1 files changed, 131 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8286.patch b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
new file mode 100644
index 0000000000..8c75cba844
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
@@ -0,0 +1,131 @@
+From 5d3b28deac44c19e4d73fc80e4917d42ee43adfe Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+CVE-2020-8286
+Reported by anonymous
+Bug: https://curl.se/docs/CVE-2020-8286.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit/d9d01672785b]
+CVE: CVE-2020-8286
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ lib/vtls/openssl.c | 83 +++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 54 insertions(+), 29 deletions(-)
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1685a4a..22cbfe7 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -1777,6 +1777,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+   X509_STORE     *st = NULL;
+   STACK_OF(X509) *ch = NULL;
+   struct ssl_backend_data *backend = connssl->backend;
+  X509 *cert;
+  OCSP_CERTID *id = NULL;
+  int cert_status, crl_reason;
+  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+  int ret;
+ 
+   long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
+ 
+@@ -1845,43 +1850,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+     goto end;
+   }
+ 
+-  for(i = 0; i < OCSP_resp_count(br); i++) {
+-    int cert_status, crl_reason;
+-    OCSP_SINGLERESP *single = NULL;
+-
+-    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+  /* Compute the certificate's ID */
+  cert = SSL_get_peer_certificate(backend->handle);
+  if(!cert) {
+    failf(data, "Error getting peer certficate");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    single = OCSP_resp_get0(br, i);
+-    if(!single)
+-      continue;
+  for(i = 0; i < sk_X509_num(ch); i++) {
+    X509 *issuer = sk_X509_value(ch, i);
+    if(X509_check_issued(issuer, cert) == X509_V_OK) {
+      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+      break;
+    }
+  }
+  X509_free(cert);
+ 
+-    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+-                                          &thisupd, &nextupd);
+  if(!id) {
+    failf(data, "Error computing OCSP ID");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+-      failf(data, "OCSP response has expired");
+-      result = CURLE_SSL_INVALIDCERTSTATUS;
+-      goto end;
+-    }
+  /* Find the single OCSP response corresponding to the certificate ID */
+  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
+                              &thisupd, &nextupd);
+  OCSP_CERTID_free(id);
+  if(ret != 1) {
+    failf(data, "Could not find certificate ID in OCSP response");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    infof(data, "SSL certificate status: %s (%d)\n",
+-          OCSP_cert_status_str(cert_status), cert_status);
+  /* Validate the corresponding single OCSP response */
+  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+    failf(data, "OCSP response has expired");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    switch(cert_status) {
+-      case V_OCSP_CERTSTATUS_GOOD:
+-        break;
+  infof(data, "SSL certificate status: %s (%d)\n",
+        OCSP_cert_status_str(cert_status), cert_status);
+ 
+-      case V_OCSP_CERTSTATUS_REVOKED:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+  switch(cert_status) {
+  case V_OCSP_CERTSTATUS_GOOD:
+    break;
+ 
+-        failf(data, "SSL certificate revocation reason: %s (%d)",
+-              OCSP_crl_reason_str(crl_reason), crl_reason);
+-        goto end;
+  case V_OCSP_CERTSTATUS_REVOKED:
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    failf(data, "SSL certificate revocation reason: %s (%d)",
+          OCSP_crl_reason_str(crl_reason), crl_reason);
+    goto end;
+ 
+-      case V_OCSP_CERTSTATUS_UNKNOWN:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+-        goto end;
+-    }
+  case V_OCSP_CERTSTATUS_UNKNOWN:
+  default:
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+   }
+ 
+ end:

diff --git a/meta/recipes-support/curl/curl/CVE-2020-8286.patch b/meta/recipes-support/curl/curl/CVE-2020-8286.patch new file mode 100644 index 0000000000..8c75cba844 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
@@ -0,0 +1,131 @@
