Hi,

While adding public key pinning to a cURL C++ wrapper, I discovered that
setting a wrong public key after using the correct one still yields an OK
result (expected CURLE_SSL_PINNEDPUBKEYNOTMATCH).
It seems to be related to re-using the curl multi stack
after curl_multi_perform().

The c++ wrapper queues up requests, adds them to the multi stack and calls
curl_multi_perform() / curl_multi_info_read() when fetching the results.
The code below is a simplification of how it works.

Am I missing something or just using curl_multi the wrong way?

Regards,
Sebastian

#include <stdio.h>
#include <unistd.h>
#include <curl/curl.h>
#include <curl/multi.h>

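/*
 * Drive every transfer currently attached to `curlm` to completion, then
 * report and release each finished easy handle.
 *
 * For every CURLMSG_DONE message one line goes to stdout: "OK" when the
 * transfer's CURLcode is zero, "NOK" otherwise, followed by the expectation
 * string the caller stored on the handle with CURLOPT_PRIVATE. For a failed
 * transfer the libcurl error text is also written to stderr, so a pinning
 * mismatch can be told apart from an unrelated failure (DNS, connect, ...).
 */
void perform(CURLM* curlm)
{
    int still_running = 0;
    CURLMcode mrc = curl_multi_perform(curlm, &still_running);

    /* Plain polling: sleep 10 ms between calls while transfers are active.
     * Leave the loop on a multi-level error instead of spinning on it. */
    while (mrc == CURLM_OK && still_running)
    {
        usleep(10*1000);
        mrc = curl_multi_perform(curlm, &still_running);
    }
    if (mrc != CURLM_OK)
    {
        fprintf(stderr, "curl_multi_perform failed: %s\n",
                curl_multi_strerror(mrc));
    }

    CURLMsg *msg;
    int msgs_left;
    while ((msg = curl_multi_info_read(curlm, &msgs_left)))
    {
        if (msg->msg != CURLMSG_DONE)
        {
            continue;
        }

        /* Copy what is needed out of the message first: the CURLMsg storage
         * does not survive curl_multi_remove_handle()/curl_easy_cleanup(). */
        CURL *easy = msg->easy_handle;
        CURLcode result = msg->data.result;

        char *expected = NULL;
        if (curl_easy_getinfo(easy, CURLINFO_PRIVATE, &expected) != CURLE_OK
            || expected == NULL)
        {
            expected = "?";
        }

        printf("%s (expected: %s)\n", result?"NOK":"OK", expected);
        if (result != CURLE_OK)
        {
            fprintf(stderr, "  curl error %d: %s\n", (int)result,
                    curl_easy_strerror(result));
        }

        /* Detach from the multi handle BEFORE destroying the easy handle;
         * the original order handed an already freed handle to
         * curl_multi_remove_handle(). */
        curl_multi_remove_handle(curlm, easy);
        curl_easy_cleanup(easy);
    }
}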

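/*
 * Run one HTTPS request to `url` through the shared multi handle `curlm`
 * with certificate verification enabled and the server public key pinned
 * to `pubkey`.
 *
 * `msg` is the expected outcome label; it is attached to the easy handle
 * via CURLOPT_PRIVATE and printed next to the actual result by perform().
 * The pointer is stored as-is, so it must stay valid until perform()
 * returns.
 *
 * NOTE(review): the multi handle is reused across calls. If it also reuses
 * the TLS connection from an earlier call (not visible from this code), a
 * pin set here may not be checked again on that connection. Confirm against
 * the libcurl version in use before relying on a per-request pin change.
 */
void test_pubkey_pinning(CURLM* curlm, const char* url, const char* pubkey,
                         const char* msg)
{
    CURL *curl = curl_easy_init();
    if (!curl)
    {
        fprintf(stderr, "curl_easy_init failed\n");
        return;
    }

    CURLcode rc = curl_easy_setopt(curl, CURLOPT_URL, url);
    if (rc == CURLE_OK)
    {
        rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    }
    if (rc == CURLE_OK)
    {
        rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    }
    if (rc == CURLE_OK)
    {
        /* Setting the pin can fail (for example when the TLS backend lacks
         * pinning support). Ignoring that would run the transfer unpinned
         * and report a misleading "OK". */
        rc = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, pubkey);
    }
    if (rc == CURLE_OK)
    {
        rc = curl_easy_setopt(curl, CURLOPT_PRIVATE, msg);
    }
    if (rc != CURLE_OK)
    {
        fprintf(stderr, "curl_easy_setopt failed: %s\n",
                curl_easy_strerror(rc));
        curl_easy_cleanup(curl);
        return;
    }

    CURLMcode mrc = curl_multi_add_handle(curlm, curl);
    if (mrc != CURLM_OK)
    {
        /* The handle never joined the multi stack, so perform() would not
         * release it; free it here. */
        fprintf(stderr, "curl_multi_add_handle failed: %s\n",
                curl_multi_strerror(mrc));
        curl_easy_cleanup(curl);
        return;
    }

    perform(curlm);
}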

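/*
 * Reproduction driver: issue three pinned requests to the same URL through
 * ONE multi handle, in the order NOK, OK, NOK (the last argument is the
 * expected outcome label). The accompanying report says the third request
 * comes back OK although CURLE_SSL_PINNEDPUBKEYNOTMATCH was expected.
 *
 * The stray ';' that followed each URL literal in the posted listing is
 * dropped here; it is not valid C and looks like a mail-archive artifact.
 *
 * Returns 0 when the run completed, 1 when libcurl could not be set up.
 */
int main(void)
{
    if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK)
    {
        fprintf(stderr, "curl_global_init failed\n");
        return 1;
    }

    CURLM *curlm = curl_multi_init();
    if (!curlm)
    {
        fprintf(stderr, "curl_multi_init failed\n");
        curl_global_cleanup();
        return 1;
    }

    test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
                        "sha256//9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=",
                        "NOK");
    test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
                        "sha256//Yvh6l+lXgqrBJrCtxwr9r/vbERE37/5/p6AaRRsiboQ=",
                        "OK");
    test_pubkey_pinning(curlm, "https://httpbin.org/status/200",
                        "sha256//9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=",
                        "NOK");

    curl_multi_cleanup(curlm);
    curl_global_cleanup();
    return 0;
}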