diff options
author | Robert Joslyn <robert.joslyn@redrectangle.org> | 2022-05-22 14:15:29 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-25 22:45:50 +0100 |
commit | ee8d859d053bad8274e085b4b46ab52e4025c212 (patch) | |
tree | feea443f964028548ca7532ab0029a3e84d1b6a2 /meta/recipes-support | |
parent | 03cc5f63bc89aa6ef7c3e52400606c4db30da8f7 (diff) | |
download | poky-ee8d859d053bad8274e085b4b46ab52e4025c212.tar.gz |
curl: Backport CVE fixes
Backport patches to address the following CVEs:
* https://curl.se/docs/CVE-2022-22576.html
* https://curl.se/docs/CVE-2022-27775.html
* https://curl.se/docs/CVE-2022-27776.html
* https://curl.se/docs/CVE-2022-27774.html
* https://curl.se/docs/CVE-2022-30115.html
* https://curl.se/docs/CVE-2022-27780.html
* https://curl.se/docs/CVE-2022-27781.html
* https://curl.se/docs/CVE-2022-27779.html
* https://curl.se/docs/CVE-2022-27782.html
(From OE-Core rev: b83c7ae43c372c1870d13ae25ebfad9c68a0928d)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-22576.patch | 145 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27774-1.patch | 45 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27774-2.patch | 80 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27774-3.patch | 83 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27774-4.patch | 35 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27775.patch | 37 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27776.patch | 115 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27779.patch | 42 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27780.patch | 33 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27781.patch | 43 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27782-1.patch | 458 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27782-2.patch | 71 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-30115.patch | 82 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 16 |
14 files changed, 1284 insertions, 1 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch new file mode 100644 index 0000000000..469cf220ba --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch | |||
@@ -0,0 +1,145 @@ | |||
1 | From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Mon, 25 Apr 2022 11:44:05 +0200 | ||
4 | Subject: [PATCH] url: check sasl additional parameters for connection reuse. | ||
5 | |||
6 | Also move static function safecmp() as non-static Curl_safecmp() since | ||
7 | its purpose is needed at several places. | ||
8 | |||
9 | Bug: https://curl.se/docs/CVE-2022-22576.html | ||
10 | |||
11 | CVE-2022-22576 | ||
12 | |||
13 | Closes #8746 | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425] | ||
16 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
17 | --- | ||
18 | lib/strcase.c | 10 ++++++++++ | ||
19 | lib/strcase.h | 2 ++ | ||
20 | lib/url.c | 13 ++++++++++++- | ||
21 | lib/urldata.h | 1 + | ||
22 | lib/vtls/vtls.c | 21 ++++++--------------- | ||
23 | 5 files changed, 31 insertions(+), 16 deletions(-) | ||
24 | |||
25 | diff --git a/lib/strcase.c b/lib/strcase.c | ||
26 | index dd46ca1..692a3f1 100644 | ||
27 | --- a/lib/strcase.c | ||
28 | +++ b/lib/strcase.c | ||
29 | @@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) | ||
30 | } while(*src++ && --n); | ||
31 | } | ||
32 | |||
33 | +/* Compare case-sensitive NUL-terminated strings, taking care of possible | ||
34 | + * null pointers. Return true if arguments match. | ||
35 | + */ | ||
36 | +bool Curl_safecmp(char *a, char *b) | ||
37 | +{ | ||
38 | + if(a && b) | ||
39 | + return !strcmp(a, b); | ||
40 | + return !a && !b; | ||
41 | +} | ||
42 | + | ||
43 | /* --- public functions --- */ | ||
44 | |||
45 | int curl_strequal(const char *first, const char *second) | ||
46 | diff --git a/lib/strcase.h b/lib/strcase.h | ||
47 | index b628656..382b80a 100644 | ||
48 | --- a/lib/strcase.h | ||
49 | +++ b/lib/strcase.h | ||
50 | @@ -47,4 +47,6 @@ char Curl_raw_toupper(char in); | ||
51 | void Curl_strntoupper(char *dest, const char *src, size_t n); | ||
52 | void Curl_strntolower(char *dest, const char *src, size_t n); | ||
53 | |||
54 | +bool Curl_safecmp(char *a, char *b); | ||
55 | + | ||
56 | #endif /* HEADER_CURL_STRCASE_H */ | ||
57 | diff --git a/lib/url.c b/lib/url.c | ||
58 | index adef2cd..94e3406 100644 | ||
59 | --- a/lib/url.c | ||
60 | +++ b/lib/url.c | ||
61 | @@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn) | ||
62 | Curl_safefree(conn->passwd); | ||
63 | Curl_safefree(conn->sasl_authzid); | ||
64 | Curl_safefree(conn->options); | ||
65 | + Curl_safefree(conn->oauth_bearer); | ||
66 | Curl_dyn_free(&conn->trailer); | ||
67 | Curl_safefree(conn->host.rawalloc); /* host name buffer */ | ||
68 | Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ | ||
69 | @@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data, | ||
70 | /* This protocol requires credentials per connection, | ||
71 | so verify that we're using the same name and password as well */ | ||
72 | if(strcmp(needle->user, check->user) || | ||
73 | - strcmp(needle->passwd, check->passwd)) { | ||
74 | + strcmp(needle->passwd, check->passwd) || | ||
75 | + !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || | ||
76 | + !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
77 | /* one of them was different */ | ||
78 | continue; | ||
79 | } | ||
80 | @@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
81 | } | ||
82 | } | ||
83 | |||
84 | + if(data->set.str[STRING_BEARER]) { | ||
85 | + conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); | ||
86 | + if(!conn->oauth_bearer) { | ||
87 | + result = CURLE_OUT_OF_MEMORY; | ||
88 | + goto out; | ||
89 | + } | ||
90 | + } | ||
91 | + | ||
92 | #ifdef USE_UNIX_SOCKETS | ||
93 | if(data->set.str[STRING_UNIX_SOCKET_PATH]) { | ||
94 | conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); | ||
95 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
96 | index cc8a600..03da59a 100644 | ||
97 | --- a/lib/urldata.h | ||
98 | +++ b/lib/urldata.h | ||
99 | @@ -984,6 +984,7 @@ struct connectdata { | ||
100 | char *passwd; /* password string, allocated */ | ||
101 | char *options; /* options string, allocated */ | ||
102 | char *sasl_authzid; /* authorisation identity string, allocated */ | ||
103 | + char *oauth_bearer; /* OAUTH2 bearer, allocated */ | ||
104 | unsigned char httpversion; /* the HTTP version*10 reported by the server */ | ||
105 | struct curltime now; /* "current" time */ | ||
106 | struct curltime created; /* creation time */ | ||
107 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
108 | index 03b85ba..a40ac06 100644 | ||
109 | --- a/lib/vtls/vtls.c | ||
110 | +++ b/lib/vtls/vtls.c | ||
111 | @@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) | ||
112 | return !memcmp(first->data, second->data, first->len); /* same data */ | ||
113 | } | ||
114 | |||
115 | -static bool safecmp(char *a, char *b) | ||
116 | -{ | ||
117 | - if(a && b) | ||
118 | - return !strcmp(a, b); | ||
119 | - else if(!a && !b) | ||
120 | - return TRUE; /* match */ | ||
121 | - return FALSE; /* no match */ | ||
122 | -} | ||
123 | - | ||
124 | |||
125 | bool | ||
