

#include "memdebug.h"
@@ -100,18 +101,6 @@ and that's a problem since options.h hasn't been included yet. */ 
#endif

#endif



/* KEEP_PEER_CERT is a product of the presence of build time symbol

   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is

   in wolfSSL's settings.h, and the latter two are build time symbols in

   options.h. */

#ifndef KEEP_PEER_CERT

#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \

    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \

    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))

#define KEEP_PEER_CERT

#endif

#endif



/* HAVE_SUPPORTED_CURVES is wolfSSL's build time symbol for enabling the ECC

   supported curve extension in options.h. Note ECC is enabled separately. */

#ifndef HAVE_SUPPORTED_CURVES

lib/vtls/cyassl.h

+18 −1
Original line number Diff line number Diff line
@@ -7,7 +7,7 @@ 
 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms
@@ -25,6 +25,18 @@ 


#ifdef USE_CYASSL



/* KEEP_PEER_CERT is a product of the presence of build time symbol

   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is

   in wolfSSL's settings.h, and the latter two are build time symbols in

   options.h. */

#ifndef KEEP_PEER_CERT

#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \

    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \

    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))

#define KEEP_PEER_CERT

#endif

#endif



CURLcode Curl_cyassl_connect(struct connectdata *conn, int sockindex);

bool Curl_cyassl_data_pending(const struct connectdata* conn, int connindex);

int Curl_cyassl_shutdown(struct connectdata* conn, int sockindex);
@@ -53,6 +65,11 @@ void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */ 
/* this backend supports CURLOPT_SSL_CTX_* */

#define have_curlssl_ssl_ctx 1



#ifdef KEEP_PEER_CERT

/* this backend supports CURLOPT_PINNEDPUBLICKEY */

#define have_curlssl_pinnedpubkey 1

#endif



/* API setup for CyaSSL */

#define curlssl_init Curl_cyassl_init

#define curlssl_cleanup() Curl_nop_stmt

lib/vtls/gtls.h

+4 −1
Original line number Diff line number Diff line
@@ -7,7 +7,7 @@ 
 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms
@@ -64,6 +64,9 @@ bool Curl_gtls_cert_status_request(void); 
/* this backend supports CURLOPT_CERTINFO */

#define have_curlssl_certinfo 1



/* this backend supports CURLOPT_PINNEDPUBLICKEY */

#define have_curlssl_pinnedpubkey 1



/* API setup for GnuTLS */

#define curlssl_init Curl_gtls_init

#define curlssl_cleanup Curl_gtls_cleanup

lib/vtls/mbedtls.h

+3 −0
Original line number Diff line number Diff line
@@ -50,6 +50,9 @@ void Curl_mbedtls_session_free(void *ptr); 
size_t Curl_mbedtls_version(char *buffer, size_t size);

int Curl_mbedtls_shutdown(struct connectdata *conn, int sockindex);



/* this backends supports CURLOPT_PINNEDPUBLICKEY */

#define have_curlssl_pinnedpubkey 1



/* API setup for mbedTLS */

#define curlssl_init() Curl_mbedtls_init()

#define curlssl_cleanup() Curl_mbedtls_cleanup()