502 lines
21 KiB
Diff
502 lines
21 KiB
Diff
|
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||
|
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
|
||
|
|
||
|
CVE-2022-27782
|
||
|
|
||
|
Reported-by: Harry Sintonen
|
||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||
|
Closes #8825
|
||
|
|
||
|
Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/setopt.c | 29 +++++++++++++++++------------
|
||
|
lib/url.c | 23 ++++++++++++++++-------
|
||
|
lib/urldata.h | 13 +++++++------
|
||
|
lib/vtls/gtls.c | 19 ++++++++++---------
|
||
|
lib/vtls/mbedtls.c | 2 +-
|
||
|
lib/vtls/nss.c | 6 +++---
|
||
|
lib/vtls/openssl.c | 10 +++++-----
|
||
|
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
||
|
8 files changed, 80 insertions(+), 43 deletions(-)
|
||
|
|
||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||
|
index 8e1bf12..7aa6fdb 100644
|
||
|
--- a/lib/setopt.c
|
||
|
+++ b/lib/setopt.c
|
||
|
@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||
|
|
||
|
case CURLOPT_SSL_OPTIONS:
|
||
|
arg = va_arg(param, long);
|
||
|
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||
|
data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
|
||
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||
|
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||
|
@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
case CURLOPT_PROXY_SSL_OPTIONS:
|
||
|
arg = va_arg(param, long);
|
||
|
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||
|
data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
|
||
|
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||
|
data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||
|
@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||
|
case CURLOPT_TLSAUTH_USERNAME:
|
||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||
|
va_arg(param, char *));
|
||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||
|
+ !data->set.ssl.primary.authtype)
|
||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||
|
break;
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
||
|
va_arg(param, char *));
|
||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||
|
- !data->set.proxy_ssl.authtype)
|
||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
|
||
|
+ SRP */
|
||
|
break;
|
||
|
#endif
|
||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||
|
va_arg(param, char *));
|
||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||
|
+ !data->set.ssl.primary.authtype)
|
||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||
|
break;
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
||
|
va_arg(param, char *));
|
||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||
|
- !data->set.proxy_ssl.authtype)
|
||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||
|
break;
|
||
|
#endif
|
||
|
case CURLOPT_TLSAUTH_TYPE:
|
||
|
argptr = va_arg(param, char *);
|
||
|
if(!argptr ||
|
||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
|
||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||
|
else
|
||
|
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||
|
break;
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
case CURLOPT_PROXY_TLSAUTH_TYPE:
|
||
|
argptr = va_arg(param, char *);
|
||
|
if(!argptr ||
|
||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
|
||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||
|
else
|
||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
|
||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||
|
break;
|
||
|
#endif
|
||
|
#endif
|
||
|
diff --git a/lib/url.c b/lib/url.c
|
||
|
index 94e3406..5ebf5e2 100644
|
||
|
--- a/lib/url.c
|
||
|
+++ b/lib/url.c
|
||
|
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||
|
set->ssl.primary.verifypeer = TRUE;
|
||
|
set->ssl.primary.verifyhost = TRUE;
|
||
|
#ifdef USE_TLS_SRP
|
||
|
- set->ssl.authtype = CURL_TLSAUTH_NONE;
|
||
|
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||
|
#endif
|
||
|
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
||
|
type */
|
||
|
@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||
|
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
||
|
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
||
|
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
||
|
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+#endif
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
conn->proxy_ssl_config.verifystatus =
|
||
|
data->set.proxy_ssl.primary.verifystatus;
|
||
|
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
||
|
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
||
|
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+#endif
|
||
|
#endif
|
||
|
conn->ip_version = data->set.ipver;
|
||
|
conn->bits.connect_only = data->set.connect_only;
|
||
|
@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||
|
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||
|
data->set.proxy_ssl.primary.issuercert_blob =
|
||
|
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
||
|
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||
|
+ data->set.proxy_ssl.primary.CRLfile =
|
||
|
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||
|
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
||
|
@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||
|
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
||
|
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||
