From a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 21 Sep 2017 13:57:04 +0200 Subject: curl: CVE-2017-7468 TLS session resumption client cert bypass (again) References: https://curl.haxx.se/docs/adv_20170419.html https://curl.haxx.se/CVE-2017-7468.patch Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- recipes-support/curl/curl/CVE-2017-7468.patch | 299 ++++++++++++++++++++++++++ recipes-support/curl/curl_%.bbappend | 5 + 2 files changed, 304 insertions(+) create mode 100644 recipes-support/curl/curl/CVE-2017-7468.patch create mode 100644 recipes-support/curl/curl_%.bbappend (limited to 'recipes-support') diff --git a/recipes-support/curl/curl/CVE-2017-7468.patch b/recipes-support/curl/curl/CVE-2017-7468.patch new file mode 100644 index 0000000..184ed51 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-7468.patch @@ -0,0 +1,299 @@ +From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Wed, 22 Mar 2017 01:59:49 -0400 +Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is + used + +Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl +will each have their own sessionid flag. + +Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that +this issue had been fixed in 247d890, CVE-2016-5419. + +Bug: https://github.com/curl/curl/issues/1341 +Reported-by: lijian996@users.noreply.github.com + +CVE: CVE-2017-7468 +Upstream-Status: Backport [backport from curl-7_54_1] + +The new incarnation of this bug is called CVE-2017-7468 and is documented +here: https://curl.haxx.se/docs/adv_20170419.html + +Signed-off-by: Sona Sarmadi +--- + lib/url.c | 5 +++-- + lib/urldata.h | 2 +- + lib/vtls/axtls.c | 4 ++-- + lib/vtls/cyassl.c | 4 ++-- + lib/vtls/darwinssl.c | 2 +- + lib/vtls/gtls.c | 4 ++-- + lib/vtls/mbedtls.c | 4 ++-- + lib/vtls/nss.c | 2 +- + lib/vtls/openssl.c | 4 ++-- + lib/vtls/polarssl.c | 4 ++-- + lib/vtls/schannel.c | 4 ++-- + lib/vtls/vtls.c | 9 ++++++--- + 12 files changed, 26 insertions(+), 22 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 4609f4f..caa28f5 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set) + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +- set->general_ssl.sessionid = TRUE; /* session ID caching enabled by ++ set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by + default */ + set->proxy_ssl = set->ssl; + +@@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, + break; + + case CURLOPT_SSL_SESSIONID_CACHE: +- data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ? ++ data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ? + TRUE : FALSE; ++ data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid; + break; + + #ifdef USE_LIBSSH2 +diff --git a/lib/urldata.h b/lib/urldata.h +index bd7d25d..3c94553 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -360,6 +360,7 @@ struct ssl_primary_config { + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ + char *cipher_list; /* list of ciphers to use */ ++ bool sessionid; /* cache session IDs or not */ + }; + + struct ssl_config_data { +@@ -389,7 +390,6 @@ struct ssl_config_data { + }; + + struct ssl_general_config { +- bool sessionid; /* cache session IDs or not */ + size_t max_ssl_sessions; /* SSL session id cache size */ + }; + +diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c +index af01fe3..f0e3766 100644 +--- a/lib/vtls/axtls.c ++++ b/lib/vtls/axtls.c +@@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex) + * 2) setting up callbacks. these seem gnutls specific + */ + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + const uint8_t *ssl_sessionid; + size_t ssl_idsize; + +@@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex) + conn->send[sockindex] = axtls_send; + + /* Put our freshly minted SSL session in cache */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + const uint8_t *ssl_sessionid = ssl_get_session_id(ssl); + size_t ssl_idsize = ssl_get_session_id_size(ssl); + Curl_ssl_sessionid_lock(conn); +diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c +index 2dfd79d..5f51ad5 100644 +--- a/lib/vtls/cyassl.c ++++ b/lib/vtls/cyassl.c +@@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn, + #endif /* HAVE_ALPN */ + + /* Check if there's a cached ID we can/should use here! */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +@@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn, + + DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; +diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c +index f8697cc..5533dfe 100644 +--- a/lib/vtls/darwinssl.c ++++ b/lib/vtls/darwinssl.c +@@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */ + + /* Check if there's a cached ID we can/should use here! */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + char *ssl_sessionid; + size_t ssl_sessionid_len; + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 51a5aa8..0230778 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn, + + /* This might be a reconnect, so we check for a session ID in the cache + to speed up things */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + void *ssl_sessionid; + size_t ssl_idsize; + +@@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn, + conn->recv[sockindex] = gtls_recv; + conn->send[sockindex] = gtls_send; + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + /* we always unconditionally get the session id here, as even if we + already got it from the cache and asked to use it in the connection, it + might've been rejected and then a new one is in use now and we need to +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index edf30db..3ffa957 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -430,7 +430,7 @@ mbed_connect_step1(struct connectdata *conn, + #endif + + /* Check if there's a cached ID we can/should use here! */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + void *old_session = NULL; + + Curl_ssl_sessionid_lock(conn); +@@ -684,7 +684,7 @@ mbed_connect_step3(struct connectdata *conn, + + DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 1d7047a..4898511 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1720,7 +1720,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + goto error; + + /* do not use SSL cache if disabled or we are not going to verify peer */ +- ssl_no_cache = (data->set.general_ssl.sessionid ++ ssl_no_cache = (SSL_SET_OPTION(primary.sessionid) + && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE; + if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) + goto error; +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index ee07615..58a014a 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2235,7 +2235,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + #endif + + /* Check if there's a cached ID we can/should use here! */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +@@ -2965,7 +2965,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) + + DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index e6ad525..669091c 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -375,7 +375,7 @@ polarssl_connect_step1(struct connectdata *conn, + ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); + + /* Check if there's a cached ID we can/should use here! */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + void *old_session = NULL; + + Curl_ssl_sessionid_lock(conn); +@@ -603,7 +603,7 @@ polarssl_connect_step3(struct connectdata *conn, + + DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); + +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + int ret; + ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index e0fb2d5..c9b5132 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -188,7 +188,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) + connssl->cred = NULL; + + /* check for an existing re-usable credential handle */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(conn); + if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { + connssl->cred = old_cred; +@@ -757,7 +757,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) + #endif + + /* save the current session data for possible re-use */ +- if(data->set.general_ssl.sessionid) { ++ if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + struct curl_schannel_cred *old_cred = NULL; + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index c6935b5..d5d0971 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(egdsocket); + CLONE_STRING(random_file); + CLONE_STRING(clientcert); ++ ++ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */ ++ dest->sessionid = (dest->clientcert ? false : source->sessionid); + return TRUE; + } + +@@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + int port = isProxy ? (int)conn->port : conn->remote_port; + *ssl_sessionid = NULL; + +- DEBUGASSERT(data->set.general_ssl.sessionid); ++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + +- if(!data->set.general_ssl.sessionid) ++ if(!SSL_SET_OPTION(primary.sessionid)) + /* session ID re-use is disabled */ + return TRUE; + +@@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + &conn->proxy_ssl_config : + &conn->ssl_config; + +- DEBUGASSERT(data->set.general_ssl.sessionid); ++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name); + if(!clone_host) +-- +1.9.1 + diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend new file mode 100644 index 0000000..ec4f997 --- /dev/null +++ b/recipes-support/curl/curl_%.bbappend @@ -0,0 +1,5 @@ +# look for files in the layer first +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://CVE-2017-7468.patch \ + " -- cgit v1.2.3-54-g00ecf