diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-21 13:57:04 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-26 15:38:17 +0200 |
commit | a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (patch) | |
tree | 93cf2f03a7284485bd632366133f1c3ee35053cd /recipes-support/curl | |
parent | fc56bc51ea79b613d64b0389bf7b4877d3e45cbb (diff) | |
download | meta-el-common-a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2.tar.gz |
curl: CVE-2017-7468
TLS session resumption client cert bypass (again)
References:
https://curl.haxx.se/docs/adv_20170419.html
https://curl.haxx.se/CVE-2017-7468.patch
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support/curl')
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-7468.patch | 299 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 5 |
2 files changed, 304 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-7468.patch b/recipes-support/curl/curl/CVE-2017-7468.patch new file mode 100644 index 0000000..184ed51 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-7468.patch | |||
@@ -0,0 +1,299 @@ | |||
1 | From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jay Satiro <raysatiro@yahoo.com> | ||
3 | Date: Wed, 22 Mar 2017 01:59:49 -0400 | ||
4 | Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is | ||
5 | used | ||
6 | |||
7 | Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl | ||
8 | will each have their own sessionid flag. | ||
9 | |||
10 | Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that | ||
11 | this issue had been fixed in 247d890, CVE-2016-5419. | ||
12 | |||
13 | Bug: https://github.com/curl/curl/issues/1341 | ||
14 | Reported-by: lijian996@users.noreply.github.com | ||
15 | |||
16 | CVE: CVE-2017-7468 | ||
17 | Upstream-Status: Backport [backport from curl-7_54_1] | ||
18 | |||
19 | The new incarnation of this bug is called CVE-2017-7468 and is documented | ||
20 | here: https://curl.haxx.se/docs/adv_20170419.html | ||
21 | |||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | lib/url.c | 5 +++-- | ||
25 | lib/urldata.h | 2 +- | ||
26 | lib/vtls/axtls.c | 4 ++-- | ||
27 | lib/vtls/cyassl.c | 4 ++-- | ||
28 | lib/vtls/darwinssl.c | 2 +- | ||
29 | lib/vtls/gtls.c | 4 ++-- | ||
30 | lib/vtls/mbedtls.c | 4 ++-- | ||
31 | lib/vtls/nss.c | 2 +- | ||
32 | lib/vtls/openssl.c | 4 ++-- | ||
33 | lib/vtls/polarssl.c | 4 ++-- | ||
34 | lib/vtls/schannel.c | 4 ++-- | ||
35 | lib/vtls/vtls.c | 9 ++++++--- | ||
36 | 12 files changed, 26 insertions(+), 22 deletions(-) | ||
37 | |||
38 | diff --git a/lib/url.c b/lib/url.c | ||
39 | index 4609f4f..caa28f5 100644 | ||
40 | --- a/lib/url.c | ||
41 | +++ b/lib/url.c | ||
42 | @@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set) | ||
43 | #endif | ||
44 | set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth | ||
45 | type */ | ||
46 | - set->general_ssl.sessionid = TRUE; /* session ID caching enabled by | ||
47 | + set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by | ||
48 | default */ | ||
49 | set->proxy_ssl = set->ssl; | ||
50 | |||
51 | @@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, | ||
52 | break; | ||
53 | |||
54 | case CURLOPT_SSL_SESSIONID_CACHE: | ||
55 | - data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ? | ||
56 | + data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ? | ||
57 | TRUE : FALSE; | ||
58 | + data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid; | ||
59 | break; | ||
60 | |||
61 | #ifdef USE_LIBSSH2 | ||
62 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
63 | index bd7d25d..3c94553 100644 | ||
64 | --- a/lib/urldata.h | ||
65 | +++ b/lib/urldata.h | ||
66 | @@ -360,6 +360,7 @@ struct ssl_primary_config { | ||
67 | char *random_file; /* path to file containing "random" data */ | ||
68 | char *egdsocket; /* path to file containing the EGD daemon socket */ | ||
69 | char *cipher_list; /* list of ciphers to use */ | ||
70 | + bool sessionid; /* cache session IDs or not */ | ||
71 | }; | ||
72 | |||
73 | struct ssl_config_data { | ||
74 | @@ -389,7 +390,6 @@ struct ssl_config_data { | ||
75 | }; | ||
76 | |||
77 | struct ssl_general_config { | ||
78 | - bool sessionid; /* cache session IDs or not */ | ||
79 | size_t max_ssl_sessions; /* SSL session id cache size */ | ||
80 | }; | ||
81 | |||
82 | diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c | ||
83 | index af01fe3..f0e3766 100644 | ||
84 | --- a/lib/vtls/axtls.c | ||
85 | +++ b/lib/vtls/axtls.c | ||
86 | @@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex) | ||
87 | * 2) setting up callbacks. these seem gnutls specific | ||
88 | */ | ||
89 | |||
90 | - if(data->set.general_ssl.sessionid) { | ||
91 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