|
#endif
|
||
|
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||
|
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||
|
data->set.ssl.key = data->set.str[STRING_KEY];
|
||
|
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||
|
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
||
|
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||
|
#ifdef USE_TLS_SRP
|
||
|
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||
|
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||
|
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||
|
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||
|
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||
|
+ data->set.proxy_ssl.primary.username =
|
||
|
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||
|
+ data->set.proxy_ssl.primary.password =
|
||
|
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||
|
#endif
|
||
|
#endif
|
||
|
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||
|
index 5218f76..e006495 100644
|
||
|
--- a/lib/urldata.h
|
||
|
+++ b/lib/urldata.h
|
||
|
@@ -253,10 +253,17 @@ struct ssl_primary_config {
|
||
|
char *cipher_list; /* list of ciphers to use */
|
||
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||
|
char *pinned_key;
|
||
|
+ char *CRLfile; /* CRL to check certificate revocation */
|
||
|
struct curl_blob *cert_blob;
|
||
|
struct curl_blob *ca_info_blob;
|
||
|
struct curl_blob *issuercert_blob;
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+ char *username; /* TLS username (for, e.g., SRP) */
|
||
|
+ char *password; /* TLS password (for, e.g., SRP) */
|
||
|
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||
|
+#endif
|
||
|
char *curves; /* list of curves to use */
|
||
|
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
|
||
|
BIT(verifypeer); /* set TRUE if this is desired */
|
||
|
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
||
|
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
||
|
@@ -266,7 +273,6 @@ struct ssl_primary_config {
|
||
|
struct ssl_config_data {
|
||
|
struct ssl_primary_config primary;
|
||
|
long certverifyresult; /* result from the certificate verification */
|
||
|
- char *CRLfile; /* CRL to check certificate revocation */
|
||
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||
|
void *fsslctxp; /* parameter for call back */
|
||
|
char *cert_type; /* format for certificate (default: PEM)*/
|
||
|
@@ -274,11 +280,6 @@ struct ssl_config_data {
|
||
|
struct curl_blob *key_blob;
|
||
|
char *key_type; /* format for private key (default: PEM) */
|
||
|
char *key_passwd; /* plain text private key password */
|
||
|
-#ifdef USE_TLS_SRP
|
||
|
- char *username; /* TLS username (for, e.g., SRP) */
|
||
|
- char *password; /* TLS password (for, e.g., SRP) */
|
||
|
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||
|
-#endif
|
||
|
BIT(certinfo); /* gather lots of certificate info */
|
||
|
BIT(falsestart);
|
||
|
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||
|
index 5749376..ec6be16 100644
|
||
|
--- a/lib/vtls/gtls.c
|
||
|
+++ b/lib/vtls/gtls.c
|
||
|
@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data,
|
||
|
}
|
||
|
|
||
|
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
|
||
|
- SSL_SET_OPTION(username),
|
||
|
- SSL_SET_OPTION(password));
|
||
|
+ SSL_SET_OPTION(primary.username),
|
||
|
+ SSL_SET_OPTION(primary.password));
|
||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||
|
failf(data, "gnutls_srp_set_client_cred() failed: %s",
|
||
|
gnutls_strerror(rc));
|
||
|
@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data,
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
- if(SSL_SET_OPTION(CRLfile)) {
|
||
|
+ if(SSL_SET_OPTION(primary.CRLfile)) {
|
||
|
/* set the CRL list file */
|
||
|
rc = gnutls_certificate_set_x509_crl_file(backend->cred,
|
||
|
- SSL_SET_OPTION(CRLfile),
|
||
|
+ SSL_SET_OPTION(primary.CRLfile),
|
||
|
GNUTLS_X509_FMT_PEM);
|
||
|
if(rc < 0) {
|
||
|
failf(data, "error reading crl file %s (%s)",
|
||
|
- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
|
||
|
+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
|
||
|
return CURLE_SSL_CRL_BADFILE;
|
||
|
}
|
||
|
else
|
||
|
infof(data, "found %d CRL in %s",
|
||
|
- rc, SSL_SET_OPTION(CRLfile));
|
||
|
+ rc, SSL_SET_OPTION(primary.CRLfile));
|
||
|
}
|
||
|
|
||
|
/* Initialize TLS session as a client */
|
||
|
@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||
|
#ifdef HAVE_GNUTLS_SRP
|
||
|
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||
|
* GnuTLS will disable TLS 1.3 support. */
|
||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||
|
size_t len = strlen(prioritylist);
|
||
|
|
||
|
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
|
||
|
@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||
|
|
||
|
#ifdef HAVE_GNUTLS_SRP
|
||
|
/* put the credentials to the current session */
|
||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||
|
backend->srp_client_cred);
|
||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||
|
@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||
|
failf(data, "server certificate verification failed. CAfile: %s "
|
||
|
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
|
||
|
"none",
|
||
|
- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
|
||
|
+ SSL_SET_OPTION(primary.CRLfile) ?
