File curl-CVE-2024-8096.patch of Package curl.35519

From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Aug 2024 16:14:39 +0200
Subject: [PATCH] gtls: fix OCSP stapling management

Reported-by: Hiroki Kurosawa
Closes #14642
---
 lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
 1 file changed, 73 insertions(+), 73 deletions(-)

Index: curl-7.66.0/lib/vtls/gtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/gtls.c
+++ curl-7.66.0/lib/vtls/gtls.c
@@ -671,6 +671,13 @@ gtls_connect_step1(struct connectdata *c
   init_flags |= GNUTLS_NO_TICKETS;
 #endif
 
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+  if(!config->verifystatus)
+    /* Disable the "status_request" TLS extension, enabled by default since
+       GnuTLS 3.8.0. */
+    init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
   rc = gnutls_init(&BACKEND->session, init_flags);
   if(rc != GNUTLS_E_SUCCESS) {
     failf(data, "gnutls_init() failed: %d", rc);
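Review bot: The new `if(!config->verifystatus)` reads a `config` pointer that is not declared anywhere in the visible context, and gtls_connect_step1 begins outside this hunk; if this 7.66.0 function reads TLS options through the SSL_CONN_CONFIG() macro rather than a `config` local, the line should be `if(!SSL_CONN_CONFIG(verifystatus))` — worth confirming against the function's opening. The comment could also say why the extension is turned off rather than just when it became default-on, e.g. `/* Disable the "status_request" TLS extension (enabled by default since GnuTLS 3.8.0) when the user did not ask for OCSP verification, so no stapled response is requested that this code would then not validate. */`.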
@@ -1135,8 +1142,6 @@ gtls_connect_step3(struct connectdata *c
 
       rc = gnutls_ocsp_status_request_get(session, &status_request);
 
-      infof(data, "\t server certificate status verification FAILED\n");
-
       if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
         failf(data, "No OCSP response received");
         return CURLE_SSL_INVALIDCERTSTATUS;
@@ -1219,11 +1224,11 @@ gtls_connect_step3(struct connectdata *c
       }
 
       gnutls_ocsp_resp_deinit(ocsp_resp);
+      if(status != GNUTLS_OCSP_CERT_GOOD)
+        return CURLE_SSL_INVALIDCERTSTATUS;
 
       return CURLE_SSL_INVALIDCERTSTATUS;
     }
-    else
-      infof(data, "\t server certificate status verification OK\n");
   }
   else
     infof(data, "\t server certificate status verification SKIPPED\n");
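Review bot: The added `if(status != GNUTLS_OCSP_CERT_GOOD) return CURLE_SSL_INVALIDCERTSTATUS;` is immediately followed by the unchanged, unconditional `return CURLE_SSL_INVALIDCERTSTATUS;` two lines below it, so on the new side a GOOD stapled response still fails the handshake and the new check is dead code; that unconditional return (and the blank line before it) has to go as well so the GOOD case falls out of the block. The enclosing function gtls_connect_step3 starts outside this hunk, and the block's indentation is unchanged on the new side, which suggests the outer condition deciding whether this block runs at all was not touched — since the point of the fix is to stop relying on GnuTLS's own "already checked" shortcut, confirm that outer condition (above this hunk) no longer skips the status check. With the `else infof(... OK ...)` branch removed there is no longer any success log line; if one is wanted it belongs after the new `if`, e.g. `infof(data, "\t server certificate status verification OK\n");`.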