From f5e50137446cf90d988516e738df49c708e18e48 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Mon, 18 Jul 2022 12:16:31 +0200
Subject: [PATCH] fix build failure with gnutls backend enabled

Although Fedora curl packages are compiled with OpenSSL backend, some developers rebuild them with gnutls backend in their own COPRs. This commit makes the source code compile again with gnutls while it does not affect the official Fedora (binary) RPMs.
---
 0009-curl-7.82.0-CVE-2022-27782.patch | 180 ++++++++++++++++++++++++--
 curl.spec | 5 +-
 2 files changed, 173 insertions(+), 12 deletions(-)

diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch
index 0c9d21c..b6b55d2 100644
--- a/0009-curl-7.82.0-CVE-2022-27782.patch
+++ b/0009-curl-7.82.0-CVE-2022-27782.patch
@@ -1,7 +1,131 @@
+From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
+From: Jay Satiro
+Date: Thu, 17 Mar 2022 15:31:10 -0400
+Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
+
+Prior to this change if, at build time, the GnuTLS backend was found to
+have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
+via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
+
+Bug: https://curl.se/mail/lib-2022-03/0046.html
+Reported-by: Robert Brose
+
+Closes https://github.com/curl/curl/pull/8604
+
+Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/gtls.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..bc8ef68 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -55,6 +55,14 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+
++#ifdef HAVE_GNUTLS_SRP
++/* the function exists */
++#ifdef USE_TLS_SRP
++/* the functionality is not disabled */
++#define USE_GNUTLS_SRP
++#endif
++#endif
++
+ /* Enable GnuTLS debugging by defining GTLSDEBUG */
+ /*#define GTLSDEBUG */
+
+@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
+ struct ssl_backend_data {
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t cred;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ gnutls_srp_client_credentials_t srp_client_cred;
+ #endif
+ };
+@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+
+@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ if(result)
+ return result;
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ /* Only add SRP to the cipher list if SRP is requested. Otherwise
+ * GnuTLS will disable TLS 1.3 support. */
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #endif
+ infof(data, "GnuTLS ciphers: %s", prioritylist);
+ rc = gnutls_priority_set_direct(session, prioritylist, &err);
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ }
+ #endif
+
+@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+ }
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ /* put the credentials to the current session */
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+ SSL_CONN_CONFIG(issuercert)) {
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+ && !SSL_CONN_CONFIG(verifypeer)
+@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ failf(data, "failed to get server cert");
+ *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ return CURLE_PEER_FAILED_VERIFICATION;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ }
+ #endif
+ }
+@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
+ gnutls_certificate_free_credentials(backend->cred);
+ backend->cred = NULL;
+ }
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(backend->srp_client_cred) {
+ gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ backend->srp_client_cred = NULL;
+@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ }
+ gnutls_certificate_free_credentials(backend->cred);
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL)
+ gnutls_srp_free_client_credentials(backend->srp_client_cred);
+--
+2.35.3
+
+
 From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 1/2] tls: check more TLS details for connection reuse +Subject: [PATCH 2/3] tls: check more TLS details for connection reuse CVE-2022-27782 @@ -15,12 +139,12 @@ Signed-off-by: Kamil Dudka lib/setopt.c | 29 +++++++++++++++++------------ lib/url.c | 23 ++++++++++++++++------- lib/urldata.h | 13 +++++++------ - lib/vtls/gtls.c | 19 ++++++++++--------- + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- lib/vtls/mbedtls.c | 2 +- lib/vtls/nss.c | 6 +++--- lib/vtls/openssl.c | 10 +++++----- lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 8 files changed, 80 insertions(+), 43 deletions(-) + 8 files changed, 87 insertions(+), 49 deletions(-) diff --git a/lib/setopt.c b/lib/setopt.c index 8e1bf12..7aa6fdb 100644 @@ -220,7 +344,19 @@ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5749376..ec6be16 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c -@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials( + &backend->srp_client_cred); +@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, } rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, @@ -231,7 +367,7 @@ index 5749376..ec6be16 100644 if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); -@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, } #endif 
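Review bot: In the gtls_shutdown hunk of the backported patch (`+@@ -1555,7 +1563,7`), `gnutls_srp_free_client_credentials(backend->srp_client_cred)` runs whenever `authtype` is SRP and `username` is set, with no NULL guard and no reset of the field, while the close_one hunk (`+@@ -1469,7 +1477,7`) guards the same pointer with `if(backend->srp_client_cred)` and clears it afterwards, so the two teardown paths disagree under `USE_GNUTLS_SRP`. The backport is verbatim upstream 8b1cae63, so this belongs upstream rather than as a local divergence, but it is the kind of asymmetry that becomes a NULL dereference or double free on teardown if a connection whose allocation in gtls_connect_step1 failed can still reach gtls_shutdown, which I cannot confirm from the hunk. If it is ever changed, the close_one form `if(backend->srp_client_cred) { gnutls_srp_free_client_credentials(backend->srp_client_cred); backend->srp_client_cred = NULL; }` is the one to copy. Both functions start and end outside the hunk.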
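Review bot: The regenerated CVE patch now carries three inner hunks in gtls.c that did not exist before (`+@@ -445,8 +445,9` here, `+@@ -875,8 +876,8` and `+@@ -1564,8 +1566,8` on the following physical lines), all switching `#ifdef USE_GNUTLS_SRP` code from `SSL_SET_OPTION(authtype)`/`SSL_SET_OPTION(username)` to `primary.authtype`/`primary.username`, and the diffstat grows from 19 to 32 changed lines, which suggests the previous 0009 was an incomplete backport of the upstream fix for TLS-SRP-enabled GnuTLS builds rather than one that merely failed to compile. Since these are the TLS-SRP credential fields the CVE fix moved into `primary` so that connection reuse is matched on them, it would help downstream rebuilders to say so explicitly, e.g. a changelog line `- fix build failure with gnutls backend enabled (completes the CVE-2022-27782 fix for TLS-SRP code paths)`. The replaced headers `-@@ -449,8 +449,8` and `-@@ -507,19 +507,19` are renumbered only, so the rest of this line is cosmetic.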
@@ -255,8 +391,8 @@ index 5749376..ec6be16 100644 } /* Initialize TLS session as a client */ -@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP +@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { @@ -264,16 +400,27 @@ index 5749376..ec6be16 100644 size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); -@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP + #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { -@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, +@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", 
@@ -283,6 +430,17 @@ index 5749376..ec6be16 100644 return CURLE_PEER_FAILED_VERIFICATION; } else +@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + gnutls_certificate_free_credentials(backend->cred); + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index b9fd26a..bd4ad8f 100644 --- a/lib/vtls/mbedtls.c @@ -428,7 +586,7 @@ index a40ac06..e2d3438 100644 From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 2/2] url: check SSH config match on connection reuse +Subject: [PATCH 3/3] url: check SSH config match on connection reuse CVE-2022-27782 diff --git a/curl.spec b/curl.spec index 38436c2..4af70aa 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -463,6 +463,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 18 2022 Kamil Dudka - 7.82.0-7 +- fix build failure with gnutls backend enabled + * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 - fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205)