Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP6:Update
curl.28863
curl-CVE-2023-28321.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2023-28321.patch of Package curl.28863
From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Mon, 24 Apr 2023 21:07:02 +0200 Subject: [PATCH] hostcheck: fix host name wildcard checking The leftmost "label" of the host name can now only match against single '*'. Like the browsers have worked for a long time. - extended unit test 1397 for this - move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc Reported-by: Hiroki Kurosawa Closes #11018 --- lib/vtls/hostcheck.c | 50 +++++++-------- tests/data/test1397 | 10 ++- tests/unit/Makefile.am | 94 ---------------------------- tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- 5 files changed, 202 insertions(+), 180 deletions(-) Index: curl-8.0.1/lib/vtls/hostcheck.c =================================================================== --- curl-8.0.1.orig/lib/vtls/hostcheck.c +++ curl-8.0.1/lib/vtls/hostcheck.c @@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, * apparent distinction between a name and an IP. We need to detect the use of * an IP address and not wildcard match on such names. * + * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor + * "*b". + * * Return TRUE on a match. FALSE if not. + * + * @unittest: 1397 */ static bool hostmatch(const char *hostname, @@ -79,53 +84,42 @@ static bool hostmatch(const char *hostna const char *pattern, size_t patternlen) { - const char *pattern_label_end, *wildcard, *hostname_label_end; - size_t prefixlen, suffixlen; + const char *pattern_label_end; - /* normalize pattern and hostname by stripping off trailing dots */ + DEBUGASSERT(pattern); DEBUGASSERT(patternlen); + DEBUGASSERT(hostname); + DEBUGASSERT(hostlen); + + /* normalize pattern and hostname by stripping off trailing dots */ if(hostname[hostlen-1]=='.') hostlen--; if(pattern[patternlen-1]=='.') patternlen--; - wildcard = memchr(pattern, '*', patternlen); - if(!wildcard) + if(strncmp(pattern, "*.", 2)) return pmatch(hostname, hostlen, pattern, patternlen); /* detect IP address as hostname and fail the match if so */ - if(Curl_host_is_ipnum(hostname)) + else if(Curl_host_is_ipnum(hostname)) return FALSE; /* We require at least 2 dots in the pattern to avoid too wide wildcard match. */ pattern_label_end = memchr(pattern, '.', patternlen); if(!pattern_label_end || - (memrchr(pattern, '.', patternlen) == pattern_label_end) || - strncasecompare(pattern, "xn--", 4)) + (memrchr(pattern, '.', patternlen) == pattern_label_end)) return pmatch(hostname, hostlen, pattern, patternlen); - - hostname_label_end = memchr(hostname, '.', hostlen); - if(!hostname_label_end) - return FALSE; else { - size_t skiphost = hostname_label_end - hostname; - size_t skiplen = pattern_label_end - pattern; - if(!pmatch(hostname_label_end, hostlen - skiphost, - pattern_label_end, patternlen - skiplen)) - return FALSE; + const char *hostname_label_end = memchr(hostname, '.', hostlen); + if(hostname_label_end) { + size_t skiphost = hostname_label_end - hostname; + size_t skiplen = pattern_label_end - pattern; + return pmatch(hostname_label_end, hostlen - skiphost, + pattern_label_end, patternlen - skiplen); + } } - /* The wildcard must match at least one character, so the left-most - label of the hostname is at least as large as the left-most label - of the pattern. */ - if(hostname_label_end - hostname < pattern_label_end - pattern) - return FALSE; - - prefixlen = wildcard - pattern; - suffixlen = pattern_label_end - (wildcard + 