Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
curl-mini.21191
curl-CVE-2021-22924.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2021-22924.patch of Package curl-mini.21191
From 6c07d0c65e2c8d381efe100947d20e147da2217b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Sat, 19 Jun 2021 00:42:28 +0200 Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case sensitivity CVE-2021-22924 Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2021-22924.html --- lib/url.c | 10 ++++++---- lib/urldata.h | 4 ++-- lib/vtls/gtls.c | 10 +++++----- lib/vtls/nss.c | 4 ++-- lib/vtls/openssl.c | 18 +++++++++--------- lib/vtls/vtls.c | 26 +++++++++++++++++++++----- 6 files changed, 45 insertions(+), 27 deletions(-) Index: curl-7.66.0/lib/url.c =================================================================== --- curl-7.66.0.orig/lib/url.c +++ curl-7.66.0/lib/url.c @@ -3513,6 +3513,8 @@ static CURLcode create_conn(struct Curl_ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; + data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; + data->set.proxy_ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; data->set.proxy_ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; @@ -3529,8 +3531,6 @@ static CURLcode create_conn(struct Curl_ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; - data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; - data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; Index: curl-7.66.0/lib/urldata.h =================================================================== --- curl-7.66.0.orig/lib/urldata.h +++ curl-7.66.0/lib/urldata.h @@ -217,6 +217,7 @@ struct ssl_primary_config { long version_max; /* max supported version the client wants to use*/ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ + char *issuercert; /* optional issuer certificate filename */ char *clientcert; char *random_file; /* path to file containing "random" data */ char *egdsocket; /* path to file containing the EGD daemon socket */ @@ -232,7 +233,6 @@ struct ssl_config_data { struct ssl_primary_config primary; long certverifyresult; /* result from the certificate verification */ char *CRLfile; /* CRL to check certificate revocation */ - char *issuercert;/* optional issuer certificate filename */ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ void *fsslctxp; /* parameter for call back */ char *cert; /* client certificate file name */ Index: curl-7.66.0/lib/vtls/gtls.c =================================================================== --- curl-7.66.0.orig/lib/vtls/gtls.c +++ curl-7.66.0/lib/vtls/gtls.c @@ -1055,7 +1055,7 @@ gtls_connect_step3(struct connectdata *c if(!chainp) { if(SSL_CONN_CONFIG(verifypeer) || SSL_CONN_CONFIG(verifyhost) || - SSL_SET_OPTION(issuercert)) { + SSL_CONN_CONFIG(issuercert)) { #ifdef USE_TLS_SRP if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP && SSL_SET_OPTION(username) != NULL @@ -1237,21 +1237,21 @@ gtls_connect_step3(struct connectdata *c gnutls_x509_crt_t format */ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); - if(SSL_SET_OPTION(issuercert)) { + if(SSL_CONN_CONFIG(issuercert)) { gnutls_x509_crt_init(&x509_issuer); - issuerp = load_file(SSL_SET_OPTION(issuercert)); + issuerp = load_file(SSL_CONN_CONFIG(issuercert)); gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); gnutls_x509_crt_deinit(x509_issuer); unload_file(issuerp); if(rc <= 0) { failf(data, "server certificate issuer check failed (IssuerCert: %s)", - SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); + SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); gnutls_x509_crt_deinit(x509_cert); return CURLE_SSL_ISSUER_ERROR; } infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", - SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); + SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); } size = sizeof(certbuf); Index: curl-7.66.0/lib/vtls/nss.c =================================================================== --- curl-7.66.0.orig/lib/vtls/nss.c +++ curl-7.66.0/lib/vtls/nss.c @@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct co if(result) goto error; - if(SSL_SET_OPTION(issuercert)) { + if(SSL_CONN_CONFIG(issuercert)) { SECStatus ret = SECFailure; - char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); + char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); if(nickname) { /* we support only nicknames in case of issuercert for now */ ret = check_issuer_cert(BACKEND->handle, nickname); Index: curl-7.66.0/lib/vtls/openssl.c =================================================================== --- curl-7.66.0.orig/lib/vtls/openssl.c +++ curl-7.66.0/lib/vtls/openssl.c @@ -3565,7 +3565,7 @@ static CURLcode servercert(struct connec deallocating the certificate. */ /* e.g. match issuer name with provided issuer certificate */ - if(SSL_SET_OPTION(issuercert)) { + if(SSL_CONN_CONFIG(issuercert)) { fp = BIO_new(BIO_s_file()); if(fp == NULL) { failf(data, @@ -3578,10 +3578,10 @@ static CURLcode servercert(struct connec return CURLE_OUT_OF_MEMORY; } - if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { + if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { if(strict) failf(data, "SSL: Unable to open issuer cert (%s)", - SSL_SET_OPTION(issuercert)); + SSL_CONN_CONFIG(issuercert)); BIO_free(fp); X509_free(BACKEND->server_cert); BACKEND->server_cert = NULL; @@ -3592,7 +3592,7 @@ static CURLcode servercert(struct connec if(!issuer) { if(strict) failf(data, "SSL: Unable to read issuer cert (%s)", - SSL_SET_OPTION(issuercert)); + SSL_CONN_CONFIG(issuercert)); BIO_free(fp); X509_free(issuer); X509_free(BACKEND->server_cert); @@ -3603,7 +3603,7 @@ static CURLcode servercert(struct connec if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { if(strict) failf(data, "SSL: Certificate issuer check failed (%s)", - SSL_SET_OPTION(issuercert)); + SSL_CONN_CONFIG(issuercert)); BIO_free(fp); X509_free(issuer); X509_free(BACKEND->server_cert); @@ -3612,7 +3612,7 @@ static CURLcode servercert(struct connec } infof(data, " SSL certificate issuer check ok (%s)\n", - SSL_SET_OPTION(issuercert)); + SSL_CONN_CONFIG(issuercert)); BIO_free(fp); X509_free(issuer); } Index: curl-7.66.0/lib/vtls/vtls.c =================================================================== --- curl-7.66.0.orig/lib/vtls/vtls.c +++ curl-7.66.0/lib/vtls/vtls.c @@ -93,6 +93,7 @@ Curl_ssl_config_matches(struct ssl_prima (data->verifystatus == needle->verifystatus) && Curl_safe_strcasecompare(data->CApath, needle->CApath) && Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && + Curl_safe_strcasecompare(data->issuercert, needle->issuercert) && Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && Curl_safe_strcasecompare(data->random_file, needle->random_file) && Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && @@ -116,6 +117,7 @@ Curl_clone_primary_ssl_config(struct ssl CLONE_STRING(CApath); CLONE_STRING(CAfile); + CLONE_STRING(issuercert); CLONE_STRING(clientcert); CLONE_STRING(random_file); CLONE_STRING(egdsocket); @@ -129,6 +131,7 @@ void Curl_free_primary_ssl_config(struct { Curl_safefree(sslc->CApath); Curl_safefree(sslc->CAfile); + Curl_safefree(sslc->issuercert); Curl_safefree(sslc->clientcert); Curl_safefree(sslc->random_file); Curl_safefree(sslc->egdsocket);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor