curl: add --proxy-pinnedpubkey

To verify a proxy's public key. For when using HTTPS proxies.

Fixes #2192
Closes #2268

diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index e8f46410bc538e4d0fce0cbda0cf23a91f9bb2a1..9891f3717e9d43435e8acf21c5ec3fed7fefa304 100644 (file)
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -34,7 +34,7 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
   remote-name-all.d remote-name.d remote-time.d request.d resolve.d     \
   retry-connrefused.d retry.d retry-delay.d retry-max-time.d sasl-ir.d  \
   service-name.d show-error.d silent.d socks4a.d socks4.d socks5.d      \
-  socks5-basic.d socks5-gssapi.d                                        \
+  socks5-basic.d socks5-gssapi.d proxy-pinnedpubkey.d                   \
   socks5-gssapi-nec.d socks5-gssapi-service.d socks5-hostname.d         \
   speed-limit.d speed-time.d ssl-allow-beast.d ssl.d ssl-no-revoke.d    \
   ssl-reqd.d sslv2.d sslv3.d stderr.d suppress-connect-headers.d        \

diff --git a/docs/cmdline-opts/proxy-pinnedpubkey.d b/docs/cmdline-opts/proxy-pinnedpubkey.d
new file mode 100644 (file)
index 0000000..abd6dc4
--- /dev/null
+++ b/docs/cmdline-opts/proxy-pinnedpubkey.d
@@ -0,0 +1,16 @@
+Long: proxy-pinnedpubkey
+Arg: <hashes>
+Help: FILE/HASHES public key to verify proxy with
+Protocols: TLS
+---
+Tells curl to use the specified public key file (or hashes) to verify the
+proxy. This can be a path to a file which contains a single public key in PEM
+or DER format, or any number of base64 encoded sha256 hashes preceded by
+\'sha256//\' and separated by \';\'
+
+When negotiating a TLS or SSL connection, the server sends a certificate
+indicating its identity. A public key is extracted from this certificate and
+if it does not exactly match the public key provided to this option, curl will
+abort the connection before sending or receiving any data.
+
+If this option is used several times, the last one will be used.

diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index 755195cedfbc12e95bc1aee4d7f87c49433febbd..d774881666105c9c217cc098660563d7248a77b6 100644 (file)
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -113,6 +113,7 @@ static void free_config_fields(struct OperationConfig *config)
   Curl_safefree(config->proxy_capath);
   Curl_safefree(config->crlfile);
   Curl_safefree(config->pinnedpubkey);
+  Curl_safefree(config->proxy_pinnedpubkey);
   Curl_safefree(config->proxy_crlfile);
   Curl_safefree(config->key);
   Curl_safefree(config->proxy_key);

diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index ddfc9bfcee7a374f88c56be29dd5a6a753abfec6..713739e7a64de49a1047ce10aff9b25476527504 100644 (file)
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -128,6 +128,7 @@ struct OperationConfig {
   char *crlfile;
   char *proxy_crlfile;
   char *pinnedpubkey;
+  char *proxy_pinnedpubkey;
   char *key;
   char *proxy_key;
   char *key_type;

diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 3f404641730a343662ea1d90f10486bb3f5c5ad3..015d635517d983de2fdab2941b846fb73759ca82 100644 (file)
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -232,6 +232,7 @@ static const struct LongShort aliases[]= {
   {"En", "ssl-allow-beast",          ARG_BOOL},
   {"Eo", "login-options",            ARG_STRING},
   {"Ep", "pinnedpubkey",             ARG_STRING},
+  {"EP", "proxy-pinnedpubkey",       ARG_STRING},
   {"Eq", "cert-status",              ARG_BOOL},
   {"Er", "false-start",              ARG_BOOL},
   {"Es", "ssl-no-revoke",            ARG_BOOL},
@@ -1500,6 +1501,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
         GetStr(&config->pinnedpubkey, nextarg);
         break;
 
+      case 'P': /* proxy pinned public key */
+        GetStr(&config->proxy_pinnedpubkey, nextarg);
+        break;
+
       case 'q': /* --cert-status */
         config->verifystatus = TRUE;
         break;

diff --git a/src/tool_help.c b/src/tool_help.c
index 9dc59cb3e7c8cafd65a8b8311391435e0246a8a3..70b2e8a1bff9a2edc4c125c671c2681343919ce3 100644 (file)
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -314,6 +314,8 @@ static const struct helptxt helptext[] = {
    "Use NTLM authentication on the proxy"},
   {"    --proxy-pass <phrase>",
    "Pass phrase for the private key for HTTPS proxy"},
+  {"    --proxy-pinnedpubkey <hashes>",
+   "FILE/HASHES public key to verify proxy with"},
   {"    --proxy-service-name <name>",
    "SPNEGO proxy service name"},
   {"    --proxy-ssl-allow-beast",