File curl-CVE-2022-27782.patch of Package curl.28253

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2022-27782.patch of Package curl.28253

From c3f8e4e2b4a334697e7ce3168495f20a46b398bd Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 May 2022 09:31:11 +0200
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse

CVE-2022-27782

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
---
 lib/setopt.c       | 29 +++++++++++++++++------------
 lib/url.c          | 23 ++++++++++++++++-------
 lib/urldata.h      | 13 +++++++------
 lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
 lib/vtls/openssl.c | 10 +++++-----
 lib/vtls/vtls.c    | 20 ++++++++++++++++++++
 6 files changed, 82 insertions(+), 45 deletions(-)

Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c
+++ curl-7.37.0/lib/url.c
@@ -150,6 +150,7 @@ static CURLcode parse_url_login(struct S
 CURLcode parse_login_details(const char *login, const size_t len,
                              char **userptr, char **passwdptr,
                              char **optionsptr);
+static unsigned int get_protocol_family(unsigned int protocol);
 
 /*
  * Protocol table.
@@ -2133,6 +2134,7 @@ CURLcode Curl_setopt(struct SessionHandl
 
   case CURLOPT_SSL_OPTIONS:
     arg = va_arg(param, long);
+    data->set.ssl.ssl_options = (unsigned char)(arg & 0xff);
     data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
     break;
 
@@ -2922,6 +2924,17 @@ find_oldest_idle_connection_in_bundle(st
   return conn_candidate;
 }
 
+static bool ssh_config_matches(struct connectdata *one,
+                               struct connectdata *two)
+{
+#ifdef USE_LIBSSH2
+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+#else
+  return TRUE;
+#endif
+}
+
 /*
  * Given one filled in connection struct (named needle), this function should
  * detect if there already is one that has all the significant details
@@ -3062,6 +3075,12 @@ ConnectionExists(struct SessionHandle *d
         }
       }
 
+      if(get_protocol_family(needle->handler) == CURLPROTO_SFTP ||
+         get_protocol_family(needle->handler) == CURLPROTO_SCP ) {
+        if(!ssh_config_matches(needle, check))
+          continue;
+      }
+
       if((needle->handler->flags&PROTOPT_SSL) !=
          (check->handler->flags&PROTOPT_SSL))
         /* don't do mixed SSL and non-SSL connections */
@@ -3673,6 +3692,8 @@ static struct connectdata *allocate_conn
   conn->verifypeer = data->set.ssl.verifypeer;
   conn->verifyhost = data->set.ssl.verifyhost;
 
+  conn->ssl_config.ssl_options = data->set.ssl.ssl_options;
+
   conn->ip_version = data->set.ipver;
 
 #if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
@@ -6042,3 +6063,112 @@ CURLcode Curl_do_more(struct connectdata
   return result;
 }
 
