R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix CVE-2020-8286

Browse Source 
Merge: curl/curl@d9d0167278
This commit is contained in:
Kawe Mazidjatari 2023-06-13 01:35:15 +02:00
parent c38a5f214f
commit d177ecdb0a
1 changed files with 57 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
r5dev/thirdparty/curl/vtls/openssl.c vendored
View File

@ -1336,6 +1336,11 @@ static CURLcode verifystatus(struct connectdata *conn,
OCSP_BASICRESP *br = NULL; OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL; X509_STORE *st = NULL;
STACK_OF(X509) *ch = NULL; STACK_OF(X509) *ch = NULL;
X509 *cert;
OCSP_CERTID *id = NULL;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
int cert_status, crl_reason;
int ret;
long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p); long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
@ -1403,47 +1408,68 @@ static CURLcode verifystatus(struct connectdata *conn,
goto end; goto end;
} }
for(i = 0; i < OCSP_resp_count(br); i++) { /* Compute the certificate's ID */
int cert_status, crl_reason; cert = SSL_get_peer_certificate(connssl->handle);
OCSP_SINGLERESP *single = NULL; if(!cert) {
failf(data, "Error getting peer certficate");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; for(i = 0; i < sk_X509_num(ch); i++) {
X509 *issuer = sk_X509_value(ch, i);
single = OCSP_resp_get0(br, i); if(X509_check_issued(issuer, cert) == X509_V_OK) {
if(!single) id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
continue; break;
cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
&thisupd, &nextupd);
if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
failf(data, "OCSP response has expired");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
} }
}
X509_free(cert);
infof(data, "SSL certificate status: %s (%d)\n", if(!id) {
OCSP_cert_status_str(cert_status), cert_status); failf(data, "Error computing OCSP ID");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
switch(cert_status) { /* Find the single OCSP response corresponding to the certificate ID */
case V_OCSP_CERTSTATUS_GOOD: ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
break; &thisupd, &nextupd);
OCSP_CERTID_free(id);
if(ret != 1) {
failf(data, "Could not find certificate ID in OCSP response");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
case V_OCSP_CERTSTATUS_REVOKED: /* Validate the corresponding single OCSP response */
result = CURLE_SSL_INVALIDCERTSTATUS; if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
failf(data, "OCSP response has expired");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
failf(data, "SSL certificate revocation reason: %s (%d)", infof(data, "SSL certificate status: %s (%d)\n",
OCSP_crl_reason_str(crl_reason), crl_reason); OCSP_cert_status_str(cert_status), cert_status);
goto end;
case V_OCSP_CERTSTATUS_UNKNOWN: switch(cert_status) {
result = CURLE_SSL_INVALIDCERTSTATUS; case V_OCSP_CERTSTATUS_GOOD:
goto end; break;
}
case V_OCSP_CERTSTATUS_REVOKED:
result = CURLE_SSL_INVALIDCERTSTATUS;
failf(data, "SSL certificate revocation reason: %s (%d)",
OCSP_crl_reason_str(crl_reason), crl_reason);
goto end;
case V_OCSP_CERTSTATUS_UNKNOWN:
default:
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
} }
end: end:
if(br) OCSP_BASICRESP_free(br); if(br)
OCSP_BASICRESP_free(br);
OCSP_RESPONSE_free(rsp); OCSP_RESPONSE_free(rsp);
return result; return result;