On Mon, 1 Jun 2015, moparisthebest wrote:
> Attached is my second go at a patch for pinning public keys with a hash.
Nice! Sorry for dropping the ball here, hopefully I'll be faster now.
> 1. Is it safe to re-use the existing curlopt, the code treats it as a hash only if it starts with "sha256/" and nothing else, and then will not look on the filesystem for a file at all. I suppose this could break systems where a der/pem is in a folder named 'sha256/' with no leading path parts, but I feel like that's a safe bet?
First, your patch actually uses strstr() which scans for that substring. You want plain memcmp() or strncmp().
Then, as we're introducing a new prefix to activate this magic we can probably make it even less likely to be a subdir, by for example using double slashes or something: "sha256//".
--

 / daniel.haxx.se
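An added example, not part of the original message or of the patch under review: it contrasts the substring scan with an anchored prefix compare, and shows how the "sha256//" prefix keeps a relative path under a directory named sha256/ classified as a file. All function names, macros and sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is not curl's code. */
#define PIN_PREFIX_OLD "sha256/"   /* prefix as first proposed */
#define PIN_PREFIX_NEW "sha256//"  /* prefix suggested in the reply */

/* Substring scan: true if the marker appears ANYWHERE in the string. */
static int is_hash_strstr(const char *pin)
{
  return strstr(pin, PIN_PREFIX_OLD) != NULL;
}

/* Anchored compare: true only if the string BEGINS with the prefix. */
static int is_hash_prefix(const char *pin, const char *prefix)
{
  return strncmp(pin, prefix, strlen(prefix)) == 0;
}

/* Returns the encoded hash that follows "sha256//", or NULL when the
   value should be treated as a file name (no prefix, or empty hash). */
static const char *pin_hash_value(const char *pin)
{
  size_t n = strlen(PIN_PREFIX_NEW);
  if(strncmp(pin, PIN_PREFIX_NEW, n) != 0 || pin[n] == '\0')
    return NULL;
  return pin + n;
}

int main(void)
{
  /* Constructed sample inputs. */
  static const char *samples[] = {
    "sha256//CONSTRUCTEDsampleHASHvalue=",  /* intended hash form */
    "/etc/pins/sha256/server.der",          /* absolute path */
    "sha256/server.pem",                    /* relative path in sha256/ */
    "server.pem"                            /* plain file name */
  };
  size_t i;

  printf("%-38s strstr  old-prefix  new-prefix\n", "input");
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-38s %-7d %-11d %d\n", samples[i],
           is_hash_strstr(samples[i]),
           is_hash_prefix(samples[i], PIN_PREFIX_OLD),
           pin_hash_value(samples[i]) != NULL);
  return 0;
}
```

A value misclassified as a hash is never looked up on the filesystem, so the pin comparison would run against the path text instead of the key file's contents.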
