poky/meta/recipes-support/curl/curl/CVE-2021-22926.patch - openbmc/openbmc - Gitiles

 From 6180ef7c19defa9f77ae166acb8b63ed98a9c09a Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Wed, 4 Aug 2021 03:05:45 +0000
 Subject: [PATCH] sectransp: check for client certs by name first, then file

 CVE-2021-22926

 Bug: https://curl.se/docs/CVE-2021-22926.html

 Assisted-by: Daniel Gustafsson
 Reported-by: Harry Sintonen

 CVE: CVE-2021-22926

 Upstream-Status: Backport [https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05]

 Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
 ---
  lib/vtls/sectransp.c | 33 +++++++++++++++++++--------------
  1 file changed, 19 insertions(+), 14 deletions(-)

 diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
 index 37b41f8..f8effde 100644
 --- a/lib/vtls/sectransp.c
 +++ b/lib/vtls/sectransp.c
 @@ -32,6 +32,7 @@
  #include "curl_base64.h"
  #include "strtok.h"
  #include "multiif.h"
 +#include "strcase.h"

  #ifdef USE_SECTRANSP

 @@ -1648,24 +1649,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
      bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
      SecIdentityRef cert_and_key = NULL;

 -    /* User wants to authenticate with a client cert. Look for it:
 -       If we detect that this is a file on disk, then let's load it.
 -       Otherwise, assume that the user wants to use an identity loaded
 -       from the Keychain. */
 -    if(is_cert_file || is_cert_data) {
 +    /* User wants to authenticate with a client cert. Look for it. Assume that
 +       the user wants to use an identity loaded from the Keychain. If not, try
 +       it as a file on disk */
 +
 +    if(!is_cert_data)
 +      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
 +    else
 +      err = !noErr;
 +    if((err != noErr) && (is_cert_file || is_cert_data)) {
        if(!SSL_SET_OPTION(cert_type))
 -        infof(data, "WARNING: SSL: Certificate type not set, assuming "
 -                    "PKCS#12 format.\n");
 -      else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
 -        strlen(SSL_SET_OPTION(cert_type))) != 0)
 -        infof(data, "WARNING: SSL: The Security framework only supports "
 -                    "loading identities that are in PKCS#12 format.\n");
 +        infof(data, "SSL: Certificate type not set, assuming "
 +              "PKCS#12 format.");
 +      else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
 +        failf(data, "SSL: The Security framework only supports "
 +              "loading identities that are in PKCS#12 format.");
 +        return CURLE_SSL_CERTPROBLEM;
 +      }

        err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
 -        SSL_SET_OPTION(key_passwd), &cert_and_key);
 +                                       SSL_SET_OPTION(key_passwd),
 +                                       &cert_and_key);
      }
 -    else
 -      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);

      if(err == noErr && cert_and_key) {
        SecCertificateRef cert = NULL;
 --
 2.31.1
	From 6180ef7c19defa9f77ae166acb8b63ed98a9c09a Mon Sep 17 00:00:00 2001
	From: Daniel Stenberg <daniel@haxx.se>
	Date: Wed, 4 Aug 2021 03:05:45 +0000
	Subject: [PATCH] sectransp: check for client certs by name first, then file

	CVE-2021-22926

	Bug: https://curl.se/docs/CVE-2021-22926.html

	Assisted-by: Daniel Gustafsson
	Reported-by: Harry Sintonen

	CVE: CVE-2021-22926

	Upstream-Status: Backport [https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05]

	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
	---
	lib/vtls/sectransp.c \| 33 +++++++++++++++++++--------------
	1 file changed, 19 insertions(+), 14 deletions(-)

	diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
	index 37b41f8..f8effde 100644
	--- a/lib/vtls/sectransp.c
	+++ b/lib/vtls/sectransp.c
	@@ -32,6 +32,7 @@
	#include "curl_base64.h"
	#include "strtok.h"
	#include "multiif.h"
	+#include "strcase.h"

	#ifdef USE_SECTRANSP

	@@ -1648,24 +1649,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
	bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
	SecIdentityRef cert_and_key = NULL;

	- /* User wants to authenticate with a client cert. Look for it:
	- If we detect that this is a file on disk, then let's load it.
	- Otherwise, assume that the user wants to use an identity loaded
	- from the Keychain. */
	- if(is_cert_file \|\| is_cert_data) {
	+ /* User wants to authenticate with a client cert. Look for it. Assume that
	+ the user wants to use an identity loaded from the Keychain. If not, try
	+ it as a file on disk */
	+
	+ if(!is_cert_data)
	+ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
	+ else
	+ err = !noErr;
	+ if((err != noErr) && (is_cert_file \|\| is_cert_data)) {
	if(!SSL_SET_OPTION(cert_type))
	- infof(data, "WARNING: SSL: Certificate type not set, assuming "
	- "PKCS#12 format.\n");
	- else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
	- strlen(SSL_SET_OPTION(cert_type))) != 0)
	- infof(data, "WARNING: SSL: The Security framework only supports "
	- "loading identities that are in PKCS#12 format.\n");
	+ infof(data, "SSL: Certificate type not set, assuming "
	+ "PKCS#12 format.");
	+ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
	+ failf(data, "SSL: The Security framework only supports "
	+ "loading identities that are in PKCS#12 format.");
	+ return CURLE_SSL_CERTPROBLEM;
	+ }

	err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
	- SSL_SET_OPTION(key_passwd), &cert_and_key);
	+ SSL_SET_OPTION(key_passwd),
	+ &cert_and_key);
	}
	- else
	- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);

	if(err == noErr && cert_and_key) {
	SecCertificateRef cert = NULL;
	--
	2.31.1