| From 6180ef7c19defa9f77ae166acb8b63ed98a9c09a Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Wed, 4 Aug 2021 03:05:45 +0000 |
| Subject: [PATCH] sectransp: check for client certs by name first, then file |
| |
| CVE-2021-22926 |
| |
| Bug: https://curl.se/docs/CVE-2021-22926.html |
| |
| Assisted-by: Daniel Gustafsson |
| Reported-by: Harry Sintonen |
| |
| CVE: CVE-2021-22926 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05] |
| |
| Signed-off-by: Mingli Yu <mingli.yu@windriver.com> |
| --- |
| lib/vtls/sectransp.c | 33 +++++++++++++++++++-------------- |
| 1 file changed, 19 insertions(+), 14 deletions(-) |
| |
| diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c |
| index 37b41f8..f8effde 100644 |
| --- a/lib/vtls/sectransp.c |
| +++ b/lib/vtls/sectransp.c |
| @@ -32,6 +32,7 @@ |
| #include "curl_base64.h" |
| #include "strtok.h" |
| #include "multiif.h" |
| +#include "strcase.h" |
| |
| #ifdef USE_SECTRANSP |
| |
| @@ -1648,24 +1649,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, |
| bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); |
| SecIdentityRef cert_and_key = NULL; |
| |
| - /* User wants to authenticate with a client cert. Look for it: |
| - If we detect that this is a file on disk, then let's load it. |
| - Otherwise, assume that the user wants to use an identity loaded |
| - from the Keychain. */ |
| - if(is_cert_file || is_cert_data) { |
| + /* User wants to authenticate with a client cert. Look for it. Assume that |
| + the user wants to use an identity loaded from the Keychain. If not, try |
| + it as a file on disk */ |
| + |
| + if(!is_cert_data) |
| + err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); |
| + else |
| + err = !noErr; |
| + if((err != noErr) && (is_cert_file || is_cert_data)) { |
| if(!SSL_SET_OPTION(cert_type)) |
| - infof(data, "WARNING: SSL: Certificate type not set, assuming " |
| - "PKCS#12 format.\n"); |
| - else if(strncmp(SSL_SET_OPTION(cert_type), "P12", |
| - strlen(SSL_SET_OPTION(cert_type))) != 0) |
| - infof(data, "WARNING: SSL: The Security framework only supports " |
| - "loading identities that are in PKCS#12 format.\n"); |
| + infof(data, "SSL: Certificate type not set, assuming " |
| + "PKCS#12 format."); |
| + else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { |
| + failf(data, "SSL: The Security framework only supports " |
| + "loading identities that are in PKCS#12 format."); |
| + return CURLE_SSL_CERTPROBLEM; |
| + } |
| |
| err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, |
| - SSL_SET_OPTION(key_passwd), &cert_and_key); |
| + SSL_SET_OPTION(key_passwd), |
| + &cert_and_key); |
| } |
| - else |
| - err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); |
| |
| if(err == noErr && cert_and_key) { |
| SecCertificateRef cert = NULL; |
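Review bot: With the new ordering introduced by `if(!is_cert_data) err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);`, a Keychain identity whose label happens to equal the `--cert` path now silently wins over the file on disk, and nothing tells the user which source supplied the identity; since ambiguous credential selection is exactly the class of problem this CVE fix addresses, I would log the outcome, e.g. `infof(data, "SSL: using client identity '%s' from the Keychain", ssl_cert);` when the label lookup succeeds and a matching message before the PKCS#12 load. The placeholder `err = !noErr;` is also worth replacing with a genuine Security error code (`err = errSecItemNotFound;`, if that constant is in scope in this file) so any later diagnostic that prints `err` shows a meaningful value rather than 1. Note too that a failure from CopyIdentityWithLabel other than "not found" (locked keychain, access denied) falls through to the file path just the same, which is presumably intended but deserves a one-line comment at the `if((err != noErr) && ...)` check. sectransp_connect_step1 begins and continues outside this hunk, so I cannot see how `err` is reported when both lookups fail.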
| -- |
| 2.31.1 |
| |