#include "tpkp_logger.h"
#include "tpkp_client_cache.h"
-namespace {
-
-using Decision = TPKP::ClientCache::Decision;
-
-TPKP::ClientCache g_cache;
-
-inline CURLcode err_tpkp_to_curle(tpkp_e err) noexcept
-{
- switch (err) {
- case TPKP_E_NONE: return CURLE_OK;
- case TPKP_E_MEMORY: return CURLE_OUT_OF_MEMORY;
- case TPKP_E_INVALID_URL: return CURLE_URL_MALFORMAT;
- case TPKP_E_NO_URL_DATA: return CURLE_SSL_CERTPROBLEM;
- case TPKP_E_PUBKEY_MISMATCH: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
- case TPKP_E_INVALID_CERT:
- case TPKP_E_INVALID_PEER_CERT_CHAIN:
- case TPKP_E_FAILED_GET_PUBKEY_HASH: return CURLE_PEER_FAILED_VERIFICATION;
- case TPKP_E_STD_EXCEPTION:
- case TPKP_E_INTERNAL:
- default: return CURLE_UNKNOWN_OPTION;
- }
-}
-
-TPKP::RawBuffer getPubkeyHash(X509 *cert, TPKP::HashAlgo algo)
-{
- std::unique_ptr<EVP_PKEY, void(*)(EVP_PKEY *)>
- pubkeyPtr(X509_get_pubkey(cert), EVP_PKEY_free);
-
- TPKP_CHECK_THROW_EXCEPTION(pubkeyPtr,
- TPKP_E_INVALID_CERT, "Failed to get pubkey from cert.");
-
- unsigned char *der = nullptr;
- auto len = i2d_PUBKEY(pubkeyPtr.get(), &der);
- TPKP_CHECK_THROW_EXCEPTION(len > 0,
- TPKP_E_INVALID_CERT, "Failed to convert pem pubkey to der.");
-
- TPKP::RawBuffer pubkeyder(der, der + len);
- free(der);
- unsigned char *hashResult = nullptr;
- TPKP::RawBuffer out;
- switch (algo) {
- case TPKP::HashAlgo::SHA1:
- out.resize(TPKP::typeCast(TPKP::HashSize::SHA1), 0x00);
- hashResult = SHA1(pubkeyder.data(), pubkeyder.size(), out.data());
- break;
-
- case TPKP::HashAlgo::SHA256:
- out.resize(TPKP::typeCast(TPKP::HashSize::SHA256), 0x00);
- hashResult = SHA256(pubkeyder.data(), pubkeyder.size(), out.data());
- break;
-
- default:
- TPKP_CHECK_THROW_EXCEPTION(false,
- TPKP_E_INTERNAL, "Invalid hash algo type in get_pubkey_hash");
- }
-
- TPKP_CHECK_THROW_EXCEPTION(hashResult,
- TPKP_E_FAILED_GET_PUBKEY_HASH, "Failed to get pubkey hash by openssl.");
-
- return out;
-}
-
-} // anonymous namespace
+// namespace {
+
+// using Decision = TPKP::ClientCache::Decision;
+
+// TPKP::ClientCache g_cache;
+
+// inline CURLcode err_tpkp_to_curle(tpkp_e err) noexcept
+// {
+// switch (err) {
+// case TPKP_E_NONE: return CURLE_OK;
+// case TPKP_E_MEMORY: return CURLE_OUT_OF_MEMORY;
+// case TPKP_E_INVALID_URL: return CURLE_URL_MALFORMAT;
+// case TPKP_E_NO_URL_DATA: return CURLE_SSL_CERTPROBLEM;
+// case TPKP_E_PUBKEY_MISMATCH: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
+// case TPKP_E_INVALID_CERT:
+// case TPKP_E_INVALID_PEER_CERT_CHAIN:
+// case TPKP_E_FAILED_GET_PUBKEY_HASH: return CURLE_PEER_FAILED_VERIFICATION;
+// case TPKP_E_STD_EXCEPTION:
+// case TPKP_E_INTERNAL:
+// default: return CURLE_UNKNOWN_OPTION;
+// }
+// }
+
+// TPKP::RawBuffer getPubkeyHash(X509 *cert, TPKP::HashAlgo algo)
+// {
+// std::unique_ptr<EVP_PKEY, void(*)(EVP_PKEY *)>
+// pubkeyPtr(X509_get_pubkey(cert), EVP_PKEY_free);
