sectransp: check for client certs by name first, then file
CVE-2021-22926 Bug: https://curl.se/docs/CVE-2021-22926.html Assisted-by: Daniel Gustafsson Reported-by: Harry Sintonen
parent
894f6ec730
commit
fd9b40bf8d
|
@ -32,6 +32,7 @@
|
||||||
#include "curl_base64.h"
|
#include "curl_base64.h"
|
||||||
#include "strtok.h"
|
#include "strtok.h"
|
||||||
#include "multiif.h"
|
#include "multiif.h"
|
||||||
|
#include "strcase.h"
|
||||||
|
|
||||||
#ifdef USE_SECTRANSP
|
#ifdef USE_SECTRANSP
|
||||||
|
|
||||||
|
@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
||||||
bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
|
bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
|
||||||
SecIdentityRef cert_and_key = NULL;
|
SecIdentityRef cert_and_key = NULL;
|
||||||
|
|
||||||
/* User wants to authenticate with a client cert. Look for it:
|
/* User wants to authenticate with a client cert. Look for it. Assume that
|
||||||
If we detect that this is a file on disk, then let's load it.
|
the user wants to use an identity loaded from the Keychain. If not, try
|
||||||
Otherwise, assume that the user wants to use an identity loaded
|
it as a file on disk */
|
||||||
from the Keychain. */
|
|
||||||
if(is_cert_file || is_cert_data) {
|
if(!is_cert_data)
|
||||||
|
err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
|
||||||
|
else
|
||||||
|
err = !noErr;
|
||||||
|
if((err != noErr) && (is_cert_file || is_cert_data)) {
|
||||||
if(!SSL_SET_OPTION(cert_type))
|
if(!SSL_SET_OPTION(cert_type))
|
||||||
infof(data, "WARNING: SSL: Certificate type not set, assuming "
|
infof(data, "SSL: Certificate type not set, assuming "
|
||||||
"PKCS#12 format.");
|
"PKCS#12 format.");
|
||||||
else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
|
else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
|
||||||
strlen(SSL_SET_OPTION(cert_type))) != 0)
|
failf(data, "SSL: The Security framework only supports "
|
||||||
infof(data, "WARNING: SSL: The Security framework only supports "
|
|
||||||
"loading identities that are in PKCS#12 format.");
|
"loading identities that are in PKCS#12 format.");
|
||||||
|
return CURLE_SSL_CERTPROBLEM;
|
||||||
|
}
|
||||||
|
|
||||||
err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
|
err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
|
||||||
SSL_SET_OPTION(key_passwd), &cert_and_key);
|
SSL_SET_OPTION(key_passwd),
|
||||||
|
&cert_and_key);
|
||||||
}
|
}
|
||||||
else
|
|
||||||
err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
|
|
||||||
|
|
||||||
if(err == noErr && cert_and_key) {
|
if(err == noErr && cert_and_key) {
|
||||||
SecCertificateRef cert = NULL;
|
SecCertificateRef cert = NULL;
|
||||||
|
|
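Review bot: With the new ordering, an `ssl_cert` value that is both an existing file and a Keychain identity label now silently resolves to the Keychain identity (the `CopyIdentityWithLabel` call directly under the rewritten comment), so the file-vs-name ambiguity behind the CVE is inverted rather than surfaced; after that call I would add `if(err == noErr && is_cert_file) infof(data, "SSL: '%s' matched a Keychain identity, ignoring the file of the same name", ssl_cert);` so an operator can tell which source was used. The `err = !noErr;` sentinel is only safe because the blob case always satisfies the following `(err != noErr) && (is_cert_file || is_cert_data)` test and overwrites it; a named status such as `err = errSecItemNotFound;` would state the intent and would not leak the value 1 as an OSStatus if that control flow is ever changed. The non-P12 `cert_type` check now correctly fails hard with `CURLE_SSL_CERTPROBLEM`, but only on the file/blob path — a Keychain hit ignores `cert_type` entirely, which looks intended and deserves a one-line comment saying so. `sectransp_connect_step1` begins and ends outside this hunk.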