projects / curl / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4c134bc)
Check CA certificate in curl_darwinssl.c.
authorVilmos Nebehaj <v.nebehaj@gmail.com>
Sun, 31 Aug 2014 22:17:25 +0000 (00:17 +0200)
committerVilmos Nebehaj <v.nebehaj@gmail.com>
Sun, 31 Aug 2014 22:34:37 +0000 (00:34 +0200)
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
if the buffer holds an invalid or corrupt certificate. Call
SecCertificateCopyPublicKey() to make sure cacert is a valid
certificate.

lib/vtls/curl_darwinssl.c patch | blob | history

diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index 9ba287d0e91ee470fad880a5aa7d7981a9cfdeb1..3726357472fc3f5d01e6a5959a20c121ba6a0966 100644 (file)
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1671,6 +1671,16 @@ static int append_cert_to_array(struct SessionHandle *data,
       return CURLE_SSL_CACERT;
     }
 
+    /* Check if cacert is valid. */
+    SecKeyRef key;
+    OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
+    if(ret != noErr) {
+      CFRelease(cacert);
+      failf(data, "SSL: invalid CA certificate");
+      return CURLE_SSL_CACERT;
+    }
+    CFRelease(key);
+
     CFArrayAppendValue(array, cacert);
     CFRelease(cacert);
 
Unnamed repository; edit this file 'description' to name the repository.