126 | Curl_ssl_config_matches(struct ssl_primary_config *data, | ||
127 | @@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, | ||
128 | blobcmp(data->cert_blob, needle->cert_blob) && | ||
129 | blobcmp(data->ca_info_blob, needle->ca_info_blob) && | ||
130 | blobcmp(data->issuercert_blob, needle->issuercert_blob) && | ||
131 | - safecmp(data->CApath, needle->CApath) && | ||
132 | - safecmp(data->CAfile, needle->CAfile) && | ||
133 | - safecmp(data->issuercert, needle->issuercert) && | ||
134 | - safecmp(data->clientcert, needle->clientcert) && | ||
135 | - safecmp(data->random_file, needle->random_file) && | ||
136 | - safecmp(data->egdsocket, needle->egdsocket) && | ||
137 | + Curl_safecmp(data->CApath, needle->CApath) && | ||
138 | + Curl_safecmp(data->CAfile, needle->CAfile) && | ||
139 | + Curl_safecmp(data->issuercert, needle->issuercert) && | ||
140 | + Curl_safecmp(data->clientcert, needle->clientcert) && | ||
141 | + Curl_safecmp(data->random_file, needle->random_file) && | ||
142 | + Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
143 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
144 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
145 | Curl_safe_strcasecompare(data->curves, needle->curves) && | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch new file mode 100644 index 0000000000..f24003fd79 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 16:24:33 +0200 | ||
4 | Subject: [PATCH] connect: store "conn_remote_port" in the info struct | ||
5 | |||
6 | To make it available after the connection ended. | ||
7 | |||
8 | Prerequisite for the patches that address CVE-2022-27774. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839] | ||
11 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
12 | --- | ||
13 | lib/connect.c | 1 + | ||
14 | lib/urldata.h | 6 +++++- | ||
15 | 2 files changed, 6 insertions(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/lib/connect.c b/lib/connect.c | ||
18 | index 64f9511..7518807 100644 | ||
19 | --- a/lib/connect.c | ||
20 | +++ b/lib/connect.c | ||
21 | @@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, | ||
22 | data->info.conn_scheme = conn->handler->scheme; | ||
23 | data->info.conn_protocol = conn->handler->protocol; | ||
24 | data->info.conn_primary_port = conn->port; | ||
25 | + data->info.conn_remote_port = conn->remote_port; | ||
26 | data->info.conn_local_port = local_port; | ||
27 | } | ||
28 | |||
29 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
30 | index f92052a..5218f76 100644 | ||
31 | --- a/lib/urldata.h | ||
32 | +++ b/lib/urldata.h | ||
33 | @@ -1160,7 +1160,11 @@ struct PureInfo { | ||
34 | reused, in the connection cache. */ | ||
35 | |||
36 | char conn_primary_ip[MAX_IPADR_LEN]; | ||
37 | - int conn_primary_port; | ||
38 | + int conn_primary_port; /* this is the destination port to the connection, | ||
39 | + which might have been a proxy */ | ||
40 | + int conn_remote_port; /* this is the "remote port", which is the port | ||
41 | + number of the used URL, independent of proxy or | ||
42 | + not */ | ||
43 | char conn_local_ip[MAX_IPADR_LEN]; | ||
44 | int conn_local_port; | ||
45 | const char *conn_scheme; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch new file mode 100644 index 0000000000..9739634dfe --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 16:24:33 +0200 | ||
4 | Subject: [PATCH] transfer: redirects to other protocols or ports clear auth | ||
5 | |||
6 | ... unless explicitly permitted. | ||
7 | |||
8 | Bug: https://curl.se/docs/CVE-2022-27774.html | ||
9 | Reported-by: Harry Sintonen | ||
10 | Closes #8748 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- | ||
16 | 1 file changed, 48 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/transfer.c b/lib/transfer.c | ||
19 | index 1f8019b..752fe14 100644 | ||
20 | --- a/lib/transfer.c | ||
21 | +++ b/lib/transfer.c | ||
22 | @@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
23 | return CURLE_OUT_OF_MEMORY; | ||
24 | } | ||
25 | else { | ||
26 | - | ||
27 | uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); | ||
28 | if(uc) | ||
29 | return Curl_uc_to_curlcode(uc); | ||
30 | + | ||
31 | + /* Clear auth if this redirects to a different port number or protocol, | ||
32 | + unless permitted */ | ||
33 | + if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { | ||
34 | + char *portnum; | ||
35 | + int port; | ||
36 | + bool clear = FALSE; | ||
37 | + | ||
38 | + if(data->set.use_port && data->state.allow_port) | ||
39 | + /* a custom port is used */ | ||
40 | + port = (int)data->set.use_port; | ||
41 | + else { | ||
42 | + uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, | ||
43 | + CURLU_DEFAULT_PORT); | ||
44 | + if(uc) { | ||
45 | + free(newurl); | ||
46 | + return Curl_uc_to_curlcode(uc); | ||
47 | + } | ||
48 | + port = atoi(portnum); | ||
49 | + free(portnum); | ||
50 | + } | ||
51 | + if(port != data->info.conn_remote_port) { | ||
52 | + infof(data, "Clear auth, redirects to port from %u to %u", | ||
53 | + data->info.conn_remote_port, port); | ||
54 | + clear = TRUE; | ||
55 | + } | ||
56 | + else { | ||
57 | + char *scheme; | ||
58 | + const struct Curl_handler *p; | ||
59 | + uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); | ||
60 | + if(uc) { | ||
61 | + free(newurl); | ||
62 | + return Curl_uc_to_curlcode(uc); | ||
63 | + } | ||
64 | + | ||
65 | + p = Curl_builtin_scheme(scheme); | ||
66 | + if(p && (p->protocol != data->info.conn_protocol)) { | ||
67 | + infof(data, "Clear auth, redirects scheme from %s to %s", | ||
68 | + data->info.conn_scheme, scheme); | ||
69 | + clear = TRUE; | ||
70 | + } | ||
71 | + free(scheme); | ||
72 | + } | ||
73 | + if(clear) { | ||
74 | + Curl_safefree(data->state.aptr.user); | ||
75 | + Curl_safefree(data->state.aptr.passwd); | ||
76 | + } | ||
77 | + } | ||
78 | } | ||
79 | |||
80 | if(type == FOLLOW_FAKE) { | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch new file mode 100644 index 0000000000..e4e8c294a6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 17:59:15 +0200 | ||
4 | Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either | ||
5 | |||
6 | Follow-up to 620ea21410030 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #8751 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | lib/http.c | 10 +++++----- | ||
15 | lib/http.h | 6 ++++++ | ||
16 | lib/vtls/openssl.c | 3 ++- | ||
17 | 3 files changed, 13 insertions(+), 6 deletions(-) | ||
18 | |||
19 | diff --git a/lib/http.c b/lib/http.c | ||
20 | index 0791dcf..4433824 100644 | ||
21 | --- a/lib/http.c | ||
22 | +++ b/lib/http.c | ||
23 | @@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, | ||
24 | } | ||
25 | |||
26 | /* | ||
27 | - * allow_auth_to_host() tells if autentication, cookies or other "sensitive | ||
28 | - * data" can (still) be sent to this host. | ||
29 | + * Curl_allow_auth_to_host() tells if authentication, cookies or other | ||
30 | + * "sensitive data" can (still) be sent to this host. | ||
31 | */ | ||
32 | -static bool allow_auth_to_host(struct Curl_easy *data) | ||
33 | +bool Curl_allow_auth_to_host(struct Curl_easy *data) | ||
34 | { | ||
35 | struct connectdata *conn = data->conn; | ||