|
||
|
+ SSL_SET_OPTION(primary.CRLfile) : "none");
|
||
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||
|
}
|
||
|
else
|
||
|
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
||
|
index b9fd26a..bd4ad8f 100644
|
||
|
--- a/lib/vtls/mbedtls.c
|
||
|
+++ b/lib/vtls/mbedtls.c
|
||
|
@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
||
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||
|
const char * const hostname = SSL_HOST_NAME();
|
||
|
#ifndef CURL_DISABLE_VERBOSE_STRINGS
|
||
|
const long int port = SSL_HOST_PORT();
|
||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||
|
index 558e3be..892e7d8 100644
|
||
|
--- a/lib/vtls/nss.c
|
||
|
+++ b/lib/vtls/nss.c
|
||
|
@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- if(SSL_SET_OPTION(CRLfile)) {
|
||
|
- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
|
||
|
+ if(SSL_SET_OPTION(primary.CRLfile)) {
|
||
|
+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
|
||
|
if(rv) {
|
||
|
result = rv;
|
||
|
goto error;
|
||
|
}
|
||
|
- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile));
|
||
|
+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
|
||
|
}
|
||
|
|
||
|
if(SSL_SET_OPTION(primary.clientcert)) {
|
||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||
|
index 97c5666..a4ef9d1 100644
|
||
|
--- a/lib/vtls/openssl.c
|
||
|
+++ b/lib/vtls/openssl.c
|
||
|
@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||
|
#endif
|
||
|
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||
|
#ifdef USE_OPENSSL_SRP
|
||
|
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
||
|
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
|
||
|
#endif
|
||
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||
|
@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||
|
(ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
|
||
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||
|
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
|
||
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||
|
char error_buffer[256];
|
||
|
struct ssl_backend_data *backend = connssl->backend;
|
||
|
bool imported_native_ca = false;
|
||
|
@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||
|
#ifdef USE_OPENSSL_SRP
|
||
|
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||
|
Curl_allow_auth_to_host(data)) {
|
||
|
- char * const ssl_username = SSL_SET_OPTION(username);
|
||
|
-
|
||
|
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
|
||
|
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
|
||
|
infof(data, "Using TLS-SRP username: %s", ssl_username);
|
||
|
|
||
|
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
|
||
|
failf(data, "Unable to set SRP user name");
|
||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||
|
}
|
||
|
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
|
||
|
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
|
||
|
failf(data, "failed setting SRP password");
|
||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||
|
}
|
||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||
|
index a40ac06..e2d3438 100644
|
||
|
--- a/lib/vtls/vtls.c
|
||
|
+++ b/lib/vtls/vtls.c
|
||
|
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||
|
{
|
||
|
if((data->version == needle->version) &&
|
||
|
(data->version_max == needle->version_max) &&
|
||
|
+ (data->ssl_options == needle->ssl_options) &&
|
||
|
(data->verifypeer == needle->verifypeer) &&
|
||
|
(data->verifyhost == needle->verifyhost) &&
|
||
|
(data->verifystatus == needle->verifystatus) &&
|
||
|
@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||
|
Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||
|
Curl_safecmp(data->random_file, needle->random_file) &&
|
||
|
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+ Curl_safecmp(data->username, needle->username) &&
|
||
|
+ Curl_safecmp(data->password, needle->password) &&
