author | Daniel Stenberg <daniel@haxx.se> | 2021-06-21 10:35:09 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-07-20 09:36:06 +0200 |
commit | fd9b40bf8dfd43edcbc0d254d613d95a11061c05 (patch) | |
tree | 52ce0e2b50704e0ea2ce720b95340ead01508171 /lib | |
parent | 894f6ec730597eb243618d33cc84d71add8d6a8a (diff) | |
download | curl-fd9b40bf8dfd43edcbc0d254d613d95a11061c05.tar.gz |
sectransp: check for client certs by name first, then file
CVE-2021-22926
Bug: https://curl.se/docs/CVE-2021-22926.html
Assisted-by: Daniel Gustafsson
Reported-by: Harry Sintonen
Diffstat (limited to 'lib')
-rw-r--r-- | lib/vtls/sectransp.c | 33 |
1 files changed, 19 insertions, 14 deletions
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 21ca0824b..26b833dd2 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -32,6 +32,7 @@
 #include "curl_base64.h"
 #include "strtok.h"
 #include "multiif.h"
+#include "strcase.h"
 
 #ifdef USE_SECTRANSP
 
@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
     bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
     SecIdentityRef cert_and_key = NULL;
 
-    /* User wants to authenticate with a client cert. Look for it:
-       If we detect that this is a file on disk, then let's load it.
-       Otherwise, assume that the user wants to use an identity loaded
-       from the Keychain. */
-    if(is_cert_file || is_cert_data) {
+    /* User wants to authenticate with a client cert. Look for it. Assume that
+       the user wants to use an identity loaded from the Keychain. If not, try
+       it as a file on disk */
+
+    if(!is_cert_data)
+      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+    else
+      err = !noErr;
+    if((err != noErr) && (is_cert_file || is_cert_data)) {
       if(!SSL_SET_OPTION(cert_type))
-        infof(data, "WARNING: SSL: Certificate type not set, assuming "
-              "PKCS#12 format.");
-        else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
-                  strlen(SSL_SET_OPTION(cert_type))) != 0)
-          infof(data, "WARNING: SSL: The Security framework only supports "
-                "loading identities that are in PKCS#12 format.");
+        infof(data, "SSL: Certificate type not set, assuming "
+              "PKCS#12 format.");
+      else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
+        failf(data, "SSL: The Security framework only supports "
+              "loading identities that are in PKCS#12 format.");
+        return CURLE_SSL_CERTPROBLEM;
+      }
       err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
-                                       SSL_SET_OPTION(key_passwd), &cert_and_key);
+                                       SSL_SET_OPTION(key_passwd),
+                                       &cert_and_key);
     }
-    else
-      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
 
     if(err == noErr && cert_and_key) {
       SecCertificateRef cert = NULL;