36 | return (!data->state.this_is_a_follow || | ||
37 | @@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, | ||
38 | |||
39 | /* To prevent the user+password to get sent to other than the original host | ||
40 | due to a location-follow */ | ||
41 | - if(allow_auth_to_host(data) | ||
42 | + if(Curl_allow_auth_to_host(data) | ||
43 | #ifndef CURL_DISABLE_NETRC | ||
44 | || conn->bits.netrc | ||
45 | #endif | ||
46 | @@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, | ||
47 | checkprefix("Cookie:", compare)) && | ||
48 | /* be careful of sending this potentially sensitive header to | ||
49 | other hosts */ | ||
50 | - !allow_auth_to_host(data)) | ||
51 | + !Curl_allow_auth_to_host(data)) | ||
52 | ; | ||
53 | else { | ||
54 | #ifdef USE_HYPER | ||
55 | diff --git a/lib/http.h b/lib/http.h | ||
56 | index 07e963d..9000bae 100644 | ||
57 | --- a/lib/http.h | ||
58 | +++ b/lib/http.h | ||
59 | @@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data, | ||
60 | bool proxytunnel); /* TRUE if this is the request setting | ||
61 | up the proxy tunnel */ | ||
62 | |||
63 | +/* | ||
64 | + * Curl_allow_auth_to_host() tells if authentication, cookies or other | ||
65 | + * "sensitive data" can (still) be sent to this host. | ||
66 | + */ | ||
67 | +bool Curl_allow_auth_to_host(struct Curl_easy *data); | ||
68 | + | ||
69 | #endif /* HEADER_CURL_HTTP_H */ | ||
70 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
71 | index 616a510..e8633f4 100644 | ||
72 | --- a/lib/vtls/openssl.c | ||
73 | +++ b/lib/vtls/openssl.c | ||
74 | @@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | ||
75 | #endif | ||
76 | |||
77 | #ifdef USE_OPENSSL_SRP | ||
78 | - if(ssl_authtype == CURL_TLSAUTH_SRP) { | ||
79 | + if((ssl_authtype == CURL_TLSAUTH_SRP) && | ||
80 | + Curl_allow_auth_to_host(data)) { | ||
81 | char * const ssl_username = SSL_SET_OPTION(username); | ||
82 | |||
83 | infof(data, "Using TLS-SRP username: %s", ssl_username); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch new file mode 100644 index 0000000000..a642336797 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 26 Apr 2022 07:46:19 +0200 | ||
4 | Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects | ||
5 | |||
6 | Follow-up to 620ea21410030 and 139a54ed0a172a | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #8752 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | lib/vtls/gtls.c | 6 +++--- | ||
15 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
16 | |||
17 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
18 | index 5749376..fe45b3a 100644 | ||
19 | --- a/lib/vtls/gtls.c | ||
20 | +++ b/lib/vtls/gtls.c | ||
21 | @@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data, | ||
22 | } | ||
23 | |||
24 | #ifdef HAVE_GNUTLS_SRP | ||
25 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
26 | + if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && | ||
27 | + Curl_allow_auth_to_host(data)) { | ||
28 | infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); | ||
29 | |||
30 | - rc = gnutls_srp_allocate_client_credentials( | ||
31 | - &backend->srp_client_cred); | ||
32 | + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); | ||
33 | if(rc != GNUTLS_E_SUCCESS) { | ||
34 | failf(data, "gnutls_srp_allocate_client_cred() failed: %s", | ||
35 | gnutls_strerror(rc)); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch new file mode 100644 index 0000000000..666a906352 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 11:48:00 +0200 | ||
4 | Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey | ||
5 | |||
6 | Make connections to two separate IPv6 zone ids create separate | ||
7 | connections. | ||
8 | |||
9 | Reported-by: Harry Sintonen | ||
10 | Bug: https://curl.se/docs/CVE-2022-27775.html | ||
11 | Closes #8747 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705] | ||
14 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
15 | --- | ||
16 | lib/conncache.c | 8 ++++++-- | ||
17 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
18 | |||
19 | diff --git a/lib/conncache.c b/lib/conncache.c | ||
20 | index cd5756a..9b9f683 100644 | ||
21 | --- a/lib/conncache.c | ||
22 | +++ b/lib/conncache.c | ||
23 | @@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf, | ||
24 | /* report back which name we used */ | ||
25 | *hostp = hostname; | ||
26 | |||
27 | - /* put the number first so that the hostname gets cut off if too long */ | ||
28 | - msnprintf(buf, len, "%ld%s", port, hostname); | ||
29 | + /* put the numbers first so that the hostname gets cut off if too long */ | ||
30 | +#ifdef ENABLE_IPV6 | ||
31 | + msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); | ||
32 | +#else | ||
33 | + msnprintf(buf, len, "%ld/%s", port, hostname); | ||
34 | +#endif | ||
35 | Curl_strntolower(buf, buf, len); | ||
36 | } | ||
37 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch new file mode 100644 index 0000000000..2feee45200 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch | |||
@@ -0,0 +1,115 @@ | |||
1 | From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 13:05:40 +0200 | ||
4 | Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port | ||
5 | |||
6 | CVE-2022-27776 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27776.html | ||
10 | Closes #8749 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/http.c | 34 ++++++++++++++++++++++------------ | ||
16 | lib/urldata.h | 16 +++++++++------- | ||
17 | 2 files changed, 31 insertions(+), 19 deletions(-) | ||
18 | |||
19 | diff --git a/lib/http.c b/lib/http.c | ||
20 | index 799d4fb..0791dcf 100644 | ||
21 | --- a/lib/http.c | ||
22 | +++ b/lib/http.c | ||
23 | @@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, | ||
24 | return CURLE_OK; | ||
25 | } | ||
26 | |||
27 | +/* | ||
28 | + * allow_auth_to_host() tells if autentication, cookies or other "sensitive | ||
29 | + * data" can (still) be sent to this host. | ||
30 | + */ | ||
31 | +static bool allow_auth_to_host(struct Curl_easy *data) | ||
32 | +{ | ||
33 | + struct connectdata *conn = data->conn; | ||
34 | + return (!data->state.this_is_a_follow || | ||
35 | + data->set.allow_auth_to_other_hosts || | ||
36 | + (data->state.first_host && | ||
37 | + strcasecompare(data->state.first_host, conn->host.name) && | ||
38 | + (data->state.first_remote_port == conn->remote_port) && | ||
39 | + (data->state.first_remote_protocol == conn->handler->protocol))); | ||
40 | +} | ||
41 | + | ||
42 | /** | ||
43 | * Curl_http_output_auth() setups the authentication headers for the | ||
44 | * host/proxy and the correct authentication | ||
45 | @@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data, | ||
46 | with it */ | ||
47 | authproxy->done = TRUE; | ||
48 | |||
49 | - /* To prevent the user+password to get sent to other than the original | ||
50 | - host due to a location-follow, we do some weirdo checks here */ | ||
51 | - if(!data->state.this_is_a_follow || | ||
52 | + /* To prevent the user+password to get sent to other than the original host | ||
53 | + due to a location-follow */ | ||
54 | + if(allow_auth_to_host(data) | ||
55 | #ifndef CURL_DISABLE_NETRC | ||