1); - return strncasecompare(pattern, hostname, prefixlen) && - strncasecompare(wildcard + 1, hostname_label_end - suffixlen, - suffixlen) ? TRUE : FALSE; + return FALSE; } /* Index: curl-8.0.1/tests/data/test1397 =================================================================== --- curl-8.0.1.orig/tests/data/test1397 +++ curl-8.0.1/tests/data/test1397 @@ -2,8 +2,7 @@ <info> <keywords> unittest -ssl -wildcard +Curl_cert_hostcheck </keywords> </info> @@ -16,9 +15,8 @@ none <features> unittest </features> - <name> -Check wildcard certificate matching function Curl_cert_hostcheck - </name> +<name> +Curl_cert_hostcheck unit tests +</name> </client> - </testcase> Index: curl-8.0.1/tests/unit/Makefile.am =================================================================== --- curl-8.0.1.orig/tests/unit/Makefile.am +++ curl-8.0.1/tests/unit/Makefile.am @@ -67,91 +67,3 @@ noinst_PROGRAMS = $(UNITPROGS) else noinst_PROGRAMS = endif - -unit1300_SOURCES = unit1300.c $(UNITFILES) - -unit1302_SOURCES = unit1302.c $(UNITFILES) - -unit1303_SOURCES = unit1303.c $(UNITFILES) - -unit1304_SOURCES = unit1304.c $(UNITFILES) - -unit1305_SOURCES = unit1305.c $(UNITFILES) - -unit1307_SOURCES = unit1307.c $(UNITFILES) - -unit1308_SOURCES = unit1308.c $(UNITFILES) - -unit1309_SOURCES = unit1309.c $(UNITFILES) - -unit1323_SOURCES = unit1323.c $(UNITFILES) - -unit1330_SOURCES = unit1330.c $(UNITFILES) - -unit1394_SOURCES = unit1394.c $(UNITFILES) -unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ -unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la -unit1394_LIBS = - -unit1395_SOURCES = unit1395.c $(UNITFILES) - -unit1396_SOURCES = unit1396.c $(UNITFILES) - -unit1397_SOURCES = unit1397.c $(UNITFILES) - -unit1398_SOURCES = unit1398.c $(UNITFILES) - -unit1399_SOURCES = unit1399.c $(UNITFILES) - -unit1600_SOURCES = unit1600.c $(UNITFILES) - -unit1601_SOURCES = unit1601.c $(UNITFILES) - -unit1602_SOURCES = unit1602.c $(UNITFILES) - -unit1603_SOURCES = unit1603.c $(UNITFILES) - -unit1604_SOURCES = unit1604.c $(UNITFILES) - -unit1605_SOURCES = unit1605.c $(UNITFILES) - -unit1606_SOURCES = unit1606.c $(UNITFILES) - -unit1607_SOURCES = unit1607.c $(UNITFILES) - -unit1608_SOURCES = unit1608.c $(UNITFILES) - -unit1609_SOURCES = unit1609.c $(UNITFILES) - -unit1610_SOURCES = unit1610.c $(UNITFILES) - -unit1611_SOURCES = unit1611.c $(UNITFILES) - -unit1612_SOURCES = unit1612.c $(UNITFILES) - -unit1614_SOURCES = unit1614.c $(UNITFILES) - -unit1620_SOURCES = unit1620.c $(UNITFILES) - -unit1621_SOURCES = unit1621.c $(UNITFILES) -unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@ - -unit1650_SOURCES = unit1650.c $(UNITFILES) - -unit1651_SOURCES = unit1651.c $(UNITFILES) - -unit1652_SOURCES = unit1652.c $(UNITFILES) - -unit1653_SOURCES = unit1653.c $(UNITFILES) - -unit1654_SOURCES = unit1654.c $(UNITFILES) - -unit1655_SOURCES = unit1655.c $(UNITFILES) - -unit1660_SOURCES = unit1660.c $(UNITFILES) - -unit1661_SOURCES = unit1661.c $(UNITFILES) - -unit2600_SOURCES = unit2600.c $(UNITFILES) - -unit3200_SOURCES = unit3200.c $(UNITFILES) Index: curl-8.0.1/tests/unit/Makefile.inc =================================================================== --- curl-8.0.1.orig/tests/unit/Makefile.inc +++ curl-8.0.1/tests/unit/Makefile.inc @@ -40,3 +40,91 @@ UNITPROGS = unit1300 unit1302 u unit1660 unit1661 \ unit2600 \ unit3200 + +unit1300_SOURCES = unit1300.c $(UNITFILES) + +unit1302_SOURCES = unit1302.c $(UNITFILES) + +unit1303_SOURCES = unit1303.c $(UNITFILES) + +unit1304_SOURCES = unit1304.c $(UNITFILES) + +unit1305_SOURCES = unit1305.c $(UNITFILES) + +unit1307_SOURCES = unit1307.c $(UNITFILES) + +unit1308_SOURCES = unit1308.c $(UNITFILES) + +unit1309_SOURCES = unit1309.c $(UNITFILES) + +unit1323_SOURCES = unit1323.c $(UNITFILES) + +unit1330_SOURCES = unit1330.c $(UNITFILES) + +unit1394_SOURCES = unit1394.c $(UNITFILES) +unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ +unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la +unit1394_LIBS = + +unit1395_SOURCES = unit1395.c $(UNITFILES) + +unit1396_SOURCES = unit1396.c $(UNITFILES) + +unit1397_SOURCES = unit1397.c $(UNITFILES) + +unit1398_SOURCES = unit1398.c $(UNITFILES) + +unit1399_SOURCES = unit1399.c $(UNITFILES) + +unit1600_SOURCES = unit1600.c $(UNITFILES) + +unit1601_SOURCES = unit1601.c $(UNITFILES) + +unit1602_SOURCES = unit1602.c $(UNITFILES) + +unit1603_SOURCES = unit1603.c $(UNITFILES) + +unit1604_SOURCES = unit1604.c $(UNITFILES) + +unit1605_SOURCES = unit1605.c $(UNITFILES) + +unit1606_SOURCES = unit1606.c $(UNITFILES) + +unit1607_SOURCES = unit1607.c $(UNITFILES) + +unit1608_SOURCES = unit1608.c $(UNITFILES) + +unit1609_SOURCES = unit1609.c $(UNITFILES) + +unit1610_SOURCES = unit1610.c $(UNITFILES) + +unit1611_SOURCES = unit1611.c $(UNITFILES) + +unit1612_SOURCES = unit1612.c $(UNITFILES) + +unit1614_SOURCES = unit1614.c $(UNITFILES) + +unit1620_SOURCES = unit1620.c $(UNITFILES) + +unit1621_SOURCES = unit1621.c $(UNITFILES) +unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@ + +unit1650_SOURCES = unit1650.c $(UNITFILES) + +unit1651_SOURCES = unit1651.c $(UNITFILES) + +unit1652_SOURCES = unit1652.c $(UNITFILES) + +unit1653_SOURCES = unit1653.c $(UNITFILES) + +unit1654_SOURCES = unit1654.c $(UNITFILES) + +unit1655_SOURCES = unit1655.c $(UNITFILES) + +unit1660_SOURCES = unit1660.c $(UNITFILES) + +unit1661_SOURCES = unit1661.c $(UNITFILES) + +unit2600_SOURCES = unit2600.c $(UNITFILES) + +unit3200_SOURCES = unit3200.c $(UNITFILES) Index: curl-8.0.1/tests/unit/unit1397.c =================================================================== --- curl-8.0.1.orig/tests/unit/unit1397.c +++ curl-8.0.1/tests/unit/unit1397.c @@ -23,7 +23,6 @@ ***************************************************************************/ #include "curlcheck.h" -#include "vtls/hostcheck.h" /* from the lib dir */ static CURLcode unit_setup(void) { @@ -32,63 +31,94 @@ static CURLcode unit_setup(void) static void unit_stop(void) { - /* done before shutting down and exiting */ } -UNITTEST_START - /* only these backends define the tested functions */ -#if defined(USE_OPENSSL) || defined(USE_GSKIT) - - /* here you start doing things and checking that the results are good */ +#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL) +#include "vtls/hostcheck.h" +struct testcase { + const char *host; + const char *pattern; + bool match; +}; + +static struct testcase tests[] = { + {"", "", FALSE}, + {"a", "", FALSE}, + {"", "b", FALSE}, + {"a", "b", FALSE}, + {"aa", "bb", FALSE}, + {"\xff", "\xff", TRUE}, + {"aa.aa.aa", "aa.aa.bb", FALSE}, + {"aa.aa.aa", "aa.aa.aa", TRUE}, + {"aa.aa.aa", "*.aa.bb", FALSE}, + {"aa.aa.aa", "*.aa.aa", TRUE}, + {"192.168.0.1", "192.168.0.1", TRUE}, + {"192.168.0.1", "*.168.0.1", FALSE}, + {"192.168.0.1", "*.0.1", FALSE}, + {"h.ello", "*.ello", FALSE}, + {"h.ello.", "*.ello", FALSE}, + {"h.ello", "*.ello.", FALSE}, + {"h.e.llo", "*.e.llo", TRUE}, + {"h.e.llo", " *.e.llo", FALSE}, + {" h.e.llo", "*.e.llo", TRUE}, + {"h.e.llo.", "*.e.llo", TRUE}, + {"*.e.llo.", "*.e.llo", TRUE}, + {"************.e.llo.", "*.e.llo", TRUE}, + {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" + "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" + "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" + "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" + ".e.llo.", "*.e.llo", TRUE}, + {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, + {"h.e.llo.", "*.e.llo.", TRUE}, + {"h.e.llo", "*.e.llo.", TRUE}, + {".h.e.llo", "*.e.llo.", FALSE}, + {"h.e.llo", "*.