Blame SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch

6c1422
From 2470bc91f62cc9b0ab1deac60a67f87b7cc95f6e Mon Sep 17 00:00:00 2001
6c1422
From: Daniel Stenberg <daniel@haxx.se>
6c1422
Date: Wed, 2 Dec 2020 23:01:11 +0100
6c1422
Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
6c1422
6c1422
CVE-2020-8286
6c1422
6c1422
Reported by anonymous
6c1422
6c1422
Bug: https://curl.se/docs/CVE-2020-8286.html
6c1422
6c1422
Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
6c1422
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
6c1422
---
6c1422
 lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
6c1422
 1 file changed, 54 insertions(+), 29 deletions(-)
6c1422
6c1422
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
6c1422
index 9476773..35cd652 100644
6c1422
--- a/lib/vtls/openssl.c
6c1422
+++ b/lib/vtls/openssl.c
6c1422
@@ -1659,6 +1659,11 @@ static CURLcode verifystatus(struct connectdata *conn,
6c1422
   OCSP_BASICRESP *br = NULL;
6c1422
   X509_STORE     *st = NULL;
6c1422
   STACK_OF(X509) *ch = NULL;
6c1422
+  X509 *cert;
6c1422
+  OCSP_CERTID *id = NULL;
6c1422
+  int cert_status, crl_reason;
6c1422
+  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
6c1422
+  int ret;
6c1422
 
6c1422
   long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
6c1422
 
6c1422
@@ -1727,43 +1732,63 @@ static CURLcode verifystatus(struct connectdata *conn,
6c1422
     goto end;
6c1422
   }
6c1422
 
6c1422
-  for(i = 0; i < OCSP_resp_count(br); i++) {
6c1422
-    int cert_status, crl_reason;
6c1422
-    OCSP_SINGLERESP *single = NULL;
6c1422
-
6c1422
-    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
6c1422
+  /* Compute the certificate's ID */
6c1422
+  cert = SSL_get_peer_certificate(BACKEND->handle);
6c1422
+  if(!cert) {
6c1422
+    failf(data, "Error getting peer certficate");
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    goto end;
6c1422
+  }
6c1422
 
6c1422
-    single = OCSP_resp_get0(br, i);
6c1422
-    if(!single)
6c1422
-      continue;
6c1422
+  for(i = 0; i < sk_X509_num(ch); i++) {
6c1422
+    X509 *issuer = sk_X509_value(ch, i);
6c1422
+    if(X509_check_issued(issuer, cert) == X509_V_OK) {
6c1422
+      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
6c1422
+      break;
6c1422
+    }
6c1422
+  }
6c1422
+  X509_free(cert);
6c1422
 
6c1422
-    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
6c1422
-                                          &thisupd, &nextupd);
6c1422
+  if(!id) {
6c1422
+    failf(data, "Error computing OCSP ID");
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    goto end;
6c1422
+  }
6c1422
 
6c1422
-    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
6c1422
-      failf(data, "OCSP response has expired");
6c1422
-      result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
-      goto end;
6c1422
-    }
6c1422
+  /* Find the single OCSP response corresponding to the certificate ID */
6c1422
+  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
6c1422
+                              &thisupd, &nextupd);
6c1422
+  OCSP_CERTID_free(id);
6c1422
+  if(ret != 1) {
6c1422
+    failf(data, "Could not find certificate ID in OCSP response");
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    goto end;
6c1422
+  }
6c1422
 
6c1422
-    infof(data, "SSL certificate status: %s (%d)\n",
6c1422
-          OCSP_cert_status_str(cert_status), cert_status);
6c1422
+  /* Validate the corresponding single OCSP response */
6c1422
+  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
6c1422
+    failf(data, "OCSP response has expired");
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    goto end;
6c1422
+  }
6c1422
 
6c1422
-    switch(cert_status) {
6c1422
-      case V_OCSP_CERTSTATUS_GOOD:
6c1422
-        break;
6c1422
+  infof(data, "SSL certificate status: %s (%d)\n",
6c1422
+        OCSP_cert_status_str(cert_status), cert_status);
6c1422
 
6c1422
-      case V_OCSP_CERTSTATUS_REVOKED:
6c1422
-        result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+  switch(cert_status) {
6c1422
+  case V_OCSP_CERTSTATUS_GOOD:
6c1422
+    break;
6c1422
 
6c1422
-        failf(data, "SSL certificate revocation reason: %s (%d)",
6c1422
-              OCSP_crl_reason_str(crl_reason), crl_reason);
6c1422
-        goto end;
6c1422
+  case V_OCSP_CERTSTATUS_REVOKED:
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    failf(data, "SSL certificate revocation reason: %s (%d)",
6c1422
+          OCSP_crl_reason_str(crl_reason), crl_reason);
6c1422
+    goto end;
6c1422
 
6c1422
-      case V_OCSP_CERTSTATUS_UNKNOWN:
6c1422
-        result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
-        goto end;
6c1422
-    }
6c1422
+  case V_OCSP_CERTSTATUS_UNKNOWN:
6c1422
+  default:
6c1422
+    result = CURLE_SSL_INVALIDCERTSTATUS;
6c1422
+    goto end;
6c1422
   }
6c1422
 
6c1422
 end:
6c1422
-- 
6c1422
2.26.2
6c1422