56 | - conn->bits.netrc || | ||
57 | + || conn->bits.netrc | ||
58 | #endif | ||
59 | - !data->state.first_host || | ||
60 | - data->set.allow_auth_to_other_hosts || | ||
61 | - strcasecompare(data->state.first_host, conn->host.name)) { | ||
62 | + ) | ||
63 | result = output_auth_headers(data, conn, authhost, request, path, FALSE); | ||
64 | - } | ||
65 | else | ||
66 | authhost->done = TRUE; | ||
67 | |||
68 | @@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, | ||
69 | checkprefix("Cookie:", compare)) && | ||
70 | /* be careful of sending this potentially sensitive header to | ||
71 | other hosts */ | ||
72 | - (data->state.this_is_a_follow && | ||
73 | - data->state.first_host && | ||
74 | - !data->set.allow_auth_to_other_hosts && | ||
75 | - !strcasecompare(data->state.first_host, conn->host.name))) | ||
76 | + !allow_auth_to_host(data)) | ||
77 | ; | ||
78 | else { | ||
79 | #ifdef USE_HYPER | ||
80 | @@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) | ||
81 | return CURLE_OUT_OF_MEMORY; | ||
82 | |||
83 | data->state.first_remote_port = conn->remote_port; | ||
84 | + data->state.first_remote_protocol = conn->handler->protocol; | ||
85 | } | ||
86 | Curl_safefree(data->state.aptr.host); | ||
87 | |||
88 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
89 | index 03da59a..f92052a 100644 | ||
90 | --- a/lib/urldata.h | ||
91 | +++ b/lib/urldata.h | ||
92 | @@ -1329,14 +1329,16 @@ struct UrlState { | ||
93 | char *ulbuf; /* allocated upload buffer or NULL */ | ||
94 | curl_off_t current_speed; /* the ProgressShow() function sets this, | ||
95 | bytes / second */ | ||
96 | - char *first_host; /* host name of the first (not followed) request. | ||
97 | - if set, this should be the host name that we will | ||
98 | - sent authorization to, no else. Used to make Location: | ||
99 | - following not keep sending user+password... This is | ||
100 | - strdup() data. | ||
101 | - */ | ||
102 | + | ||
103 | + /* host name, port number and protocol of the first (not followed) request. | ||
104 | + if set, this should be the host name that we will sent authorization to, | ||
105 | + no else. Used to make Location: following not keep sending user+password. | ||
106 | + This is strdup()ed data. */ | ||
107 | + char *first_host; | ||
108 | + int first_remote_port; | ||
109 | + unsigned int first_remote_protocol; | ||
110 | + | ||
111 | int retrycount; /* number of retries on a new connection */ | ||
112 | - int first_remote_port; /* remote port of the first (not followed) request */ | ||
113 | struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ | ||
114 | long sessionage; /* number of the most recent session */ | ||
115 | struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27779.patch b/meta/recipes-support/curl/curl/CVE-2022-27779.patch new file mode 100644 index 0000000000..235be900a3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27779.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 16:47:06 +0200 | ||
4 | Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine | ||
5 | |||
6 | The check for a dot in the domain must not consider a single trailing | ||
7 | dot to be fine, as then TLD + trailing dot is fine and curl will accept | ||
8 | setting cookies for it. | ||
9 | |||
10 | CVE-2022-27779 | ||
11 | |||
12 | Reported-by: Axel Chong | ||
13 | Bug: https://curl.se/docs/CVE-2022-27779.html | ||
14 | Closes #8820 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59] | ||
17 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
18 | --- | ||
19 | lib/cookie.c | 10 +++++++++- | ||
20 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
23 | index d418efa..1b8c8f9 100644 | ||
24 | --- a/lib/cookie.c | ||
25 | +++ b/lib/cookie.c | ||
26 | @@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) | ||
27 | /* Make sure domain contains a dot or is localhost. */ | ||
28 | static bool bad_domain(const char *domain) | ||
29 | { | ||
30 | - return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); | ||
31 | + if(strcasecompare(domain, "localhost")) | ||
32 | + return FALSE; | ||
33 | + else { | ||
34 | + /* there must be a dot present, but that dot must not be a trailing dot */ | ||
35 | + char *dot = strchr(domain, '.'); | ||
36 | + if(dot) | ||
37 | + return dot[1] ? FALSE : TRUE; | ||
38 | + } | ||
39 | + return TRUE; | ||
40 | } | ||
41 | |||
42 | /* | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27780.patch b/meta/recipes-support/curl/curl/CVE-2022-27780.patch new file mode 100644 index 0000000000..8820af3f74 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27780.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 08:19:38 +0200 | ||
4 | Subject: [PATCH] urlapi: reject percent-decoding host name into separator | ||
5 | bytes | ||
6 | |||
7 | CVE-2022-27780 | ||
8 | |||
9 | Reported-by: Axel Chong | ||
10 | Bug: https://curl.se/docs/CVE-2022-27780.html | ||
11 | Closes #8826 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a] | ||
14 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
15 | --- | ||
16 | lib/urlapi.c | 4 ++-- | ||
17 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
18 | |||
19 | diff --git a/lib/urlapi.c b/lib/urlapi.c | ||
20 | index ff00ee4..00222fc 100644 | ||
21 | --- a/lib/urlapi.c | ||
22 | +++ b/lib/urlapi.c | ||
23 | @@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) | ||
24 | #endif | ||
25 | } | ||
26 | else { | ||
27 | - /* letters from the second string is not ok */ | ||
28 | - len = strcspn(hostname, " \r\n"); | ||
29 | + /* letters from the second string are not ok */ | ||
30 | + len = strcspn(hostname, " \r\n\t/:#?!@"); | ||
31 | if(hlen != len) | ||
32 | /* hostname with bad content */ | ||
33 | return CURLUE_BAD_HOSTNAME; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch new file mode 100644 index 0000000000..52f39a0cc5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 10:07:15 +0200 | ||
4 | Subject: [PATCH] nss: return error if seemingly stuck in a cert loop | ||
5 | |||
6 | CVE-2022-27781 | ||
7 | |||
8 | Reported-by: Florian Kohnhäuser | ||
9 | Bug: https://curl.se/docs/CVE-2022-27781.html | ||
10 | Closes #8822 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/vtls/nss.c | 8 ++++++++ | ||
16 | 1 file changed, 8 insertions(+) | ||
17 | |||
18 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
19 | index 558e3be..52f2060 100644 | ||
20 | --- a/lib/vtls/nss.c | ||
21 | +++ b/lib/vtls/nss.c | ||
22 | @@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, | ||
23 | PR_Free(common_name); | ||
24 | } | ||
25 | |||
26 | +/* A number of certs that will never occur in a real server handshake */ | ||
27 | +#define TOO_MANY_CERTS 300 | ||
28 | + | ||
29 | static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) | ||
30 | { | ||
31 | CURLcode result = CURLE_OK; | ||
32 | @@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) | ||
33 | cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); | ||
34 | while(cert2) { | ||
35 | i++; | ||
36 | + if(i >= TOO_MANY_CERTS) { | ||
37 | + CERT_DestroyCertificate(cert2); | ||
38 | + failf(data, "certificate loop"); | ||
39 | + return CURLE_SSL_CERTPROBLEM; | ||
40 | + } | ||