+
+// TPKP_CHECK_THROW_EXCEPTION(pubkeyPtr,
+// TPKP_E_INVALID_CERT, "Failed to get pubkey from cert.");
+
+// unsigned char *der = nullptr;
+// auto len = i2d_PUBKEY(pubkeyPtr.get(), &der);
+// TPKP_CHECK_THROW_EXCEPTION(len > 0,
+// TPKP_E_INVALID_CERT, "Failed to convert pem pubkey to der.");
+
+// TPKP::RawBuffer pubkeyder(der, der + len);
+// free(der);
+// unsigned char *hashResult = nullptr;
+// TPKP::RawBuffer out;
+// switch (algo) {
+// case TPKP::HashAlgo::SHA1:
+// out.resize(TPKP::typeCast(TPKP::HashSize::SHA1), 0x00);
+// hashResult = SHA1(pubkeyder.data(), pubkeyder.size(), out.data());
+// break;
+
+// case TPKP::HashAlgo::SHA256:
+// out.resize(TPKP::typeCast(TPKP::HashSize::SHA256), 0x00);
+// hashResult = SHA256(pubkeyder.data(), pubkeyder.size(), out.data());
+// break;
+
+// default:
+// TPKP_CHECK_THROW_EXCEPTION(false,
+// TPKP_E_INTERNAL, "Invalid hash algo type in get_pubkey_hash");
+// }
+
+// TPKP_CHECK_THROW_EXCEPTION(hashResult,
+// TPKP_E_FAILED_GET_PUBKEY_HASH, "Failed to get pubkey hash by openssl.");
+
+// return out;
+// }
+
+// } // anonymous namespace
EXPORT_API
int tpkp_curl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
- tpkp_e res = TPKP::ExceptionSafe([&]{
- TPKP_CHECK_THROW_EXCEPTION(preverify_ok != 0,
- TPKP_E_INTERNAL, "verify callback already failed before enter tpkp_curl callback");
+ (void) preverify_ok;
+ (void) x509_ctx;
+ return 1;
- std::string url = g_cache.getUrl();
+ // tpkp_e res = TPKP::ExceptionSafe([&]{
+ // TPKP_CHECK_THROW_EXCEPTION(preverify_ok != 0,
+ // TPKP_E_INTERNAL, "verify callback already failed before enter tpkp_curl callback");
- TPKP_CHECK_THROW_EXCEPTION(!url.empty(),
- TPKP_E_NO_URL_DATA, "No url in client cache!!");
+ // std::string url = g_cache.getUrl();
- switch (g_cache.getDecision(url)) {
- case Decision::ALLOWED:
- SLOGD("allow decision exist on url[%s]", url.c_str());
- return;
+ // TPKP_CHECK_THROW_EXCEPTION(!url.empty(),
+ // TPKP_E_NO_URL_DATA, "No url in client cache!!");
- case Decision::DENIED:
- TPKP_THROW_EXCEPTION(TPKP_E_PUBKEY_MISMATCH,
- "deny decision exist on url: " << url);
+ // switch (g_cache.getDecision(url)) {
+ // case Decision::ALLOWED:
+ // SLOGD("allow decision exist on url[%s]", url.c_str());
+ // return;
- default:
- break; /* go ahead to make decision */
- }
+ // case Decision::DENIED:
+ // TPKP_THROW_EXCEPTION(TPKP_E_PUBKEY_MISMATCH,
+ // "deny decision exist on url: " << url);
- TPKP::Context ctx(url);
- if (!ctx.hasPins()) {
- SLOGI("Skip. No static pin data for url: %s", url.c_str());
- return;
- }
+ // default:
+ // break; /* go ahead to make decision */
+ // }
- auto chain = X509_STORE_CTX_get1_chain(x509_ctx);
- int num = sk_X509_num(chain);
- TPKP_CHECK_THROW_EXCEPTION(num != -1,
- TPKP_E_INVALID_PEER_CERT_CHAIN,
- "Invalid cert chain from x509_ctx in verify callback.");
