fix build failure with gnutls backend enabled

Although Fedora curl packages are compiled with OpenSSL backend, some
developers rebuild them with gnutls backend in their own COPRs.  This
commit makes the source code compile again with gnutls while it does
not affect the official Fedora (binary) RPMs.
This commit is contained in:
Kamil Dudka 2022-07-18 12:16:31 +02:00
parent 9b08152998
commit f5e5013744
2 changed files with 173 additions and 12 deletions


@ -1,7 +1,131 @@
From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Thu, 17 Mar 2022 15:31:10 -0400
Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
Prior to this change if, at build time, the GnuTLS backend was found to
have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
Bug: https://curl.se/mail/lib-2022-03/0046.html
Reported-by: Robert Brose
Closes https://github.com/curl/curl/pull/8604
Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/gtls.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5749376..bc8ef68 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -55,6 +55,14 @@
/* The last #include file should be: */
#include "memdebug.h"
+#ifdef HAVE_GNUTLS_SRP
+/* the function exists */
+#ifdef USE_TLS_SRP
+/* the functionality is not disabled */
+#define USE_GNUTLS_SRP
+#endif
+#endif
+
/* Enable GnuTLS debugging by defining GTLSDEBUG */
/*#define GTLSDEBUG */
@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
struct ssl_backend_data {
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
gnutls_srp_client_credentials_t srp_client_cred;
#endif
};
@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
if(result)
return result;
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
#endif
infof(data, "GnuTLS ciphers: %s", prioritylist);
rc = gnutls_priority_set_direct(session, prioritylist, &err);
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
}
#endif
@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
}
}
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
/* put the credentials to the current session */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
SSL_CONN_CONFIG(issuercert)) {
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
&& !SSL_CONN_CONFIG(verifypeer)
@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
failf(data, "failed to get server cert");
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
return CURLE_PEER_FAILED_VERIFICATION;
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
}
#endif
}
@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
gnutls_certificate_free_credentials(backend->cred);
backend->cred = NULL;
}
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
if(backend->srp_client_cred) {
gnutls_srp_free_client_credentials(backend->srp_client_cred);
backend->srp_client_cred = NULL;
@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
}
gnutls_certificate_free_credentials(backend->cred);
-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
--
2.35.3
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
CVE-2022-27782
@ -15,12 +139,12 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
lib/setopt.c | 29 +++++++++++++++++------------
lib/url.c | 23 ++++++++++++++++-------
lib/urldata.h | 13 +++++++------
lib/vtls/gtls.c | 19 ++++++++++---------
lib/vtls/gtls.c | 32 +++++++++++++++++---------------
lib/vtls/mbedtls.c | 2 +-
lib/vtls/nss.c | 6 +++---
lib/vtls/openssl.c | 10 +++++-----
lib/vtls/vtls.c | 21 +++++++++++++++++++++
8 files changed, 80 insertions(+), 43 deletions(-)
8 files changed, 87 insertions(+), 49 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
index 8e1bf12..7aa6fdb 100644
@ -220,7 +344,19 @@ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5749376..ec6be16 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data,
@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data,
}
#ifdef USE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+ infof(data, "Using TLS-SRP username: %s",
+ SSL_SET_OPTION(primary.username));
rc = gnutls_srp_allocate_client_credentials(
&backend->srp_client_cred);
@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data,
}
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
@ -231,7 +367,7 @@ index 5749376..ec6be16 100644
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data,
@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data,
}
#endif
@ -255,8 +391,8 @@ index 5749376..ec6be16 100644
}
/* Initialize TLS session as a client */
@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data,
#ifdef HAVE_GNUTLS_SRP
@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data,
#ifdef USE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
@ -264,16 +400,27 @@ index 5749376..ec6be16 100644
size_t len = strlen(prioritylist);
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data,
@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data,
#ifdef HAVE_GNUTLS_SRP
#ifdef USE_GNUTLS_SRP
/* put the credentials to the current session */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
backend->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
SSL_CONN_CONFIG(verifyhost) ||
SSL_CONN_CONFIG(issuercert)) {
#ifdef USE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username) != NULL
&& !SSL_CONN_CONFIG(verifypeer)
&& gnutls_cipher_get(session)) {
/* no peer cert, but auth is ok if we have SRP user and cipher and no
@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
failf(data, "server certificate verification failed. CAfile: %s "
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
"none",
@ -283,6 +430,17 @@ index 5749376..ec6be16 100644
return CURLE_PEER_FAILED_VERIFICATION;
}
else
@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
gnutls_certificate_free_credentials(backend->cred);
#ifdef USE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL)
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
#endif
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index b9fd26a..bd4ad8f 100644
--- a/lib/vtls/mbedtls.c
@ -428,7 +586,7 @@ index a40ac06..e2d3438 100644
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 2/2] url: check SSH config match on connection reuse
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
CVE-2022-27782
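Review bot: In the gtls_shutdown hunk of the first patch (`@@ -1555,7 +1563,7 @@`) the SRP client credentials are released only when `SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP && SSL_SET_OPTION(username) != NULL`, whereas close_one in the preceding hunk guards on `backend->srp_client_cred` itself and resets it to NULL afterwards. The HAVE_GNUTLS_SRP to USE_GNUTLS_SRP switch is correct for the build failure this commit fixes, but the two release paths still disagree on what decides whether `srp_client_cred` is freed; if option state and allocation state can diverge, one path may skip a free that the other would perform — I cannot tell from these hunks alone, and the same pattern is carried into the rebased second patch (`@@ -1564,8 +1566,8 @@`). If it is worth addressing, guarding on the pointer as close_one does, `if(backend->srp_client_cred) {` followed by the NULL reset, would make both paths consistent, though as backported upstream code it belongs in an upstream-first change rather than in this package patch. Both enclosing functions start and end outside the hunks.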


@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.82.0
Release: 6%{?dist}
Release: 7%{?dist}
License: MIT
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -463,6 +463,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Mon Jul 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-7
- fix build failure with gnutls backend enabled
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
- fix unpreserved file permissions (CVE-2022-32207)
- fix Set-Cookie denial of service (CVE-2022-32205)