A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl offers a myriad of powerful features
Joshua Rogers be6c4ee7fa
gtls: verify OCSP response signature in gtls_verify_ocsp_status
Since aeb1a281ca ("gtls: fix OCSP stapling management"), the function
parses the stapled OCSP response and reads the certificate status via
gnutls_ocsp_resp_get_single(), but never calls gnutls_ocsp_resp_verify()
or gnutls_ocsp_resp_verify_direct(). A response with a forged or
corrupted signature is accepted without question.

Fix by calling gnutls_ocsp_resp_verify() against the trust list obtained
from the session credentials immediately after gnutls_ocsp_resp_import().
This handles both directly-signed responses and delegated OCSP responders
without requiring the issuer certificate to be present in the peer chain.

The missing check only affects the CURLOPT_SSL_VERIFYSTATUS code path
when CURLOPT_SSL_VERIFYPEER is disabled. With peer verification enabled,
gnutls_certificate_verify_peers2() independently catches the invalid
response via GNUTLS_CERT_INVALID_OCSP_STATUS before
gtls_verify_ocsp_status() is reached. As a result, no attack is possible
that is not already trivially achievable without OCSP stapling when peer
verification is off. This is a correctness and consistency fix, not a
security vulnerability.

Reported-by: Joshua Rogers

Closes #21677
2026-06-02 13:30:35 +02:00
.circleci runtests: detect bad libssh differently for test 1459 (fixing CircleCI libssh job) 2025-11-16 23:28:44 +01:00
.github tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
CMake tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
docs KNOWN_BUGS: Digest does not care for 'domain' 2026-06-02 11:17:48 +02:00
include badwords: prefer 'workaround' (without hyphen) 2026-05-31 22:05:54 +02:00
lib gtls: verify OCSP response signature in gtls_verify_ocsp_status 2026-06-02 13:30:35 +02:00
LICENSES spacecheck: check long lines and repeat spaces, fix fallouts 2026-03-25 11:02:08 +01:00
m4 tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
projects os400sys: fix theoretical length overflows 2026-06-02 10:05:39 +02:00
scripts tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
src tool_operhlp: avoid NULL to %s 2026-06-02 08:48:19 +02:00
tests lib1560: verify a few more URL variations 2026-06-02 11:31:46 +02:00
.clang-tidy.yml clang-tidy: enable more checks, fix fallouts 2026-04-14 02:20:16 +02:00
.dir-locals.el copyright: update all copyright lines and remove year ranges 2023-01-03 09:19:21 +01:00
.editorconfig .editorconfig: add 2025-09-02 08:36:40 +02:00
.git-blame-ignore-revs copyright: update all copyright lines and remove year ranges 2023-01-03 09:19:21 +01:00
.gitattributes buildconf: remove 2026-04-04 11:35:24 +02:00
.gitignore build: drop the winbuild build system 2025-09-20 01:20:25 +02:00
.mailmap mailmap: cmeister2@gmail is primary for Max Dymond 2026-05-24 12:02:26 +02:00
acinclude.m4 tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
appveyor.sh appveyor: bump to OpenSSL 3.6 2026-04-22 09:29:05 +02:00
appveyor.yml CI: set DO_NOT_TRACK=1 2026-04-23 11:22:35 +02:00
CHANGES.md CHANGES: fix typo in filename 2026-01-01 12:20:10 +01:00
CMakeLists.txt build: say Quiche support is experimental, where missing 2026-06-01 22:33:57 +02:00
configure.ac build: say Quiche support is experimental, where missing 2026-06-01 22:33:57 +02:00
COPYING COPYING: bump copyright year range to 1996 - 2026 2026-01-08 23:19:44 +01:00
curl-config.in autotools: tidy-up if expressions 2025-12-10 22:29:19 +01:00
Dockerfile Dockerfile: fix typo in variable name 2026-05-20 13:01:56 +02:00
GIT-INFO.md REUSE: add copyright header to two files 2025-11-03 16:08:52 +01:00
libcurl.pc.in configure: do not echo most inherited LDFLAGS to config files 2024-11-14 09:55:45 +01:00
Makefile.am rtmp: drop support 2026-03-21 14:56:06 +01:00
README BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 2026-01-26 08:26:28 +01:00
README.md rtmp: drop support 2026-03-21 14:56:06 +01:00
RELEASE-NOTES RELEASE-NOTES: synced 2026-06-01 08:50:11 +02:00
renovate.json renovate: use standard bump formula for OpenSSL 2026-04-15 10:17:33 +02:00
REUSE.toml tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
SECURITY.md stop using the word 'just' 2026-03-03 15:30:22 +01:00


curl is a command-line tool for transferring data from or to a server using URLs. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.

Learn how to use curl by reading the man page or everything curl.

Find out how to install curl by reading the INSTALL document.

libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl man page to learn how.

Open Source

curl is Open Source and is distributed under an MIT-like license.

Contact

Contact us on a suitable mailing list or use GitHub issues, pull requests or discussions.

All contributors to the project are listed in the THANKS document.

Commercial support

For commercial support, or private and dedicated help with your problems or applications using (lib)curl, visit the support page.

Website

Visit the curl website for the latest news and downloads.

Source code

Download the latest source from the Git server:

git clone https://github.com/curl/curl

Security problems

Report suspected security problems privately and not in public.

Backers

Thank you to all our backers 🙏 Become a backer.

Sponsors

Support this project by becoming a sponsor.