92 | const uint8_t *ssl_sessionid; | ||
93 | size_t ssl_idsize; | ||
94 | |||
95 | @@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex) | ||
96 | conn->send[sockindex] = axtls_send; | ||
97 | |||
98 | /* Put our freshly minted SSL session in cache */ | ||
99 | - if(data->set.general_ssl.sessionid) { | ||
100 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
101 | const uint8_t *ssl_sessionid = ssl_get_session_id(ssl); | ||
102 | size_t ssl_idsize = ssl_get_session_id_size(ssl); | ||
103 | Curl_ssl_sessionid_lock(conn); | ||
104 | diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c | ||
105 | index 2dfd79d..5f51ad5 100644 | ||
106 | --- a/lib/vtls/cyassl.c | ||
107 | +++ b/lib/vtls/cyassl.c | ||
108 | @@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn, | ||
109 | #endif /* HAVE_ALPN */ | ||
110 | |||
111 | /* Check if there's a cached ID we can/should use here! */ | ||
112 | - if(data->set.general_ssl.sessionid) { | ||
113 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
114 | void *ssl_sessionid = NULL; | ||
115 | |||
116 | Curl_ssl_sessionid_lock(conn); | ||
117 | @@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn, | ||
118 | |||
119 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
120 | |||
121 | - if(data->set.general_ssl.sessionid) { | ||
122 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
123 | bool incache; | ||
124 | SSL_SESSION *our_ssl_sessionid; | ||
125 | void *old_ssl_sessionid = NULL; | ||
126 | diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c | ||
127 | index f8697cc..5533dfe 100644 | ||
128 | --- a/lib/vtls/darwinssl.c | ||
129 | +++ b/lib/vtls/darwinssl.c | ||
130 | @@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | ||
131 | #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */ | ||
132 | |||
133 | /* Check if there's a cached ID we can/should use here! */ | ||
134 | - if(data->set.general_ssl.sessionid) { | ||
135 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
136 | char *ssl_sessionid; | ||
137 | size_t ssl_sessionid_len; | ||
138 | |||
139 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
140 | index 51a5aa8..0230778 100644 | ||
141 | --- a/lib/vtls/gtls.c | ||
142 | +++ b/lib/vtls/gtls.c | ||
143 | @@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn, | ||
144 | |||
145 | /* This might be a reconnect, so we check for a session ID in the cache | ||
146 | to speed up things */ | ||
147 | - if(data->set.general_ssl.sessionid) { | ||
148 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
149 | void *ssl_sessionid; | ||
150 | size_t ssl_idsize; | ||
151 | |||
152 | @@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn, | ||
153 | conn->recv[sockindex] = gtls_recv; | ||
154 | conn->send[sockindex] = gtls_send; | ||
155 | |||
156 | - if(data->set.general_ssl.sessionid) { | ||
157 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
158 | /* we always unconditionally get the session id here, as even if we | ||
159 | already got it from the cache and asked to use it in the connection, it | ||
160 | might've been rejected and then a new one is in use now and we need to | ||
161 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
162 | index edf30db..3ffa957 100644 | ||
163 | --- a/lib/vtls/mbedtls.c | ||
164 | +++ b/lib/vtls/mbedtls.c | ||
165 | @@ -430,7 +430,7 @@ mbed_connect_step1(struct connectdata *conn, | ||
166 | #endif | ||
167 | |||
168 | /* Check if there's a cached ID we can/should use here! */ | ||
169 | - if(data->set.general_ssl.sessionid) { | ||
170 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
171 | void *old_session = NULL; | ||
172 | |||
173 | Curl_ssl_sessionid_lock(conn); | ||
174 | @@ -684,7 +684,7 @@ mbed_connect_step3(struct connectdata *conn, | ||
175 | |||
176 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
177 | |||
178 | - if(data->set.general_ssl.sessionid) { | ||
179 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
180 | int ret; | ||
181 | mbedtls_ssl_session *our_ssl_sessionid; | ||
182 | void *old_ssl_sessionid = NULL; | ||
183 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
184 | index 1d7047a..4898511 100644 | ||
185 | --- a/lib/vtls/nss.c | ||
186 | +++ b/lib/vtls/nss.c | ||
187 | @@ -1720,7 +1720,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) | ||
188 | goto error; | ||
189 | |||
190 | /* do not use SSL cache if disabled or we are not going to verify peer */ | ||
191 | - ssl_no_cache = (data->set.general_ssl.sessionid | ||
192 | + ssl_no_cache = (SSL_SET_OPTION(primary.sessionid) | ||
193 | && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE; | ||
194 | if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) | ||