|
||
|
+ (data->authtype == needle->authtype) &&
|
||
|
+#endif
|
||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||
|
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
|
||
|
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
||
|
return TRUE;
|
||
|
|
||
|
@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||
|
dest->verifyhost = source->verifyhost;
|
||
|
dest->verifystatus = source->verifystatus;
|
||
|
dest->sessionid = source->sessionid;
|
||
|
+ dest->ssl_options = source->ssl_options;
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+ dest->authtype = source->authtype;
|
||
|
+#endif
|
||
|
|
||
|
CLONE_BLOB(cert_blob);
|
||
|
CLONE_BLOB(ca_info_blob);
|
||
|
@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||
|
CLONE_STRING(cipher_list13);
|
||
|
CLONE_STRING(pinned_key);
|
||
|
CLONE_STRING(curves);
|
||
|
+ CLONE_STRING(CRLfile);
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+ CLONE_STRING(username);
|
||
|
+ CLONE_STRING(password);
|
||
|
+#endif
|
||
|
|
||
|
return TRUE;
|
||
|
}
|
||
|
@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||
|
Curl_safefree(sslc->ca_info_blob);
|
||
|
Curl_safefree(sslc->issuercert_blob);
|
||
|
Curl_safefree(sslc->curves);
|
||
|
+ Curl_safefree(sslc->CRLfile);
|
||
|
+#ifdef USE_TLS_SRP
|
||
|
+ Curl_safefree(sslc->username);
|
||
|
+ Curl_safefree(sslc->password);
|
||
|
+#endif
|
||
|
}
|
||
|
|
||
|
#ifdef USE_SSL
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||
|
Subject: [PATCH 2/2] url: check SSH config match on connection reuse
|
||
|
|
||
|
CVE-2022-27782
|
||
|
|
||
|
Reported-by: Harry Sintonen
|
||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||
|
Closes #8825
|
||
|
|
||
|
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/url.c | 11 +++++++++++
|
||
|
lib/vssh/ssh.h | 6 +++---
|
||
|
2 files changed, 14 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/lib/url.c b/lib/url.c
|
||
|
index 5ebf5e2..c713e54 100644
|
||
|
--- a/lib/url.c
|
||
|
+++ b/lib/url.c
|
||
|
@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+static bool ssh_config_matches(struct connectdata *one,
|
||
|
+ struct connectdata *two)
|
||
|
+{
|
||
|
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
|
||
|
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
|
||
|
+}
|
||
|
/*
|
||
|
* Given one filled in connection struct (named needle), this function should
|
||
|
* detect if there already is one that has all the significant details
|
||
|
@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
|
||
|
(data->state.httpwant < CURL_HTTP_VERSION_2_0))
|
||
|
continue;
|
||
|
|
||
|
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
|
||
|
+ if(!ssh_config_matches(needle, check))
|
||
|
+ continue;
|
||
|
+ }
|
||
|
+
|
||
|
if((needle->handler->flags&PROTOPT_SSL)
|
||
|
#ifndef CURL_DISABLE_PROXY
|
||
|
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
|
||
|
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
|
||
|
index 7972081..30d82e5 100644
|
||
|
--- a/lib/vssh/ssh.h
|
||
|
+++ b/lib/vssh/ssh.h
|
||
|
@@ -7,7 +7,7 @@
|
||
|
* | (__| |_| | _ <| |___
|
||
|
* \___|\___/|_| \_\_____|
|
||
|
*
|
||
|
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
*
|
||
|
* This software is licensed as described in the file COPYING, which
|
||
|
* you should have received as part of this distribution. The terms
|
||
|
@@ -131,8 +131,8 @@ struct ssh_conn {
|
||
|
|
||
|
/* common */
|
||
|
const char *passphrase; /* pass-phrase to use */
|
||
|
- char *rsa_pub; /* path name */
|
||
|
- char *rsa; /* path name */
|
||
|
+ char *rsa_pub; /* strdup'ed public key file */
|
||
|
+ char *rsa; /* strdup'ed private key file */
|
||
|
bool authed; /* the connection has been authenticated fine */
|
||
|
bool acceptfail; /* used by the SFTP_QUOTE (continue if
|
||
|
quote command fails) */
|
||
|
--
|
||
|
2.34.1
|
||
|
|