41 | if(cert2->isRoot) { | ||
42 | CERT_DestroyCertificate(cert2); | ||
43 | break; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..ce2599be81 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch | |||
@@ -0,0 +1,458 @@ | |||
1 | From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 23:13:53 +0200 | ||
4 | Subject: [PATCH] tls: check more TLS details for connection reuse | ||
5 | |||
6 | CVE-2022-27782 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27782.html | ||
10 | Closes #8825 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/setopt.c | 29 +++++++++++++++++------------ | ||
16 | lib/url.c | 23 ++++++++++++++++------- | ||
17 | lib/urldata.h | 13 +++++++------ | ||
18 | lib/vtls/gtls.c | 32 +++++++++++++++++--------------- | ||
19 | lib/vtls/mbedtls.c | 2 +- | ||
20 | lib/vtls/nss.c | 6 +++--- | ||
21 | lib/vtls/openssl.c | 10 +++++----- | ||
22 | lib/vtls/vtls.c | 21 +++++++++++++++++++++ | ||
23 | 8 files changed, 87 insertions(+), 49 deletions(-) | ||
24 | |||
25 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
26 | index 8e1bf12..7aa6fdb 100644 | ||
27 | --- a/lib/setopt.c | ||
28 | +++ b/lib/setopt.c | ||
29 | @@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
30 | |||
31 | case CURLOPT_SSL_OPTIONS: | ||
32 | arg = va_arg(param, long); | ||
33 | + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
34 | data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); | ||
35 | data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
36 | data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); | ||
37 | @@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
38 | #ifndef CURL_DISABLE_PROXY | ||
39 | case CURLOPT_PROXY_SSL_OPTIONS: | ||
40 | arg = va_arg(param, long); | ||
41 | + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
42 | data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); | ||
43 | data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
44 | data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); | ||
45 | @@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
46 | case CURLOPT_TLSAUTH_USERNAME: | ||
47 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], | ||
48 | va_arg(param, char *)); | ||
49 | - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) | ||
50 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
51 | + if(data->set.str[STRING_TLSAUTH_USERNAME] && | ||
52 | + !data->set.ssl.primary.authtype) | ||
53 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
54 | break; | ||
55 | #ifndef CURL_DISABLE_PROXY | ||
56 | case CURLOPT_PROXY_TLSAUTH_USERNAME: | ||
57 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], | ||
58 | va_arg(param, char *)); | ||
59 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
60 | - !data->set.proxy_ssl.authtype) | ||
61 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
62 | + !data->set.proxy_ssl.primary.authtype) | ||
63 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to | ||
64 | + SRP */ | ||
65 | break; | ||
66 | #endif | ||
67 | case CURLOPT_TLSAUTH_PASSWORD: | ||
68 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], | ||
69 | va_arg(param, char *)); | ||
70 | - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) | ||
71 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
72 | + if(data->set.str[STRING_TLSAUTH_USERNAME] && | ||
73 | + !data->set.ssl.primary.authtype) | ||
74 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ | ||
75 | break; | ||
76 | #ifndef CURL_DISABLE_PROXY | ||
77 | case CURLOPT_PROXY_TLSAUTH_PASSWORD: | ||
78 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], | ||
79 | va_arg(param, char *)); | ||
80 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
81 | - !data->set.proxy_ssl.authtype) | ||
82 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
83 | + !data->set.proxy_ssl.primary.authtype) | ||
84 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ | ||
85 | break; | ||
86 | #endif | ||
87 | case CURLOPT_TLSAUTH_TYPE: | ||
88 | argptr = va_arg(param, char *); | ||
89 | if(!argptr || | ||
90 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
91 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; | ||
92 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
93 | else | ||
94 | - data->set.ssl.authtype = CURL_TLSAUTH_NONE; | ||
95 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
96 | break; | ||
97 | #ifndef CURL_DISABLE_PROXY | ||
98 | case CURLOPT_PROXY_TLSAUTH_TYPE: | ||
99 | argptr = va_arg(param, char *); | ||
100 | if(!argptr || | ||
101 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
102 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; | ||
103 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
104 | else | ||
105 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; | ||
106 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
107 | break; | ||
108 | #endif | ||
109 | #endif | ||
110 | diff --git a/lib/url.c b/lib/url.c | ||
111 | index 94e3406..5ebf5e2 100644 | ||
112 | --- a/lib/url.c | ||
113 | +++ b/lib/url.c | ||
114 | @@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) | ||
115 | set->ssl.primary.verifypeer = TRUE; | ||
116 | set->ssl.primary.verifyhost = TRUE; | ||
117 | #ifdef USE_TLS_SRP | ||
118 | - set->ssl.authtype = CURL_TLSAUTH_NONE; | ||
119 | + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
120 | #endif | ||
121 | set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth | ||
122 | type */ | ||
123 | @@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) | ||
124 | conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; | ||
125 | conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; | ||
126 | conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; | ||
127 | + conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; | ||
128 | +#ifdef USE_TLS_SRP | ||
129 | +#endif | ||
130 | #ifndef CURL_DISABLE_PROXY | ||
131 | conn->proxy_ssl_config.verifystatus = | ||
132 | data->set.proxy_ssl.primary.verifystatus; | ||
133 | conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; | ||
134 | conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; | ||
135 | + conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; | ||
136 | +#ifdef USE_TLS_SRP | ||
137 | +#endif | ||
138 | #endif | ||
139 | conn->ip_version = data->set.ipver; | ||
140 | conn->bits.connect_only = data->set.connect_only; | ||
141 | @@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
142 | data->set.str[STRING_SSL_ISSUERCERT_PROXY]; | ||
143 | data->set.proxy_ssl.primary.issuercert_blob = | ||
144 | data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; | ||
145 | - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
146 | + data->set.proxy_ssl.primary.CRLfile = | ||
147 | + data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
148 | data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; | ||
149 | data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; | ||
150 | data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; | ||
151 | @@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
152 | data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; | ||
