granicus.if.org Git - curl/commit

author	Jay Satiro <raysatiro@yahoo.com>
	Mon, 18 Jan 2016 08:48:10 +0000 (03:48 -0500)
committer	Jay Satiro <raysatiro@yahoo.com>
	Mon, 18 Jan 2016 08:48:10 +0000 (03:48 -0500)
commit	d58ba66eeceb5a290ecd50f596606a7f77d68b4b
tree	d9d56a027821f1e3d7dc8c77ad6a05b282a4adb7	tree \| snapshot
parent	d56637113092ebc6721601812510ef5e3e5126e4	commit \| diff

mbedtls: Fix pinned key return value on fail

- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601