
From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 17 Dec 2025 10:54:16 +0100
Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
 different CA cache

Reported-by: Stanislav Fort

Closes #20009
---
 lib/vtls/openssl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

Index: curl-8.14.1/lib/vtls/openssl.c
===================================================================
--- curl-8.14.1.orig/lib/vtls/openssl.c
+++ curl-8.14.1/lib/vtls/openssl.c
@@ -3457,6 +3457,7 @@ struct ossl_x509_share {
   char *CAfile;         /* CAfile path used to generate X509 store */
   X509_STORE *store;    /* cached X509 store or NULL if none */
   struct curltime time; /* when the cached store was created */
+  BIT(no_partialchain); /* keep partial chain state */
 };
 
 static void oss_x509_share_free(void *key, size_t key_len, void *p)
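Review bot: The comment on the new `no_partialchain` field describes the mechanism ("keep partial chain state") rather than why the field exists, which is the security-relevant part: a store built under one CURLSSLOPT_NO_PARTIALCHAIN setting must not be handed to a transfer running under the other. A why-comment makes the cache-key role explicit for the next person who adds a field to this struct: `BIT(no_partialchain); /* CURLSSLOPT_NO_PARTIALCHAIN setting the store was built with; part of the cache key */`. The rest of `struct ossl_x509_share` and `oss_x509_share_free` lie outside this hunk.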
@@ -3491,9 +3492,14 @@ ossl_cached_x509_store_expired(const str
 
 static bool
 ossl_cached_x509_store_different(struct Curl_cfilter *cf,
+                                 const struct Curl_easy *data,
                                  const struct ossl_x509_share *mb)
 {
   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
+  struct ssl_config_data *ssl_config =
+    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+  if(mb->no_partialchain != ssl_config->no_partialchain)
+    return TRUE;
   if(!mb->CAfile || !conn_config->CAfile)
     return mb->CAfile != conn_config->CAfile;
 
@@ -3513,7 +3519,7 @@ static X509_STORE *ossl_get_cached_x509_
                                  sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL;
   if(share && share->store &&
      !ossl_cached_x509_store_expired(data, share) &&
-     !ossl_cached_x509_store_different(cf, share)) {
+     !ossl_cached_x509_store_different(cf, data, share)) {
     store = share->store;
   }
 
@@ -3550,6 +3556,8 @@ static void ossl_set_cached_x509_store(s
 
   if(X509_STORE_up_ref(store)) {
     char *CAfile = NULL;
+    struct ssl_config_data *ssl_config =
+      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
 
     if(conn_config->CAfile) {
       CAfile = strdup(conn_config->CAfile);
@@ -3567,6 +3575,7 @@ static void ossl_set_cached_x509_store(s
     share->time = curlx_now();
     share->store = store;
     share->CAfile = CAfile;
+    share->no_partialchain = ssl_config->no_partialchain;
   }
 }
 