153 | data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; | ||
154 | #endif | ||
155 | - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; | ||
156 | + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; | ||
157 | data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; | ||
158 | data->set.ssl.key = data->set.str[STRING_KEY]; | ||
159 | data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; | ||
160 | data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; | ||
161 | data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; | ||
162 | #ifdef USE_TLS_SRP | ||
163 | - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; | ||
164 | - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; | ||
165 | + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; | ||
166 | + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; | ||
167 | #ifndef CURL_DISABLE_PROXY | ||
168 | - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
169 | - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
170 | + data->set.proxy_ssl.primary.username = | ||
171 | + data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
172 | + data->set.proxy_ssl.primary.password = | ||
173 | + data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
174 | #endif | ||
175 | #endif | ||
176 | data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; | ||
177 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
178 | index 5218f76..e006495 100644 | ||
179 | --- a/lib/urldata.h | ||
180 | +++ b/lib/urldata.h | ||
181 | @@ -253,10 +253,17 @@ struct ssl_primary_config { | ||
182 | char *cipher_list; /* list of ciphers to use */ | ||
183 | char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ | ||
184 | char *pinned_key; | ||
185 | + char *CRLfile; /* CRL to check certificate revocation */ | ||
186 | struct curl_blob *cert_blob; | ||
187 | struct curl_blob *ca_info_blob; | ||
188 | struct curl_blob *issuercert_blob; | ||
189 | +#ifdef USE_TLS_SRP | ||
190 | + char *username; /* TLS username (for, e.g., SRP) */ | ||
191 | + char *password; /* TLS password (for, e.g., SRP) */ | ||
192 | + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
193 | +#endif | ||
194 | char *curves; /* list of curves to use */ | ||
195 | + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ | ||
196 | BIT(verifypeer); /* set TRUE if this is desired */ | ||
197 | BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ | ||
198 | BIT(verifystatus); /* set TRUE if certificate status must be checked */ | ||
199 | @@ -266,7 +273,6 @@ struct ssl_primary_config { | ||
200 | struct ssl_config_data { | ||
201 | struct ssl_primary_config primary; | ||
202 | long certverifyresult; /* result from the certificate verification */ | ||
203 | - char *CRLfile; /* CRL to check certificate revocation */ | ||
204 | curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ | ||
205 | void *fsslctxp; /* parameter for call back */ | ||
206 | char *cert_type; /* format for certificate (default: PEM)*/ | ||
207 | @@ -274,11 +280,6 @@ struct ssl_config_data { | ||
208 | struct curl_blob *key_blob; | ||
209 | char *key_type; /* format for private key (default: PEM) */ | ||
210 | char *key_passwd; /* plain text private key password */ | ||
211 | -#ifdef USE_TLS_SRP | ||
212 | - char *username; /* TLS username (for, e.g., SRP) */ | ||
213 | - char *password; /* TLS password (for, e.g., SRP) */ | ||
214 | - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
215 | -#endif | ||
216 | BIT(certinfo); /* gather lots of certificate info */ | ||
217 | BIT(falsestart); | ||
218 | BIT(enable_beast); /* allow this flaw for interoperability's sake*/ | ||
219 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
220 | index fe45b3a..3c31782 100644 | ||
221 | --- a/lib/vtls/gtls.c | ||
222 | +++ b/lib/vtls/gtls.c | ||
223 | @@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data, | ||
224 | } | ||
225 | |||
226 | #ifdef HAVE_GNUTLS_SRP | ||
227 | - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && | ||
228 | + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && | ||
229 | Curl_allow_auth_to_host(data)) { | ||
230 | - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); | ||
231 | + infof(data, "Using TLS-SRP username: %s", | ||
232 | + SSL_SET_OPTION(primary.username)); | ||
233 | |||
234 | rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); | ||
235 | if(rc != GNUTLS_E_SUCCESS) { | ||
236 | @@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data, | ||
237 | } | ||
238 | |||
239 | rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, | ||
240 | - SSL_SET_OPTION(username), | ||
241 | - SSL_SET_OPTION(password)); | ||
242 | + SSL_SET_OPTION(primary.username), | ||
243 | + SSL_SET_OPTION(primary.password)); | ||
244 | if(rc != GNUTLS_E_SUCCESS) { | ||
245 | failf(data, "gnutls_srp_set_client_cred() failed: %s", | ||
246 | gnutls_strerror(rc)); | ||
247 | @@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data, | ||
248 | } | ||
249 | #endif | ||
250 | |||
251 | - if(SSL_SET_OPTION(CRLfile)) { | ||
252 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
253 | /* set the CRL list file */ | ||
254 | rc = gnutls_certificate_set_x509_crl_file(backend->cred, | ||
255 | - SSL_SET_OPTION(CRLfile), | ||
256 | + SSL_SET_OPTION(primary.CRLfile), | ||
257 | GNUTLS_X509_FMT_PEM); | ||
258 | if(rc < 0) { | ||
259 | failf(data, "error reading crl file %s (%s)", | ||
260 | - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); | ||
261 | + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); | ||
262 | return CURLE_SSL_CRL_BADFILE; | ||
263 | } | ||
264 | else | ||
265 | infof(data, "found %d CRL in %s", | ||
266 | - rc, SSL_SET_OPTION(CRLfile)); | ||
267 | + rc, SSL_SET_OPTION(primary.CRLfile)); | ||
268 | } | ||
269 | |||
270 | /* Initialize TLS session as a client */ | ||
271 | @@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data, | ||
272 | #ifdef HAVE_GNUTLS_SRP | ||
273 | /* Only add SRP to the cipher list if SRP is requested. Otherwise | ||
274 | * GnuTLS will disable TLS 1.3 support. */ | ||
275 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
276 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { | ||
277 | size_t len = strlen(prioritylist); | ||
278 | |||
279 | char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); | ||
280 | @@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data, | ||
281 | |||
282 | #ifdef HAVE_GNUTLS_SRP | ||
283 | /* put the credentials to the current session */ | ||
284 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
285 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { | ||
286 | rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, | ||
287 | backend->srp_client_cred); | ||
288 | if(rc != GNUTLS_E_SUCCESS) { | ||
289 | @@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, | ||
290 | SSL_CONN_CONFIG(verifyhost) || | ||
291 | SSL_CONN_CONFIG(issuercert)) { | ||
292 | #ifdef HAVE_GNUTLS_SRP | ||
293 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
294 | - && SSL_SET_OPTION(username) != NULL | ||
295 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
296 | + && SSL_SET_OPTION(primary.username) | ||
297 | && !SSL_CONN_CONFIG(verifypeer) | ||
