mbedtls: Fix pinned key return value on fail. draft1 #601
- Switch from verifying a pinned public key in a callback to right after the certificate verification.
This works for me. And it fixes the problem with checking the cert after resumption and makes it possible to disable verifypeer by also using certificate pinning. I tested it since it was created in my binary and had no issues with it.
- A copy of the const peercert must be made in order to pass a non-const public key to mbedtls_pk_write_pubkey_der. FAIL: Currently this runs but all pinned key verification fails. I have yet to debug it.
Before this goes in it must be fixed so that the input for
- More correct cleanup pattern for the copy of peer cert *p.
- Add some descriptive error messages where appropriate.
- Change name ret => result to eliminate variable shadowing warning.
- Remove comment about no peer cert on session resume, since that's not true of mbedTLS (the comment was carried over from PolarSSL code).
- Allocate cert info buffer on heap instead of stack.

Prior to these changes: In draft 2 the code worked fine, however I marked it as 'FAIL' because all my tests failed due to what I later realized was just a copy&paste error on my part: I hadn't enabled curlssl_sha256sum even though I was running the sha256// tests.
727d7ff to 5972e52
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned.
2. If peer certificate verification was disabled the pinned key verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: #601
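A small C model of the three callback problems listed in the commit message above, added here as an illustration; it is not code from curl or from this pull request. The `cert` struct, the sample chains, the function names and the `R_*` codes are constructed for the example, and it assumes the old callback path surfaced a pin mismatch as a generic verification failure, which the page does not state.

```c
#include <stdio.h>
#include <string.h>
/* Stand-ins for curl result codes; only the pinned-key name comes from the page. */
enum result { R_OK, R_PEER_FAILED_VERIFICATION, R_PINNEDPUBKEYNOTMATCH };

/* Constructed model of a chain entry; pubkey stands in for the DER public key. */
struct cert { int depth; int trusted; const char *pubkey; };
typedef int (*verify_cb)(const char *pin, const struct cert *c);
/* Constructed sample chains: a normal chain and one with no depth-0 entry. */
const struct cert full_chain[] = { {0, 1, "KEY-A"}, {1, 1, "KEY-CA"} };
const struct cert no_leaf[] = { {1, 1, "KEY-CA"} };

/* Callback: checks the pin only when handed the depth-0 certificate. */
static int pin_cb(const char *pin, const struct cert *c) {
  return (c->depth == 0 && strcmp(c->pubkey, pin) != 0) ? -1 : 0;
}

/* Model of chain verification: every failure collapses into one status. */
static int verify_chain(const struct cert *ch, size_t n, verify_cb cb, const char *pin) {
  for(size_t i = 0; i < n; i++)
    if(!ch[i].trusted || (cb && cb(pin, &ch[i]) != 0))
      return -1;
  return 0;
}

/* Old shape: the pin check lives inside the verification callback. */
enum result connect_callback(const struct cert *ch, size_t n, int verifypeer, const char *pin) {
  if(!verifypeer)
    return R_OK;                        /* problem 2: pin never checked */
  if(verify_chain(ch, n, pin_cb, pin) != 0)
    return R_PEER_FAILED_VERIFICATION;  /* problem 1: no pinned-key result code */
  return R_OK;                          /* problem 3: no depth-0 cert, pin unchecked */
}

/* New shape: verify the chain if asked, then always check the pin inline. */
enum result connect_inline(const struct cert *ch, size_t n, int verifypeer, const char *pin) {
  const struct cert *leaf = NULL;
  if(verifypeer && verify_chain(ch, n, NULL, NULL) != 0)
    return R_PEER_FAILED_VERIFICATION;
  for(size_t i = 0; i < n; i++)
    if(ch[i].depth == 0) leaf = &ch[i];
  if(pin && (!leaf || strcmp(leaf->pubkey, pin) != 0))
    return R_PINNEDPUBKEYNOTMATCH;
  return R_OK;
}

int main(void) { /* no depth-0 certificate, verification enabled, pin configured */
  printf("callback=%d inline=%d\n", (int)connect_callback(no_leaf, 1, 1, "KEY-A"),
         (int)connect_inline(no_leaf, 1, 1, "KEY-A"));
  return 0;
}
```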
@sithglan This landed in d58ba66, thanks for your help. All the SSLpinning tests pass now.