195 | goto error; | ||
196 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
197 | index ee07615..58a014a 100644 | ||
198 | --- a/lib/vtls/openssl.c | ||
199 | +++ b/lib/vtls/openssl.c | ||
200 | @@ -2235,7 +2235,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
201 | #endif | ||
202 | |||
203 | /* Check if there's a cached ID we can/should use here! */ | ||
204 | - if(data->set.general_ssl.sessionid) { | ||
205 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
206 | void *ssl_sessionid = NULL; | ||
207 | |||
208 | Curl_ssl_sessionid_lock(conn); | ||
209 | @@ -2965,7 +2965,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) | ||
210 | |||
211 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
212 | |||
213 | - if(data->set.general_ssl.sessionid) { | ||
214 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
215 | bool incache; | ||
216 | SSL_SESSION *our_ssl_sessionid; | ||
217 | void *old_ssl_sessionid = NULL; | ||
218 | diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c | ||
219 | index e6ad525..669091c 100644 | ||
220 | --- a/lib/vtls/polarssl.c | ||
221 | +++ b/lib/vtls/polarssl.c | ||
222 | @@ -375,7 +375,7 @@ polarssl_connect_step1(struct connectdata *conn, | ||
223 | ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); | ||
224 | |||
225 | /* Check if there's a cached ID we can/should use here! */ | ||
226 | - if(data->set.general_ssl.sessionid) { | ||
227 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
228 | void *old_session = NULL; | ||
229 | |||
230 | Curl_ssl_sessionid_lock(conn); | ||
231 | @@ -603,7 +603,7 @@ polarssl_connect_step3(struct connectdata *conn, | ||
232 | |||
233 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
234 | |||
235 | - if(data->set.general_ssl.sessionid) { | ||
236 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
237 | int ret; | ||
238 | ssl_session *our_ssl_sessionid; | ||
239 | void *old_ssl_sessionid = NULL; | ||
240 | diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c | ||
241 | index e0fb2d5..c9b5132 100644 | ||
242 | --- a/lib/vtls/schannel.c | ||
243 | +++ b/lib/vtls/schannel.c | ||
244 | @@ -188,7 +188,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) | ||
245 | connssl->cred = NULL; | ||
246 | |||
247 | /* check for an existing re-usable credential handle */ | ||
248 | - if(data->set.general_ssl.sessionid) { | ||
249 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
250 | Curl_ssl_sessionid_lock(conn); | ||
251 | if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { | ||
252 | connssl->cred = old_cred; | ||
253 | @@ -757,7 +757,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) | ||
254 | #endif | ||
255 | |||
256 | /* save the current session data for possible re-use */ | ||
257 | - if(data->set.general_ssl.sessionid) { | ||
258 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
259 | bool incache; | ||
260 | struct curl_schannel_cred *old_cred = NULL; | ||
261 | |||
262 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
263 | index c6935b5..d5d0971 100644 | ||
264 | --- a/lib/vtls/vtls.c | ||
265 | +++ b/lib/vtls/vtls.c | ||
266 | @@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
267 | CLONE_STRING(egdsocket); | ||
268 | CLONE_STRING(random_file); | ||
269 | CLONE_STRING(clientcert); | ||
270 | + | ||
271 | + /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */ | ||
272 | + dest->sessionid = (dest->clientcert ? false : source->sessionid); | ||
273 | return TRUE; | ||
274 | } | ||
275 | |||
276 | @@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
277 | int port = isProxy ? (int)conn->port : conn->remote_port; | ||
278 | *ssl_sessionid = NULL; | ||
279 | |||
280 | - DEBUGASSERT(data->set.general_ssl.sessionid); | ||
281 | + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); | ||
282 | |||
283 | - if(!data->set.general_ssl.sessionid) | ||
284 | + if(!SSL_SET_OPTION(primary.sessionid)) | ||
285 | /* session ID re-use is disabled */ | ||
286 | return TRUE; | ||
287 | |||
288 | @@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, | ||
289 | &conn->proxy_ssl_config : | ||
290 | &conn->ssl_config; | ||
291 | |||
292 | - DEBUGASSERT(data->set.general_ssl.sessionid); | ||
293 | + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); | ||
294 | |||
295 | clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name); | ||
296 | if(!clone_host) | ||
297 | -- | ||
298 | 1.9.1 | ||
299 | |||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend new file mode 100644 index 0000000..ec4f997 --- /dev/null +++ b/recipes-support/curl/curl_%.bbappend | |||
@@ -0,0 +1,5 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += "file://CVE-2017-7468.patch \ | ||
5 | " | ||