File curl-CVE-2021-22924.patch of Package curl.28980

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2021-22924.patch of Package curl.28980

From 6c07d0c65e2c8d381efe100947d20e147da2217b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 19 Jun 2021 00:42:28 +0200
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
 sensitivity

CVE-2021-22924

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2021-22924.html
---
 lib/url.c          | 10 ++++++----
 lib/urldata.h      |  4 ++--
 lib/vtls/gtls.c    | 10 +++++-----
 lib/vtls/nss.c     |  4 ++--
 lib/vtls/openssl.c | 18 +++++++++---------
 lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
 6 files changed, 45 insertions(+), 27 deletions(-)

Index: curl-7.66.0/lib/url.c
===================================================================
--- curl-7.66.0.orig/lib/url.c
+++ curl-7.66.0/lib/url.c
@@ -3513,6 +3513,8 @@ static CURLcode create_conn(struct Curl_
   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+  data->set.proxy_ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
   data->set.proxy_ssl.primary.random_file =
     data->set.str[STRING_SSL_RANDOM_FILE];
@@ -3529,8 +3531,6 @@ static CURLcode create_conn(struct Curl_
 
   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
   data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
Index: curl-7.66.0/lib/urldata.h
===================================================================
--- curl-7.66.0.orig/lib/urldata.h
+++ curl-7.66.0/lib/urldata.h
@@ -217,6 +217,7 @@ struct ssl_primary_config {
   long version_max;      /* max supported version the client wants to use*/
   char *CApath;          /* certificate dir (doesn't work on windows) */
   char *CAfile;          /* certificate to verify peer against */
+  char *issuercert;      /* optional issuer certificate filename */
   char *clientcert;
   char *random_file;     /* path to file containing "random" data */
   char *egdsocket;       /* path to file containing the EGD daemon socket */
@@ -232,7 +233,6 @@ struct ssl_config_data {
   struct ssl_primary_config primary;
   long certverifyresult; /* result from the certificate verification */
   char *CRLfile;   /* CRL to check certificate revocation */
-  char *issuercert;/* optional issuer certificate filename */
   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
   void *fsslctxp;        /* parameter for call back */
   char *cert; /* client certificate file name */
Index: curl-7.66.0/lib/vtls/gtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/gtls.c
+++ curl-7.66.0/lib/vtls/gtls.c
@@ -1055,7 +1055,7 @@ gtls_connect_step3(struct connectdata *c
   if(!chainp) {
     if(SSL_CONN_CONFIG(verifypeer) ||
        SSL_CONN_CONFIG(verifyhost) ||
-       SSL_SET_OPTION(issuercert)) {
+       SSL_CONN_CONFIG(issuercert)) {
 #ifdef USE_TLS_SRP
       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
          && SSL_SET_OPTION(username) != NULL
@@ -1237,21 +1237,21 @@ gtls_connect_step3(struct connectdata *c
        gnutls_x509_crt_t format */
     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
 
-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
     gnutls_x509_crt_init(&x509_issuer);
-    issuerp = load_file(SSL_SET_OPTION(issuercert));
+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
     gnutls_x509_crt_deinit(x509_issuer);
     unload_file(issuerp);
     if(rc <= 0) {
       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
       gnutls_x509_crt_deinit(x509_cert);
       return CURLE_SSL_ISSUER_ERROR;
     }
     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
   }
 
   size = sizeof(certbuf);
Index: curl-7.66.0/lib/vtls/nss.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/nss.c
+++ curl-7.66.0/lib/vtls/nss.c
@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct co
   if(result)
     goto error;
 
-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
     SECStatus ret = SECFailure;
-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
     if(nickname) {
       /* we support only nicknames in case of issuercert for now */
       ret = check_issuer_cert(BACKEND->handle, nickname);
Index: curl-7.66.0/lib/vtls/openssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/openssl.c
+++ curl-7.66.0/lib/vtls/openssl.c
@@ -3565,7 +3565,7 @@ static CURLcode servercert(struct connec
        deallocating the certificate. */
 
     /* e.g. match issuer name with provided issuer certificate */
-    if(SSL_SET_OPTION(issuercert)) {
+    if(SSL_CONN_CONFIG(issuercert)) {
       fp = BIO_new(BIO_s_file());
       if(fp == NULL) {
         failf(data,
@@ -3578,10 +3578,10 @@ static CURLcode servercert(struct connec
         return CURLE_OUT_OF_MEMORY;
       }
 
-      if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
+      if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
         if(strict)
           failf(data, "SSL: Unable to open issuer cert (%s)",
-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
         BIO_free(fp);
         X509_free(BACKEND->server_cert);
         BACKEND->server_cert = NULL;
@@ -3592,7 +3592,7 @@ static CURLcode servercert(struct connec
       if(!issuer) {
         if(strict)
           failf(data, "SSL: Unable to read issuer cert (%s)",
-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
         BIO_free(fp);
         X509_free(issuer);
         X509_free(BACKEND->server_cert);
@@ -3603,7 +3603,7 @@ static CURLcode servercert(struct connec
       if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
         if(strict)
           failf(data, "SSL: Certificate issuer check failed (%s)",
-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
         BIO_free(fp);
         X509_free(issuer);
         X509_free(BACKEND->server_cert);
@@ -3612,7 +3612,7 @@ static CURLcode servercert(struct connec
       }
 
       infof(data, " SSL certificate issuer check ok (%s)\n",
-            SSL_SET_OPTION(issuercert));
+            SSL_CONN_CONFIG(issuercert));
       BIO_free(fp);
       X509_free(issuer);
     }
Index: curl-7.66.0/lib/vtls/vtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/vtls.c
+++ curl-7.66.0/lib/vtls/vtls.c
@@ -93,6 +93,7 @@ Curl_ssl_config_matches(struct ssl_prima
      (data->verifystatus == needle->verifystatus) &&
      Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
      Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+     Curl_safe_strcasecompare(data->issuercert, needle->issuercert) &&
      Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
      Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
      Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
@@ -116,6 +117,7 @@ Curl_clone_primary_ssl_config(struct ssl
 
   CLONE_STRING(CApath);
   CLONE_STRING(CAfile);
+  CLONE_STRING(issuercert);
   CLONE_STRING(clientcert);
   CLONE_STRING(random_file);
   CLONE_STRING(egdsocket);
@@ -129,6 +131,7 @@ void Curl_free_primary_ssl_config(struct
 {
   Curl_safefree(sslc->CApath);
   Curl_safefree(sslc->CAfile);
+  Curl_safefree(sslc->issuercert);
   Curl_safefree(sslc->clientcert);
   Curl_safefree(sslc->random_file);
   Curl_safefree(sslc->egdsocket);

Places

File curl-CVE-2021-22924.patch of Package curl.28980

Places