cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] Pinned public key hash support

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 29 Jun 2015 16:14:34 +0200 (CEST)

On Mon, 1 Jun 2015, moparisthebest wrote:

> Attached is my second go at a patch for pinning public keys with a hash.

Nice! Sorry for dropping the ball here, hopefully I'll be faster now.

>> 1. Is it safe to re-use the existing curlopt, the code treats it as a hash
>> only if it starts with "sha256/" and nothing else, and then will not look
>> on the filesystem for a file at all. I suppose this could break systems
>> where a der/pem is in a folder named 'sha256/' with no leading path parts,
>> but I feel like that's a safe bet?

First, your patch actually uses strstr() which scans for that substring. You
want plain memcmp() or strncmp().

Then, as we're introducing a new prefix to activate this magic we can probably
make it even less likely to be a subdir, by for example using double slashes
or something: "sha256//".

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-06-29

This message: [ Message body ]
Next message: Daniel Stenberg: "[SECURITY NOTICE] libidn with bad UTF8 input"
Previous message: bch: "Re: SSL "host endpoint""
In reply to: moparisthebest: "Re: [PATCH] Pinned public key hash support"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]