298 | && gnutls_cipher_get(session)) { | ||
299 | /* no peer cert, but auth is ok if we have SRP user and cipher and no | ||
300 | @@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, | ||
301 | failf(data, "server certificate verification failed. CAfile: %s " | ||
302 | "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): | ||
303 | "none", | ||
304 | - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); | ||
305 | + SSL_SET_OPTION(primary.CRLfile) ? | ||
306 | + SSL_SET_OPTION(primary.CRLfile) : "none"); | ||
307 | return CURLE_PEER_FAILED_VERIFICATION; | ||
308 | } | ||
309 | else | ||
310 | @@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, | ||
311 | gnutls_certificate_free_credentials(backend->cred); | ||
312 | |||
313 | #ifdef HAVE_GNUTLS_SRP | ||
314 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
315 | - && SSL_SET_OPTION(username) != NULL) | ||
316 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
317 | + && SSL_SET_OPTION(primary.username) != NULL) | ||
318 | gnutls_srp_free_client_credentials(backend->srp_client_cred); | ||
319 | #endif | ||
320 | |||
321 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
322 | index b9fd26a..bd4ad8f 100644 | ||
323 | --- a/lib/vtls/mbedtls.c | ||
324 | +++ b/lib/vtls/mbedtls.c | ||
325 | @@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, | ||
326 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
327 | char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); | ||
328 | const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); | ||
329 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
330 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
331 | const char * const hostname = SSL_HOST_NAME(); | ||
332 | #ifndef CURL_DISABLE_VERBOSE_STRINGS | ||
333 | const long int port = SSL_HOST_PORT(); | ||
334 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
335 | index 52f2060..959e23e 100644 | ||
336 | --- a/lib/vtls/nss.c | ||
337 | +++ b/lib/vtls/nss.c | ||
338 | @@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, | ||
339 | } | ||
340 | } | ||
341 | |||
342 | - if(SSL_SET_OPTION(CRLfile)) { | ||
343 | - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); | ||
344 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
345 | + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); | ||
346 | if(rv) { | ||
347 | result = rv; | ||
348 | goto error; | ||
349 | } | ||
350 | - infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); | ||
351 | + infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); | ||
352 | } | ||
353 | |||
354 | if(SSL_SET_OPTION(primary.clientcert)) { | ||
355 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
356 | index e8633f4..d98bbcb 100644 | ||
357 | --- a/lib/vtls/openssl.c | ||
358 | +++ b/lib/vtls/openssl.c | ||
359 | @@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | ||
360 | #endif | ||
361 | const long int ssl_version = SSL_CONN_CONFIG(version); | ||
362 | #ifdef USE_OPENSSL_SRP | ||
363 | - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); | ||
364 | + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); | ||
365 | #endif | ||
366 | char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); | ||
367 | const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); | ||
368 | @@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | ||
369 | (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); | ||
370 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
371 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
372 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
373 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
374 | char error_buffer[256]; | ||
375 | struct ssl_backend_data *backend = connssl->backend; | ||
376 | bool imported_native_ca = false; | ||
377 | @@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | ||
378 | #ifdef USE_OPENSSL_SRP | ||
379 | if((ssl_authtype == CURL_TLSAUTH_SRP) && | ||
380 | Curl_allow_auth_to_host(data)) { | ||
381 | - char * const ssl_username = SSL_SET_OPTION(username); | ||
382 | - | ||
383 | + char * const ssl_username = SSL_SET_OPTION(primary.username); | ||
384 | + char * const ssl_password = SSL_SET_OPTION(primary.password); | ||
385 | infof(data, "Using TLS-SRP username: %s", ssl_username); | ||
386 | |||
387 | if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { | ||
388 | failf(data, "Unable to set SRP user name"); | ||
389 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
390 | } | ||
391 | - if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { | ||
392 | + if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { | ||
393 | failf(data, "failed setting SRP password"); | ||
394 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
395 | } | ||
396 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
397 | index a40ac06..e2d3438 100644 | ||
398 | --- a/lib/vtls/vtls.c | ||
399 | +++ b/lib/vtls/vtls.c | ||
400 | @@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, | ||
401 | { | ||
402 | if((data->version == needle->version) && | ||
403 | (data->version_max == needle->version_max) && | ||
404 | + (data->ssl_options == needle->ssl_options) && | ||
405 | (data->verifypeer == needle->verifypeer) && | ||
406 | (data->verifyhost == needle->verifyhost) && | ||
407 | (data->verifystatus == needle->verifystatus) && | ||
408 | @@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, | ||
409 | Curl_safecmp(data->clientcert, needle->clientcert) && | ||
410 | Curl_safecmp(data->random_file, needle->random_file) && | ||
411 | Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
412 | +#ifdef USE_TLS_SRP | ||
413 | + Curl_safecmp(data->username, needle->username) && | ||
414 | + Curl_safecmp(data->password, needle->password) && | ||
415 | + (data->authtype == needle->authtype) && | ||
416 | +#endif | ||
417 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
418 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
419 | Curl_safe_strcasecompare(data->curves, needle->curves) && | ||
420 | + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && | ||
421 | Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) | ||
422 | return TRUE; | ||
423 | |||
424 | @@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
425 | dest->verifyhost = source->verifyhost; | ||
426 | dest->verifystatus = source->verifystatus; | ||
427 | dest->sessionid = source->sessionid; | ||
428 | + dest->ssl_options = source->ssl_options; | ||
429 | +#ifdef USE_TLS_SRP | ||
430 | + dest->authtype = source->authtype; | ||
431 | +#endif | ||
432 | |||
433 | CLONE_BLOB(cert_blob); | ||
434 | CLONE_BLOB(ca_info_blob); | ||
435 | @@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
436 | CLONE_STRING(cipher_list13); | ||
437 | CLONE_STRING(pinned_key); | ||
438 | CLONE_STRING(curves); | ||
439 | + CLONE_STRING(CRLfile); | ||
440 | +#ifdef USE_TLS_SRP | ||
441 | + CLONE_STRING(username); | ||
442 | + CLONE_STRING(password); | ||
443 | +#endif | ||
444 | |||
445 | return TRUE; | ||
446 | } | ||
447 | @@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) | ||
448 | Curl_safefree(sslc->ca_info_blob); | ||
