fix build failure with gnutls backend enabled
Although the Fedora curl packages are compiled with the OpenSSL backend, some developers rebuild them with the gnutls backend in their own COPRs. This commit makes the source code compile again with gnutls; it does not affect the official Fedora (binary) RPMs.
This commit is contained in:
parent
9b08152998
commit
f5e5013744
|
@ -1,7 +1,131 @@
|
||||||
|
From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jay Satiro <raysatiro@yahoo.com>
|
||||||
|
Date: Thu, 17 Mar 2022 15:31:10 -0400
|
||||||
|
Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
|
||||||
|
|
||||||
|
Prior to this change if, at build time, the GnuTLS backend was found to
|
||||||
|
have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
|
||||||
|
via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
|
||||||
|
|
||||||
|
Bug: https://curl.se/mail/lib-2022-03/0046.html
|
||||||
|
Reported-by: Robert Brose
|
||||||
|
|
||||||
|
Closes https://github.com/curl/curl/pull/8604
|
||||||
|
|
||||||
|
Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/gtls.c | 26 +++++++++++++++++---------
|
||||||
|
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index 5749376..bc8ef68 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -55,6 +55,14 @@
|
||||||
|
/* The last #include file should be: */
|
||||||
|
#include "memdebug.h"
|
||||||
|
|
||||||
|
+#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+/* the function exists */
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+/* the functionality is not disabled */
|
||||||
|
+#define USE_GNUTLS_SRP
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Enable GnuTLS debugging by defining GTLSDEBUG */
|
||||||
|
/*#define GTLSDEBUG */
|
||||||
|
|
||||||
|
@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
|
||||||
|
struct ssl_backend_data {
|
||||||
|
gnutls_session_t session;
|
||||||
|
gnutls_certificate_credentials_t cred;
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
gnutls_srp_client_credentials_t srp_client_cred;
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
|
||||||
|
|
||||||
|
@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||||||
|
* GnuTLS will disable TLS 1.3 support. */
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
infof(data, "GnuTLS ciphers: %s", prioritylist);
|
||||||
|
rc = gnutls_priority_set_direct(session, prioritylist, &err);
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
/* put the credentials to the current session */
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||||
|
@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL
|
||||||
|
&& !SSL_CONN_CONFIG(verifypeer)
|
||||||
|
@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
failf(data, "failed to get server cert");
|
||||||
|
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
|
||||||
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
backend->cred = NULL;
|
||||||
|
}
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(backend->srp_client_cred) {
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
backend->srp_client_cred = NULL;
|
||||||
|
@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
}
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL)
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 9 May 2022 23:13:53 +0200
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
|
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
|
||||||
|
|
||||||
CVE-2022-27782
|
CVE-2022-27782
|
||||||
|
|
||||||
|
@ -15,12 +139,12 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
lib/setopt.c | 29 +++++++++++++++++------------
|
lib/setopt.c | 29 +++++++++++++++++------------
|
||||||
lib/url.c | 23 ++++++++++++++++-------
|
lib/url.c | 23 ++++++++++++++++-------
|
||||||
lib/urldata.h | 13 +++++++------
|
lib/urldata.h | 13 +++++++------
|
||||||
lib/vtls/gtls.c | 19 ++++++++++---------
|
lib/vtls/gtls.c | 32 +++++++++++++++++---------------
|
||||||
lib/vtls/mbedtls.c | 2 +-
|
lib/vtls/mbedtls.c | 2 +-
|
||||||
lib/vtls/nss.c | 6 +++---
|
lib/vtls/nss.c | 6 +++---
|
||||||
lib/vtls/openssl.c | 10 +++++-----
|
lib/vtls/openssl.c | 10 +++++-----
|
||||||
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
||||||
8 files changed, 80 insertions(+), 43 deletions(-)
|
8 files changed, 87 insertions(+), 49 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
index 8e1bf12..7aa6fdb 100644
|
index 8e1bf12..7aa6fdb 100644
|
||||||
|
@ -220,7 +344,19 @@ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
index 5749376..ec6be16 100644
|
index 5749376..ec6be16 100644
|
||||||
--- a/lib/vtls/gtls.c
|
--- a/lib/vtls/gtls.c
|
||||||
+++ b/lib/vtls/gtls.c
|
+++ b/lib/vtls/gtls.c
|
||||||
@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data,
|
@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
+ infof(data, "Using TLS-SRP username: %s",
|
||||||
|
+ SSL_SET_OPTION(primary.username));
|
||||||
|
|
||||||
|
rc = gnutls_srp_allocate_client_credentials(
|
||||||
|
&backend->srp_client_cred);
|
||||||
|
@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
|
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
|
||||||
|
@ -231,7 +367,7 @@ index 5749376..ec6be16 100644
|
||||||
if(rc != GNUTLS_E_SUCCESS) {
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
failf(data, "gnutls_srp_set_client_cred() failed: %s",
|
failf(data, "gnutls_srp_set_client_cred() failed: %s",
|
||||||
gnutls_strerror(rc));
|
gnutls_strerror(rc));
|
||||||
@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data,
|
@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -255,8 +391,8 @@ index 5749376..ec6be16 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Initialize TLS session as a client */
|
/* Initialize TLS session as a client */
|
||||||
@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
#ifdef HAVE_GNUTLS_SRP
|
#ifdef USE_GNUTLS_SRP
|
||||||
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||||||
* GnuTLS will disable TLS 1.3 support. */
|
* GnuTLS will disable TLS 1.3 support. */
|
||||||
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
@ -264,16 +400,27 @@ index 5749376..ec6be16 100644
|
||||||
size_t len = strlen(prioritylist);
|
size_t len = strlen(prioritylist);
|
||||||
|
|
||||||
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
|
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
|
||||||
@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
|
||||||
#ifdef HAVE_GNUTLS_SRP
|
#ifdef USE_GNUTLS_SRP
|
||||||
/* put the credentials to the current session */
|
/* put the credentials to the current session */
|
||||||
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||||||
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||||
backend->srp_client_cred);
|
backend->srp_client_cred);
|
||||||
if(rc != GNUTLS_E_SUCCESS) {
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
- && SSL_SET_OPTION(username) != NULL
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
|
||||||
|
+ && SSL_SET_OPTION(primary.username) != NULL
|
||||||
|
&& !SSL_CONN_CONFIG(verifypeer)
|
||||||
|
&& gnutls_cipher_get(session)) {
|
||||||
|
/* no peer cert, but auth is ok if we have SRP user and cipher and no
|
||||||
|
@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
failf(data, "server certificate verification failed. CAfile: %s "
|
failf(data, "server certificate verification failed. CAfile: %s "
|
||||||
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
|
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
|
||||||
"none",
|
"none",
|
||||||
|
@ -283,6 +430,17 @@ index 5749376..ec6be16 100644
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
- && SSL_SET_OPTION(username) != NULL)
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
|
||||||
|
+ && SSL_SET_OPTION(primary.username) != NULL)
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
#endif
|
||||||
|
|
||||||
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
||||||
index b9fd26a..bd4ad8f 100644
|
index b9fd26a..bd4ad8f 100644
|
||||||
--- a/lib/vtls/mbedtls.c
|
--- a/lib/vtls/mbedtls.c
|
||||||
|
@ -428,7 +586,7 @@ index a40ac06..e2d3438 100644
|
||||||
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 9 May 2022 23:13:53 +0200
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
Subject: [PATCH 2/2] url: check SSH config match on connection reuse
|
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
|
||||||
|
|
||||||
CVE-2022-27782
|
CVE-2022-27782
|
||||||
|
|
||||||
|
|
|
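Review bot: The gtls_shutdown hunk of the rebased CVE-2022-27782 patch frees `backend->srp_client_cred` when `primary.authtype`/`primary.username` say SRP was configured, rather than when the handle was actually allocated, and it neither NULL-checks nor clears the pointer, whereas close_one in the new first patch guards with `if(backend->srp_client_cred)` and resets it to NULL afterwards (gtls_shutdown's body continues outside the hunk). This is carried over from upstream rather than introduced here, but since this commit already rewrites exactly those two condition lines, it is the natural place to make the two teardown paths agree: `if(backend->srp_client_cred) {` / `gnutls_srp_free_client_credentials(backend->srp_client_cred);` / `backend->srp_client_cred = NULL; }`. Keying the free on the pointer avoids passing an unallocated handle to gnutls if gnutls_srp_allocate_client_credentials failed earlier (that failure path is not visible in the hunk) and leaves no dangling pointer behind. The trade-off is a further deviation from the upstream patch, which makes future rebases of this distro patch slightly harder; if that is the priority, a comment noting why the shutdown path differs from close_one would at least make the asymmetry deliberate.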
@ -1,7 +1,7 @@
|
||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.82.0
|
Version: 7.82.0
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||||
|
@ -463,6 +463,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-7
|
||||||
|
- fix build failure with gnutls backend enabled
|
||||||
|
|
||||||
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
||||||
- fix unpreserved file permissions (CVE-2022-32207)
|
- fix unpreserved file permissions (CVE-2022-32207)
|
||||||
- fix Set-Cookie denial of service (CVE-2022-32205)
|
- fix Set-Cookie denial of service (CVE-2022-32205)
|
||||||
|
|