From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 21 Jun 2021 10:35:09 +0200 Subject: sectransp: check for client certs by name first, then file CVE-2021-22926 Bug: https://curl.se/docs/CVE-2021-22926.html Assisted-by: Daniel Gustafsson Reported-by: Harry Sintonen --- lib/vtls/sectransp.c | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c index 21ca0824b..26b833dd2 100644 --- a/lib/vtls/sectransp.c +++ b/lib/vtls/sectransp.c @@ -32,6 +32,7 @@ #include "curl_base64.h" #include "strtok.h" #include "multiif.h" +#include "strcase.h" #ifdef USE_SECTRANSP @@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); SecIdentityRef cert_and_key = NULL; - /* User wants to authenticate with a client cert. Look for it: - If we detect that this is a file on disk, then let's load it. - Otherwise, assume that the user wants to use an identity loaded - from the Keychain. */ - if(is_cert_file || is_cert_data) { + /* User wants to authenticate with a client cert. Look for it. Assume that + the user wants to use an identity loaded from the Keychain. If not, try + it as a file on disk */ + + if(!is_cert_data) + err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); + else + err = !noErr; + if((err != noErr) && (is_cert_file || is_cert_data)) { if(!SSL_SET_OPTION(cert_type)) - infof(data, "WARNING: SSL: Certificate type not set, assuming " - "PKCS#12 format."); - else if(strncmp(SSL_SET_OPTION(cert_type), "P12", - strlen(SSL_SET_OPTION(cert_type))) != 0) - infof(data, "WARNING: SSL: The Security framework only supports " - "loading identities that are in PKCS#12 format."); + infof(data, "SSL: Certificate type not set, assuming " + "PKCS#12 format."); + else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { + failf(data, "SSL: The Security framework only supports " + "loading identities that are in PKCS#12 format."); + return CURLE_SSL_CERTPROBLEM; + } err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, - SSL_SET_OPTION(key_passwd), &cert_and_key); + SSL_SET_OPTION(key_passwd), + &cert_and_key); } - else - err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); if(err == noErr && cert_and_key) { SecCertificateRef cert = NULL; -- cgit v1.2.1