449 | Curl_safefree(sslc->issuercert_blob); | ||
450 | Curl_safefree(sslc->curves); | ||
451 | + Curl_safefree(sslc->CRLfile); | ||
452 | +#ifdef USE_TLS_SRP | ||
453 | + Curl_safefree(sslc->username); | ||
454 | + Curl_safefree(sslc->password); | ||
455 | +#endif | ||
456 | } | ||
457 | |||
458 | #ifdef USE_SSL | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..74fa7f85a9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 23:13:53 +0200 | ||
4 | Subject: [PATCH] url: check SSH config match on connection reuse | ||
5 | |||
6 | CVE-2022-27782 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27782.html | ||
10 | Closes #8825 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/url.c | 11 +++++++++++ | ||
16 | lib/vssh/ssh.h | 6 +++--- | ||
17 | 2 files changed, 14 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/lib/url.c b/lib/url.c | ||
20 | index 5ebf5e2..c713e54 100644 | ||
21 | --- a/lib/url.c | ||
22 | +++ b/lib/url.c | ||
23 | @@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) | ||
24 | } | ||
25 | } | ||
26 | |||
27 | +static bool ssh_config_matches(struct connectdata *one, | ||
28 | + struct connectdata *two) | ||
29 | +{ | ||
30 | + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && | ||
31 | + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); | ||
32 | +} | ||
33 | /* | ||
34 | * Given one filled in connection struct (named needle), this function should | ||
35 | * detect if there already is one that has all the significant details | ||
36 | @@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, | ||
37 | (data->state.httpwant < CURL_HTTP_VERSION_2_0)) | ||
38 | continue; | ||
39 | |||
40 | + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { | ||
41 | + if(!ssh_config_matches(needle, check)) | ||
42 | + continue; | ||
43 | + } | ||
44 | + | ||
45 | if((needle->handler->flags&PROTOPT_SSL) | ||
46 | #ifndef CURL_DISABLE_PROXY | ||
47 | || !needle->bits.httpproxy || needle->bits.tunnel_proxy | ||
48 | diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h | ||
49 | index 7972081..30d82e5 100644 | ||
50 | --- a/lib/vssh/ssh.h | ||
51 | +++ b/lib/vssh/ssh.h | ||
52 | @@ -7,7 +7,7 @@ | ||
53 | * | (__| |_| | _ <| |___ | ||
54 | * \___|\___/|_| \_\_____| | ||
55 | * | ||
56 | - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
57 | + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
58 | * | ||
59 | * This software is licensed as described in the file COPYING, which | ||
60 | * you should have received as part of this distribution. The terms | ||
61 | @@ -131,8 +131,8 @@ struct ssh_conn { | ||
62 | |||
63 | /* common */ | ||
64 | const char *passphrase; /* pass-phrase to use */ | ||
65 | - char *rsa_pub; /* path name */ | ||
66 | - char *rsa; /* path name */ | ||
67 | + char *rsa_pub; /* strdup'ed public key file */ | ||
68 | + char *rsa; /* strdup'ed private key file */ | ||
69 | bool authed; /* the connection has been authenticated fine */ | ||
70 | bool acceptfail; /* used by the SFTP_QUOTE (continue if | ||
71 | quote command fails) */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-30115.patch b/meta/recipes-support/curl/curl/CVE-2022-30115.patch new file mode 100644 index 0000000000..96839cf204 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-30115.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 08:13:55 +0200 | ||
4 | Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names | ||
5 | |||
6 | CVE-2022-30115 | ||
7 | |||
8 | Reported-by: Axel Chong | ||
9 | Bug: https://curl.se/docs/CVE-2022-30115.html | ||
10 | Closes #8821 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/hsts.c | 30 +++++++++++++++++++++++++----- | ||
16 | 1 file changed, 25 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/lib/hsts.c b/lib/hsts.c | ||
19 | index 03fcc9e..b9fa6f7 100644 | ||
20 | --- a/lib/hsts.c | ||
21 | +++ b/lib/hsts.c | ||
22 | @@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h, | ||
23 | curl_off_t expires) | ||
24 | { | ||
25 | struct stsentry *sts = hsts_entry(); | ||
26 | + char *duphost; | ||
27 | + size_t hlen; | ||
28 | if(!sts) | ||
29 | return CURLE_OUT_OF_MEMORY; | ||
30 | |||
31 | - sts->expires = expires; | ||
32 | - sts->includeSubDomains = subdomains; | ||
33 | - sts->host = strdup(hostname); | ||
34 | - if(!sts->host) { | ||
35 | + duphost = strdup(hostname); | ||
36 | + if(!duphost) { | ||
37 | free(sts); | ||
38 | return CURLE_OUT_OF_MEMORY; | ||
39 | } | ||
40 | + | ||
41 | + hlen = strlen(duphost); | ||
42 | + if(duphost[hlen - 1] == '.') | ||
43 | + /* strip off trailing any dot */ | ||
44 | + duphost[--hlen] = 0; | ||
45 | + | ||
46 | + sts->host = duphost; | ||
47 | + sts->expires = expires; | ||
48 | + sts->includeSubDomains = subdomains; | ||
49 | Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node); | ||
50 | return CURLE_OK; | ||
51 | } | ||
52 | @@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, | ||
53 | bool subdomain) | ||
54 | { | ||
55 | if(h) { | ||
56 | + char buffer[MAX_HSTS_HOSTLEN + 1]; | ||
57 | time_t now = time(NULL); | ||
58 | size_t hlen = strlen(hostname); | ||
59 | struct Curl_llist_element *e; | ||
60 | struct Curl_llist_element *n; | ||
61 | + | ||
62 | + if((hlen > MAX_HSTS_HOSTLEN) || !hlen) | ||
63 | + return NULL; | ||
64 | + memcpy(buffer, hostname, hlen); | ||
65 | + if(hostname[hlen-1] == '.') | ||
66 | + /* remove the trailing dot */ | ||
67 | + --hlen; | ||
68 | + buffer[hlen] = 0; | ||
69 | + hostname = buffer; | ||
70 | + | ||
71 | for(e = h->list.head; e; e = n) { | ||
72 | struct stsentry *sts = e->ptr; | ||
73 | n = e->next; | ||
74 | @@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h) | ||
75 | CURLSTScode sc; | ||
76 | DEBUGASSERT(h); | ||
77 | do { | ||
78 | - char buffer[257]; | ||
79 | + char buffer[MAX_HSTS_HOSTLEN + 1]; | ||
80 | struct curl_hstsentry e; | ||
81 | e.name = buffer; | ||
82 | e.namelen = sizeof(buffer)-1; | ||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 23bd7eaa52..ba3fd11820 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
@@ -9,7 +9,21 @@ SECTION = "console/network" | |||
9 | LICENSE = "MIT-open-group" | 9 | LICENSE = "MIT-open-group" |
10 | LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238" | 10 | LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238" |
11 | 11 | ||
12 | SRC_URI = "https://curl.se/download/${BP}.tar.xz" | 12 | SRC_URI = "https://curl.se/download/${BP}.tar.xz \ |
13 | file://CVE-2022-22576.patch \ | ||
14 | file://CVE-2022-27775.patch \ | ||
15 | file://CVE-2022-27776.patch \ | ||
16 | file://CVE-2022-27774-1.patch \ | ||
17 | file://CVE-2022-27774-2.patch \ | ||
18 | file://CVE-2022-27774-3.patch \ | ||
19 | file://CVE-2022-27774-4.patch \ | ||
20 | file://CVE-2022-30115.patch \ | ||
21 | file://CVE-2022-27780.patch \ | ||
22 | file://CVE-2022-27781.patch \ | ||
23 | file://CVE-2022-27779.patch \ | ||
24 | file://CVE-2022-27782-1.patch \ | ||
25 | file://CVE-2022-27782-2.patch \ | ||
26 | " | ||
13 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 27 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
14 | 28 | ||
15 | # Curl has used many names over the years... | 29 | # Curl has used many names over the years... |