+/*
+* get_protocol_family()
+*
+* This is used to return the protocol family for a given protocol.
+*
+* Parameters:
+*
+* protocol  [in]  - A single bit protocol identifier such as HTTP or HTTPS.
+*
+* Returns the family as a single bit protocol identifier.
+*/
+
+static unsigned int get_protocol_family(unsigned int protocol)
+{
+  unsigned int family;
+
+  switch(protocol) {
+  case CURLPROTO_HTTP:
+  case CURLPROTO_HTTPS:
+    family = CURLPROTO_HTTP;
+    break;
+
+  case CURLPROTO_FTP:
+  case CURLPROTO_FTPS:
+    family = CURLPROTO_FTP;
+    break;
+
+  case CURLPROTO_SCP:
+    family = CURLPROTO_SCP;
+    break;
+
+  case CURLPROTO_SFTP:
+    family = CURLPROTO_SFTP;
+    break;
+
+  case CURLPROTO_TELNET:
+    family = CURLPROTO_TELNET;
+    break;
+
+  case CURLPROTO_LDAP:
+  case CURLPROTO_LDAPS:
+    family = CURLPROTO_LDAP;
+    break;
+
+  case CURLPROTO_DICT:
+    family = CURLPROTO_DICT;
+    break;
+
+  case CURLPROTO_FILE:
+    family = CURLPROTO_FILE;
+    break;
+
+  case CURLPROTO_TFTP:
+    family = CURLPROTO_TFTP;
+    break;
+
+  case CURLPROTO_IMAP:
+  case CURLPROTO_IMAPS:
+    family = CURLPROTO_IMAP;
+    break;
+
+  case CURLPROTO_POP3:
+  case CURLPROTO_POP3S:
+    family = CURLPROTO_POP3;
+    break;
+
+  case CURLPROTO_SMTP:
+  case CURLPROTO_SMTPS:
+      family = CURLPROTO_SMTP;
+      break;
+
+  case CURLPROTO_RTSP:
+    family = CURLPROTO_RTSP;
+    break;
+
+  case CURLPROTO_RTMP:
+  case CURLPROTO_RTMPS:
+    family = CURLPROTO_RTMP;
+    break;
+
+  case CURLPROTO_RTMPT:
+  case CURLPROTO_RTMPTS:
+    family = CURLPROTO_RTMPT;
+    break;
+
+  case CURLPROTO_RTMPE:
+    family = CURLPROTO_RTMPE;
+    break;
+
+  case CURLPROTO_RTMPTE:
+    family = CURLPROTO_RTMPTE;
+    break;
+
+  case CURLPROTO_GOPHER:
+    family = CURLPROTO_GOPHER;
+    break;
+
+  // case CURLPROTO_SMB:
+  // case CURLPROTO_SMBS:
+  //   family = CURLPROTO_SMB;
+  //   break;
+
+  default:
+      family = 0;
+      break;
+  }
+
+  return family;
+}
\ No newline at end of file
Index: curl-7.37.0/lib/urldata.h
===================================================================
--- curl-7.37.0.orig/lib/urldata.h
+++ curl-7.37.0/lib/urldata.h
@@ -370,6 +370,7 @@ struct ssl_config_data {
   char *CAfile;          /* certificate to verify peer against */
   const char *CRLfile;   /* CRL to check certificate revocation */
   const char *issuercert;/* optional issuer certificate filename */
+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
   char *clientcert;
   char *random_file;     /* path to file containing "random" data */
   char *egdsocket;       /* path to file containing the EGD daemon socket */
Index: curl-7.37.0/lib/vtls/vtls.c
===================================================================
--- curl-7.37.0.orig/lib/vtls/vtls.c
+++ curl-7.37.0/lib/vtls/vtls.c
@@ -105,6 +105,7 @@ Curl_ssl_config_matches(struct ssl_confi
                         struct ssl_config_data* needle)
 {
   if((data->version == needle->version) &&
+     (data->ssl_options == needle->ssl_options) &&
      (data->verifypeer == needle->verifypeer) &&
      (data->verifyhost == needle->verifyhost) &&
      Curl_safecmp(data->CApath, needle->CApath) &&
@@ -113,6 +114,12 @@ Curl_ssl_config_matches(struct ssl_confi
      Curl_safecmp(data->clientcert, needle->clientcert) &&
      Curl_safecmp(data->random_file, needle->random_file) &&
      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+#ifdef USE_TLS_SRP
+     Curl_safecmp(data->username, needle->username) &&
+     Curl_safecmp(data->password, needle->password) &&
+     (data->authtype == needle->authtype) &&
+#endif
+     Curl_safecmp(data->CRLfile, needle->CRLfile) &&
      safe_strequal(data->cipher_list, needle->cipher_list))
     return TRUE;
 
@@ -127,6 +134,10 @@ Curl_clone_ssl_config(struct ssl_config_
   dest->verifyhost = source->verifyhost;
   dest->verifypeer = source->verifypeer;
   dest->version = source->version;
+  dest->ssl_options = source->ssl_options;
+#ifdef USE_TLS_SRP
+  dest->authtype = source->authtype;
+#endif
 
   if(source->CAfile) {
     dest->CAfile = strdup(source->CAfile);
@@ -185,6 +196,32 @@ Curl_clone_ssl_config(struct ssl_config_
   else
     dest->clientcert = NULL;
 
+  if(source->CRLfile) {
+    dest->CRLfile = strdup(source->CRLfile);
+    if(!dest->CRLfile)
+      return FALSE;
+  }
+  else
+    dest->CRLfile = NULL;
+
+#ifdef USE_TLS_SRP
+  if(source->username) {
+    dest->username = strdup(source->username);
+    if(!dest->username)
+      return FALSE;
+  }
+  else
+    dest->username = NULL;
+
+  if(source->password) {
+    dest->password = strdup(source->password);
+    if(!dest->password)
+      return FALSE;
+  }
+  else
+    dest->password = NULL;
+#endif
+
   return TRUE;
 }
 
@@ -197,6 +234,12 @@ void Curl_free_ssl_config(struct ssl_con
   Curl_safefree(sslc->egdsocket);
   Curl_safefree(sslc->random_file);
   Curl_safefree(sslc->clientcert);
+
+  Curl_safefree(sslc->CRLfile);
+#ifdef USE_TLS_SRP
+  Curl_safefree(sslc->username);
+  Curl_safefree(sslc->password);
+#endif
 }
 
 
Index: curl-7.37.0/lib/ssh.h
===================================================================
--- curl-7.37.0.orig/lib/ssh.h
+++ curl-7.37.0/lib/ssh.h
@@ -108,8 +108,8 @@ struct ssh_conn {
   const char *authlist;       /* List of auth. methods, managed by libssh2 */
 #ifdef USE_LIBSSH2
   const char *passphrase;     /* pass-phrase to use */
-  char *rsa_pub;              /* path name */
-  char *rsa;                  /* path name */
+  char *rsa_pub;              /* strdup'ed public key file */
+  char *rsa;                  /* strdup'ed private key file */
   bool authed;                /* the connection has been authenticated fine */
   sshstate state;             /* always use ssh.c:state() to change state! */
   sshstate nextstate;         /* the state to goto after stopping */

Places

File curl-CVE-2022-27782.patch of Package curl.28253

Places