
Getting CURLE_OK with wrong pinned public key after using the correct one.

From: Sebastian Haglund via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 13 Sep 2019 15:56:40 +0200

Hi,

While adding public key pinning to a cURL C++ wrapper, I discovered that
setting the wrong public key after using the correct one still yields an OK
result (expected CURLE_SSL_PINNEDPUBKEYNOTMATCH).
It seems to be related to re-using the curl multi stack
after curl_multi_perform().

The C++ wrapper queues up requests, adds them to the multi stack and calls
curl_multi_perform() / curl_multi_info_read() when fetching the results.
The code below is a simplification of how it works.

Am I missing something or just using curl_multi the wrong way?

Regards,
Sebastian

#include <stdio.h>
#include <unistd.h>
#include <curl/curl.h>
#include <curl/multi.h>

/* Drive the multi handle until every queued transfer has finished, then
   report each result next to the expected outcome stored via CURLOPT_PRIVATE. */
void perform(CURLM* curlm)
{
    int running = 0;
    curl_multi_perform(curlm, &running);

    while(running)
    {
        usleep(10*1000);
        curl_multi_perform(curlm, &running);
    }

    CURLMsg *msg;
    int msgs_left;
    while((msg = curl_multi_info_read(curlm, &msgs_left)))
    {
        if (msg->msg == CURLMSG_DONE)
        {
            /* msg becomes invalid once the handle is removed, so copy what
               we need out of it first. */
            CURL* easy = msg->easy_handle;
            char* expected;
            curl_easy_getinfo(easy, CURLINFO_PRIVATE, &expected);
            printf("%s (expected: %s)\n", msg->data.result ? "NOK" : "OK",
                   expected);
            /* An easy handle must be removed from the multi handle before
               it is cleaned up, never the other way round. */
            curl_multi_remove_handle(curlm, easy);
            curl_easy_cleanup(easy);
        }
    }
}

/* Queue one pinned request on the multi handle and run it to completion.
   'expected' is the result we anticipate ("OK" or "NOK") for this pin. */
void test_pubkey_pinning(CURLM* curlm, const char* url, const char* pubkey,
                         const char* expected)
{
    CURL* curl = curl_easy_init();
    if (curl)
    {
        curl_easy_setopt(curl, CURLOPT_URL, url);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
        curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, pubkey);
        curl_easy_setopt(curl, CURLOPT_PRIVATE, expected);
        curl_multi_add_handle(curlm, curl);
        perform(curlm);
    }
}

int main(void)
{
    curl_global_init(CURL_GLOBAL_ALL);
    CURLM* curlm = curl_multi_init();
    if (curlm)
    {
        /* wrong pin, correct pin, then the same wrong pin again on the
           same multi handle */
        test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
            "sha256//9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=", "NOK");
        test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
            "sha256//Yvh6l+lXgqrBJrCtxwr9r/vbERE37/5/p6AaRRsiboQ=", "OK");
        test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
            "sha256//9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=", "NOK");
        curl_multi_cleanup(curlm);
    }
    curl_global_cleanup();
    return 0;
}

Received on 2019-09-13