Compare commits
34 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
4dd9624cd7 | ||
|
46b1c25738 | ||
|
8545535d63 | ||
|
f2473c9f84 | ||
|
1dc08c9d96 | ||
|
fa90718ce5 | ||
|
ff41f425b6 | ||
|
22ead1eab2 | ||
|
9aaddd4aa3 | ||
|
1ee2417a75 | ||
|
4c39814d7c | ||
|
a52387704a | ||
|
aa87f54d87 | ||
|
89e3fb5767 | ||
|
5470570402 | ||
|
2c28dfb932 | ||
|
840be82e6f | ||
|
b740a1ecc6 | ||
|
407d32e00a | ||
|
df63713984 | ||
|
87d774717a | ||
|
6071e0dd16 | ||
|
8c661bb9d7 | ||
|
c74a58b095 | ||
|
ce4949188b | ||
|
c88a6aff30 | ||
|
6a752013d0 | ||
|
53c8c93125 | ||
|
ac5c236f18 | ||
|
fbcad9a3a0 | ||
|
249d0aea51 | ||
|
83181bd6d3 | ||
|
dfb411a0a2 | ||
|
13f70ceee2 |
@ -1,316 +0,0 @@
|
||||
From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 13 Nov 2019 11:33:29 +0100
|
||||
Subject: [PATCH] curl: fix -T globbing
|
||||
|
||||
Regression from e59371a4936f8 (7.67.0)
|
||||
|
||||
Added test 490, 491 and 492 to verify the functionality.
|
||||
|
||||
Reported-by: Kamil Dudka
|
||||
Reported-by: Anderson Sasaki
|
||||
|
||||
Fixes #4588
|
||||
Closes #4591
|
||||
|
||||
Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
src/tool_operate.c | 15 ++++---
|
||||
tests/data/Makefile.inc | 2 +
|
||||
tests/data/test490 | 68 +++++++++++++++++++++++++++++++
|
||||
tests/data/test491 | 64 +++++++++++++++++++++++++++++
|
||||
tests/data/test492 | 89 +++++++++++++++++++++++++++++++++++++++++
|
||||
5 files changed, 232 insertions(+), 6 deletions(-)
|
||||
create mode 100644 tests/data/test490
|
||||
create mode 100644 tests/data/test491
|
||||
create mode 100644 tests/data/test492
|
||||
|
||||
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
||||
index 3087d2d..4ecb1ed 100644
|
||||
--- a/src/tool_operate.c
|
||||
+++ b/src/tool_operate.c
|
||||
@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
|
||||
separator = ((!state->outfiles ||
|
||||
!strcmp(state->outfiles, "-")) && urlnum > 1);
|
||||
|
||||
- /* Here's looping around each globbed URL */
|
||||
-
|
||||
- if(state->li >= urlnum) {
|
||||
- state->li = 0;
|
||||
- state->up++;
|
||||
- }
|
||||
if(state->up < state->infilenum) {
|
||||
struct per_transfer *per;
|
||||
struct OutStruct *outs;
|
||||
@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
|
||||
per->retrystart = tvnow();
|
||||
|
||||
state->li++;
|
||||
+ /* Here's looping around each globbed URL */
|
||||
+ if(state->li >= urlnum) {
|
||||
+ state->li = 0;
|
||||
+ state->urlnum = 0; /* forced reglob of URLs */
|
||||
+ glob_cleanup(state->urls);
|
||||
+ state->urls = NULL;
|
||||
+ state->up++;
|
||||
+ Curl_safefree(state->uploadfile); /* clear it to get the next */
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
/* Free this URL node data without destroying the
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 557f928..212900e 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -66,6 +66,8 @@ test393 test394 test395 \
|
||||
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
||||
test409 \
|
||||
\
|
||||
+test490 test491 test492 \
|
||||
+\
|
||||
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
||||
test509 test510 test511 test512 test513 test514 test515 test516 test517 \
|
||||
test518 test519 test520 test521 test522 test523 test524 test525 test526 \
|
||||
diff --git a/tests/data/test490 b/tests/data/test490
|
||||
new file mode 100644
|
||||
index 0000000..a3383a9
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test490
|
||||
@@ -0,0 +1,68 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HTTP PUT
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
+ETag: "21025-dc7-39462498"
|
||||
+Accept-Ranges: bytes
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+-foo-
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+Two globbed HTTP PUTs
|
||||
+ </name>
|
||||
+ <command>
|
||||
+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
|
||||
+</command>
|
||||
+<file name="log/in490">
|
||||
+surprise!
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<strip>
|
||||
+^User-Agent:.*
|
||||
+</strip>
|
||||
+<protocol>
|
||||
+PUT /490 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Content-Length: 10
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+surprise!
|
||||
+PUT /490 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Content-Length: 10
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+surprise!
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test491 b/tests/data/test491
|
||||
new file mode 100644
|
||||
index 0000000..b49c06c
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test491
|
||||
@@ -0,0 +1,64 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HTTP PUT
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
+ETag: "21025-dc7-39462498"
|
||||
+Accept-Ranges: bytes
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+-foo-
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+Two globbed HTTP PUTs, the second upload file is missing
|
||||
+ </name>
|
||||
+ <command>
|
||||
+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
|
||||
+</command>
|
||||
+<file name="log/in491">
|
||||
+surprise!
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<strip>
|
||||
+^User-Agent:.*
|
||||
+</strip>
|
||||
+<protocol>
|
||||
+PUT /491 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Content-Length: 10
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+surprise!
|
||||
+</protocol>
|
||||
+<errorcode>
|
||||
+26
|
||||
+</errorcode>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test492 b/tests/data/test492
|
||||
new file mode 100644
|
||||
index 0000000..12edd8b
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test492
|
||||
@@ -0,0 +1,89 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HTTP PUT
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
+ETag: "21025-dc7-39462498"
|
||||
+Accept-Ranges: bytes
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+-foo-
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+Two globbed HTTP PUTs to two globbed URLs
|
||||
+ </name>
|
||||
+ <command>
|
||||
+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
|
||||
+</command>
|
||||
+<file name="log/first492">
|
||||
+first 492 contents
|
||||
+</file>
|
||||
+<file1 name="log/second492">
|
||||
+second 492 contents
|
||||
+</file1>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<strip>
|
||||
+^User-Agent:.*
|
||||
+</strip>
|
||||
+<protocol>
|
||||
+PUT /one/first492 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Testno: 492
|
||||
+Content-Length: 19
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+first 492 contents
|
||||
+PUT /two/first492 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Testno: 492
|
||||
+Content-Length: 19
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+first 492 contents
|
||||
+PUT /one/second492 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Testno: 492
|
||||
+Content-Length: 20
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+second 492 contents
|
||||
+PUT /two/second492 HTTP/1.1
|
||||
+Host: 127.0.0.1:8990
|
||||
+Accept: */*
|
||||
+Testno: 492
|
||||
+Content-Length: 20
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+second 492 contents
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.20.1
|
||||
|
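--- /dev/null
+++ b/0001-curl-7.71.1-tool-krb-opt.patch
@@ -0,0 +1,65 @@
+From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 2 Jul 2020 17:41:37 +0200
+Subject: [PATCH 1/2] tool_getparam: make --krb option work again
+
+It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
+
+Bug: https://bugzilla.redhat.com/1833193
+Closes #5640
+
+Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+src/tool_getparam.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 3409621..9c6bc8a 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+break;
+case 'x': /* --krb */
+/* kerberos level string */
+- if(curlinfo->features & CURL_VERSION_KERBEROS4)
++ if(curlinfo->features & CURL_VERSION_SPNEGO)
+GetStr(&config->krblevel, nextarg);
+else
+return PARAM_LIBCURL_DOESNT_SUPPORT;
+--
+2.21.3
+
+
+From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 2 Jul 2020 23:46:40 +0200
+Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
+
+This came up in #5640. It make sense to clarify this in the docs!
+
+Reminded-by: Kamil Dudka
+Closes #5642
+
+Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+docs/libcurl/curl_version_info.3 | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
+index 2d21dfb..0d26e87 100644
+--- a/docs/libcurl/curl_version_info.3
++++ b/docs/libcurl/curl_version_info.3
+@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
+.IP CURL_VERSION_IPV6
+supports IPv6
+.IP CURL_VERSION_KERBEROS4
+-supports Kerberos V4 (when using FTP)
++supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
+.IP CURL_VERSION_KERBEROS5
+supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
+(Added in 7.40.0)
+--
+2.21.3
+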
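Review bot: The replacement gate in the `case 'x': /* --krb */` hunk tests `CURL_VERSION_SPNEGO`, yet --krb stores a Kerberos level used for FTP, and the curl_version_info.3 hunk later in this same file documents `CURL_VERSION_KERBEROS5` as the bit covering Kerberos V5 on FTP; consider `if(curlinfo->features & CURL_VERSION_KERBEROS5)` unless SPNEGO is known to be set in exactly the same builds. Either way the line deserves a short comment so the next reader does not reintroduce the legacy bit, for example `/* never test CURL_VERSION_KERBEROS4 here: legacy bit, deprecated since 7.33.0 */`. `getparameter` begins and ends outside the hunk.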
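--- /dev/null
+++ b/0002-curl-7.71.1-unset-nobody.patch
@@ -0,0 +1,148 @@
+From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 11:44:01 +0200
+Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
+
+Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
+action but before 7.71.0 that used to switch back to GET and with this
+change (assuming the method is still set to HEAD) this behavior is
+brought back.
+
+Reported-by: causal-agent on github
+Fixes #5725
+Closes #5728
+
+Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/setopt.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 90edf6a..d621335 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+if(data->set.opt_no_body)
+/* in HTTP lingo, no body means using the HEAD request... */
+data->set.method = HTTPREQ_HEAD;
++ else if(data->set.method == HTTPREQ_HEAD)
++ data->set.method = HTTPREQ_GET;
+break;
+case CURLOPT_FAILONERROR:
+/*
+--
+2.25.4
+
+
+From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 11:54:29 +0200
+Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
+
+... and mention that HTTP with other methods than HEAD might get a body and
+there's no option available to stop that.
+
+Closes #5729
+
+Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
+1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
+index f720f49..3674dde 100644
+--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
+@@ -5,7 +5,7 @@
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
+libcurl do a HEAD request. For most other protocols it means just not asking
+to transfer the body data.
+
+-Enabling this option means asking for a download but without a body.
++For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
++option (with 0) will make it a GET again - only if the method is still set to
++be HEAD. The proper way to get back to a GET request is to set
++\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
++options.
++
++Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
++
++If you do a transfer with HTTP that involves a method other than HEAD, you
++will get a body (unless the resource and server sends a zero byte body for the
++specific URL you request).
+.SH DEFAULT
+0, the body is transferred
+.SH PROTOCOLS
+@@ -43,9 +53,9 @@ Most
+.nf
+curl = curl_easy_init();
+if(curl) {
+- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
+
+- /* get us the resource without a body! */
++ /* get us the resource without a body - use HEAD! */
+curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
+
+/* Perform the request */
+@@ -57,5 +67,5 @@ Always
+.SH RETURN VALUE
+Returns CURLE_OK
+.SH "SEE ALSO"
+-.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
+-.BR CURLOPT_REQUEST_TARGET "(3), "
++.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
++.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
+--
+2.25.4
+
+
+From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 23:59:00 +0200
+Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
+
+As test 1140 fails otherwise!
+
+Follow-up to e1bac81cc815
+
+Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
+index 3674dde..112fb1a 100644
+--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
+@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
+libcurl do a HEAD request. For most other protocols it means just not asking
+to transfer the body data.
+
+-For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
++For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
+option (with 0) will make it a GET again - only if the method is still set to
+be HEAD. The proper way to get back to a GET request is to set
+-\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
++\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
+options.
+
+-Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
++Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
+
+If you do a transfer with HTTP that involves a method other than HEAD, you
+will get a body (unless the resource and server sends a zero byte body for the
+--
+2.25.4
+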
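Review bot: The new `else if(data->set.method == HTTPREQ_HEAD) data->set.method = HTTPREQ_GET;` branch in the CURLOPT_NOBODY case of `Curl_vsetopt` carries no comment, while the `if` arm it pairs with explains the HEAD mapping; a matching line, `/* unsetting NOBODY undoes the HEAD this option imposed, any other method is left alone */`, would make the asymmetry read as intentional. A caller that reached HEAD by some other route (if the code base allows that — TODO confirm) is also flipped to GET here, which is the behaviour the man-page text in the second patch of this file describes, so the comment should say so. The CURLOPT_NOBODY.3 hunks in the same file introduce the typo `POST ur UPLOAD`, and the third patch rewrites that line without correcting it; `POST or UPLOAD` is presumably intended. `Curl_vsetopt` begins and ends outside the hunk.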
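--- /dev/null
+++ b/0004-curl-7.71.1-CVE-2020-8231.patch
@@ -0,0 +1,281 @@
+From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001
+From: Marc Aldorasi <marc@groundctl.com>
+Date: Thu, 30 Jul 2020 14:16:17 -0400
+Subject: [PATCH 1/2] multi_remove_handle: close unused connect-only
+connections
+
+Previously any connect-only connections in a multi handle would be kept
+alive until the multi handle was closed. Since these connections cannot
+be re-used, they can be marked for closure when the associated easy
+handle is removed from the multi handle.
+
+Closes #5749
+
+Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/multi.c | 34 ++++++++++++++++++++++++++++++----
+tests/data/test1554 | 6 ++++++
+2 files changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 249e360..f1371bd 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -689,6 +689,26 @@ static CURLcode multi_done(struct Curl_easy *data,
+return result;
+}
+
++static int close_connect_only(struct connectdata *conn, void *param)
++{
++ struct Curl_easy *data = param;
++
++ if(data->state.lastconnect != conn)
++ return 0;
++
++ if(conn->data != data)
++ return 1;
++ conn->data = NULL;
++
++ if(!conn->bits.connect_only)
++ return 1;
++
++ connclose(conn, "Removing connect-only easy handle");
++ conn->bits.connect_only = FALSE;
++
++ return 1;
++}
++
+CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+struct Curl_easy *data)
+{
+@@ -776,10 +796,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+multi_done() as that may actually call Curl_expire that uses this */
+Curl_llist_destroy(&data->state.timeoutlist, NULL);
+
+- /* as this was using a shared connection cache we clear the pointer to that
+- since we're not part of that multi handle anymore */
+- data->state.conn_cache = NULL;
+-
+/* change state without using multistate(), only to make singlesocket() do
+what we want */
+data->mstate = CURLM_STATE_COMPLETED;
+@@ -789,12 +805,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+/* Remove the association between the connection and the handle */
+Curl_detach_connnection(data);
+
++ if(data->state.lastconnect) {
++ /* Mark any connect-only connection for closure */
++ Curl_conncache_foreach(data, data->state.conn_cache,
++ data, &close_connect_only);
++ }
++
+#ifdef USE_LIBPSL
+/* Remove the PSL association. */
+if(data->psl == &multi->psl)
+data->psl = NULL;
+#endif
+
++ /* as this was using a shared connection cache we clear the pointer to that
++ since we're not part of that multi handle anymore */
++ data->state.conn_cache = NULL;
++
+data->multi = NULL; /* clear the association to this multi handle */
+
+/* make sure there's no pending message in the queue sent from this easy
+diff --git a/tests/data/test1554 b/tests/data/test1554
+index d3926d9..fffa6ad 100644
+--- a/tests/data/test1554
++++ b/tests/data/test1554
+@@ -50,6 +50,8 @@ run 1: foobar and so on fun!
+<- Mutex unlock
+-> Mutex lock
+<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+run 1: foobar and so on fun!
+-> Mutex lock
+<- Mutex unlock
+@@ -65,6 +67,8 @@ run 1: foobar and so on fun!
+<- Mutex unlock
+-> Mutex lock
+<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+run 1: foobar and so on fun!
+-> Mutex lock
+<- Mutex unlock
+@@ -74,6 +78,8 @@ run 1: foobar and so on fun!
+<- Mutex unlock
+-> Mutex lock
+<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+</datacheck>
+</reply>
+
+--
+2.25.4
+
+
+From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH 2/2] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/connect.c | 19 ++++++++++---------
+lib/easy.c | 3 +--
+lib/multi.c | 9 +++++----
+lib/url.c | 2 +-
+lib/urldata.h | 2 +-
+5 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 29293f0..e1c5662 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+}
+
+struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+};
+
+static int conn_is_conn(struct connectdata *conn, void *param)
+{
+struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+return 1;
+}
+return 0;
+@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+* - that is associated with a multi handle, and whose connection
+* was detached with CURLOPT_CONNECT_ONLY
+*/
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+Curl_conncache_foreach(data, data->multi_easy?
+&data->multi_easy->conn_cache:
+&data->multi->conn_cache, &find, conn_is_conn);
+
+if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+return CURL_SOCKET_BAD;
+}
+
++ c = find.found;
+if(connp) {
+/* only store this if the caller cares for it */
+*connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 292cca7..a69eb9e 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+/* the connection cache is setup on demand */
+outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+outcurl->progress.flags = data->progress.flags;
+outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index f1371bd..778c537 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+data->state.conn_cache = &data->share->conn_cache;
+else
+data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+#ifdef USE_LIBPSL
+/* Do the same for PSL. */
+@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+CONNCACHE_UNLOCK(data);
+if(Curl_conncache_return_conn(data, conn)) {
+/* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+infof(data, "%s\n", buffer);
+}
+else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+}
+
+Curl_safefree(data->state.buffer);
+@@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param)
+{
+struct Curl_easy *data = param;
+
+- if(data->state.lastconnect != conn)
++ if(data->state.lastconnect_id != conn->connection_id)
+return 0;
+
+if(conn->data != data)
+@@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+/* Remove the association between the connection and the handle */
+Curl_detach_connnection(data);
+
+- if(data->state.lastconnect) {
++ if(data->state.lastconnect_id != -1) {
+/* Mark any connect-only connection for closure */
+Curl_conncache_foreach(data, data->state.conn_cache,
+data, &close_connect_only);
+diff --git a/lib/url.c b/lib/url.c
+index a1a6b69..2919a3d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+Curl_initinfo(data);
+
+/* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+data->progress.flags |= PGRS_HIDE;
+data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f80a02d..6d8eb69 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1300,7 +1300,7 @@ struct UrlState {
+/* buffers to store authentication data in, as parsed from input options */
+struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+struct dynbuf headerb; /* buffer to store headers in */
+
+char *buffer; /* download buffer */
+--
+2.25.4
+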
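Review bot: `close_connect_only`, added by the first patch in this file and amended by the second, has no header comment, and its 0/1 return values only mean something to `Curl_conncache_foreach`; a comment such as `/* Curl_conncache_foreach() callback: marks the easy handle's last connection for closure if it is connect-only; returns non-zero once that connection is seen (presumably stopping the walk) */` would document the contract, with the stop-on-non-zero part confirmed against the foreach implementation before it is stated as fact. The second patch's move from the `lastconnect` pointer to `lastconnect_id` is what removes the stale-pointer comparison, but matching `connection_id` by value relies on ids being unique within the cache that is walked, and `Curl_getconnectinfo` walks `data->multi_easy` or `data->multi`'s cache while `curl_multi_remove_handle` walks `data->state.conn_cache`, which `curl_multi_add_handle` may point at a share's cache; it is worth confirming the two lookups cannot resolve the same id to different connections when a share is in use. `curl_multi_remove_handle` and `Curl_getconnectinfo` begin and end outside their hunks.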
208
0005-curl-7.71.1-CVE-2020-8284.patch
Normal file
208
0005-curl-7.71.1-CVE-2020-8284.patch
Normal file
@ -0,0 +1,208 @@
|
||||
From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 24 Nov 2020 14:56:57 +0100
|
||||
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
|
||||
|
||||
The command line tool also independently sets --ftp-skip-pasv-ip by
|
||||
default.
|
||||
|
||||
Ten test cases updated to adapt the modified --libcurl output.
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2020-8284.html
|
||||
CVE-2020-8284
|
||||
|
||||
Reported-by: Varnavas Papaioannou
|
||||
|
||||
Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
|
||||
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
|
||||
lib/url.c | 1 +
|
||||
src/tool_cfgable.c | 1 +
|
||||
tests/data/test1400 | 1 +
|
||||
tests/data/test1401 | 1 +
|
||||
tests/data/test1402 | 1 +
|
||||
tests/data/test1403 | 1 +
|
||||
tests/data/test1404 | 1 +
|
||||
tests/data/test1405 | 1 +
|
||||
tests/data/test1406 | 1 +
|
||||
tests/data/test1407 | 1 +
|
||||
tests/data/test1420 | 1 +
|
||||
13 files changed, 18 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
index da6ab11..4be8b43 100644
|
||||
--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
|
||||
will re-use the same IP address it already uses for the control
|
||||
connection.
|
||||
|
||||
+Since curl 7.74.0 this option is enabled by default.
|
||||
+
|
||||
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
index e68d2e7..29bc672 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
@@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
|
||||
number from the 227-response.
|
||||
|
||||
This option thus allows libcurl to work around broken server installations
|
||||
-that due to NATs, firewalls or incompetence report the wrong IP address back.
|
||||
+that due to NATs, firewalls or incompetence report the wrong IP address
|
||||
+back. Setting the option also reduces the risk for various sorts of client
|
||||
+abuse by malicious servers.
|
||||
|
||||
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||
.SH DEFAULT
|
||||
-0
|
||||
+1 since 7.74.0, was 0 before then.
|
||||
.SH PROTOCOLS
|
||||
FTP
|
||||
.SH EXAMPLE
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index 2919a3d..41029d6 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -480,6 +480,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
|
||||
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
|
||||
set->ftp_filemethod = FTPFILE_MULTICWD;
|
||||
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
|
||||
#endif
|
||||
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
|
||||
|
||||
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
|
||||
index 63bdeaa..22770c4 100644
|
||||
--- a/src/tool_cfgable.c
|
||||
+++ b/src/tool_cfgable.c
|
||||
@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
|
||||
config->tcp_nodelay = TRUE; /* enabled by default */
|
||||
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
|
||||
config->http09_allowed = FALSE;
|
||||
+ config->ftp_skip_ip = TRUE;
|
||||
}
|
||||
|
||||
static void free_config_fields(struct OperationConfig *config)
|
||||
diff --git a/tests/data/test1400 b/tests/data/test1400
|
||||
index c0d409b..ade50d4 100644
|
||||
--- a/tests/data/test1400
|
||||
+++ b/tests/data/test1400
|
||||
@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1401 b/tests/data/test1401
|
||||
index ec3b25c..a2e9ef2 100644
|
||||
--- a/tests/data/test1401
|
||||
+++ b/tests/data/test1401
|
||||
@@ -90,6 +90,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
|
||||
(long)CURLPROTO_FTP |
|
||||
diff --git a/tests/data/test1402 b/tests/data/test1402
|
||||
index bf7eb7b..99d4b70 100644
|
||||
--- a/tests/data/test1402
|
||||
+++ b/tests/data/test1402
|
||||
@@ -81,6 +81,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1403 b/tests/data/test1403
|
||||
index 731d274..90f9b4e 100644
|
||||
--- a/tests/data/test1403
|
||||
+++ b/tests/data/test1403
|
||||
@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1404 b/tests/data/test1404
|
||||
index d3c66a9..d351c3e 100644
|
||||
--- a/tests/data/test1404
|
||||
+++ b/tests/data/test1404
|
||||
@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1405 b/tests/data/test1405
|
||||
index dcc8f80..d1ebb7c 100644
|
||||
--- a/tests/data/test1405
|
||||
+++ b/tests/data/test1405
|
||||
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
|
||||
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1406 b/tests/data/test1406
|
||||
index 8803c84..31db82a 100644
|
||||
--- a/tests/data/test1406
|
||||
+++ b/tests/data/test1406
|
||||
@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
|
||||
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
|
||||
diff --git a/tests/data/test1407 b/tests/data/test1407
|
||||
index 917a5de..d329509 100644
|
||||
--- a/tests/data/test1407
|
||||
+++ b/tests/data/test1407
|
||||
@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1420 b/tests/data/test1420
|
||||
index 03c4584..c1ba190 100644
|
||||
--- a/tests/data/test1420
|
||||
+++ b/tests/data/test1420
|
||||
@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
|
||||
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
--
|
||||
2.26.2
|
||||
|
1864
0006-curl-7.71.1-CVE-2020-8285.patch
Normal file
File diff suppressed because it is too large
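--- /dev/null
+++ b/0007-curl-7.71.1-CVE-2020-8286.patch
@@ -0,0 +1,129 @@
+From 2ad3b3d39e45a9eeaf6845f393928ef0095893e7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+
+CVE-2020-8286
+
+Reported by anonymous
+
+Bug: https://curl.se/docs/CVE-2020-8286.html
+
+Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
+1 file changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2e9f900..5803fd1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1775,6 +1775,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+X509_STORE *st = NULL;
+STACK_OF(X509) *ch = NULL;
+struct ssl_backend_data *backend = connssl->backend;
++ X509 *cert;
++ OCSP_CERTID *id = NULL;
++ int cert_status, crl_reason;
++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ int ret;
+
+long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
+
+@@ -1843,43 +1848,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+goto end;
+}
+
+- for(i = 0; i < OCSP_resp_count(br); i++) {
+- int cert_status, crl_reason;
+- OCSP_SINGLERESP *single = NULL;
+-
+- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ /* Compute the certificate's ID */
++ cert = SSL_get_peer_certificate(backend->handle);
++ if(!cert) {
++ failf(data, "Error getting peer certficate");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- single = OCSP_resp_get0(br, i);
+- if(!single)
+- continue;
++ for(i = 0; i < sk_X509_num(ch); i++) {
++ X509 *issuer = sk_X509_value(ch, i);
++ if(X509_check_issued(issuer, cert) == X509_V_OK) {
++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++ break;
++ }
++ }
++ X509_free(cert);
+
+- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+- &thisupd, &nextupd);
++ if(!id) {
++ failf(data, "Error computing OCSP ID");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+- failf(data, "OCSP response has expired");
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ /* Find the single OCSP response corresponding to the certificate ID */
++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++ &thisupd, &nextupd);
++ OCSP_CERTID_free(id);
++ if(ret != 1) {
++ failf(data, "Could not find certificate ID in OCSP response");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- infof(data, "SSL certificate status: %s (%d)\n",
+- OCSP_cert_status_str(cert_status), cert_status);
++ /* Validate the corresponding single OCSP response */
++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++ failf(data, "OCSP response has expired");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- switch(cert_status) {
+- case V_OCSP_CERTSTATUS_GOOD:
+- break;
++ infof(data, "SSL certificate status: %s (%d)\n",
++ OCSP_cert_status_str(cert_status), cert_status);
+
+- case V_OCSP_CERTSTATUS_REVOKED:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
++ switch(cert_status) {
++ case V_OCSP_CERTSTATUS_GOOD:
++ break;
+
+- failf(data, "SSL certificate revocation reason: %s (%d)",
+- OCSP_crl_reason_str(crl_reason), crl_reason);
+- goto end;
++ case V_OCSP_CERTSTATUS_REVOKED:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ failf(data, "SSL certificate revocation reason: %s (%d)",
++ OCSP_crl_reason_str(crl_reason), crl_reason);
++ goto end;
+
+- case V_OCSP_CERTSTATUS_UNKNOWN:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ case V_OCSP_CERTSTATUS_UNKNOWN:
++ default:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
+}
+
+end:
+--
+2.26.2
+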
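Review bot: The failf() text on the new `if(!cert)` branch misspells "certificate" (`"Error getting peer certficate"`); it is a user-visible diagnostic that people paste into bug reports, so `failf(data, "Error getting peer certificate");` is worth fixing in the same patch. The issuer search uses `X509_check_issued()`, which matches on name and key identifier only; that is only sound if `ch` is the chain already validated by the OCSP_basic_verify() step earlier in verifystatus(), which I presume it is, and a one-line comment above the `for(i = 0; i < sk_X509_num(ch); i++)` loop stating that dependency would stop a future refactor from reordering the two steps. `OCSP_cert_to_id(EVP_sha1(), cert, issuer)` also pins the CertID digest to SHA-1, so a responder keying its single responses by another digest makes `OCSP_resp_find_status` return 0 and the connection fail closed; that is the safe direction but deserves a comment. verifystatus() starts and ends outside the hunks.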
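--- /dev/null
+++ b/0008-curl-7.71.1-CVE-2021-22876.patch
@@ -0,0 +1,64 @@
+From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH] transfer: strip credentials from the auto-referer header
+field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/transfer.c | 24 ++++++++++++++++++++++--
+1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 44104ab..3325a0e 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+data->set.followlocation++; /* count location-followers */
+
+if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+/* We are asked to automatically set the previous URL as the referer
+when we get the next URL. We pick the ->url field, which may or may
+not be 100% correct */
+@@ -1591,9 +1594,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
+data->change.referer_alloc = FALSE;
+}
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+return CURLE_OUT_OF_MEMORY;
++ data->change.referer = referer;
+data->change.referer_alloc = TRUE; /* yes, free this later */
+}
+}
+--
+2.26.3
+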
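Review bot: `referer` is declared without an initializer and is only assigned on the final `curl_url_get()` step, so the `if(uc || referer == NULL)` test reads an indeterminate pointer whenever an earlier `curl_url_set()` fails and only short-circuit evaluation saves it; `char *referer = NULL;` makes the invariant explicit and survives any later reordering of the checks. Every CURLUcode failure on this path is then reported as `CURLE_OUT_OF_MEMORY`, including the case where `curl_url_set(u, CURLUPART_URL, ...)` rejects the previous URL, which misleads anyone debugging a failed redirect; either map the parse failure to a distinct code or add a comment saying the collapse is deliberate. The comment on the first added line of the second hunk has a typo: `/* Make a copy of the URL without credentials and fragment */`. `uc` is not declared in the hunk, so it presumably already exists in Curl_follow(), whose body starts and ends outside the hunks.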
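--- /dev/null
+++ b/0009-curl-7.71.1-CVE-2021-22890.patch
@@ -0,0 +1,217 @@
+From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Mar 2021 12:38:49 +0100
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
+lib/vtls/vtls.c | 12 ++++++++---
+lib/vtls/vtls.h | 2 ++
+3 files changed, 51 insertions(+), 15 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 5803fd1..16276f3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
+*/
+static int ossl_get_ssl_sockindex_index(void)
+{
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+}
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+}
+
+static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
+Curl_tls_keylog_open();
+
+/* Initialize the extra data indexes */
+- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++ if(ossl_get_ssl_conn_index() < 0 ||
++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+return 0;
+
+return 1;
+@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+curl_socket_t *sockindex_ptr;
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(connectdata_idx < 0 || sockindex_idx < 0)
++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+return 0;
+
+conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+if(SSL_SET_OPTION(primary.sessionid)) {
+bool incache;
+void *old_ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+if(incache) {
+if(old_ssl_sessionid != ssl_sessionid) {
+infof(data, "old SSL session ID is stale, removing\n");
+@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+}
+
+if(!incache) {
+- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+0 /* unknown size */, sockindex)) {
+/* the session has been put into the session cache */
+res = 1;
+@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+void *ssl_sessionid = NULL;
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+/* Store the data needed for the "new session" callback.
+* The sockindex is stored as a pointer to an array element. */
+SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+}
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index c3a55fb..e50fdd2 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+* there's one suitable, it is provided. Returns TRUE when no entry matched.
+*/
+bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isProxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex)
+@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+bool no_match = TRUE;
+
+#ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+const char * const name = conn->host.name;
+int port = conn->remote_port;
+- (void)sockindex;
+#endif
++ (void)sockindex;
+*ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+if(!SSL_SET_OPTION(primary.sessionid))
+@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+* later on.
+*/
+CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex)
+@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+int conn_to_port;
+long *general_age;
+#ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+const char *hostname = conn->host.name;
+(void)sockindex;
+#endif
++ (void)sockindex;
+DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index bcc8444..343cad0 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+* under sessionid mutex).
+*/
+bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isproxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex);
+@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+* object with cache (e.g. incrementing refcount on success)
+*/
+CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ const bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex);
+--
+2.26.3
+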
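Review bot: In the last `Curl_ssl_addsessionid` hunk the added `(void)sockindex;` after `#endif` duplicates the one still present in the `#else` branch two lines above it, so the CURL_DISABLE_PROXY build now has the statement twice; the matching `Curl_ssl_getsessionid` hunk removed the inner copy, and this hunk should do the same for consistency. `Curl_ssl_getsessionid` also gains an `#ifdef CURL_DISABLE_PROXY` guard that returns TRUE when `isProxy` is set, but `Curl_ssl_addsessionid` has no counterpart, so in that build a TRUE `isProxy` would silently add the session to the non-proxy cache and the parameter is otherwise unreferenced; mirroring the guard, or at minimum `(void)isProxy;`, keeps the two entry points symmetric. The new parameter is spelled `isproxy` in the vtls.h declaration of `Curl_ssl_getsessionid` but `isProxy` in its vtls.c definition and in both `Curl_ssl_addsessionid` signatures; one spelling should be used throughout. The `SSL_IS_PROXY() ? (void *) 1: NULL` expression in ossl_connect_step1 stores an integer as an opaque pointer, which works, but a short comment saying only NULL versus non-NULL is meaningful (as the `? TRUE : FALSE` read in ossl_new_session_cb relies on) would help the next reader.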
788
0010-curl-7.71.1-CVE-2021-22924.patch
Normal file
@ -0,0 +1,788 @@
|
||||
From c3e2c52593b94bd93775b50063e1d54bc7b1b911 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 18 Feb 2021 10:13:56 +0100
|
||||
Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
|
||||
|
||||
It doesn't provide any useful info but only makes the names longer.
|
||||
|
||||
Closes #6624
|
||||
|
||||
Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/doh.c | 12 ++++++------
|
||||
lib/setopt.c | 38 +++++++++++++++++++-------------------
|
||||
lib/url.c | 42 +++++++++++++++++++++---------------------
|
||||
lib/urldata.h | 34 +++++++++++++++++-----------------
|
||||
lib/vtls/gskit.c | 2 +-
|
||||
lib/vtls/gtls.c | 2 +-
|
||||
lib/vtls/mbedtls.c | 4 ++--
|
||||
lib/vtls/nss.c | 2 +-
|
||||
lib/vtls/openssl.c | 2 +-
|
||||
lib/vtls/schannel.c | 2 +-
|
||||
lib/vtls/sectransp.c | 7 ++++---
|
||||
lib/vtls/wolfssl.c | 4 ++--
|
||||
12 files changed, 76 insertions(+), 75 deletions(-)
|
||||
|
||||
diff --git a/lib/doh.c b/lib/doh.c
|
||||
index ebb2c24..cbd34f6 100644
|
||||
--- a/lib/doh.c
|
||||
+++ b/lib/doh.c
|
||||
@@ -318,17 +318,17 @@ static CURLcode dohprobe(struct Curl_easy *data,
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
|
||||
if(data->set.ssl.primary.verifystatus)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
|
||||
- if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
|
||||
+ if(data->set.str[STRING_SSL_CAFILE]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
|
||||
- data->set.str[STRING_SSL_CAFILE_ORIG]);
|
||||
+ data->set.str[STRING_SSL_CAFILE]);
|
||||
}
|
||||
- if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
|
||||
+ if(data->set.str[STRING_SSL_CAPATH]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
|
||||
- data->set.str[STRING_SSL_CAPATH_ORIG]);
|
||||
+ data->set.str[STRING_SSL_CAPATH]);
|
||||
}
|
||||
- if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
|
||||
+ if(data->set.str[STRING_SSL_CRLFILE]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
|
||||
- data->set.str[STRING_SSL_CRLFILE_ORIG]);
|
||||
+ data->set.str[STRING_SSL_CRLFILE]);
|
||||
}
|
||||
if(data->set.ssl.certinfo)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index d621335..58d92e2 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -174,7 +174,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
break;
|
||||
case CURLOPT_SSL_CIPHER_LIST:
|
||||
/* set a list of cipher we want to use in the SSL connection */
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -187,7 +187,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
case CURLOPT_TLS13_CIPHERS:
|
||||
if(Curl_ssl_tls13_ciphersuites()) {
|
||||
/* set preferred list of TLS 1.3 cipher suites */
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
|
||||
va_arg(param, char *));
|
||||
}
|
||||
else
|
||||
@@ -1643,14 +1643,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* String that holds file name of the SSL certificate to use
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_CERT],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
case CURLOPT_SSLCERT_BLOB:
|
||||
/*
|
||||
* Blob that holds file name of the SSL certificate to use
|
||||
*/
|
||||
- result = Curl_setblobopt(&data->set.blobs[BLOB_CERT_ORIG],
|
||||
+ result = Curl_setblobopt(&data->set.blobs[BLOB_CERT],
|
||||
va_arg(param, struct curl_blob *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1673,7 +1673,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* String that holds file type of the SSL certificate to use
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1689,14 +1689,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* String that holds file name of the SSL key to use
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_KEY],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
case CURLOPT_SSLKEY_BLOB:
|
||||
/*
|
||||
* Blob that holds file name of the SSL key to use
|
||||
*/
|
||||
- result = Curl_setblobopt(&data->set.blobs[BLOB_KEY_ORIG],
|
||||
+ result = Curl_setblobopt(&data->set.blobs[BLOB_KEY],
|
||||
va_arg(param, struct curl_blob *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1719,7 +1719,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* String that holds file type of the SSL key to use
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1735,7 +1735,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* String that holds the SSL or SSH private key password.
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1944,7 +1944,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
*/
|
||||
#ifdef USE_SSL
|
||||
if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
|
||||
va_arg(param, char *));
|
||||
else
|
||||
#endif
|
||||
@@ -1969,7 +1969,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
/*
|
||||
* Set CA info for SSL connection. Specify file name of the CA certificate
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -1990,7 +1990,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
#ifdef USE_SSL
|
||||
if(Curl_ssl->supports & SSLSUPP_CA_PATH)
|
||||
/* This does not work on windows. */
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
|
||||
va_arg(param, char *));
|
||||
else
|
||||
#endif
|
||||
@@ -2017,7 +2017,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
* Set CRL file info for SSL connection. Specify file name of the CRL
|
||||
* to check certificates revocation
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -2035,14 +2035,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
* Set Issuer certificate file
|
||||
* to check certificates issuer
|
||||
*/
|
||||
- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
|
||||
va_arg(param, char *));
|
||||
break;
|
||||
case CURLOPT_ISSUERCERT_BLOB:
|
||||
/*
|
||||
* Blob that holds Issuer certificate to check certificates issuer
|
||||
*/
|
||||
- result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG],
|
||||
+ result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT],
|
||||
va_arg(param, struct curl_blob *));
|
||||
break;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
@@ -2638,9 +2638,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
#endif
|
||||
#ifdef USE_TLS_SRP
|
||||
case CURLOPT_TLSAUTH_USERNAME:
|
||||
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||
va_arg(param, char *));
|
||||
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
|
||||
+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||
break;
|
||||
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||
@@ -2653,9 +2653,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
#endif
|
||||
break;
|
||||
case CURLOPT_TLSAUTH_PASSWORD:
|
||||
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||
va_arg(param, char *));
|
||||
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
|
||||
+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||
break;
|
||||
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index 307b66e..dd18c63 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -543,7 +543,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||
*/
|
||||
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
|
||||
#if defined(CURL_CA_BUNDLE)
|
||||
- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
|
||||
+ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
@@ -553,7 +553,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||
return result;
|
||||
#endif
|
||||
#if defined(CURL_CA_PATH)
|
||||
- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
|
||||
+ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
@@ -3600,17 +3600,17 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
that will be freed as part of the Curl_easy struct, but all cloned
|
||||
copies will be separately allocated.
|
||||
*/
|
||||
- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
|
||||
- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
|
||||
+ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
|
||||
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
||||
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||
data->set.ssl.primary.cipher_list =
|
||||
- data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
|
||||
+ data->set.str[STRING_SSL_CIPHER_LIST];
|
||||
data->set.ssl.primary.cipher_list13 =
|
||||
- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
|
||||
+ data->set.str[STRING_SSL_CIPHER13_LIST];
|
||||
data->set.ssl.primary.pinned_key =
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
- data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
+ data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
|
||||
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
|
||||
@@ -3636,26 +3636,26 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
|
||||
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||||
#endif
|
||||
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
|
||||
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
|
||||
- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
|
||||
- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
|
||||
- data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
|
||||
- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
|
||||
- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
|
||||
- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
|
||||
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||
+ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||
+ data->set.ssl.cert = data->set.str[STRING_CERT];
|
||||
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||
+ data->set.ssl.key = data->set.str[STRING_KEY];
|
||||
+ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||||
+ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
||||
+ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||||
#ifdef USE_TLS_SRP
|
||||
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
|
||||
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
|
||||
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||
data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||
#endif
|
||||
#endif
|
||||
|
||||
- data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
|
||||
- data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
|
||||
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
|
||||
+ data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
|
||||
+ data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||||
+ data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
||||
|
||||
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
||||
&conn->ssl_config)) {
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index df9d998..0fb046f 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -1491,9 +1491,9 @@ struct Curl_multi; /* declared and used only in multi.c */
|
||||
* are catered for in curl_easy_setopt_ccsid()
|
||||
*/
|
||||
enum dupstring {
|
||||
- STRING_CERT_ORIG, /* client certificate file name */
|
||||
+ STRING_CERT, /* client certificate file name */
|
||||
STRING_CERT_PROXY, /* client certificate file name */
|
||||
- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/
|
||||
+ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/
|
||||
STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
|
||||
STRING_COOKIE, /* HTTP cookie string to send */
|
||||
STRING_COOKIEJAR, /* dump all cookies to this file */
|
||||
@@ -1504,11 +1504,11 @@ enum dupstring {
|
||||
STRING_FTP_ACCOUNT, /* ftp account data */
|
||||
STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
|
||||
STRING_FTPPORT, /* port to send with the FTP PORT command */
|
||||
- STRING_KEY_ORIG, /* private key file name */
|
||||
+ STRING_KEY, /* private key file name */
|
||||
STRING_KEY_PROXY, /* private key file name */
|
||||
- STRING_KEY_PASSWD_ORIG, /* plain text private key password */
|
||||
+ STRING_KEY_PASSWD, /* plain text private key password */
|
||||
STRING_KEY_PASSWD_PROXY, /* plain text private key password */
|
||||
- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */
|
||||
+ STRING_KEY_TYPE, /* format for private key (default: PEM) */
|
||||
STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */
|
||||
STRING_KRB_LEVEL, /* krb security level */
|
||||
STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
|
||||
@@ -1518,22 +1518,22 @@ enum dupstring {
|
||||
STRING_SET_RANGE, /* range, if used */
|
||||
STRING_SET_REFERER, /* custom string for the HTTP referer field */
|
||||
STRING_SET_URL, /* what original URL to work on */
|
||||
- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
|
||||
+ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */
|
||||
STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
|
||||
- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
|
||||
+ STRING_SSL_CAFILE, /* certificate file to verify peer against */
|
||||
STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
|
||||
- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
|
||||
+ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
|
||||
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
|
||||
- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
|
||||
+ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
|
||||
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
|
||||
- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
|
||||
+ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
|
||||
STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
|
||||
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
|
||||
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
|
||||
STRING_USERAGENT, /* User-Agent string */
|
||||
- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
|
||||
+ STRING_SSL_CRLFILE, /* crl file to check certificate */
|
||||
STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
|
||||
- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
|
||||
+ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
|
||||
STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
|
||||
STRING_SSL_ENGINE, /* name of ssl engine */
|
||||
STRING_USERNAME, /* <username>, if used */
|
||||
@@ -1557,9 +1557,9 @@ enum dupstring {
|
||||
STRING_MAIL_FROM,
|
||||
STRING_MAIL_AUTH,
|
||||
|
||||
- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth <username> */
|
||||
+ STRING_TLSAUTH_USERNAME, /* TLS auth <username> */
|
||||
STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */
|
||||
- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth <password> */
|
||||
+ STRING_TLSAUTH_PASSWORD, /* TLS auth <password> */
|
||||
STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
|
||||
|
||||
STRING_BEARER, /* <bearer>, if used */
|
||||
@@ -1593,11 +1593,11 @@ enum dupstring {
|
||||
};
|
||||
|
||||
enum dupblob {
|
||||
- BLOB_CERT_ORIG,
|
||||
+ BLOB_CERT,
|
||||
BLOB_CERT_PROXY,
|
||||
- BLOB_KEY_ORIG,
|
||||
+ BLOB_KEY,
|
||||
BLOB_KEY_PROXY,
|
||||
- BLOB_SSL_ISSUERCERT_ORIG,
|
||||
+ BLOB_SSL_ISSUERCERT,
|
||||
BLOB_SSL_ISSUERCERT_PROXY,
|
||||
BLOB_LAST
|
||||
};
|
||||
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
|
||||
index 0538e4a..de9a9db 100644
|
||||
--- a/lib/vtls/gskit.c
|
||||
+++ b/lib/vtls/gskit.c
|
||||
@@ -1039,7 +1039,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
|
||||
|
||||
/* Check pinned public key. */
|
||||
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
if(!result && ptr) {
|
||||
curl_X509certificate x509;
|
||||
curl_asn1Element *p;
|
||||
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||
index 9b4c365..2ce5749 100644
|
||||
--- a/lib/vtls/gtls.c
|
||||
+++ b/lib/vtls/gtls.c
|
||||
@@ -1184,7 +1184,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
}
|
||||
|
||||
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
if(ptr) {
|
||||
result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
|
||||
if(result != CURLE_OK) {
|
||||
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
||||
index 545f824..bf3683d 100644
|
||||
--- a/lib/vtls/mbedtls.c
|
||||
+++ b/lib/vtls/mbedtls.c
|
||||
@@ -546,10 +546,10 @@ mbed_connect_step2(struct connectdata *conn,
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
#else
|
||||
const char * const pinnedpubkey =
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
#endif
|
||||
|
||||
conn->recv[sockindex] = mbed_recv;
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index fca2926..9dad33f 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -2131,7 +2131,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
|
||||
|
||||
/* check timeout situation */
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 16276f3..acf6577 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -3965,7 +3965,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
result = CURLE_OK;
|
||||
|
||||
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
if(!result && ptr) {
|
||||
result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
|
||||
if(result)
|
||||
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
|
||||
index 1996526..ba82513 100644
|
||||
--- a/lib/vtls/schannel.c
|
||||
+++ b/lib/vtls/schannel.c
|
||||
@@ -1243,7 +1243,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
|
||||
|
||||
pubkey_ptr = SSL_IS_PROXY() ?
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
if(pubkey_ptr) {
|
||||
result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
|
||||
if(result) {
|
||||
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
|
||||
index 2627aff..120df3a 100644
|
||||
--- a/lib/vtls/sectransp.c
|
||||
+++ b/lib/vtls/sectransp.c
|
||||
@@ -2609,9 +2609,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
|
||||
connssl->connecting_state = ssl_connect_3;
|
||||
|
||||
#ifdef SECTRANSP_PINNEDPUBKEY
|
||||
- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
|
||||
- CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx,
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
|
||||
+ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
|
||||
+ CURLcode result =
|
||||
+ pkp_pin_peer_pubkey(data, backend->ssl_ctx,
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
|
||||
if(result) {
|
||||
failf(data, "SSL: public key does not match pinned public key!");
|
||||
return result;
|
||||
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
|
||||
index 7b2a124..fc41748 100644
|
||||
--- a/lib/vtls/wolfssl.c
|
||||
+++ b/lib/vtls/wolfssl.c
|
||||
@@ -549,12 +549,12 @@ wolfssl_connect_step2(struct connectdata *conn,
|
||||
conn->http_proxy.host.dispname : conn->host.dispname;
|
||||
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
#else
|
||||
const char * const hostname = conn->host.name;
|
||||
const char * const dispname = conn->host.dispname;
|
||||
const char * const pinnedpubkey =
|
||||
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||
#endif
|
||||
|
||||
conn->recv[sockindex] = wolfssl_recv;
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From fea46e2ddc6050b0aa008033325afbb0606d2b55 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sat, 19 Jun 2021 00:42:28 +0200
|
||||
Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
|
||||
case sensitivity
|
||||
|
||||
CVE-2021-22924
|
||||
|
||||
Reported-by: Harry Sintonen
|
||||
Bug: https://curl.se/docs/CVE-2021-22924.html
|
||||
|
||||
Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/url.c | 9 ++++++---
|
||||
lib/urldata.h | 4 ++--
|
||||
lib/vtls/gtls.c | 10 +++++-----
|
||||
lib/vtls/nss.c | 4 ++--
|
||||
lib/vtls/openssl.c | 18 +++++++++---------
|
||||
lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
|
||||
6 files changed, 45 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index dd18c63..71e226e 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
*/
|
||||
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
|
||||
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
||||
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||
+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
||||
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||
data->set.ssl.primary.cipher_list =
|
||||
@@ -3625,8 +3627,11 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
data->set.proxy_ssl.primary.pinned_key =
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
|
||||
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
|
||||
+ data->set.proxy_ssl.primary.issuercert =
|
||||
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||
+ data->set.proxy_ssl.primary.issuercert_blob =
|
||||
+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
||||
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
|
||||
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||||
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||||
@@ -3637,7 +3642,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||||
#endif
|
||||
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||
data->set.ssl.cert = data->set.str[STRING_CERT];
|
||||
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||
data->set.ssl.key = data->set.str[STRING_KEY];
|
||||
@@ -3655,7 +3659,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
|
||||
data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
|
||||
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||||
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
||||
|
||||
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
||||
&conn->ssl_config)) {
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index 0fb046f..8b5b597 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -223,6 +223,7 @@ struct ssl_primary_config {
|
||||
long version_max; /* max supported version the client wants to use*/
|
||||
char *CApath; /* certificate dir (doesn't work on windows) */
|
||||
char *CAfile; /* certificate to verify peer against */
|
||||
+ char *issuercert; /* optional issuer certificate filename */
|
||||
char *clientcert;
|
||||
char *random_file; /* path to file containing "random" data */
|
||||
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||
@@ -230,6 +231,7 @@ struct ssl_primary_config {
|
||||
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||
char *pinned_key;
|
||||
struct curl_blob *cert_blob;
|
||||
+ struct curl_blob *issuercert_blob;
|
||||
BIT(verifypeer); /* set TRUE if this is desired */
|
||||
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
||||
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
||||
@@ -240,8 +242,6 @@ struct ssl_config_data {
|
||||
struct ssl_primary_config primary;
|
||||
long certverifyresult; /* result from the certificate verification */
|
||||
char *CRLfile; /* CRL to check certificate revocation */
|
||||
- char *issuercert;/* optional issuer certificate filename */
|
||||
- struct curl_blob *issuercert_blob;
|
||||
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||
void *fsslctxp; /* parameter for call back */
|
||||
char *cert; /* client certificate file name */
|
||||
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||
index 2ce5749..1b87085 100644
|
||||
--- a/lib/vtls/gtls.c
|
||||
+++ b/lib/vtls/gtls.c
|
||||
@@ -851,7 +851,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
if(!chainp) {
|
||||
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||
SSL_CONN_CONFIG(verifyhost) ||
|
||||
- SSL_SET_OPTION(issuercert)) {
|
||||
+ SSL_CONN_CONFIG(issuercert)) {
|
||||
#ifdef USE_TLS_SRP
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||
&& SSL_SET_OPTION(username) != NULL
|
||||
@@ -1035,21 +1035,21 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
gnutls_x509_crt_t format */
|
||||
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
|
||||
|
||||
- if(SSL_SET_OPTION(issuercert)) {
|
||||
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||
gnutls_x509_crt_init(&x509_issuer);
|
||||
- issuerp = load_file(SSL_SET_OPTION(issuercert));
|
||||
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
|
||||
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
|
||||
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
|
||||
gnutls_x509_crt_deinit(x509_issuer);
|
||||
unload_file(issuerp);
|
||||
if(rc <= 0) {
|
||||
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
|
||||
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||
gnutls_x509_crt_deinit(x509_cert);
|
||||
return CURLE_SSL_ISSUER_ERROR;
|
||||
}
|
||||
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
|
||||
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||
}
|
||||
|
||||
size = sizeof(certname);
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index 9dad33f..d1b0016 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
if(result)
|
||||
goto error;
|
||||
|
||||
- if(SSL_SET_OPTION(issuercert)) {
|
||||
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||
SECStatus ret = SECFailure;
|
||||
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
|
||||
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
|
||||
if(nickname) {
|
||||
/* we support only nicknames in case of issuercert for now */
|
||||
ret = check_issuer_cert(backend->handle, nickname);
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index acf6577..56171ae 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -3871,10 +3871,10 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
deallocating the certificate. */
|
||||
|
||||
/* e.g. match issuer name with provided issuer certificate */
|
||||
- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
|
||||
- if(SSL_SET_OPTION(issuercert_blob))
|
||||
- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
|
||||
- (int)SSL_SET_OPTION(issuercert_blob)->len);
|
||||
+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
|
||||
+ if(SSL_CONN_CONFIG(issuercert_blob))
|
||||
+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
|
||||
+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
|
||||
else {
|
||||
fp = BIO_new(BIO_s_file());
|
||||
if(fp == NULL) {
|
||||
@@ -3888,10 +3888,10 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
|
||||
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
|
||||
if(strict)
|
||||
failf(data, "SSL: Unable to open issuer cert (%s)",
|
||||
- SSL_SET_OPTION(issuercert));
|
||||
+ SSL_CONN_CONFIG(issuercert));
|
||||
BIO_free(fp);
|
||||
X509_free(backend->server_cert);
|
||||
backend->server_cert = NULL;
|
||||
@@ -3903,7 +3903,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
if(!issuer) {
|
||||
if(strict)
|
||||
failf(data, "SSL: Unable to read issuer cert (%s)",
|
||||
- SSL_SET_OPTION(issuercert));
|
||||
+ SSL_CONN_CONFIG(issuercert));
|
||||
BIO_free(fp);
|
||||
X509_free(issuer);
|
||||
X509_free(backend->server_cert);
|
||||
@@ -3914,7 +3914,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
|
||||
if(strict)
|
||||
failf(data, "SSL: Certificate issuer check failed (%s)",
|
||||
- SSL_SET_OPTION(issuercert));
|
||||
+ SSL_CONN_CONFIG(issuercert));
|
||||
BIO_free(fp);
|
||||
X509_free(issuer);
|
||||
X509_free(backend->server_cert);
|
||||
@@ -3923,7 +3923,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
}
|
||||
|
||||
infof(data, " SSL certificate issuer check ok (%s)\n",
|
||||
- SSL_SET_OPTION(issuercert));
|
||||
+ SSL_CONN_CONFIG(issuercert));
|
||||
BIO_free(fp);
|
||||
X509_free(issuer);
|
||||
}
|
||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||
index e50fdd2..855ee66 100644
|
||||
--- a/lib/vtls/vtls.c
|
||||
+++ b/lib/vtls/vtls.c
|
||||
@@ -121,6 +121,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
||||
return !memcmp(first->data, second->data, first->len); /* same data */
|
||||
}
|
||||
|
||||
+static bool safecmp(char *a, char *b)
|
||||
+{
|
||||
+ if(a && b)
|
||||
+ return !strcmp(a, b);
|
||||
+ else if(!a && !b)
|
||||
+ return TRUE; /* match */
|
||||
+ return FALSE; /* no match */
|
||||
+}
|
||||
+
|
||||
+
|
||||
bool
|
||||
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||
struct ssl_primary_config *needle)
|
||||
@@ -131,11 +141,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||
(data->verifyhost == needle->verifyhost) &&
|
||||
(data->verifystatus == needle->verifystatus) &&
|
||||
blobcmp(data->cert_blob, needle->cert_blob) &&
|
||||
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
|
||||
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
|
||||
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
|
||||
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
|
||||
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
|
||||
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
||||
+ safecmp(data->CApath, needle->CApath) &&
|
||||
+ safecmp(data->CAfile, needle->CAfile) &&
|
||||
+ safecmp(data->issuercert, needle->issuercert) &&
|
||||
+ safecmp(data->clientcert, needle->clientcert) &&
|
||||
+ safecmp(data->random_file, needle->random_file) &&
|
||||
+ safecmp(data->egdsocket, needle->egdsocket) &&
|
||||
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
||||
@@ -156,8 +168,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||
dest->sessionid = source->sessionid;
|
||||
|
||||
CLONE_BLOB(cert_blob);
|
||||
+ CLONE_BLOB(issuercert_blob);
|
||||
CLONE_STRING(CApath);
|
||||
CLONE_STRING(CAfile);
|
||||
+ CLONE_STRING(issuercert);
|
||||
CLONE_STRING(clientcert);
|
||||
CLONE_STRING(random_file);
|
||||
CLONE_STRING(egdsocket);
|
||||
@@ -172,6 +186,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||
{
|
||||
Curl_safefree(sslc->CApath);
|
||||
Curl_safefree(sslc->CAfile);
|
||||
+ Curl_safefree(sslc->issuercert);
|
||||
Curl_safefree(sslc->clientcert);
|
||||
Curl_safefree(sslc->random_file);
|
||||
Curl_safefree(sslc->egdsocket);
|
||||
@@ -179,6 +194,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||
Curl_safefree(sslc->cipher_list13);
|
||||
Curl_safefree(sslc->pinned_key);
|
||||
Curl_safefree(sslc->cert_blob);
|
||||
+ Curl_safefree(sslc->issuercert_blob);
|
||||
}
|
||||
|
||||
#ifdef USE_SSL
|
||||
--
|
||||
2.31.1
|
||||
|
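--- /dev/null
+++ b/0011-curl-7.71.1-CVE-2021-22898.patch
@@ -0,0 +1,31 @@
+From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+
+Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/telnet.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1fc5af1..ea6bc71 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
+size_t tmplen = (strlen(v->data) + 1);
+/* Add the variable only if it fits */
+if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+msnprintf((char *)&temp[len], sizeof(temp) - len,
+"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+CURL_NEW_ENV_VALUE, varval);
+--
+2.31.1
+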
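Review bot: The `== 2` test on the new line `if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2)` correctly refuses to format `varval` when only the name matched, but it also silently drops a variable written as `NAME,` (empty value), because `%127s` skips whitespace and reports no match at end of input. A comment saying why exactly two conversions are required would help the next reader, e.g. `/* both conversions must succeed, otherwise varval is left uninitialized */`. `%127s` also stops at the first whitespace, so a value containing spaces is truncated with no diagnostic; if that is acceptable it deserves a comment as well. The enclosing suboption() body begins and ends outside the hunk.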
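--- /dev/null
+++ b/0012-curl-7.71.1-CVE-2021-22925.patch
@@ -0,0 +1,47 @@
+From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+
+Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/telnet.c | 17 +++++++++++------
+1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index ea6bc71..f8428b8 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+size_t tmplen = (strlen(v->data) + 1);
+/* Add the variable only if it fits */
+if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+}
+}
+msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.31.1
+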
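Review bot: `varval[0] = 0;` and the scratch `sep` buffer are the whole point of the rewrite but carry no explanation; a comment such as `/* "NAME," matches only %[^,] and %1[,] (rv == 2) and leaves varval untouched, so pre-clear it; sep exists only so the match count can tell "NAME" from "NAME," */` would save the next reader from re-deriving it. An input that is empty or starts with ',' yields `rv == 0` and is dropped without any trace; a short comment noting that the skip is deliberate (or an `infof()` line) would make that intentional rather than accidental. `len` is now advanced by the return value of `msnprintf()` instead of by `tmplen`; that is only safe if msnprintf() returns the count actually written rather than the C99 would-be length, which appears to be the case but is worth confirming since `len` indexes `temp` on the following line. suboption() begins and ends outside the hunk.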
33
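--- /dev/null
+++ b/0013-curl-7.71.1-CVE-2021-22945.patch
@@ -0,0 +1,33 @@
+From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
+From: z2_ on hackerone <>
+Date: Tue, 24 Aug 2021 09:50:33 +0200
+Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
+
+CVE-2021-22945
+
+Bug: https://curl.se/docs/CVE-2021-22945.html
+
+Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/mqtt.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/lib/mqtt.c b/lib/mqtt.c
+index d88fa73..f3fc045 100644
+--- a/lib/mqtt.c
++++ b/lib/mqtt.c
+@@ -123,6 +123,10 @@ static CURLcode mqtt_send(struct connectdata *conn,
+mq->sendleftovers = sendleftovers;
+mq->nsend = nsend;
+}
++ else {
++ mq->sendleftovers = NULL;
++ mq->nsend = 0;
++ }
+return result;
+}
+
+--
+2.31.1
+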
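Review bot: The new else branch resets `mq->sendleftovers` and `mq->nsend`, but the hunk carries no comment saying that a stale pointer here is what the CVE is about, and the freeing side of that pointer is not visible in the hunk. I would add `/* everything was sent: drop the pointer so the buffer is neither freed again nor reused on the next call */` above `mq->sendleftovers = NULL;`. The `if` this `else` pairs with, and the rest of mqtt_send(), start outside the hunk, so whether `sendleftovers` in the taken branch is a fresh allocation or an alias of the caller's buffer cannot be checked from here.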
0014-curl-7.71.1-CVE-2021-22946.patch
@ -0,0 +1,331 @@
|
||||
From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Monnerat <patrick@monnerat.net>
|
||||
Date: Wed, 8 Sep 2021 11:56:22 +0200
|
||||
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
|
||||
|
||||
In imap and pop3, check if TLS is required even when capabilities
|
||||
request has failed.
|
||||
|
||||
In ftp, ignore preauthentication (230 status of server greeting) if TLS
|
||||
is required.
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2021-22946.html
|
||||
|
||||
CVE-2021-22946
|
||||
|
||||
Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/ftp.c | 9 ++++---
|
||||
lib/imap.c | 24 ++++++++----------
|
||||
lib/pop3.c | 33 +++++++++++-------------
|
||||
tests/data/Makefile.inc | 2 ++
|
||||
tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
|
||||
7 files changed, 195 insertions(+), 36 deletions(-)
|
||||
create mode 100644 tests/data/test984
|
||||
create mode 100644 tests/data/test985
|
||||
create mode 100644 tests/data/test986
|
||||
|
||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||
index 71c9642..30ebeaa 100644
|
||||
--- a/lib/ftp.c
|
||||
+++ b/lib/ftp.c
|
||||
@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||
/* we have now received a full FTP server response */
|
||||
switch(ftpc->state) {
|
||||
case FTP_WAIT220:
|
||||
- if(ftpcode == 230)
|
||||
- /* 230 User logged in - already! */
|
||||
- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
|
||||
+ if(ftpcode == 230) {
|
||||
+ /* 230 User logged in - already! Take as 220 if TLS required. */
|
||||
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
|
||||
+ conn->ssl[FIRSTSOCKET].use)
|
||||
+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
|
||||
+ }
|
||||
else if(ftpcode != 220) {
|
||||
failf(data, "Got a %03d ftp-server response when 220 was expected",
|
||||
ftpcode);
|
||||
diff --git a/lib/imap.c b/lib/imap.c
|
||||
index bda23a5..7e159d4 100644
|
||||
--- a/lib/imap.c
|
||||
+++ b/lib/imap.c
|
||||
@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
|
||||
line += wordlen;
|
||||
}
|
||||
}
|
||||
- else if(imapcode == IMAP_RESP_OK) {
|
||||
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||
- if(imapc->tls_supported)
|
||||
- /* Switch to TLS connection now */
|
||||
- result = imap_perform_starttls(conn);
|
||||
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||
- /* Fallback and carry on with authentication */
|
||||
- result = imap_perform_authentication(conn);
|
||||
- else {
|
||||
- failf(data, "STARTTLS not supported.");
|
||||
- result = CURLE_USE_SSL_FAILED;
|
||||
- }
|
||||
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||
+ /* PREAUTH is not compatible with STARTTLS. */
|
||||
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
|
||||
+ /* Switch to TLS connection now */
|
||||
+ result = imap_perform_starttls(conn);
|
||||
}
|
||||
- else
|
||||
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||
result = imap_perform_authentication(conn);
|
||||
+ else {
|
||||
+ failf(data, "STARTTLS not available.");
|
||||
+ result = CURLE_USE_SSL_FAILED;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
result = imap_perform_authentication(conn);
|
||||
diff --git a/lib/pop3.c b/lib/pop3.c
|
||||
index 04cc887..3e916ce 100644
|
||||
--- a/lib/pop3.c
|
||||
+++ b/lib/pop3.c
|
||||
@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
|
||||
}
|
||||
}
|
||||
}
|
||||
- else if(pop3code == '+') {
|
||||
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||
- if(pop3c->tls_supported)
|
||||
- /* Switch to TLS connection now */
|
||||
- result = pop3_perform_starttls(conn);
|
||||
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||
- /* Fallback and carry on with authentication */
|
||||
- result = pop3_perform_authentication(conn);
|
||||
- else {
|
||||
- failf(data, "STLS not supported.");
|
||||
- result = CURLE_USE_SSL_FAILED;
|
||||
- }
|
||||
- }
|
||||
- else
|
||||
- result = pop3_perform_authentication(conn);
|
||||
- }
|
||||
else {
|
||||
/* Clear text is supported when CAPA isn't recognised */
|
||||
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
||||
+ if(pop3code != '+')
|
||||
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
||||
|
||||
- result = pop3_perform_authentication(conn);
|
||||
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
|
||||
+ result = pop3_perform_authentication(conn);
|
||||
+ else if(pop3code == '+' && pop3c->tls_supported)
|
||||
+ /* Switch to TLS connection now */
|
||||
+ result = pop3_perform_starttls(conn);
|
||||
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||
+ /* Fallback and carry on with authentication */
|
||||
+ result = pop3_perform_authentication(conn);
|
||||
+ else {
|
||||
+ failf(data, "STLS not supported.");
|
||||
+ result = CURLE_USE_SSL_FAILED;
|
||||
+ }
|
||||
}
|
||||
|
||||
return result;
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index ef9252b..1ba482b 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||
\
|
||||
+test984 test985 test986 \
|
||||
+\
|
||||
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
|
||||
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
|
||||
test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
|
||||
diff --git a/tests/data/test984 b/tests/data/test984
|
||||
new file mode 100644
|
||||
index 0000000..e573f23
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test984
|
||||
@@ -0,0 +1,56 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+IMAP
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+REPLY CAPABILITY A001 BAD Not implemented
|
||||
+</servercmd>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+imap
|
||||
+</server>
|
||||
+ <name>
|
||||
+IMAP require STARTTLS with failing capabilities
|
||||
+ </name>
|
||||
+ <command>
|
||||
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
|
||||
+</command>
|
||||
+<file name="log/upload%TESTNUMBER">
|
||||
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
|
||||
+From: Fred Foobar <foobar@example.COM>
|
||||
+Subject: afternoon meeting
|
||||
+To: joe@example.com
|
||||
+Message-Id: <B27397-0100000@example.COM>
|
||||
+MIME-Version: 1.0
|
||||
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
|
||||
+
|
||||
+Hello Joe, do you think we can meet at 3:30 tomorrow?
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 64 is CURLE_USE_SSL_FAILED
|
||||
+<errorcode>
|
||||
+64
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+A001 CAPABILITY
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test985 b/tests/data/test985
|
||||
new file mode 100644
|
||||
index 0000000..d0db4aa
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test985
|
||||
@@ -0,0 +1,54 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+POP3
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+REPLY CAPA -ERR Not implemented
|
||||
+</servercmd>
|
||||
+<data nocheck="yes">
|
||||
+From: me@somewhere
|
||||
+To: fake@nowhere
|
||||
+
|
||||
+body
|
||||
+
|
||||
+--
|
||||
+ yours sincerely
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+pop3
|
||||
+</server>
|
||||
+ <name>
|
||||
+POP3 require STARTTLS with failing capabilities
|
||||
+ </name>
|
||||
+ <command>
|
||||
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
|
||||
+ </command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 64 is CURLE_USE_SSL_FAILED
|
||||
+<errorcode>
|
||||
+64
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+CAPA
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test986 b/tests/data/test986
|
||||
new file mode 100644
|
||||
index 0000000..a709437
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test986
|
||||
@@ -0,0 +1,53 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+FTP
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+REPLY welcome 230 Welcome
|
||||
+REPLY AUTH 500 unknown command
|
||||
+</servercmd>
|
||||
+</reply>
|
||||
+
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+ftp
|
||||
+</server>
|
||||
+ <name>
|
||||
+FTP require STARTTLS while preauthenticated
|
||||
+ </name>
|
||||
+<file name="log/test%TESTNUMBER.txt">
|
||||
+data
|
||||
+ to
|
||||
+ see
|
||||
+that FTPS
|
||||
+works
|
||||
+ so does it?
|
||||
+</file>
|
||||
+ <command>
|
||||
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 64 is CURLE_USE_SSL_FAILED
|
||||
+<errorcode>
|
||||
+64
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+AUTH SSL
|
||||
+AUTH TLS
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.31.1
|
||||
|
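Review bot: In the ftp.c hunk the 230-with-TLS-required case now falls out of the `if(ftpcode == 230) { ... }` block without a return and past the `else if(ftpcode != 220)` branch, so the state machine continues as though 220 had arrived; that presumably works because the code after the chain, outside the hunk, proceeds to AUTH when nothing returned (test986 expects AUTH SSL and AUTH TLS), but the comment does not say so. I would extend it to `/* 230 User logged in - already! If TLS is required but not yet negotiated, ignore the pre-authentication and continue as for 220 so that AUTH TLS is still attempted. */`. The imap.c and pop3.c hunks share the same structural point, a required-TLS check that now runs even when the capability request failed, and a line such as `/* --ssl-reqd must be honoured even when CAPABILITY failed */` above the new `else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {` in imap.c, with the matching remark above `if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)` in pop3.c, would make that intent explicit. ftp_statemach_act(), imap_state_capability_resp() and pop3_state_capa_resp() all begin and end outside their hunks.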
0015-curl-7.71.1-CVE-2021-22947.patch
@ -0,0 +1,354 @@
|
||||
From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Monnerat <patrick@monnerat.net>
|
||||
Date: Tue, 7 Sep 2021 13:26:42 +0200
|
||||
Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
|
||||
pipelining
|
||||
|
||||
If a server pipelines future responses within the STARTTLS response, the
|
||||
former are preserved in the pingpong cache across TLS negotiation and
|
||||
used as responses to the encrypted commands.
|
||||
|
||||
This fix detects pipelined STARTTLS responses and rejects them with an
|
||||
error.
|
||||
|
||||
CVE-2021-22947
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2021-22947.html
|
||||
|
||||
Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/ftp.c | 3 +++
|
||||
lib/imap.c | 4 +++
|
||||
lib/pop3.c | 4 +++
|
||||
lib/smtp.c | 4 +++
|
||||
tests/data/Makefile.inc | 2 +-
|
||||
tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
|
||||
9 files changed, 236 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/data/test980
|
||||
create mode 100644 tests/data/test981
|
||||
create mode 100644 tests/data/test982
|
||||
create mode 100644 tests/data/test983
|
||||
|
||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||
index 71f998e..e920138 100644
|
||||
--- a/lib/ftp.c
|
||||
+++ b/lib/ftp.c
|
||||
@@ -2692,6 +2692,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||
case FTP_AUTH:
|
||||
/* we have gotten the response to a previous AUTH command */
|
||||
|
||||
+ if(pp->cache_size)
|
||||
+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
|
||||
+
|
||||
/* RFC2228 (page 5) says:
|
||||
*
|
||||
* If the server is willing to accept the named security mechanism,
|
||||
diff --git a/lib/imap.c b/lib/imap.c
|
||||
index feb7445..09bc5d6 100644
|
||||
--- a/lib/imap.c
|
||||
+++ b/lib/imap.c
|
||||
@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
|
||||
|
||||
(void)instate; /* no use for this yet */
|
||||
|
||||
+ /* Pipelining in response is forbidden. */
|
||||
+ if(data->conn->proto.imapc.pp.cache_size)
|
||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||
+
|
||||
if(imapcode != IMAP_RESP_OK) {
|
||||
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||
failf(data, "STARTTLS denied");
|
||||
diff --git a/lib/pop3.c b/lib/pop3.c
|
||||
index 7698d1c..dccfced 100644
|
||||
--- a/lib/pop3.c
|
||||
+++ b/lib/pop3.c
|
||||
@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
|
||||
|
||||
(void)instate; /* no use for this yet */
|
||||
|
||||
+ /* Pipelining in response is forbidden. */
|
||||
+ if(data->conn->proto.pop3c.pp.cache_size)
|
||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||
+
|
||||
if(pop3code != '+') {
|
||||
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||
failf(data, "STARTTLS denied");
|
||||
diff --git a/lib/smtp.c b/lib/smtp.c
|
||||
index 1defb25..1f89777 100644
|
||||
--- a/lib/smtp.c
|
||||
+++ b/lib/smtp.c
|
||||
@@ -817,6 +817,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
|
||||
|
||||
(void)instate; /* no use for this yet */
|
||||
|
||||
+ /* Pipelining in response is forbidden. */
|
||||
+ if(data->conn->proto.smtpc.pp.cache_size)
|
||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||
+
|
||||
if(smtpcode != 220) {
|
||||
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||
failf(data, "STARTTLS denied, code %d", smtpcode);
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 163ce59..42b0569 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||
\
|
||||
-test984 test985 test986 \
|
||||
+test980 test981 test982 test983 test984 test985 test986 \
|
||||
\
|
||||
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
|
||||
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
|
||||
diff --git a/tests/data/test980 b/tests/data/test980
|
||||
new file mode 100644
|
||||
index 0000000..97567f8
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test980
|
||||
@@ -0,0 +1,52 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+SMTP
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+CAPA STARTTLS
|
||||
+AUTH PLAIN
|
||||
+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
|
||||
+REPLY AUTH 535 5.7.8 Authentication credentials invalid
|
||||
+</servercmd>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+smtp
|
||||
+</server>
|
||||
+ <name>
|
||||
+SMTP STARTTLS pipelined server response
|
||||
+ </name>
|
||||
+<stdin>
|
||||
+mail body
|
||||
+</stdin>
|
||||
+ <command>
|
||||
+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||
+<errorcode>
|
||||
+8
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+EHLO %TESTNUMBER
|
||||
+STARTTLS
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test981 b/tests/data/test981
|
||||
new file mode 100644
|
||||
index 0000000..2b98ce4
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test981
|
||||
@@ -0,0 +1,59 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+IMAP
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+CAPA STARTTLS
|
||||
+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
|
||||
+REPLY LOGIN A003 BAD Authentication credentials invalid
|
||||
+</servercmd>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+imap
|
||||
+</server>
|
||||
+ <name>
|
||||
+IMAP STARTTLS pipelined server response
|
||||
+ </name>
|
||||
+ <command>
|
||||
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
|
||||
+</command>
|
||||
+<file name="log/upload%TESTNUMBER">
|
||||
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
|
||||
+From: Fred Foobar <foobar@example.COM>
|
||||
+Subject: afternoon meeting
|
||||
+To: joe@example.com
|
||||
+Message-Id: <B27397-0100000@example.COM>
|
||||
+MIME-Version: 1.0
|
||||
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
|
||||
+
|
||||
+Hello Joe, do you think we can meet at 3:30 tomorrow?
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||
+<errorcode>
|
||||
+8
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+A001 CAPABILITY
|
||||
+A002 STARTTLS
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test982 b/tests/data/test982
|
||||
new file mode 100644
|
||||
index 0000000..9e07cc0
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test982
|
||||
@@ -0,0 +1,57 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+POP3
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+CAPA STLS USER
|
||||
+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
|
||||
+REPLY PASS -ERR Authentication credentials invalid
|
||||
+</servercmd>
|
||||
+<data nocheck="yes">
|
||||
+From: me@somewhere
|
||||
+To: fake@nowhere
|
||||
+
|
||||
+body
|
||||
+
|
||||
+--
|
||||
+ yours sincerely
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+pop3
|
||||
+</server>
|
||||
+ <name>
|
||||
+POP3 STARTTLS pipelined server response
|
||||
+ </name>
|
||||
+ <command>
|
||||
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
|
||||
+ </command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||
+<errorcode>
|
||||
+8
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+CAPA
|
||||
+STLS
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test983 b/tests/data/test983
|
||||
new file mode 100644
|
||||
index 0000000..300ec45
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test983
|
||||
@@ -0,0 +1,52 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+FTP
|
||||
+STARTTLS
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<servercmd>
|
||||
+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
|
||||
+REPLY PASS 530 Login incorrect
|
||||
+</servercmd>
|
||||
+</reply>
|
||||
+
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+SSL
|
||||
+</features>
|
||||
+<server>
|
||||
+ftp
|
||||
+</server>
|
||||
+ <name>
|
||||
+FTP STARTTLS pipelined server response
|
||||
+ </name>
|
||||
+<file name="log/test%TESTNUMBER.txt">
|
||||
+data
|
||||
+ to
|
||||
+ see
|
||||
+that FTPS
|
||||
+works
|
||||
+ so does it?
|
||||
+</file>
|
||||
+ <command>
|
||||
+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||
+<errorcode>
|
||||
+8
|
||||
+</errorcode>
|
||||
+<protocol>
|
||||
+AUTH SSL
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.31.1
|
||||
|
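Review bot: The new `return CURLE_WEIRD_SERVER_REPLY;` in the ftp.c FTP_AUTH case, and the identical checks in the imap.c, pop3.c and smtp.c hunks, fail the transfer without any `failf()` message, unlike the "STARTTLS denied" paths a few lines below them, so a user sees only the generic error 8 that tests 980-983 expect; I would add `failf(data, "Unexpected pipelined data after the STARTTLS response");` before each return (`data` is already used by the adjacent failf calls in the three mail protocols and by ftp_statemach_act elsewhere). The same cache_size check is now copied into four protocol handlers, so a small helper on the pingpong struct would keep the policy in one place, though that is a follow-up rather than a blocker. Note also that ftp.c reads `pp->cache_size` while the other three go through `data->conn->proto.<x>.pp.cache_size` even though `conn` is a parameter of those functions; picking one form would keep the four sites consistent. Each enclosing function starts and ends outside its hunk.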
@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200
|
||||
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
||||
|
||||
---
|
||||
curl-config.in | 21 +++------------------
|
||||
docs/curl-config.1 | 4 +++-
|
||||
libcurl.pc.in | 1 +
|
||||
3 files changed, 7 insertions(+), 19 deletions(-)
|
||||
curl-config.in | 23 +++++------------------
|
||||
docs/curl-config.1 | 4 +++-
|
||||
libcurl.pc.in | 1 +
|
||||
3 files changed, 9 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/curl-config.in b/curl-config.in
|
||||
index 150004d..95d0759 100644
|
||||
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
|
||||
;;
|
||||
|
||||
--prefix)
|
||||
@@ -155,32 +155,17 @@ while test $# -gt 0; do
|
||||
@@ -155,32 +155,19 @@ while test $# -gt 0; do
|
||||
;;
|
||||
|
||||
--libs)
|
||||
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
|
||||
- else
|
||||
- CURLLIBDIR=""
|
||||
- fi
|
||||
- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
|
||||
- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
|
||||
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
||||
- else
|
||||
- echo ${CURLLIBDIR}-lcurl
|
||||
@ -49,6 +49,8 @@ index 150004d..95d0759 100644
|
||||
- echo "curl was built with static libraries disabled" >&2
|
||||
- exit 1
|
||||
- fi
|
||||
+ echo "curl was built with static libraries disabled" >&2
|
||||
+ exit 1
|
||||
;;
|
||||
|
||||
--configure)
|
||||
|
@ -1,21 +1,21 @@
|
||||
From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
|
||||
From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Wed, 31 Oct 2012 11:38:30 +0100
|
||||
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
|
||||
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
|
||||
(#496778)
|
||||
|
||||
---
|
||||
configure | 13 +++----------
|
||||
m4/curl-compilers.m4 | 13 +++----------
|
||||
2 files changed, 6 insertions(+), 20 deletions(-)
|
||||
m4/curl-compilers.m4 | 26 ++++++--------------------
|
||||
1 file changed, 6 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 8f079a3..53b4774 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
|
||||
gccvhi=`echo $gccver | cut -d . -f1`
|
||||
gccvlo=`echo $gccver | cut -d . -f2`
|
||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
||||
index c64db4bc6..d115a4aed 100644
|
||||
--- a/m4/curl-compilers.m4
|
||||
+++ b/m4/curl-compilers.m4
|
||||
@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
|
||||
clangvhi=`echo $clangver | cut -d . -f1`
|
||||
clangvlo=`echo $clangver | cut -d . -f2`
|
||||
compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
|
||||
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
||||
- flags_dbg_all="$flags_dbg_all -ggdb"
|
||||
- flags_dbg_all="$flags_dbg_all -gstabs"
|
||||
@ -27,18 +27,14 @@ index 8f079a3..53b4774 100755
|
||||
+ flags_dbg_all=""
|
||||
flags_dbg_yes="-g"
|
||||
flags_dbg_off=""
|
||||
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
|
||||
- flags_opt_yes="-O2"
|
||||
- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
|
||||
- flags_opt_yes="-Os"
|
||||
+ flags_opt_all=""
|
||||
+ flags_opt_yes=""
|
||||
flags_opt_off="-O0"
|
||||
|
||||
OLDCPPFLAGS=$CPPFLAGS
|
||||
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
||||
index 0cbba7a..9175b5b 100644
|
||||
--- a/m4/curl-compilers.m4
|
||||
+++ b/m4/curl-compilers.m4
|
||||
@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
||||
gccvhi=`echo $gccver | cut -d . -f1`
|
||||
gccvlo=`echo $gccver | cut -d . -f2`
|
||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 15 Mar 2018 14:49:56 +0100
|
||||
Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
|
||||
|
||||
Unfortunately, smbserver.py does not work with Python 3 because
|
||||
there is no 'impacket' module available for Python 3:
|
||||
|
||||
https://github.com/CoreSecurity/impacket/issues/61
|
||||
---
|
||||
tests/negtelnetserver.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
|
||||
index 8cfd409..72ee771 100755
|
||||
--- a/tests/negtelnetserver.py
|
||||
+++ b/tests/negtelnetserver.py
|
||||
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
|
||||
response_data = response.encode('ascii')
|
||||
else:
|
||||
log.debug("Received normal request - echoing back")
|
||||
- response_data = data.strip()
|
||||
+ response_data = data.decode('utf8').strip()
|
||||
|
||||
if response_data:
|
||||
log.debug("Sending %r", response_data)
|
||||
- self.request.sendall(response_data)
|
||||
+ self.request.sendall(response_data.encode('utf8'))
|
||||
|
||||
except IOError:
|
||||
log.exception("IOError hit during request")
|
||||
--
|
||||
2.14.3
|
||||
|
@ -26,14 +26,14 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||
index 080421b..ea3b806 100644
|
||||
--- a/tests/libtest/Makefile.inc
|
||||
+++ b/tests/libtest/Makefile.inc
|
||||
@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||
|
||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
||||
lib1560_LDADD = $(TESTUTIL_LIBS)
|
||||
|
||||
lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
--
|
||||
2.17.2
|
||||
|
||||
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
|
||||
EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
|
||||
kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
|
||||
O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
|
||||
s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
|
||||
ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
|
||||
3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
|
||||
=5gov
|
||||
-----END PGP SIGNATURE-----
|
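--- /dev/null
+++ b/curl-7.71.1.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
+EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
+9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
+ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
+yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
+6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
+FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
+=0YwO
+-----END PGP SIGNATURE-----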
curl.spec
@ -1,12 +1,51 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.67.0
|
||||
Release: 2%{?dist}
|
||||
Version: 7.71.1
|
||||
Release: 11%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
# fix infinite loop on upload using a glob (#1771025)
|
||||
Patch1: 0001-curl-7.67.0-upload-glob.patch
|
||||
# curl: make the --krb option work again (#1833193)
|
||||
Patch1: 0001-curl-7.71.1-tool-krb-opt.patch
|
||||
|
||||
# setopt: unset NOBODY switches to GET if still HEAD
|
||||
Patch2: 0002-curl-7.71.1-unset-nobody.patch
|
||||
|
||||
# libcurl: wrong connect-only connection (CVE-2020-8231)
|
||||
Patch4: 0004-curl-7.71.1-CVE-2020-8231.patch
|
||||
|
||||
# curl: trusting FTP PASV responses (CVE-2020-8284)
|
||||
Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch
|
||||
|
||||
# libcurl: FTP wildcard stack overflow (CVE-2020-8285)
|
||||
Patch6: 0006-curl-7.71.1-CVE-2020-8285.patch
|
||||
|
||||
# curl: Inferior OCSP verification (CVE-2020-8286)
|
||||
Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch
|
||||
|
||||
# prevent automatic referer from leaking credentials (CVE-2021-22876)
|
||||
Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch
|
||||
|
||||
# fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
|
||||
Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch
|
||||
|
||||
# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
|
||||
Patch10: 0010-curl-7.71.1-CVE-2021-22924.patch
|
||||
|
||||
# fix TELNET stack contents disclosure (CVE-2021-22898)
|
||||
Patch11: 0011-curl-7.71.1-CVE-2021-22898.patch
|
||||
|
||||
# fix TELNET stack contents disclosure again (CVE-2021-22925)
|
||||
Patch12: 0012-curl-7.71.1-CVE-2021-22925.patch
|
||||
|
||||
# fix use-after-free and double-free in MQTT sending (CVE-2021-22945)
|
||||
Patch13: 0013-curl-7.71.1-CVE-2021-22945.patch
|
||||
|
||||
# fix protocol downgrade required TLS bypass (CVE-2021-22946)
|
||||
Patch14: 0014-curl-7.71.1-CVE-2021-22946.patch
|
||||
|
||||
# fix STARTTLS protocol injection via MITM (CVE-2021-22947)
|
||||
Patch15: 0015-curl-7.71.1-CVE-2021-22947.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
@ -14,9 +53,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
# prevent configure script from discarding -g in CFLAGS (#496778)
|
||||
Patch102: 0102-curl-7.36.0-debug.patch
|
||||
|
||||
# migrate tests/http_pipe.py to Python 3
|
||||
Patch103: 0103-curl-7.59.0-python3.patch
|
||||
|
||||
# use localhost6 instead of ip6-localhost in the curl test-suite
|
||||
Patch104: 0104-curl-7.19.7-localhost6.patch
|
||||
|
||||
@ -33,10 +69,10 @@ BuildRequires: gcc
|
||||
BuildRequires: groff
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: libidn2-devel
|
||||
BuildRequires: libmetalink-devel
|
||||
BuildRequires: libnghttp2-devel
|
||||
BuildRequires: libpsl-devel
|
||||
BuildRequires: libssh-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: make
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: openssh-clients
|
||||
@ -61,6 +97,9 @@ BuildRequires: perl(warnings)
|
||||
# gnutls-serv is used by the upstream test-suite
|
||||
BuildRequires: gnutls-utils
|
||||
|
||||
# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
|
||||
BuildRequires: hostname
|
||||
|
||||
# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
|
||||
BuildRequires: nghttp2
|
||||
|
||||
@ -159,7 +198,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
|
||||
Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
|
||||
Provides: libcurl = %{version}-%{release}
|
||||
Provides: libcurl%{?_isa} = %{version}-%{release}
|
||||
Conflicts: libcurl
|
||||
Conflicts: libcurl%{?_isa}
|
||||
RemovePathPostfixes: .minimal
|
||||
# needed for RemovePathPostfixes to work with shared libraries
|
||||
%undefine __brp_ldconfig
|
||||
@ -175,20 +214,31 @@ be installed.
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
%patch104 -p1
|
||||
%patch105 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
|
||||
# regenerate Makefile.in files
|
||||
aclocal -I m4
|
||||
automake
|
||||
# regenerate the configure script and Makefile.in files
|
||||
autoreconf -fiv
|
||||
|
||||
# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
|
||||
# with errno 98: Address already in use' in Koji environment), and test 1801
|
||||
@ -207,6 +257,11 @@ echo "1319" >> tests/data/DISABLED
|
||||
echo "582" >> tests/data/DISABLED
|
||||
%endif
|
||||
|
||||
# temporarily disable tests 702 703 716 on armv7hl (#1829180)
|
||||
%ifarch armv7hl
|
||||
printf "702\n703\n716\n" >> tests/data/DISABLED
|
||||
%endif
|
||||
|
||||
# adapt test 323 for updated OpenSSL
|
||||
sed -e 's/^35$/35,52/' -i tests/data/test323
|
||||
|
||||
@ -218,6 +273,7 @@ export common_configure_opts=" \
|
||||
--enable-symbol-hiding \
|
||||
--enable-ipv6 \
|
||||
--enable-threaded-resolver \
|
||||
--without-libmetalink \
|
||||
--with-gssapi \
|
||||
--with-nghttp2 \
|
||||
--with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
|
||||
@ -233,7 +289,6 @@ export common_configure_opts=" \
|
||||
--disable-manual \
|
||||
--without-brotli \
|
||||
--without-libidn2 \
|
||||
--without-libmetalink \
|
||||
--without-libpsl \
|
||||
--without-libssh
|
||||
)
|
||||
@ -247,7 +302,6 @@ export common_configure_opts=" \
|
||||
--enable-manual \
|
||||
--with-brotli \
|
||||
--with-libidn2 \
|
||||
--with-libmetalink \
|
||||
--with-libpsl \
|
||||
--with-libssh
|
||||
)
|
||||
@ -257,8 +311,8 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \
|
||||
-e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
|
||||
-i build-{full,minimal}/libtool
|
||||
|
||||
make %{?_smp_mflags} V=1 -C build-minimal
|
||||
make %{?_smp_mflags} V=1 -C build-full
|
||||
%make_build V=1 -C build-minimal
|
||||
%make_build V=1 -C build-full
|
||||
|
||||
%check
|
||||
# we have to override LD_LIBRARY_PATH because we eliminated rpath
|
||||
@ -267,7 +321,7 @@ export LD_LIBRARY_PATH
|
||||
|
||||
# compile upstream test-cases
|
||||
cd build-full/tests
|
||||
make %{?_smp_mflags} V=1
|
||||
%make_build V=1
|
||||
|
||||
# relax crypto policy for the test-suite to make it pass again (#1610888)
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
|
||||
@ -278,14 +332,14 @@ srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
|
||||
|
||||
%install
|
||||
# install and rename the library that will be packaged as libcurl-minimal
|
||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
|
||||
%make_install -C build-minimal/lib
|
||||
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
|
||||
for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
|
||||
mv -v $i $i.minimal
|
||||
done
|
||||
|
||||
# install and rename the executable that will be packaged as curl-minimal
|
||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
|
||||
%make_install -C build-minimal/src
|
||||
mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
|
||||
|
||||
# install libcurl.m4
|
||||
@ -294,12 +348,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
|
||||
|
||||
# install the executable and library that will be packaged as curl and libcurl
|
||||
cd build-full
|
||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
|
||||
%make_install
|
||||
|
||||
# install zsh completion for curl
|
||||
# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
|
||||
LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
|
||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
|
||||
%make_install -C scripts
|
||||
|
||||
# do not install /usr/share/fish/completions/curl.fish which is also installed
|
||||
# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
|
||||
@ -331,7 +385,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
|
||||
%files -n libcurl-devel
|
||||
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
|
||||
%doc docs/CONTRIBUTE.md docs/libcurl/ABI
|
||||
%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
|
||||
%{_bindir}/curl-config*
|
||||
%{_includedir}/curl
|
||||
%{_libdir}/*.so
|
||||
@ -350,10 +404,83 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
|
||||
* Fri Sep 17 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-11
|
||||
- fix STARTTLS protocol injection via MITM (CVE-2021-22947)
|
||||
- fix protocol downgrade required TLS bypass (CVE-2021-22946)
|
||||
- fix use-after-free and double-free in MQTT sending (CVE-2021-22945)
|
||||
|
||||
* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-10
|
||||
- fix TELNET stack contents disclosure again (CVE-2021-22925)
|
||||
- fix TELNET stack contents disclosure (CVE-2021-22898)
|
||||
- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
|
||||
- disable metalink support to fix the following vulnerabilities
|
||||
CVE-2021-22923 - metalink download sends credentials
|
||||
CVE-2021-22922 - wrong content via metalink not discarded
|
||||
|
||||
* Wed Mar 31 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-9
|
||||
- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
|
||||
- prevent automatic referer from leaking credentials (CVE-2021-22876)
|
||||
|
||||
* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-8
|
||||
- curl: Inferior OCSP verification (CVE-2020-8286)
|
||||
- libcurl: FTP wildcard stack overflow (CVE-2020-8285)
|
||||
- curl: trusting FTP PASV responses (CVE-2020-8284)
|
||||
|
||||
* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.71.1-7
|
||||
- fix multiarch conflicts in libcurl-minimal (#1877671)
|
||||
|
||||
* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-6
|
||||
- libcurl: wrong connect-only connection (CVE-2020-8231)
|
||||
|
||||
* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
|
||||
- setopt: unset NOBODY switches to GET if still HEAD
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2
|
||||
- curl: make the --krb option work again (#1833193)
|
||||
|
||||
* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1
|
||||
- new upstream release
|
||||
|
||||
* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1
|
||||
- new upstream release, which fixes the following vulnerabilities
|
||||
CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
|
||||
CVE-2020-8177 - curl: overwrite local file with -J
|
||||
|
||||
* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1
|
||||
- new upstream release
|
||||
|
||||
* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
|
||||
- SSH: use new ECDSA key types to check known hosts (#1824926)
|
||||
|
||||
* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
|
||||
- Prevent discarding of -g when compiling with clang
|
||||
|
||||
* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1
|
||||
- new upstream release
|
||||
|
||||
* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2
|
||||
- make Flatpak work again (#1810989)
|
||||
|
||||
* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1
|
||||
- new upstream release
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1
|
||||
- new upstream release
|
||||
|
||||
* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2
|
||||
- fix infinite loop on upload using a glob (#1771025)
|
||||
|
||||
* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
|
||||
* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1
|
||||
- new upstream release
|
||||
|
||||
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
|
||||
SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
|
||||
|