[gnurl] 402/411: openssl: make the OCSP verification verify the certific
From: |
gnunet |
Subject: |
[gnurl] 402/411: openssl: make the OCSP verification verify the certificate id |
Date: |
Wed, 13 Jan 2021 01:23:37 +0100 |
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit d9d01672785b8ac04aab1abb6de95fe3072ae199
Author: Daniel Stenberg <daniel@haxx.se>
AuthorDate: Wed Dec 2 23:01:11 2020 +0100
openssl: make the OCSP verification verify the certificate id
CVE-2020-8286
Reported by anonymous
Bug: https://curl.se/docs/CVE-2020-8286.html
---
lib/vtls/openssl.c | 83 +++++++++++++++++++++++++++++++++++-------------------
1 file changed, 54 insertions(+), 29 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c905465a0..e9c535f8f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1795,6 +1795,11 @@ static CURLcode verifystatus(struct connectdata *conn,
X509_STORE *st = NULL;
STACK_OF(X509) *ch = NULL;
struct ssl_backend_data *backend = connssl->backend;
+ X509 *cert;
+ OCSP_CERTID *id = NULL;
+ int cert_status, crl_reason;
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+ int ret;
long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
@@ -1863,43 +1868,63 @@ static CURLcode verifystatus(struct connectdata *conn,
goto end;
}
- for(i = 0; i < OCSP_resp_count(br); i++) {
- int cert_status, crl_reason;
- OCSP_SINGLERESP *single = NULL;
-
- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+ /* Compute the certificate's ID */
+ cert = SSL_get_peer_certificate(backend->handle);
+ if(!cert) {
+ failf(data, "Error getting peer certficate");
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ goto end;
+ }
- single = OCSP_resp_get0(br, i);
- if(!single)
- continue;
+ for(i = 0; i < sk_X509_num(ch); i++) {
+ X509 *issuer = sk_X509_value(ch, i);
+ if(X509_check_issued(issuer, cert) == X509_V_OK) {
+ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+ break;
+ }
+ }
+ X509_free(cert);
- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
- &thisupd, &nextupd);
+ if(!id) {
+ failf(data, "Error computing OCSP ID");
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ goto end;
+ }
- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
- failf(data, "OCSP response has expired");
- result = CURLE_SSL_INVALIDCERTSTATUS;
- goto end;
- }
+ /* Find the single OCSP response corresponding to the certificate ID */
+ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
+ &thisupd, &nextupd);
+ OCSP_CERTID_free(id);
+ if(ret != 1) {
+ failf(data, "Could not find certificate ID in OCSP response");
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ goto end;
+ }
- infof(data, "SSL certificate status: %s (%d)\n",
- OCSP_cert_status_str(cert_status), cert_status);
+ /* Validate the corresponding single OCSP response */
+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+ failf(data, "OCSP response has expired");
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ goto end;
+ }
- switch(cert_status) {
- case V_OCSP_CERTSTATUS_GOOD:
- break;
+ infof(data, "SSL certificate status: %s (%d)\n",
+ OCSP_cert_status_str(cert_status), cert_status);
- case V_OCSP_CERTSTATUS_REVOKED:
- result = CURLE_SSL_INVALIDCERTSTATUS;
+ switch(cert_status) {
+ case V_OCSP_CERTSTATUS_GOOD:
+ break;
- failf(data, "SSL certificate revocation reason: %s (%d)",
- OCSP_crl_reason_str(crl_reason), crl_reason);
- goto end;
+ case V_OCSP_CERTSTATUS_REVOKED:
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ failf(data, "SSL certificate revocation reason: %s (%d)",
+ OCSP_crl_reason_str(crl_reason), crl_reason);
+ goto end;
- case V_OCSP_CERTSTATUS_UNKNOWN:
- result = CURLE_SSL_INVALIDCERTSTATUS;
- goto end;
- }
+ case V_OCSP_CERTSTATUS_UNKNOWN:
+ default:
+ result = CURLE_SSL_INVALIDCERTSTATUS;
+ goto end;
}
end:
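Review bot: The CertID is computed with a fixed digest, `id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);`, so `OCSP_resp_find_status` will only match a single response whose CertID was built with SHA-1; a responder keying its CertID on another digest now fails with "Could not find certificate ID in OCSP response", which is the safe direction but is an undocumented assumption that deserves a comment such as `/* CertID is matched on SHA-1 only; responses keyed on another digest are rejected, not accepted */`. The error string in `failf(data, "Error getting peer certficate");` has a typo and should read `"Error getting peer certificate"`. The loop over `ch` relies on `X509_check_issued` picking the first chain element that looks like the issuer; that is presumably adequate because `ch` was already used with `OCSP_basic_verify` earlier in the function, but that part of verifystatus lies outside this hunk, as does the function's start and end. If `ch` can be NULL there, `sk_X509_num` returns -1, the loop is skipped and the `!id` branch reports the failure, which is the correct fail-closed behaviour.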
--