summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2021-06-21 10:35:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-07-20 09:36:06 +0200
commitfd9b40bf8dfd43edcbc0d254d613d95a11061c05 (patch)
tree52ce0e2b50704e0ea2ce720b95340ead01508171 /lib
parent894f6ec730597eb243618d33cc84d71add8d6a8a (diff)
downloadcurl-fd9b40bf8dfd43edcbc0d254d613d95a11061c05.tar.gz
sectransp: check for client certs by name first, then file
CVE-2021-22926 Bug: https://curl.se/docs/CVE-2021-22926.html Assisted-by: Daniel Gustafsson Reported-by: Harry Sintonen
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/sectransp.c33
1 files changed, 19 insertions, 14 deletions
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 21ca0824b..26b833dd2 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -32,6 +32,7 @@
#include "curl_base64.h"
#include "strtok.h"
#include "multiif.h"
+#include "strcase.h"
#ifdef USE_SECTRANSP
@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
SecIdentityRef cert_and_key = NULL;
- /* User wants to authenticate with a client cert. Look for it:
- If we detect that this is a file on disk, then let's load it.
- Otherwise, assume that the user wants to use an identity loaded
- from the Keychain. */
- if(is_cert_file || is_cert_data) {
+ /* User wants to authenticate with a client cert. Look for it. Assume that
+ the user wants to use an identity loaded from the Keychain. If not, try
+ it as a file on disk */
+
+ if(!is_cert_data)
+ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+ else
+ err = !noErr;
+ if((err != noErr) && (is_cert_file || is_cert_data)) {
if(!SSL_SET_OPTION(cert_type))
- infof(data, "WARNING: SSL: Certificate type not set, assuming "
- "PKCS#12 format.");
- else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
- strlen(SSL_SET_OPTION(cert_type))) != 0)
- infof(data, "WARNING: SSL: The Security framework only supports "
- "loading identities that are in PKCS#12 format.");
+ infof(data, "SSL: Certificate type not set, assuming "
+ "PKCS#12 format.");
+ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
+ failf(data, "SSL: The Security framework only supports "
+ "loading identities that are in PKCS#12 format.");
+ return CURLE_SSL_CERTPROBLEM;
+ }
err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
- SSL_SET_OPTION(key_passwd), &cert_and_key);
+ SSL_SET_OPTION(key_passwd),
+ &cert_and_key);
}
- else
- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
if(err == noErr && cert_and_key) {
SecCertificateRef cert = NULL;