From 1e9c1e8f2ea0e4456dcfeabda866545f8f7d2bd8 Mon Sep 17 00:00:00 2001
From: Jan Venekamp <1422460+jan2000@users.noreply.github.com>
Date: Wed, 7 Aug 2024 14:09:04 +0200
Subject: [PATCH] curl: fix --proxy-pinnedpubkey

This option was added in #2268 but never connected in tool_operate.c.

Closes #14438
---
 docs/cmdline-opts/proxy-pinnedpubkey.md | 2 ++
 src/tool_operate.c | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/docs/cmdline-opts/proxy-pinnedpubkey.md b/docs/cmdline-opts/proxy-pinnedpubkey.md
index 6f0b52d3e6..df0b0bb907 100644
--- a/docs/cmdline-opts/proxy-pinnedpubkey.md
+++ b/docs/cmdline-opts/proxy-pinnedpubkey.md
@@ -27,3 +27,5 @@ When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public key provided to this option, curl aborts the connection before sending or receiving any data.
+
+Before curl 8.10.0 this option did not work due to a bug.
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 90380063b1..681c83e714 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1750,6 +1750,13 @@ static CURLcode single_transfer(struct GlobalConfig *global,
 warnf(global, "ignoring %s, not supported by libcurl with %s", "--pinnedpubkey", ssl_ver);
 }
+ if(config->proxy_pinnedpubkey) {
+ result = res_setopt_str(curl, CURLOPT_PROXY_PINNEDPUBLICKEY,
+ config->proxy_pinnedpubkey);
+ if(result == CURLE_NOT_BUILT_IN)
+ warnf(global, "ignoring %s, not supported by libcurl with %s",
+ "--proxy-pinnedpubkey", ssl_ver);
+ }
 if(config->ssl_ec_curves) my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves);
--
2.47.3
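Review bot: In the added `if(config->proxy_pinnedpubkey)` block, `result` is only compared with `CURLE_NOT_BUILT_IN`, so any other failure from `res_setopt_str()` (an allocation failure while storing the pin, say) looks unhandled in the visible lines, and the transfer would then go through the proxy with no pin set. For a pinning option that is a silent fail-open; I would add `else if(result)` after the warning and route it to the function's existing error handling. The `CURLE_NOT_BUILT_IN` branch also continues unpinned with only a warning, matching the `--pinnedpubkey` code in the context lines above, so a comment such as `/* pin is not enforced on this TLS backend; the transfer continues unpinned */` would make that a visible decision. `single_transfer()` starts and ends outside the hunk, so how `result` is used after these lines cannot be confirmed from here.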