From: Jan Venekamp <1422460+jan2000@users.noreply.github.com>
Date: Wed, 7 Aug 2024 12:09:04 +0000 (+0200)
Subject: curl: fix --proxy-pinnedpubkey
X-Git-Tag: curl-8_10_0~334
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e9c1e8f2ea0e4456dcfeabda866545f8f7d2bd8;p=thirdparty%2Fcurl.git
curl: fix --proxy-pinnedpubkey
This option was added in #2268 but never connected in tool_operate.c.
Closes #14438
---
diff --git a/docs/cmdline-opts/proxy-pinnedpubkey.md b/docs/cmdline-opts/proxy-pinnedpubkey.md
index 6f0b52d3e6..df0b0bb907 100644
--- a/docs/cmdline-opts/proxy-pinnedpubkey.md
+++ b/docs/cmdline-opts/proxy-pinnedpubkey.md
@@ -27,3 +27,5 @@ When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public key provided to this option, curl aborts the connection before sending or receiving any data.
+
+Before curl 8.10.0 this option did not work due to a bug.
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 90380063b1..681c83e714 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1750,6 +1750,13 @@ static CURLcode single_transfer(struct GlobalConfig *global,
 warnf(global, "ignoring %s, not supported by libcurl with %s",
 "--pinnedpubkey", ssl_ver);
 }
+ if(config->proxy_pinnedpubkey) {
+ result = res_setopt_str(curl, CURLOPT_PROXY_PINNEDPUBLICKEY,
+ config->proxy_pinnedpubkey);
+ if(result == CURLE_NOT_BUILT_IN)
+ warnf(global, "ignoring %s, not supported by libcurl with %s",
+ "--proxy-pinnedpubkey", ssl_ver);
+ }
 if(config->ssl_ec_curves)
 my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves);
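Review bot: The added `if(config->proxy_pinnedpubkey)` block in src/tool_operate.c fails open: when `res_setopt_str()` returns `CURLE_NOT_BUILT_IN` it only warns, so the transfer goes through the proxy without the key pin the user asked for. This matches the `--pinnedpubkey` handling in the context lines just above, but for a pinning control the downgrade deserves at least a comment on the warning branch, for example `/* pin not applied: the proxy's public key is NOT checked for this transfer */`. Any other non-OK `result` (an allocation failure, say) is not examined inside the block at all; whether it is reported or overwritten later cannot be seen from here, because single_transfer starts and ends outside the hunk. Consider treating every non-OK result other than `CURLE_NOT_BUILT_IN` as a hard error, propagated the same way the surrounding setopt calls do. The option stayed unconnected since #2268, so a regression test asserting that a mismatching proxy pin aborts the transfer would keep it from being silently dropped again.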