+ // TPKP::Context ctx(url);
+ // if (!ctx.hasPins()) {
+ // SLOGI("Skip. No static pin data for url: %s", url.c_str());
+ // return;
+ // }
- for (int i = 0; i < num; i++)
- ctx.addPubkeyHash(
- TPKP::HashAlgo::DEFAULT,
- getPubkeyHash(sk_X509_value(chain, i), TPKP::HashAlgo::DEFAULT));
+ // auto chain = X509_STORE_CTX_get1_chain(x509_ctx);
+ // int num = sk_X509_num(chain);
+ // TPKP_CHECK_THROW_EXCEPTION(num != -1,
+ // TPKP_E_INVALID_PEER_CERT_CHAIN,
+ // "Invalid cert chain from x509_ctx in verify callback.");
- sk_X509_pop_free(chain, X509_free);
+ // for (int i = 0; i < num; i++)
+ // ctx.addPubkeyHash(
+ // TPKP::HashAlgo::DEFAULT,
+ // getPubkeyHash(sk_X509_value(chain, i), TPKP::HashAlgo::DEFAULT));
- bool isMatched = ctx.checkPubkeyPins();
+ // sk_X509_pop_free(chain, X509_free);
- /* update decision cache */
- g_cache.setDecision(url, isMatched ? Decision::ALLOWED : Decision::DENIED);
+ // bool isMatched = ctx.checkPubkeyPins();
- TPKP_CHECK_THROW_EXCEPTION(isMatched,
- TPKP_E_PUBKEY_MISMATCH, "The pubkey mismatched with pinned data!");
- });
+ // /* update decision cache */
+ // g_cache.setDecision(url, isMatched ? Decision::ALLOWED : Decision::DENIED);
- return (res == TPKP_E_NONE) ? 1 : 0;
+ // TPKP_CHECK_THROW_EXCEPTION(isMatched,
+ // TPKP_E_PUBKEY_MISMATCH, "The pubkey mismatched with pinned data!");
+ // });
+
+ // return (res == TPKP_E_NONE) ? 1 : 0;
}
EXPORT_API
tpkp_e tpkp_curl_set_url_data(CURL *curl)
{
- return TPKP::ExceptionSafe([&]{
- char *url = nullptr;
- curl_easy_getinfo(curl, CURLINFO_EFFECTIVE_URL, &url);
+ (void) curl;
+ return TPKP_E_NONE;
+
+ // return TPKP::ExceptionSafe([&]{
+ // char *url = nullptr;
+ // curl_easy_getinfo(curl, CURLINFO_EFFECTIVE_URL, &url);
- g_cache.setUrl(url);
- });
+ // g_cache.setUrl(url);
+ // });
}
EXPORT_API
tpkp_e tpkp_curl_set_verify(CURL *curl, SSL_CTX *ssl_ctx)
{
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, tpkp_curl_verify_callback);
- return tpkp_curl_set_url_data(curl);
+ (void) curl;
+ (void) ssl_ctx;
+ return TPKP_E_NONE;
+
+ // SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, tpkp_curl_verify_callback);
+ // return tpkp_curl_set_url_data(curl);
}
EXPORT_API
CURLcode tpkp_curl_ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *)
{
- return err_tpkp_to_curle(tpkp_curl_set_verify(curl, (SSL_CTX *)ssl_ctx));
+ (void) curl;
+ (void) ssl_ctx;
+ return CURLE_OK;
+ // return err_tpkp_to_curle(tpkp_curl_set_verify(curl, (SSL_CTX *)ssl_ctx));
}
EXPORT_API
void tpkp_curl_cleanup(void)
{
- tpkp_e res = TPKP::ExceptionSafe([&]{
- g_cache.eraseUrl();
- });
+ // tpkp_e res = TPKP::ExceptionSafe([&]{
+ // g_cache.eraseUrl();
+ // });
- (void) res;
+ // (void) res;
}
EXPORT_API
void tpkp_curl_cleanup_all(void)
{
- g_cache.eraseUrlAll();
+ // g_cache.eraseUrlAll();
}
projects / platform / core / security / pubkey-pinning.git / commitdiff