File curl-CVE-2023-28321.patch of Package curl.30927

From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 24 Apr 2023 21:07:02 +0200
Subject: [PATCH] hostcheck: fix host name wildcard checking

The leftmost "label" of the host name can now only match against single
'*'. Like the browsers have worked for a long time.

- extended unit test 1397 for this
- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc

Reported-by: Hiroki Kurosawa
Closes #11018
---
 lib/hostcheck.c         |  50 +++++++--------
 tests/data/test1397     |  10 ++-
 tests/unit/Makefile.am  |  94 ----------------------------
 tests/unit/Makefile.inc |  94 ++++++++++++++++++++++++++++
 tests/unit/unit1397.c   | 134 ++++++++++++++++++++++++----------------
 5 files changed, 202 insertions(+), 180 deletions(-)

Index: curl-7.66.0/lib/hostcheck.c
===================================================================
--- curl-7.66.0.orig/lib/hostcheck.c
+++ curl-7.66.0/lib/hostcheck.c
@@ -58,15 +58,19 @@
  * apparent distinction between a name and an IP. We need to detect the use of
  * an IP address and not wildcard match on such names.
  *
+ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
+ * "*b".
+ *
+ * @unittest: 1397
+ *
  * NOTE: hostmatch() gets called with copied buffers so that it can modify the
  * contents at will.
  */
 
 static int hostmatch(char *hostname, char *pattern)
 {
-  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
-  int wildcard_enabled;
-  size_t prefixlen, suffixlen;
+  const char *pattern_label_end, *hostname_label_end;
+  size_t suffixlen;
   struct in_addr ignored;
 #ifdef ENABLE_IPV6
   struct sockaddr_in6 si6;
@@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha
   if(pattern[len-1]=='.')
     pattern[len-1] = 0;
 
-  pattern_wildcard = strchr(pattern, '*');
-  if(pattern_wildcard == NULL)
+  if(strncmp(pattern, "*.", 2))
     return strcasecompare(pattern, hostname) ?
       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 
   /* detect IP address as hostname and fail the match if so */
-  if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+  else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
     return CURL_HOST_NOMATCH;
 #ifdef ENABLE_IPV6
   if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
@@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha
 
   /* We require at least 2 dots in pattern to avoid too wide wildcard
      match. */
-  wildcard_enabled = 1;
   pattern_label_end = strchr(pattern, '.');
-  if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
-     pattern_wildcard > pattern_label_end ||
-     strncasecompare(pattern, "xn--", 4)) {
-    wildcard_enabled = 0;
-  }
-  if(!wildcard_enabled)
+  if(pattern_label_end == NULL ||
+     strchr(pattern_label_end + 1, '.') == NULL)
     return strcasecompare(pattern, hostname) ?
       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 
@@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha
   if(hostname_label_end - hostname < pattern_label_end - pattern)
     return CURL_HOST_NOMATCH;
 
-  prefixlen = pattern_wildcard - pattern;
-  suffixlen = pattern_label_end - (pattern_wildcard + 1);
-  return strncasecompare(pattern, hostname, prefixlen) &&
-    strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
-                    suffixlen) ?
+  suffixlen = pattern_label_end - (pattern + 1);
+  return strncasecompare(pattern + 1, hostname_label_end - suffixlen,
+                         suffixlen) ?
     CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 }
 
Index: curl-7.66.0/tests/data/test1397
===================================================================
--- curl-7.66.0.orig/tests/data/test1397
+++ curl-7.66.0/tests/data/test1397
@@ -2,8 +2,7 @@
 <info>
 <keywords>
 unittest
-ssl
-wildcard
+Curl_cert_hostcheck
 </keywords>
 </info>
 
@@ -16,12 +15,11 @@ none
 <features>
 unittest
 </features>
- <name>
-Check wildcard certificate matching function Curl_cert_hostcheck
- </name>
+<name>
+Curl_cert_hostcheck unit tests
+</name>
 <tool>
 unit1397
 </tool>
 </client>
-
 </testcase>
Index: curl-7.66.0/tests/unit/unit1397.c
===================================================================
--- curl-7.66.0.orig/tests/unit/unit1397.c
+++ curl-7.66.0/tests/unit/unit1397.c
@@ -21,8 +21,6 @@
  ***************************************************************************/
 #include "curlcheck.h"
 
