curl: add --proxy-pinnedpubkey

To verify a proxy's public key. For when using HTTPS proxies.

Fixes #2192
Closes #2268

src/tool_cfgable.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -113,6 +113,7 @@ static void free_config_fields(struct OperationConfig *config)
   Curl_safefree(config->proxy_capath);
   Curl_safefree(config->crlfile);
   Curl_safefree(config->pinnedpubkey);
+  Curl_safefree(config->proxy_pinnedpubkey);
   Curl_safefree(config->proxy_crlfile);
   Curl_safefree(config->key);
   Curl_safefree(config->proxy_key);

src/tool_cfgable.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -128,6 +128,7 @@ struct OperationConfig {
   char *crlfile;
   char *proxy_crlfile;
   char *pinnedpubkey;
+  char *proxy_pinnedpubkey;
   char *key;
   char *proxy_key;
   char *key_type;

src/tool_getparam.c

@@ -232,6 +232,7 @@ static const struct LongShort aliases[]= {
   {"En", "ssl-allow-beast",          ARG_BOOL},
   {"Eo", "login-options",            ARG_STRING},
   {"Ep", "pinnedpubkey",             ARG_STRING},
+  {"EP", "proxy-pinnedpubkey",       ARG_STRING},
   {"Eq", "cert-status",              ARG_BOOL},
   {"Er", "false-start",              ARG_BOOL},
   {"Es", "ssl-no-revoke",            ARG_BOOL},
@@ -1500,6 +1501,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
         GetStr(&config->pinnedpubkey, nextarg);
         break;
 
+      case 'P': /* proxy pinned public key */
+        GetStr(&config->proxy_pinnedpubkey, nextarg);
+        break;
+
       case 'q': /* --cert-status */
         config->verifystatus = TRUE;
         break;

src/tool_help.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -314,6 +314,8 @@ static const struct helptxt helptext[] = {
    "Use NTLM authentication on the proxy"},
   {"    --proxy-pass <phrase>",
    "Pass phrase for the private key for HTTPS proxy"},
+  {"    --proxy-pinnedpubkey <hashes>",
+   "FILE/HASHES public key to verify proxy with"},
   {"    --proxy-service-name <name>",
    "SPNEGO proxy service name"},
   {"    --proxy-ssl-allow-beast",