curl: add --proxy-pinnedpubkey

To verify a proxy's public key. For when using HTTPS proxies. Fixes #2192 Closes #2268
2025-02-28 09:21:50 -05:00 · 2018-01-28 14:15:56 +01:00 · 2018-01-28 14:15:56 +01:00 · fecec1d8ae
commit fecec1d8ae
parent b7db284266
6 changed files with 29 additions and 4 deletions
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@ -34,7 +34,7 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
  remote-name-all.d remote-name.d remote-time.d request.d resolve.d     \
  retry-connrefused.d retry.d retry-delay.d retry-max-time.d sasl-ir.d  \
  service-name.d show-error.d silent.d socks4a.d socks4.d socks5.d      \
-  socks5-basic.d socks5-gssapi.d                                        \
+  socks5-basic.d socks5-gssapi.d proxy-pinnedpubkey.d                   \
  socks5-gssapi-nec.d socks5-gssapi-service.d socks5-hostname.d         \
  speed-limit.d speed-time.d ssl-allow-beast.d ssl.d ssl-no-revoke.d    \
  ssl-reqd.d sslv2.d sslv3.d stderr.d suppress-connect-headers.d        \
--- a/docs/cmdline-opts/proxy-pinnedpubkey.d
+++ b/docs/cmdline-opts/proxy-pinnedpubkey.d
@ -0,0 +1,16 @@
 Long: proxy-pinnedpubkey
 Arg: <hashes>
 Help: FILE/HASHES public key to verify proxy with
 Protocols: TLS
 ---
 Tells curl to use the specified public key file (or hashes) to verify the
 proxy. This can be a path to a file which contains a single public key in PEM
 or DER format, or any number of base64 encoded sha256 hashes preceded by
 \'sha256//\' and separated by \';\'
 When negotiating a TLS or SSL connection, the server sends a certificate
 indicating its identity. A public key is extracted from this certificate and
 if it does not exactly match the public key provided to this option, curl will
 abort the connection before sending or receiving any data.
 If this option is used several times, the last one will be used.
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -113,6 +113,7 @@ static void free_config_fields(struct OperationConfig *config)
  Curl_safefree(config->proxy_capath);
  Curl_safefree(config->crlfile);
  Curl_safefree(config->pinnedpubkey);
  Curl_safefree(config->proxy_pinnedpubkey);
  Curl_safefree(config->proxy_crlfile);
  Curl_safefree(config->key);
  Curl_safefree(config->proxy_key);
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -128,6 +128,7 @@ struct OperationConfig {
  char *crlfile;
  char *proxy_crlfile;
  char *pinnedpubkey;
  char *proxy_pinnedpubkey;
  char *key;
  char *proxy_key;
  char *key_type;
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -232,6 +232,7 @@ static const struct LongShort aliases[]= {
  {"En", "ssl-allow-beast",          ARG_BOOL},
  {"Eo", "login-options",            ARG_STRING},
  {"Ep", "pinnedpubkey",             ARG_STRING},
  {"EP", "proxy-pinnedpubkey",       ARG_STRING},
  {"Eq", "cert-status",              ARG_BOOL},
  {"Er", "false-start",              ARG_BOOL},
  {"Es", "ssl-no-revoke",            ARG_BOOL},
@ -1500,6 +1501,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
        GetStr(&config->pinnedpubkey, nextarg);
        break;
      case 'P': /* proxy pinned public key */
        GetStr(&config->proxy_pinnedpubkey, nextarg);
        break;
      case 'q': /* --cert-status */
        config->verifystatus = TRUE;
        break;
--- a/src/tool_help.c
+++ b/src/tool_help.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -314,6 +314,8 @@ static const struct helptxt helptext[] = {
   "Use NTLM authentication on the proxy"},
  {"    --proxy-pass <phrase>",
   "Pass phrase for the private key for HTTPS proxy"},
  {"    --proxy-pinnedpubkey <hashes>",
   "FILE/HASHES public key to verify proxy with"},
  {"    --proxy-service-name <name>",
   "SPNEGO proxy service name"},
  {"    --proxy-ssl-allow-beast",