author: Niels Martignène <niels.martignene@protonmail.com> 2022-01-11 03:25:00 -0500
committer: Jay Satiro <raysatiro@yahoo.com> 2022-01-15 16:57:36 -0500
commit: 6c084fd47ca69e9d93c062ba76ce7f3c4b4f78a6
tree: 28c16246ae53ed0ef2375bdddb3c54ac5360f757
parent: 3aee3612b466418612c685cc9dfb2878ff3ad89c
download: curl-6c084fd47ca69e9d93c062ba76ce7f3c4b4f78a6.tar.gz
mbedtls: fix CURLOPT_SSLCERT_BLOB (again)
- Increase the buffer length passed to mbedtls_x509_crt_parse to account for the null byte appended to the temporary blob.

Follow-up to 867ad1c which uses a null terminated copy of the certificate blob, because mbedtls_x509_crt_parse requires PEM data to be null terminated.

Ref: https://github.com/curl/curl/commit/867ad1c#r63439893
Ref: https://github.com/curl/curl/pull/8146

Closes https://github.com/curl/curl/pull/8260
 docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3 | 9
 lib/vtls/mbedtls.c                       | 2
 2 files changed, 6 insertions(+), 5 deletions(-)
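The failure mode this commit fixes is easy to reproduce without a TLS handshake. The added example below is not curl's or mbedTLS's code: it reimplements, for illustration only, the PEM-versus-DER decision mbedtls_x509_crt_parse makes (the buffer is taken as PEM only when the byte at buflen-1 is a NUL and the PEM header is present), builds the NUL-terminated copy the way curl does, and shows that passing the blob length alone (the pre-fix call) never reaches the PEM path, while passing length plus one does. The certificate body is a constructed placeholder, and the helper names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reimplementation (not mbedTLS code) of the check mbedtls_x509_crt_parse uses
 * to decide between PEM and DER: the last counted byte must be NUL and the text
 * must contain the PEM header, otherwise the buffer is handed to the DER parser. */
static int mbed_would_treat_as_pem(const unsigned char *buf, size_t buflen)
{
    if(buflen == 0 || buf[buflen - 1] != '\0')
        return 0;
    return strstr((const char *)buf, "-----BEGIN CERTIFICATE-----") != NULL;
}

/* Build the NUL-terminated copy that curl hands to mbedTLS and report the
 * length that must accompany it: blob length plus the terminator. Caller frees. */
static unsigned char *pem_blob_for_mbedtls(const unsigned char *data, size_t len,
                                           size_t *parselen)
{
    unsigned char *copy = malloc(len + 1);
    if(!copy)
        return NULL;
    memcpy(copy, data, len);
    copy[len] = 0;          /* null terminate, as lib/vtls/mbedtls.c does */
    *parselen = len + 1;    /* the terminator must be counted in buflen */
    return copy;
}

/* Constructed sample blob: a PEM envelope around placeholder base64, with no
 * trailing NUL, exactly what an application stores in curl_blob.data/len. */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "placeholderbase64body==\n"
    "-----END CERTIFICATE-----\n";

/* Returns 1 if the sample blob would be recognised as PEM, 0 if it would fall
 * through to DER parsing, -1 on allocation failure. With count_terminator == 0
 * the length passed is the blob length (the pre-fix behaviour); with 1 it is
 * blob length + 1 (this commit). */
int blob_recognised_as_pem(int count_terminator)
{
    size_t bloblen = sizeof(sample_pem) - 1;   /* curl_blob.len: no NUL counted */
    size_t parselen;
    int rc;
    unsigned char *copy = pem_blob_for_mbedtls((const unsigned char *)sample_pem,
                                               bloblen, &parselen);
    if(!copy)
        return -1;
    if(!count_terminator)
        parselen = bloblen;   /* terminator written but not counted: not PEM */
    rc = mbed_would_treat_as_pem(copy, parselen);
    free(copy);
    return rc;
}

int main(void)
{
    printf("buflen = len     -> treated as PEM: %d\n", blob_recognised_as_pem(0));
    printf("buflen = len + 1 -> treated as PEM: %d\n", blob_recognised_as_pem(1));
    return 0;
}
```

The same rule explains why a DER blob was unaffected by the original bug: DER data is never NUL-terminated, so it took the DER path with either length, which is what makes the PEM-only symptom easy to miss in a test suite that only exercises DER client certificates.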
diff --git a/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3 b/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
index 41a7562ae..994c52b9f 100644
--- a/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
+++ b/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
@@ -33,8 +33,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERT_BLOB,
.SH DESCRIPTION
Pass a pointer to a curl_blob structure, which contains (pointer and size) a
client certificate. The format must be "P12" on Secure Transport or
-Schannel. The format must be "P12" or "PEM" on OpenSSL. The string "P12" or
-"PEM" must be specified with \fICURLOPT_SSLCERTTYPE(3)\fP.
+Schannel. The format must be "P12" or "PEM" on OpenSSL. The format must be
+"DER" or "PEM" on mbedTLS. The format must be specified with
+\fICURLOPT_SSLCERTTYPE(3)\fP.
If the blob is initialized with the flags member of struct curl_blob set to
CURL_BLOB_COPY, the application does not have to keep the buffer around after
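Review bot: the DESCRIPTION now states the accepted formats as four near-identical sentences ("P12" on Secure Transport or Schannel, "P12" or "PEM" on OpenSSL, "DER" or "PEM" on mbedTLS) before the closing "The format must be specified with CURLOPT_SSLCERTTYPE(3)"; a short per-backend list would be easier to keep accurate the next time a backend gains blob support and would make it unambiguous that the CURLOPT_SSLCERTTYPE(3) requirement applies to every backend, not only to the last one named. Also worth stating in this paragraph that mbedTLS takes a private copy of the blob (the commit message says a null-terminated copy is made), since the CURL_BLOB_COPY sentence that follows otherwise reads as if the application is the only party that copies.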
@@ -63,8 +64,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
-Added in 7.71.0. This option is supported by the OpenSSL, Secure Transport and
-Schannel backends.
+Added in 7.71.0. This option is supported by the OpenSSL, Secure Transport,
+Schannel and mbedTLS (since 7.78.0) backends.
.SH RETURN VALUE
Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 2d0e875e4..4dd7efa2b 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -388,7 +388,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
newblob[ssl_cert_blob->len] = 0; /* null terminate */
ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
- ssl_cert_blob->len);
+ ssl_cert_blob->len + 1);
free(newblob);
if(ret) {
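Review bot: the `ssl_cert_blob->len + 1` is correct for PEM, since the commit message says mbedtls_x509_crt_parse requires PEM data to be null terminated and the byte written by `newblob[ssl_cert_blob->len] = 0;` on the line above is only seen by the parser if it is counted in buflen, but the man-page hunk in this same commit documents "DER" for mbedTLS too, and for a DER blob that extra zero byte is now counted as part of the certificate data. Please add a one-line comment next to the call saying the terminator is deliberately included in the length (a later reader will otherwise "fix" it back), and confirm with a DER client certificate that mbedTLS tolerates the trailing byte being counted, so both formats the docs now promise are covered by a test.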