Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2020-8286.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2020-8286.patch | 131 |
1 files changed, 131 insertions, 0 deletions
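--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
@@ -0,0 +1,131 @@
+From 5d3b28deac44c19e4d73fc80e4917d42ee43adfe Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+
+CVE-2020-8286
+
+Reported by anonymous
+
+Bug: https://curl.se/docs/CVE-2020-8286.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/d9d01672785b]
+
+CVE: CVE-2020-8286
+
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+
+---
+lib/vtls/openssl.c | 83 +++++++++++++++++++++++++++++++++++-------------------
+1 file changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1685a4a..22cbfe7 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1777,6 +1777,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+X509_STORE *st = NULL;
+STACK_OF(X509) *ch = NULL;
+struct ssl_backend_data *backend = connssl->backend;
++ X509 *cert;
++ OCSP_CERTID *id = NULL;
++ int cert_status, crl_reason;
++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ int ret;
+
+long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
+
+@@ -1845,43 +1850,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+goto end;
+}
+
+- for(i = 0; i < OCSP_resp_count(br); i++) {
+- int cert_status, crl_reason;
+- OCSP_SINGLERESP *single = NULL;
+-
+- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ /* Compute the certificate's ID */
++ cert = SSL_get_peer_certificate(backend->handle);
++ if(!cert) {
++ failf(data, "Error getting peer certficate");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- single = OCSP_resp_get0(br, i);
+- if(!single)
+- continue;
++ for(i = 0; i < sk_X509_num(ch); i++) {
++ X509 *issuer = sk_X509_value(ch, i);
++ if(X509_check_issued(issuer, cert) == X509_V_OK) {
++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++ break;
++ }
++ }
++ X509_free(cert);
+
+- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+- &thisupd, &nextupd);
++ if(!id) {
++ failf(data, "Error computing OCSP ID");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+- failf(data, "OCSP response has expired");
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ /* Find the single OCSP response corresponding to the certificate ID */
++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++ &thisupd, &nextupd);
++ OCSP_CERTID_free(id);
++ if(ret != 1) {
++ failf(data, "Could not find certificate ID in OCSP response");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- infof(data, "SSL certificate status: %s (%d)\n",
+- OCSP_cert_status_str(cert_status), cert_status);
++ /* Validate the corresponding single OCSP response */
++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++ failf(data, "OCSP response has expired");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- switch(cert_status) {
+- case V_OCSP_CERTSTATUS_GOOD:
+- break;
++ infof(data, "SSL certificate status: %s (%d)\n",
++ OCSP_cert_status_str(cert_status), cert_status);
+
+- case V_OCSP_CERTSTATUS_REVOKED:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
++ switch(cert_status) {
++ case V_OCSP_CERTSTATUS_GOOD:
++ break;
+
+- failf(data, "SSL certificate revocation reason: %s (%d)",
+- OCSP_crl_reason_str(crl_reason), crl_reason);
+- goto end;
++ case V_OCSP_CERTSTATUS_REVOKED:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ failf(data, "SSL certificate revocation reason: %s (%d)",
++ OCSP_crl_reason_str(crl_reason), crl_reason);
++ goto end;
+
+- case V_OCSP_CERTSTATUS_UNKNOWN:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ case V_OCSP_CERTSTATUS_UNKNOWN:
++ default:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
+}
+
+end: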
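Review bot: The failure message in the new `if(!cert)` branch is misspelled, `failf(data, "Error getting peer certficate");`, which makes it awkward to match in logs; the corrected line is `failf(data, "Error getting peer certificate");`. Since this file is a verbatim backport of upstream commit d9d01672785b, keeping the text identical and fixing the typo upstream is likely the cleaner route for the recipe. The CertID lookup hard-codes `EVP_sha1()` in `OCSP_cert_to_id`, so a response whose CertID was built with another digest is rejected at "Could not find certificate ID in OCSP response" rather than matched; that fails closed, which is the right direction for a revocation check, but a comment such as `/* CertID is matched with SHA-1 only; a response using another digest is rejected, not skipped */` would make the intent explicit for the next reader. verifystatus begins before the first hunk and the `end:` cleanup label runs past the end of the patch, so the resource release for `br`, `st` and `ch` is not visible here.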