sectransp: check for client certs by name first, then file

CVE-2021-22926

Bug: https://curl.se/docs/CVE-2021-22926.html

Assisted-by: Daniel Gustafsson
Reported-by: Harry Sintonen
Daniel Stenberg 2021-06-21 10:35:09 +02:00
parent 894f6ec730
commit fd9b40bf8d
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 19 additions and 14 deletions


@ -32,6 +32,7 @@
#include "curl_base64.h" #include "curl_base64.h"
#include "strtok.h" #include "strtok.h"
#include "multiif.h" #include "multiif.h"
#include "strcase.h"
#ifdef USE_SECTRANSP #ifdef USE_SECTRANSP
@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
SecIdentityRef cert_and_key = NULL; SecIdentityRef cert_and_key = NULL;
/* User wants to authenticate with a client cert. Look for it: /* User wants to authenticate with a client cert. Look for it. Assume that
If we detect that this is a file on disk, then let's load it. the user wants to use an identity loaded from the Keychain. If not, try
Otherwise, assume that the user wants to use an identity loaded it as a file on disk */
from the Keychain. */
if(is_cert_file || is_cert_data) { if(!is_cert_data)
err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
else
err = !noErr;
if((err != noErr) && (is_cert_file || is_cert_data)) {
if(!SSL_SET_OPTION(cert_type)) if(!SSL_SET_OPTION(cert_type))
infof(data, "WARNING: SSL: Certificate type not set, assuming " infof(data, "SSL: Certificate type not set, assuming "
"PKCS#12 format."); "PKCS#12 format.");
else if(strncmp(SSL_SET_OPTION(cert_type), "P12", else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
strlen(SSL_SET_OPTION(cert_type))) != 0) failf(data, "SSL: The Security framework only supports "
infof(data, "WARNING: SSL: The Security framework only supports "
"loading identities that are in PKCS#12 format."); "loading identities that are in PKCS#12 format.");
return CURLE_SSL_CERTPROBLEM;
}
err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
SSL_SET_OPTION(key_passwd), &cert_and_key); SSL_SET_OPTION(key_passwd),
&cert_and_key);
} }
else
err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
if(err == noErr && cert_and_key) { if(err == noErr && cert_and_key) {
SecCertificateRef cert = NULL; SecCertificateRef cert = NULL;
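Review bot: The new comment ("Assume that the user wants to use an identity loaded from the Keychain. If not, try it as a file on disk") describes the order but not why it matters, and the reason is the whole point of this commit: a file on disk with the same name as a keychain label must not shadow the identity; I would add `/* Keychain lookup comes first on purpose: a same-named file must not take precedence over the identity (CVE-2021-22926) */` above the `if(!is_cert_data)` so nobody later "optimizes" the order back. `err = !noErr;` in the `else` branch relies on noErr being 0 and reads like a boolean; a one-line comment such as `/* blob given: skip the keychain and force the PKCS#12 path below */` (or a named OSStatus sentinel) would make the intent explicit. When `CopyIdentityWithLabel` returns a non-noErr status the code falls through to the file path without recording why; presumably that status can mean more than "no such label" (e.g. keychain access problems), so an `infof(data, "SSL: keychain lookup for '%s' failed (%d), trying as file", ssl_cert, (int)err);` before the fallback would help diagnose a wrong identity being loaded. The enclosing sectransp_connect_step1 starts and ends outside this hunk.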