From: Dongsun Lee Date: Mon, 7 Nov 2022 09:57:05 +0000 (+0900) Subject: disable pubkey-pinning X-Git-Tag: submit/tizen_5.5/20221109.232029^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_5.5;p=platform%2Fcore%2Fsecurity%2Fpubkey-pinning.git disable pubkey-pinning Change-Id: I710c3b4fc519a02a6ec6feb7d27592e32c28d4d6
---
diff --git a/src/curl/tpkp_curl.cpp b/src/curl/tpkp_curl.cpp
index 2e7dd0a..e85dd80 100644
--- a/src/curl/tpkp_curl.cpp
+++ b/src/curl/tpkp_curl.cpp
@@ -32,163 +32,177 @@ #include "tpkp_logger.h" #include "tpkp_client_cache.h" -namespace { - -using Decision = TPKP::ClientCache::Decision; - -TPKP::ClientCache g_cache; - -inline CURLcode err_tpkp_to_curle(tpkp_e err) noexcept -{ - switch (err) { - case TPKP_E_NONE: return CURLE_OK; - case TPKP_E_MEMORY: return CURLE_OUT_OF_MEMORY; - case TPKP_E_INVALID_URL: return CURLE_URL_MALFORMAT; - case TPKP_E_NO_URL_DATA: return CURLE_SSL_CERTPROBLEM; - case TPKP_E_PUBKEY_MISMATCH: return CURLE_SSL_PINNEDPUBKEYNOTMATCH; - case TPKP_E_INVALID_CERT: - case TPKP_E_INVALID_PEER_CERT_CHAIN: - case TPKP_E_FAILED_GET_PUBKEY_HASH: return CURLE_PEER_FAILED_VERIFICATION; - case TPKP_E_STD_EXCEPTION: - case TPKP_E_INTERNAL: - default: return CURLE_UNKNOWN_OPTION; - } -} - -TPKP::RawBuffer getPubkeyHash(X509 *cert, TPKP::HashAlgo algo) -{ - std::unique_ptr - pubkeyPtr(X509_get_pubkey(cert), EVP_PKEY_free); - - TPKP_CHECK_THROW_EXCEPTION(pubkeyPtr, - TPKP_E_INVALID_CERT, "Failed to get pubkey from cert."); - - unsigned char *der = nullptr; - auto len = i2d_PUBKEY(pubkeyPtr.get(), &der); - TPKP_CHECK_THROW_EXCEPTION(len > 0, - TPKP_E_INVALID_CERT, "Failed to convert pem pubkey to der."); - - TPKP::RawBuffer pubkeyder(der, der + len); - free(der); - unsigned char *hashResult = nullptr; - TPKP::RawBuffer out; - switch (algo) { - case TPKP::HashAlgo::SHA1: - out.resize(TPKP::typeCast(TPKP::HashSize::SHA1), 0x00); - hashResult = SHA1(pubkeyder.data(), pubkeyder.size(), out.data()); - break; - - case TPKP::HashAlgo::SHA256: - out.resize(TPKP::typeCast(TPKP::HashSize::SHA256), 0x00); - hashResult = SHA256(pubkeyder.data(), pubkeyder.size(), out.data()); - break; - - default: - TPKP_CHECK_THROW_EXCEPTION(false, - TPKP_E_INTERNAL, "Invalid hash algo type in get_pubkey_hash"); - } - - TPKP_CHECK_THROW_EXCEPTION(hashResult, - TPKP_E_FAILED_GET_PUBKEY_HASH, "Failed to get pubkey hash by openssl."); - - return out; -} - -} // anonymous namespace +// namespace { + +// using Decision = 
TPKP::ClientCache::Decision; + +// TPKP::ClientCache g_cache; + +// inline CURLcode err_tpkp_to_curle(tpkp_e err) noexcept +// { +// switch (err) { +// case TPKP_E_NONE: return CURLE_OK; +// case TPKP_E_MEMORY: return CURLE_OUT_OF_MEMORY; +// case TPKP_E_INVALID_URL: return CURLE_URL_MALFORMAT; +// case TPKP_E_NO_URL_DATA: return CURLE_SSL_CERTPROBLEM; +// case TPKP_E_PUBKEY_MISMATCH: return CURLE_SSL_PINNEDPUBKEYNOTMATCH; +// case TPKP_E_INVALID_CERT: +// case TPKP_E_INVALID_PEER_CERT_CHAIN: +// case TPKP_E_FAILED_GET_PUBKEY_HASH: return CURLE_PEER_FAILED_VERIFICATION; +// case TPKP_E_STD_EXCEPTION: +// case TPKP_E_INTERNAL: +// default: return CURLE_UNKNOWN_OPTION; +// } +// } + +// TPKP::RawBuffer getPubkeyHash(X509 *cert, TPKP::HashAlgo algo) +// { +// std::unique_ptr +// pubkeyPtr(X509_get_pubkey(cert), EVP_PKEY_free); + +// TPKP_CHECK_THROW_EXCEPTION(pubkeyPtr, +// TPKP_E_INVALID_CERT, "Failed to get pubkey from cert."); + +// unsigned char *der = nullptr; +// auto len = i2d_PUBKEY(pubkeyPtr.get(), &der); +// TPKP_CHECK_THROW_EXCEPTION(len > 0, +// TPKP_E_INVALID_CERT, "Failed to convert pem pubkey to der."); + +// TPKP::RawBuffer pubkeyder(der, der + len); +// free(der); +// unsigned char *hashResult = nullptr; +// TPKP::RawBuffer out; +// switch (algo) { +// case TPKP::HashAlgo::SHA1: +// out.resize(TPKP::typeCast(TPKP::HashSize::SHA1), 0x00); +// hashResult = SHA1(pubkeyder.data(), pubkeyder.size(), out.data()); +// break; + +// case TPKP::HashAlgo::SHA256: +// out.resize(TPKP::typeCast(TPKP::HashSize::SHA256), 0x00); +// hashResult = SHA256(pubkeyder.data(), pubkeyder.size(), out.data()); +// break; + +// default: +// TPKP_CHECK_THROW_EXCEPTION(false, +// TPKP_E_INTERNAL, "Invalid hash algo type in get_pubkey_hash"); +// } + +// TPKP_CHECK_THROW_EXCEPTION(hashResult, +// TPKP_E_FAILED_GET_PUBKEY_HASH, "Failed to get pubkey hash by openssl."); + +// return out; +// } + +// } // anonymous namespace EXPORT_API int tpkp_curl_verify_callback(int preverify_ok, 
X509_STORE_CTX *x509_ctx) { - tpkp_e res = TPKP::ExceptionSafe([&]{ - TPKP_CHECK_THROW_EXCEPTION(preverify_ok != 0, - TPKP_E_INTERNAL, "verify callback already failed before enter tpkp_curl callback"); + (void) preverify_ok; + (void) x509_ctx; + return 1; - std::string url = g_cache.getUrl(); + // tpkp_e res = TPKP::ExceptionSafe([&]{ + // TPKP_CHECK_THROW_EXCEPTION(preverify_ok != 0, + // TPKP_E_INTERNAL, "verify callback already failed before enter tpkp_curl callback"); - TPKP_CHECK_THROW_EXCEPTION(!url.empty(), - TPKP_E_NO_URL_DATA, "No url in client cache!!"); + // std::string url = g_cache.getUrl(); - switch (g_cache.getDecision(url)) { - case Decision::ALLOWED: - SLOGD("allow decision exist on url[%s]", url.c_str()); - return; + // TPKP_CHECK_THROW_EXCEPTION(!url.empty(), + // TPKP_E_NO_URL_DATA, "No url in client cache!!"); - case Decision::DENIED: - TPKP_THROW_EXCEPTION(TPKP_E_PUBKEY_MISMATCH, - "deny decision exist on url: " << url); + // switch (g_cache.getDecision(url)) { + // case Decision::ALLOWED: + // SLOGD("allow decision exist on url[%s]", url.c_str()); + // return; - default: - break; /* go ahead to make decision */ - } + // case Decision::DENIED: + // TPKP_THROW_EXCEPTION(TPKP_E_PUBKEY_MISMATCH, + // "deny decision exist on url: " << url); - TPKP::Context ctx(url); - if (!ctx.hasPins()) { - SLOGI("Skip. No static pin data for url: %s", url.c_str()); - return; - } + // default: + // break; /* go ahead to make decision */ + // } - auto chain = X509_STORE_CTX_get1_chain(x509_ctx); - int num = sk_X509_num(chain); - TPKP_CHECK_THROW_EXCEPTION(num != -1, - TPKP_E_INVALID_PEER_CERT_CHAIN, - "Invalid cert chain from x509_ctx in verify callback."); + // TPKP::Context ctx(url); + // if (!ctx.hasPins()) { + // SLOGI("Skip. 
No static pin data for url: %s", url.c_str()); + // return; + // } - for (int i = 0; i < num; i++) - ctx.addPubkeyHash( - TPKP::HashAlgo::DEFAULT, - getPubkeyHash(sk_X509_value(chain, i), TPKP::HashAlgo::DEFAULT)); + // auto chain = X509_STORE_CTX_get1_chain(x509_ctx); + // int num = sk_X509_num(chain); + // TPKP_CHECK_THROW_EXCEPTION(num != -1, + // TPKP_E_INVALID_PEER_CERT_CHAIN, + // "Invalid cert chain from x509_ctx in verify callback."); - sk_X509_pop_free(chain, X509_free); + // for (int i = 0; i < num; i++) + // ctx.addPubkeyHash( + // TPKP::HashAlgo::DEFAULT, + // getPubkeyHash(sk_X509_value(chain, i), TPKP::HashAlgo::DEFAULT)); - bool isMatched = ctx.checkPubkeyPins(); + // sk_X509_pop_free(chain, X509_free); - /* update decision cache */ - g_cache.setDecision(url, isMatched ? Decision::ALLOWED : Decision::DENIED); + // bool isMatched = ctx.checkPubkeyPins(); - TPKP_CHECK_THROW_EXCEPTION(isMatched, - TPKP_E_PUBKEY_MISMATCH, "The pubkey mismatched with pinned data!"); - }); + // /* update decision cache */ + // g_cache.setDecision(url, isMatched ? Decision::ALLOWED : Decision::DENIED); - return (res == TPKP_E_NONE) ? 1 : 0; + // TPKP_CHECK_THROW_EXCEPTION(isMatched, + // TPKP_E_PUBKEY_MISMATCH, "The pubkey mismatched with pinned data!"); + // }); + + // return (res == TPKP_E_NONE) ? 
1 : 0; } EXPORT_API tpkp_e tpkp_curl_set_url_data(CURL *curl) { - return TPKP::ExceptionSafe([&]{ - char *url = nullptr; - curl_easy_getinfo(curl, CURLINFO_EFFECTIVE_URL, &url); + (void) curl; + return TPKP_E_NONE; + + // return TPKP::ExceptionSafe([&]{ + // char *url = nullptr; + // curl_easy_getinfo(curl, CURLINFO_EFFECTIVE_URL, &url); - g_cache.setUrl(url); - }); + // g_cache.setUrl(url); + // }); } EXPORT_API tpkp_e tpkp_curl_set_verify(CURL *curl, SSL_CTX *ssl_ctx) { - SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, tpkp_curl_verify_callback); - return tpkp_curl_set_url_data(curl); + (void) curl; + (void) ssl_ctx; + return TPKP_E_NONE; + + // SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, tpkp_curl_verify_callback); + // return tpkp_curl_set_url_data(curl); } EXPORT_API CURLcode tpkp_curl_ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *) { - return err_tpkp_to_curle(tpkp_curl_set_verify(curl, (SSL_CTX *)ssl_ctx)); + (void) curl; + (void) ssl_ctx; + return CURLE_OK; + // return err_tpkp_to_curle(tpkp_curl_set_verify(curl, (SSL_CTX *)ssl_ctx)); } EXPORT_API void tpkp_curl_cleanup(void) { - tpkp_e res = TPKP::ExceptionSafe([&]{ - g_cache.eraseUrl(); - }); + // tpkp_e res = TPKP::ExceptionSafe([&]{ + // g_cache.eraseUrl(); + // }); - (void) res; + // (void) res; } EXPORT_API void tpkp_curl_cleanup_all(void) { - g_cache.eraseUrlAll(); + // g_cache.eraseUrlAll(); }
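Review bot: The stubbed `tpkp_curl_verify_callback` returns 1 unconditionally and discards `preverify_ok`, so wherever it is still installed as an OpenSSL verify callback it accepts a chain that OpenSSL's own verification has already rejected; that turns off ordinary certificate validation, not only pinning. The removed body failed the handshake when `preverify_ok` was 0, and that part can be kept by replacing `(void) preverify_ok;` and `return 1;` with `return preverify_ok;`. The function stays `EXPORT_API`, so a client may register it directly even though `tpkp_curl_set_verify` in this file no longer does; whether any caller does so is not visible from this hunk. Separately, `tpkp_curl_set_url_data`, `tpkp_curl_set_verify` and `tpkp_curl_ssl_ctx_callback` now report `TPKP_E_NONE` / `CURLE_OK` silently, so a caller cannot tell that pinning is inactive; a log line in each stub (the file already uses `SLOGI`) and a header comment such as `// pinning disabled: these entry points are no-ops and perform no pin check` would make the fail-open state visible.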