-#include "hostcheck.h" /* from the lib dir */
-
 static CURLcode unit_setup(void)
 {
   return CURLE_OK;
@@ -30,50 +28,92 @@ static CURLcode unit_setup(void)
 
 static void unit_stop(void)
 {
-  /* done before shutting down and exiting */
 }
 
-UNITTEST_START
-
 /* only these backends define the tested functions */
-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
+#include "hostcheck.h"
+struct testcase {
+  const char *host;
+  const char *pattern;
+  bool match;
+};
+
+static struct testcase tests[] = {
+  {"", "", FALSE},
+  {"a", "", FALSE},
+  {"", "b", FALSE},
+  {"a", "b", FALSE},
+  {"aa", "bb", FALSE},
+  {"\xff", "\xff", TRUE},
+  {"aa.aa.aa", "aa.aa.bb", FALSE},
+  {"aa.aa.aa", "aa.aa.aa", TRUE},
+  {"aa.aa.aa", "*.aa.bb", FALSE},
+  {"aa.aa.aa", "*.aa.aa", TRUE},
+  {"192.168.0.1", "192.168.0.1", TRUE},
+  {"192.168.0.1", "*.168.0.1", FALSE},
+  {"192.168.0.1", "*.0.1", FALSE},
+  {"h.ello", "*.ello", FALSE},
+  {"h.ello.", "*.ello", FALSE},
+  {"h.ello", "*.ello.", FALSE},
+  {"h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo", " *.e.llo", FALSE},
+  {" h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo", TRUE},
+  {"*.e.llo.", "*.e.llo", TRUE},
+  {"************.e.llo.", "*.e.llo", TRUE},
+  {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+   "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
+   "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+   "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
+   "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+   ".e.llo.", "*.e.llo", TRUE},
+  {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo.", TRUE},
+  {"h.e.llo", "*.e.llo.", TRUE},
+  {".h.e.llo", "*.e.llo.", FALSE},
+  {"h.e.llo", "*.*.llo.", FALSE},
+  {"h.e.llo", "h.*.llo", FALSE},
+  {"h.e.llo", "h.e.*", FALSE},
+  {"hello", "*.ello", FALSE},
+  {"hello", "**llo", FALSE},
+  {"bar.foo.example.com", "*.example.com", FALSE},
+  {"foo.example.com", "*.example.com", TRUE},
+  {"baz.example.net", "b*z.example.net", FALSE},
+  {"foobaz.example.net", "*baz.example.net", FALSE},
+  {"xn--l8j.example.local", "x*.example.local", FALSE},
+  {"xn--l8j.example.net", "*.example.net", TRUE},
+  {"xn--l8j.example.net", "*j.example.net", FALSE},
+  {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
+  {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
+  {"xl8j.example.net", "*.example.net", TRUE},
+  {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
+  {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
+  {NULL, NULL, FALSE}
+};
 
-  /* here you start doing things and checking that the results are good */
-
-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
-            "good 1");
-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
-            "good 2");
-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
-            "good 3");
-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
-            "good 4");
-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
-            "good 5");
-
-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
-
-#ifdef ENABLE_IPV6
-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
-                            "fe80::3285:a9ff:fe46:b619"), "bad 14");
-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
-                                "fe80::3285:a9ff:fe46:b619"), "good 6");
-#endif
+UNITTEST_START
+{
+  int i;
+  for(i = 0; tests[i].host; i++) {
+    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
+                                             tests[i].host)) {
+      fprintf(stderr,
+              "HOST: %s\n"
+              "PTRN: %s\n"
+              "did %sMATCH\n",
+              tests[i].host,
+              tests[i].pattern,
+              tests[i].match ? "NOT ": "");
+      unitfail++;
+    }
+  }
+}
 
-#endif
+UNITTEST_STOP
+#else
 
-  /* you end the test code like this: */
+UNITTEST_START
 
 UNITTEST_STOP
+#endif
openSUSE Build Service is sponsored by