ssl: add server cert's "sha256//" hash to verbose (30c131f5) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

lib/vtls/cyassl.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -434,7 +434,8 @@ cyassl_connect_step2(struct connectdata *conn,
		return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
		}

		result = Curl_pin_peer_pubkey(data->set.str[STRING_SSL_PINNEDPUBLICKEY],
		result = Curl_pin_peer_pubkey(data,
		data->set.str[STRING_SSL_PINNEDPUBLICKEY],
		(const unsigned char *)pubkey->header,
		(size_t)(pubkey->end - pubkey->header));
		if(result) {

+1 −1

Original line number	Diff line number	Diff line
		@@ -874,7 +874,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
		return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
		Curl_parseX509(&x509, cert, certend);
		p = &x509.subjectPublicKeyInfo;
		result = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
		result = Curl_pin_peer_pubkey(data, ptr, p->header, p->end - p->header);
		if(result) {
		failf(data, "SSL: public key does not match pinned public key!");
		return result;

+4 −3

Original line number	Diff line number	Diff line
		@@ -724,7 +724,8 @@ gtls_connect_step1(struct connectdata *conn,
		return CURLE_OK;
		}

		static CURLcode pkp_pin_peer_pubkey(gnutls_x509_crt_t cert,
		static CURLcode pkp_pin_peer_pubkey(struct SessionHandle *data,
		gnutls_x509_crt_t cert,
		const char *pinnedpubkey)
		{
		/* Scratch */
		@@ -769,7 +770,7 @@ static CURLcode pkp_pin_peer_pubkey(gnutls_x509_crt_t cert,
		/* End Gyrations */

		/* The one good exit point */
		result = Curl_pin_peer_pubkey(pinnedpubkey, buff1, len1);
		result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
		} while(0);

		if(NULL != key)
		@@ -1152,7 +1153,7 @@ gtls_connect_step3(struct connectdata *conn,

		ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
		if(ptr) {
		result = pkp_pin_peer_pubkey(x509_cert, ptr);
		result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
		if(result != CURLE_OK) {
		failf(data, "SSL: public key does not match pinned public key!");
		gnutls_x509_crt_deinit(x509_cert);

+1 −2

Original line number	Diff line number	Diff line
		@@ -973,8 +973,7 @@ static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl,
		SECItem *cert_der = PK11_DEREncodePublicKey(pubkey);
		if(cert_der) {
		/* compare the public key with the pinned public key */
		result = Curl_pin_peer_pubkey(pinnedpubkey,
		cert_der->data,
		result = Curl_pin_peer_pubkey(data, pinnedpubkey, cert_der->data,
		cert_der->len);
		SECITEM_FreeItem(cert_der, PR_TRUE);
		}

+4 −3

Original line number	Diff line number	Diff line
		@@ -2420,7 +2420,8 @@ static CURLcode get_cert_chain(struct connectdata *conn,
		* Heavily modified from:
		* https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
		*/
		static CURLcode pkp_pin_peer_pubkey(X509* cert, const char *pinnedpubkey)
		static CURLcode pkp_pin_peer_pubkey(struct SessionHandle data, X509 cert,
		const char *pinnedpubkey)
		{
		/* Scratch */
		int len1 = 0, len2 = 0;
		@@ -2465,7 +2466,7 @@ static CURLcode pkp_pin_peer_pubkey(X509* cert, const char *pinnedpubkey)
		/* End Gyrations */

		/* The one good exit point */
		result = Curl_pin_peer_pubkey(pinnedpubkey, buff1, len1);
		result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
		} while(0);

		/* https://www.openssl.org/docs/crypto/buffer.html */
		@@ -2629,7 +2630,7 @@ static CURLcode servercert(struct connectdata *conn,

		ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
		if(!result && ptr) {
		result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
		result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr);
		if(result)
		failf(data, "SSL: public key does not match pinned public key!");
		}