mirror of
https://git.yoctoproject.org/poky
synced 2026-05-07 16:59:22 +00:00
curl: fix CVE-2024-8096
Upstream-Status: Backport from https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f (From OE-Core rev: 6efcd8aea340186df484afc07a2b63a2c2a3af66) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
committed by
Steve Sakoman
Steve Sakoman
parent
2034fc38eb
commit
598e7d69d5
@@ -0,0 +1,207 @@
|
||||
From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 20 Aug 2024 16:14:39 +0200
|
||||
Subject: [PATCH] gtls: fix OCSP stapling management
|
||||
|
||||
Reported-by: Hiroki Kurosawa
|
||||
Closes #14642
|
||||
|
||||
Upstream-Status: Backport [https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f]
|
||||
CVE: CVE-2024-8096
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
|
||||
1 file changed, 73 insertions(+), 73 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||
index 6eaa6a8..7dd7df8 100644
|
||||
--- a/lib/vtls/gtls.c
|
||||
+++ b/lib/vtls/gtls.c
|
||||
@@ -538,6 +538,13 @@ CURLcode gtls_client_init(struct Curl_easy *data,
|
||||
init_flags |= GNUTLS_NO_TICKETS;
|
||||
#endif
|
||||
|
||||
+#if defined(GNUTLS_NO_STATUS_REQUEST)
|
||||
+ if(!config->verifystatus)
|
||||
+ /* Disable the "status_request" TLS extension, enabled by default since
|
||||
+ GnuTLS 3.8.0. */
|
||||
+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
|
||||
+#endif
|
||||
+
|
||||
rc = gnutls_init(>ls->session, init_flags);
|
||||
if(rc != GNUTLS_E_SUCCESS) {
|
||||
failf(data, "gnutls_init() failed: %d", rc);
|
||||
@@ -923,104 +930,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||
infof(data, " server certificate verification SKIPPED");
|
||||
|
||||
if(config->verifystatus) {
|
||||
- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
|
||||
- gnutls_datum_t status_request;
|
||||
- gnutls_ocsp_resp_t ocsp_resp;
|
||||
+ gnutls_datum_t status_request;
|
||||
+ gnutls_ocsp_resp_t ocsp_resp;
|
||||
+ gnutls_ocsp_cert_status_t status;
|
||||
+ gnutls_x509_crl_reason_t reason;
|
||||
|
||||
- gnutls_ocsp_cert_status_t status;
|
||||
- gnutls_x509_crl_reason_t reason;
|
||||
+ rc = gnutls_ocsp_status_request_get(session, &status_request);
|
||||
|
||||
- rc = gnutls_ocsp_status_request_get(session, &status_request);
|
||||
+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
||||
+ failf(data, "No OCSP response received");
|
||||
+ return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ }
|
||||
|
||||
- infof(data, " server certificate status verification FAILED");
|
||||
+ if(rc < 0) {
|
||||
+ failf(data, "Invalid OCSP response received");
|
||||
+ return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ }
|
||||
|
||||
- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
||||
- failf(data, "No OCSP response received");
|
||||
- return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- }
|
||||
+ gnutls_ocsp_resp_init(&ocsp_resp);
|
||||
|
||||
- if(rc < 0) {
|
||||
- failf(data, "Invalid OCSP response received");
|
||||
- return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- }
|
||||
+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
|
||||
+ if(rc < 0) {
|
||||
+ failf(data, "Invalid OCSP response received");
|
||||
+ return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ }
|
||||
|
||||
- gnutls_ocsp_resp_init(&ocsp_resp);
|
||||
+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
|
||||
+ &status, NULL, NULL, NULL, &reason);
|
||||
|
||||
- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
|
||||
- if(rc < 0) {
|
||||
- failf(data, "Invalid OCSP response received");
|
||||
- return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- }
|
||||
+ switch(status) {
|
||||
+ case GNUTLS_OCSP_CERT_GOOD:
|
||||
+ break;
|
||||
|
||||
- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
|
||||
- &status, NULL, NULL, NULL, &reason);
|
||||
+ case GNUTLS_OCSP_CERT_REVOKED: {
|
||||
+ const char *crl_reason;
|
||||
|
||||
- switch(status) {
|
||||
- case GNUTLS_OCSP_CERT_GOOD:
|
||||
+ switch(reason) {
|
||||
+ default:
|
||||
+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
|
||||
+ crl_reason = "unspecified reason";
|
||||
break;
|
||||
|
||||
- case GNUTLS_OCSP_CERT_REVOKED: {
|
||||
- const char *crl_reason;
|
||||
-
|
||||
- switch(reason) {
|
||||
- default:
|
||||
- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
|
||||
- crl_reason = "unspecified reason";
|
||||
- break;
|
||||
-
|
||||
- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
|
||||
- crl_reason = "private key compromised";
|
||||
- break;
|
||||
-
|
||||
- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
|
||||
- crl_reason = "CA compromised";
|
||||
- break;
|
||||
-
|
||||
- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
|
||||
- crl_reason = "affiliation has changed";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
|
||||
+ crl_reason = "private key compromised";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_SUPERSEDED:
|
||||
- crl_reason = "certificate superseded";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
|
||||
+ crl_reason = "CA compromised";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
|
||||
- crl_reason = "operation has ceased";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
|
||||
+ crl_reason = "affiliation has changed";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
|
||||
- crl_reason = "certificate is on hold";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
|
||||
+ crl_reason = "certificate superseded";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
|
||||
- crl_reason = "will be removed from delta CRL";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
|
||||
+ crl_reason = "operation has ceased";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
|
||||
- crl_reason = "privilege withdrawn";
|
||||
- break;
|
||||
+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
|
||||
+ crl_reason = "certificate is on hold";
|
||||
+ break;
|
||||
|
||||
- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
|
||||
- crl_reason = "AA compromised";
|
||||
- break;
|
||||
- }
|
||||
+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
|
||||
+ crl_reason = "will be removed from delta CRL";
|
||||
+ break;
|
||||
|
||||
- failf(data, "Server certificate was revoked: %s", crl_reason);
|
||||
+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
|
||||
+ crl_reason = "privilege withdrawn";
|
||||
break;
|
||||
- }
|
||||
|
||||
- default:
|
||||
- case GNUTLS_OCSP_CERT_UNKNOWN:
|
||||
- failf(data, "Server certificate status is unknown");
|
||||
+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
|
||||
+ crl_reason = "AA compromised";
|
||||
break;
|
||||
}
|
||||
|
||||
- gnutls_ocsp_resp_deinit(ocsp_resp);
|
||||
+ failf(data, "Server certificate was revoked: %s", crl_reason);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ default:
|
||||
+ case GNUTLS_OCSP_CERT_UNKNOWN:
|
||||
+ failf(data, "Server certificate status is unknown");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
+ gnutls_ocsp_resp_deinit(ocsp_resp);
|
||||
+ if(status != GNUTLS_OCSP_CERT_GOOD)
|
||||
return CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- }
|
||||
- else
|
||||
- infof(data, " server certificate status verification OK");
|
||||
}
|
||||
else
|
||||
infof(data, " server certificate status verification SKIPPED");
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -18,6 +18,7 @@ SRC_URI = " \
|
||||
file://CVE-2024-6197.patch \
|
||||
file://CVE-2024-7264-1.patch \
|
||||
file://CVE-2024-7264-2.patch \
|
||||
file://CVE-2024-8096.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user