首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 6

ZoeDong/curl

forked from OpenCloudOS Stream/curl 
代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
CVE-2024-8096.patch 6.51 KB
一键复制 编辑 原始数据 按行查看 历史
ZoeDong 提交于 2024-09-18 20:45 . Fix CVE-2024-7264-2, CVE-2024-8096
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Tue, 20 Aug 2024 16:14:39 +0200

Subject: [PATCH] gtls: fix OCSP stapling management



Reported-by: Hiroki Kurosawa

Closes #14642

---

 lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------

 1 file changed, 73 insertions(+), 73 deletions(-)



diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c

index 03d6fcc038aac3..c7589d9d39bc81 100644

--- a/lib/vtls/gtls.c

+++ b/lib/vtls/gtls.c

@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,

   init_flags |= GNUTLS_NO_TICKETS;

 #endif

 

+#if defined(GNUTLS_NO_STATUS_REQUEST)

+  if(!config->verifystatus)

+    /* Disable the "status_request" TLS extension, enabled by default since

+       GnuTLS 3.8.0. */

+    init_flags |= GNUTLS_NO_STATUS_REQUEST;

+#endif

+

   rc = gnutls_init(&gtls->session, init_flags);

   if(rc != GNUTLS_E_SUCCESS) {

     failf(data, "gnutls_init() failed: %d", rc);

@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,

     infof(data, "  server certificate verification SKIPPED");

 

   if(config->verifystatus) {

-    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {

-      gnutls_datum_t status_request;

-      gnutls_ocsp_resp_t ocsp_resp;

+    gnutls_datum_t status_request;

+    gnutls_ocsp_resp_t ocsp_resp;

+    gnutls_ocsp_cert_status_t status;

+    gnutls_x509_crl_reason_t reason;

 

-      gnutls_ocsp_cert_status_t status;

-      gnutls_x509_crl_reason_t reason;

+    rc = gnutls_ocsp_status_request_get(session, &status_request);

 

-      rc = gnutls_ocsp_status_request_get(session, &status_request);

+    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

+      failf(data, "No OCSP response received");

+      return CURLE_SSL_INVALIDCERTSTATUS;

+    }

 

-      infof(data, " server certificate status verification FAILED");

+    if(rc < 0) {

+      failf(data, "Invalid OCSP response received");

+      return CURLE_SSL_INVALIDCERTSTATUS;

+    }

 

-      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

-        failf(data, "No OCSP response received");

-        return CURLE_SSL_INVALIDCERTSTATUS;

-      }

+    gnutls_ocsp_resp_init(&ocsp_resp);

 

-      if(rc < 0) {

-        failf(data, "Invalid OCSP response received");

-        return CURLE_SSL_INVALIDCERTSTATUS;

-      }

+    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);

+    if(rc < 0) {

+      failf(data, "Invalid OCSP response received");

+      return CURLE_SSL_INVALIDCERTSTATUS;

+    }

 

-      gnutls_ocsp_resp_init(&ocsp_resp);

+    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,

+                                      &status, NULL, NULL, NULL, &reason);

 

-      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);

-      if(rc < 0) {

-        failf(data, "Invalid OCSP response received");

-        return CURLE_SSL_INVALIDCERTSTATUS;

-      }

+    switch(status) {

+    case GNUTLS_OCSP_CERT_GOOD:

+      break;

 

-      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,

-                                        &status, NULL, NULL, NULL, &reason);

+    case GNUTLS_OCSP_CERT_REVOKED: {

+      const char *crl_reason;

 

-      switch(status) {

-      case GNUTLS_OCSP_CERT_GOOD:

+      switch(reason) {

+      default:

+      case GNUTLS_X509_CRLREASON_UNSPECIFIED:

+        crl_reason = "unspecified reason";

         break;

 

-      case GNUTLS_OCSP_CERT_REVOKED: {

-        const char *crl_reason;

-

-        switch(reason) {

-          default:

-          case GNUTLS_X509_CRLREASON_UNSPECIFIED:

-            crl_reason = "unspecified reason";

-            break;

-

-          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:

-            crl_reason = "private key compromised";

-            break;

-

-          case GNUTLS_X509_CRLREASON_CACOMPROMISE:

-            crl_reason = "CA compromised";

-            break;

-

-          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:

-            crl_reason = "affiliation has changed";

-            break;

+      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:

+        crl_reason = "private key compromised";

+        break;

 

-          case GNUTLS_X509_CRLREASON_SUPERSEDED:

-            crl_reason = "certificate superseded";

-            break;

+      case GNUTLS_X509_CRLREASON_CACOMPROMISE:

+        crl_reason = "CA compromised";

+        break;

 

-          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:

-            crl_reason = "operation has ceased";

-            break;

+      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:

+        crl_reason = "affiliation has changed";

+        break;

 

-          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:

-            crl_reason = "certificate is on hold";

-            break;

+      case GNUTLS_X509_CRLREASON_SUPERSEDED:

+        crl_reason = "certificate superseded";

+        break;

 

-          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:

-            crl_reason = "will be removed from delta CRL";

-            break;

+      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:

+        crl_reason = "operation has ceased";

+        break;

 

-          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:

-            crl_reason = "privilege withdrawn";

-            break;

+      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:

+        crl_reason = "certificate is on hold";

+        break;

 

-          case GNUTLS_X509_CRLREASON_AACOMPROMISE:

-            crl_reason = "AA compromised";

-            break;

-        }

+      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:

+        crl_reason = "will be removed from delta CRL";

+        break;

 

-        failf(data, "Server certificate was revoked: %s", crl_reason);

+      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:

+        crl_reason = "privilege withdrawn";

         break;

-      }

 

-      default:

-      case GNUTLS_OCSP_CERT_UNKNOWN:

-        failf(data, "Server certificate status is unknown");

+      case GNUTLS_X509_CRLREASON_AACOMPROMISE:

+        crl_reason = "AA compromised";

         break;

       }

 

-      gnutls_ocsp_resp_deinit(ocsp_resp);

+      failf(data, "Server certificate was revoked: %s", crl_reason);

+      break;

+    }

 

-      return CURLE_SSL_INVALIDCERTSTATUS;

+    default:

+    case GNUTLS_OCSP_CERT_UNKNOWN:

+      failf(data, "Server certificate status is unknown");

+      break;

     }

-    else

-      infof(data, "  server certificate status verification OK");

+

+    gnutls_ocsp_resp_deinit(ocsp_resp);

+    if(status != GNUTLS_OCSP_CERT_GOOD)

+      return CURLE_SSL_INVALIDCERTSTATUS;

   }

   else

     infof(data, "  server certificate status verification SKIPPED");
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化