	1	From 5d3b28deac44c19e4d73fc80e4917d42ee43adfe Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Wed, 2 Dec 2020 23:01:11 +0100
	4	Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
	5
	6	CVE-2020-8286
	7
	8	Reported by anonymous
	9
	10	Bug: https://curl.se/docs/CVE-2020-8286.html
	11
	12	Upstream-Status: Backport [https://github.com/curl/curl/commit/d9d01672785b]
	13
	14	CVE: CVE-2020-8286
	15
	16	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
	17	Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
	18
	19	---
	20	lib/vtls/openssl.c \| 83 +++++++++++++++++++++++++++++++++++-------------------
	21	1 file changed, 54 insertions(+), 29 deletions(-)
	22
	23	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	24	index 1685a4a..22cbfe7 100644
	25	--- a/lib/vtls/openssl.c
	26	+++ b/lib/vtls/openssl.c
	27	@@ -1777,6 +1777,11 @@ static CURLcode verifystatus(struct connectdata *conn,
	28	X509_STORE *st = NULL;
	29	STACK_OF(X509) *ch = NULL;
	30	struct ssl_backend_data *backend = connssl->backend;
	31	+ X509 *cert;
	32	+ OCSP_CERTID *id = NULL;
	33	+ int cert_status, crl_reason;
	34	+ ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
	35	+ int ret;
	36
	37	long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
	38
	39	@@ -1845,43 +1850,63 @@ static CURLcode verifystatus(struct connectdata *conn,
	40	goto end;
	41	}
	42
	43	- for(i = 0; i < OCSP_resp_count(br); i++) {
	44	- int cert_status, crl_reason;
	45	- OCSP_SINGLERESP *single = NULL;
	46	-
	47	- ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
	48	+ /* Compute the certificate's ID */
	49	+ cert = SSL_get_peer_certificate(backend->handle);
	50	+ if(!cert) {
	51	+ failf(data, "Error getting peer certficate");
	52	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	53	+ goto end;
	54	+ }
	55
	56	- single = OCSP_resp_get0(br, i);
	57	- if(!single)
	58	- continue;
	59	+ for(i = 0; i < sk_X509_num(ch); i++) {
	60	+ X509 *issuer = sk_X509_value(ch, i);
	61	+ if(X509_check_issued(issuer, cert) == X509_V_OK) {
	62	+ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
	63	+ break;
	64	+ }
	65	+ }
	66	+ X509_free(cert);
	67
	68	- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
	69	- &thisupd, &nextupd);
	70	+ if(!id) {
	71	+ failf(data, "Error computing OCSP ID");
	72	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	73	+ goto end;
	74	+ }
	75
	76	- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
	77	- failf(data, "OCSP response has expired");
	78	- result = CURLE_SSL_INVALIDCERTSTATUS;
	79	- goto end;
	80	- }
	81	+ /* Find the single OCSP response corresponding to the certificate ID */
	82	+ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
	83	+ &thisupd, &nextupd);
	84	+ OCSP_CERTID_free(id);
	85	+ if(ret != 1) {
	86	+ failf(data, "Could not find certificate ID in OCSP response");
	87	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	88	+ goto end;
	89	+ }
	90
	91	- infof(data, "SSL certificate status: %s (%d)\n",
	92	- OCSP_cert_status_str(cert_status), cert_status);
	93	+ /* Validate the corresponding single OCSP response */
	94	+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
	95	+ failf(data, "OCSP response has expired");
	96	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	97	+ goto end;
	98	+ }
	99
	100	- switch(cert_status) {
	101	- case V_OCSP_CERTSTATUS_GOOD:
	102	- break;
	103	+ infof(data, "SSL certificate status: %s (%d)\n",
	104	+ OCSP_cert_status_str(cert_status), cert_status);
	105
	106	- case V_OCSP_CERTSTATUS_REVOKED:
	107	- result = CURLE_SSL_INVALIDCERTSTATUS;
	108	+ switch(cert_status) {
	109	+ case V_OCSP_CERTSTATUS_GOOD:
	110	+ break;
	111
	112	- failf(data, "SSL certificate revocation reason: %s (%d)",
	113	- OCSP_crl_reason_str(crl_reason), crl_reason);
	114	- goto end;
	115	+ case V_OCSP_CERTSTATUS_REVOKED:
	116	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	117	+ failf(data, "SSL certificate revocation reason: %s (%d)",
	118	+ OCSP_crl_reason_str(crl_reason), crl_reason);
	119	+ goto end;
	120
	121	- case V_OCSP_CERTSTATUS_UNKNOWN:
	122	- result = CURLE_SSL_INVALIDCERTSTATUS;
	123	- goto end;
	124	- }
	125	+ case V_OCSP_CERTSTATUS_UNKNOWN:
	126	+ default:
	127	+ result = CURLE_SSL_INVALIDCERTSTATUS;
	128	+ goto end;
	129	}
	130
	131	end: