Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
curl.25399
curl-CVE-2022-27782.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2022-27782.patch of Package curl.25399
From c3f8e4e2b4a334697e7ce3168495f20a46b398bd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 3 May 2022 09:31:11 +0200 Subject: [PATCH 1/2] tls: check more TLS details for connection reuse CVE-2022-27782 Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2022-27782.html --- lib/setopt.c | 29 +++++++++++++++++------------ lib/url.c | 23 ++++++++++++++++------- lib/urldata.h | 13 +++++++------ lib/vtls/gtls.c | 32 +++++++++++++++++--------------- lib/vtls/openssl.c | 10 +++++----- lib/vtls/vtls.c | 20 ++++++++++++++++++++ 6 files changed, 82 insertions(+), 45 deletions(-) Index: curl-7.60.0/lib/setopt.c =================================================================== --- curl-7.60.0.orig/lib/setopt.c +++ curl-7.60.0/lib/setopt.c @@ -2011,12 +2011,14 @@ CURLcode Curl_vsetopt(struct Curl_easy * case CURLOPT_SSL_OPTIONS: arg = va_arg(param, long); + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE; data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); break; case CURLOPT_PROXY_SSL_OPTIONS: arg = va_arg(param, long); + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); data->set.proxy_ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE; data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); break; @@ -2417,44 +2419,47 @@ CURLcode Curl_vsetopt(struct Curl_easy * case CURLOPT_TLSAUTH_USERNAME: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && + !data->set.ssl.primary.authtype) + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ break; case CURLOPT_PROXY_TLSAUTH_USERNAME: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], va_arg(param, char *)); if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + !data->set.proxy_ssl.primary.authtype) + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to + SRP */ break; case CURLOPT_TLSAUTH_PASSWORD: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + if(data->set.str[STRING_TLSAUTH_PASSWORD_ORIG] && + !data->set.ssl.primary.authtype) + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ break; case CURLOPT_PROXY_TLSAUTH_PASSWORD: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], va_arg(param, char *)); if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + !data->set.proxy_ssl.primary.authtype) + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ break; case CURLOPT_TLSAUTH_TYPE: argptr = va_arg(param, char *); if(!argptr || strncasecompare(argptr, "SRP", strlen("SRP"))) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; else - data->set.ssl.authtype = CURL_TLSAUTH_NONE; + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; break; case CURLOPT_PROXY_TLSAUTH_TYPE: argptr = va_arg(param, char *); if(!argptr || strncasecompare(argptr, "SRP", strlen("SRP"))) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; else - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; break; #endif case CURLOPT_DNS_SERVERS: Index: curl-7.60.0/lib/url.c =================================================================== --- curl-7.60.0.orig/lib/url.c +++ curl-7.60.0/lib/url.c @@ -464,7 +464,7 @@ CURLcode Curl_init_userdefined(struct Cu set->ssl.primary.verifypeer = TRUE; set->ssl.primary.verifyhost = TRUE; #ifdef USE_TLS_SRP - set->ssl.authtype = CURL_TLSAUTH_NONE; + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; #endif set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth type */ @@ -1040,6 +1040,12 @@ static size_t max_pipeline_length(struct return multi ? multi->max_pipeline_length : 0; } +static bool ssh_config_matches(struct connectdata *one, + struct connectdata *two) +{ + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); +} /* * Given one filled in connection struct (named needle), this function should @@ -1217,6 +1223,12 @@ ConnectionExists(struct Curl_easy *data, continue; #endif + if(get_protocol_family(needle->handler) == CURLPROTO_SFTP || + get_protocol_family(needle->handler) == CURLPROTO_SCP ) { + if(!ssh_config_matches(needle, check)) + continue; + } + if((needle->handler->flags&PROTOPT_SSL) != (check->handler->flags&PROTOPT_SSL)) /* don't do mixed SSL and non-SSL connections */ @@ -1887,10 +1899,12 @@ static struct connectdata *allocate_conn conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; + conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; conn->proxy_ssl_config.verifystatus = data->set.proxy_ssl.primary.verifystatus; conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; + conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; conn->ip_version = data->set.ipver; @@ -4356,8 +4370,9 @@ static CURLcode create_conn(struct Curl_ data->set.proxy_ssl.primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; + data->set.proxy_ssl.primary.CRLfile = + data->set.str[STRING_SSL_CRLFILE_PROXY]; data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; @@ -4371,10 +4386,10 @@ static CURLcode create_conn(struct Curl_ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; #ifdef USE_TLS_SRP - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; + data->set.proxy_ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; + data->set.proxy_ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; #endif if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, Index: curl-7.60.0/lib/urldata.h =================================================================== --- curl-7.60.0.orig/lib/urldata.h +++ curl-7.60.0/lib/urldata.h @@ -223,6 +223,13 @@ struct ssl_primary_config { char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ char *issuercert; /* optional issuer certificate filename */ + char *CRLfile; /* CRL to check certificate revocation */ +#ifdef USE_TLS_SRP + char *username; /* TLS username (for, e.g., SRP) */ + char *password; /* TLS password (for, e.g., SRP) */ + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +#endif + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ char *clientcert; char *random_file; /* path to file containing "random" data */ char *egdsocket; /* path to file containing the EGD daemon socket */ @@ -235,7 +242,6 @@ struct ssl_config_data { sake*/ bool no_revoke; /* disable SSL certificate revocation checks */ long certverifyresult; /* result from the certificate verification */ - char *CRLfile; /* CRL to check certificate revocation */ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ void *fsslctxp; /* parameter for call back */ bool certinfo; /* gather lots of certificate info */ @@ -246,12 +252,6 @@ struct ssl_config_data { char *key; /* private key file name */ char *key_type; /* format for private key (default: PEM) */ char *key_passwd; /* plain text private key password */ - -#ifdef USE_TLS_SRP - char *username; /* TLS username (for, e.g., SRP) */ - char *password; /* TLS password (for, e.g., SRP) */ - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ -#endif }; struct ssl_general_config { Index: curl-7.60.0/lib/vtls/gtls.c =================================================================== --- curl-7.60.0.orig/lib/vtls/gtls.c +++ curl-7.60.0/lib/vtls/gtls.c @@ -536,8 +536,8 @@ gtls_connect_step1(struct connectdata *c } #ifdef USE_TLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { - infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(primary.username)); rc = gnutls_srp_allocate_client_credentials( &BACKEND->srp_client_cred); @@ -548,8 +548,8 @@ gtls_connect_step1(struct connectdata *c } rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred, - SSL_SET_OPTION(username), - SSL_SET_OPTION(password)); + SSL_SET_OPTION(primary.username), + SSL_SET_OPTION(primary.password)); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); @@ -603,19 +603,19 @@ gtls_connect_step1(struct connectdata *c } #endif - if(SSL_SET_OPTION(CRLfile)) { + if(SSL_SET_OPTION(primary.CRLfile)) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred, - SSL_SET_OPTION(CRLfile), + SSL_SET_OPTION(primary.CRLfile), GNUTLS_X509_FMT_PEM); if(rc < 0) { failf(data, "error reading crl file %s (%s)", - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); return CURLE_SSL_CRL_BADFILE; } else infof(data, "found %d CRL in %s\n", - rc, SSL_SET_OPTION(CRLfile)); + rc, SSL_SET_OPTION(primary.CRLfile)); } /* Initialize TLS session as a client */ @@ -824,7 +824,7 @@ gtls_connect_step1(struct connectdata *c #ifdef USE_TLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, BACKEND->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { @@ -1004,8 +1004,8 @@ gtls_connect_step3(struct connectdata *c SSL_CONN_CONFIG(verifyhost) || SSL_CONN_CONFIG(issuercert)) { #ifdef USE_TLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) != NULL && !SSL_CONN_CONFIG(verifypeer) && gnutls_cipher_get(session)) { /* no peer cert, but auth is ok if we have SRP user and cipher and no @@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *c failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); + SSL_SET_OPTION(primary.CRLfile)?SSL_SET_OPTION(primary.CRLfile):"none"); return CURLE_SSL_CACERT; } else @@ -1643,8 +1643,8 @@ static int Curl_gtls_shutdown(struct con gnutls_certificate_free_credentials(BACKEND->cred); #ifdef USE_TLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL) + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) != NULL) gnutls_srp_free_client_credentials(BACKEND->srp_client_cred); #endif Index: curl-7.60.0/lib/vtls/openssl.c =================================================================== --- curl-7.60.0.orig/lib/vtls/openssl.c +++ curl-7.60.0/lib/vtls/openssl.c @@ -2169,14 +2169,14 @@ static CURLcode ossl_connect_step1(struc &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; const long int ssl_version = SSL_CONN_CONFIG(version); #ifdef USE_TLS_SRP - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); #endif char * const ssl_cert = SSL_SET_OPTION(cert); const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); const char * const ssl_capath = SSL_CONN_CONFIG(CApath); const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); char error_buffer[256]; DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); @@ -2429,15 +2429,15 @@ static CURLcode ossl_connect_step1(struc #ifdef USE_TLS_SRP if(ssl_authtype == CURL_TLSAUTH_SRP) { - char * const ssl_username = SSL_SET_OPTION(username); - + char * const ssl_username = SSL_SET_OPTION(primary.username); + char * const ssl_password = SSL_SET_OPTION(primary.password); infof(data, "Using TLS-SRP username: %s\n", ssl_username); if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } - if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) { + if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } Index: curl-7.60.0/lib/vtls/vtls.c =================================================================== --- curl-7.60.0.orig/lib/vtls/vtls.c +++ curl-7.60.0/lib/vtls/vtls.c @@ -88,6 +88,7 @@ Curl_ssl_config_matches(struct ssl_prima { if((data->version == needle->version) && (data->version_max == needle->version_max) && + (data->ssl_options == needle->ssl_options) && (data->verifypeer == needle->verifypeer) && (data->verifyhost == needle->verifyhost) && (data->verifystatus == needle->verifystatus) && @@ -97,6 +98,12 @@ Curl_ssl_config_matches(struct ssl_prima Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && Curl_safe_strcasecompare(data->random_file, needle->random_file) && Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && +#ifdef USE_TLS_SRP + Curl_safecmp(data->username, needle->username) && + Curl_safecmp(data->password, needle->password) && + (data->authtype == needle->authtype) && +#endif + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list)) return TRUE; @@ -113,6 +120,10 @@ Curl_clone_primary_ssl_config(struct ssl dest->verifyhost = source->verifyhost; dest->verifystatus = source->verifystatus; dest->sessionid = source->sessionid; + dest->ssl_options = source->ssl_options; +#ifdef USE_TLS_SRP + dest->authtype = source->authtype; +#endif CLONE_STRING(CApath); CLONE_STRING(CAfile); @@ -122,6 +133,12 @@ Curl_clone_primary_ssl_config(struct ssl CLONE_STRING(egdsocket); CLONE_STRING(cipher_list); + CLONE_STRING(CRLfile); +#ifdef USE_TLS_SRP + CLONE_STRING(username); + CLONE_STRING(password); +#endif + return TRUE; } @@ -134,6 +151,12 @@ void Curl_free_primary_ssl_config(struct Curl_safefree(sslc->random_file); Curl_safefree(sslc->egdsocket); Curl_safefree(sslc->cipher_list); + + Curl_safefree(sslc->CRLfile); +#ifdef USE_TLS_SRP + Curl_safefree(sslc->username); + Curl_safefree(sslc->password); +#endif } #ifdef USE_SSL Index: curl-7.60.0/lib/ssh.h =================================================================== --- curl-7.60.0.orig/lib/ssh.h +++ curl-7.60.0/lib/ssh.h @@ -117,8 +117,8 @@ struct ssh_conn { /* common */ const char *passphrase; /* pass-phrase to use */ - char *rsa_pub; /* path name */ - char *rsa; /* path name */ + char *rsa_pub; /* strdup'ed public key file */ + char *rsa; /* strdup'ed private key file */ bool authed; /* the connection has been authenticated fine */ sshstate state; /* always use ssh.c:state() to change state! */ sshstate nextstate; /* the state to goto after stopping */ Index: curl-7.60.0/lib/strcase.c =================================================================== --- curl-7.60.0.orig/lib/strcase.c +++ curl-7.60.0/lib/strcase.c @@ -175,3 +175,13 @@ int curl_strnequal(const char *first, co { return Curl_strncasecompare(first, second, max); } + +/* Compare case-sensitive NUL-terminated strings, taking care of possible + * null pointers. Return true if arguments match. + */ +bool Curl_safecmp(char *a, char *b) +{ + if(a && b) + return !strcmp(a, b); + return !a && !b; +} \ No newline at end of file Index: curl-7.60.0/lib/strcase.h =================================================================== --- curl-7.60.0.orig/lib/strcase.h +++ curl-7.60.0/lib/strcase.h @@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); void Curl_strntoupper(char *dest, const char *src, size_t n); char Curl_raw_toupper(char in); +bool Curl_safecmp(char *a, char *b); + #endif /* HEADER_CURL_STRCASE_H */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