*.llo.", FALSE}, + {"h.e.llo", "h.*.llo", FALSE}, + {"h.e.llo", "h.e.*", FALSE}, + {"hello", "*.ello", FALSE}, + {"hello", "**llo", FALSE}, + {"bar.foo.example.com", "*.example.com", FALSE}, + {"foo.example.com", "*.example.com", TRUE}, + {"baz.example.net", "b*z.example.net", FALSE}, + {"foobaz.example.net", "*baz.example.net", FALSE}, + {"xn--l8j.example.local", "x*.example.local", FALSE}, + {"xn--l8j.example.net", "*.example.net", TRUE}, + {"xn--l8j.example.net", "*j.example.net", FALSE}, + {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, + {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, + {"xl8j.example.net", "*.example.net", TRUE}, + {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, + {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, + {NULL, NULL, FALSE} +}; -fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"), - STRCONST("www.example.com")), "good 1"); -fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"), - STRCONST("www.example.com")), - "good 2"); -fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"), - STRCONST("xxxwww.example.com")), "good 3"); -fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"), - STRCONST("foo.example.com")), "good 4"); -fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"), - STRCONST("192.168.0.0")), "good 5"); - -fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"), - STRCONST("www.example.com")), "bad 1"); -fail_if(Curl_cert_hostcheck(STRCONST("*"), - STRCONST("www.example.com")),"bad 2"); -fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"), - STRCONST("www.example.com")), "bad 3"); -fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"), - STRCONST("baa.foo.example.com")), "bad 4"); -fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"), - STRCONST("baa.example.com")), "bad 5"); -fail_if(Curl_cert_hostcheck(STRCONST("*.com"), - STRCONST("example.com")), "bad 6"); -fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"), - STRCONST("example.com")), "bad 7"); -fail_if(Curl_cert_hostcheck(STRCONST("*.example."), - STRCONST("www.example.")), "bad 8"); -fail_if(Curl_cert_hostcheck(STRCONST("*.example."), - STRCONST("www.example")), "bad 9"); -fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10"); -fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11"); -fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"), - STRCONST("192.168.0.0")), "bad 12"); -fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"), - STRCONST("192.168.0.0")), "bad 13"); - -#ifdef ENABLE_IPV6 -fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"), - STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14"); -fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"), - STRCONST("fe80::3285:a9ff:fe46:b619")), - "good 6"); -#endif +UNITTEST_START +{ + int i; + for(i = 0; tests[i].host; i++) { + if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, + strlen(tests[i].pattern), + tests[i].host, + strlen(tests[i].host))) { + fprintf(stderr, + "HOST: %s\n" + "PTRN: %s\n" + "did %sMATCH\n", + tests[i].host, + tests[i].pattern, + tests[i].match ? "NOT ": ""); + unitfail++; + } + } +} -#endif +UNITTEST_STOP +#else - /* you end the test code like this: */ +UNITTEST_START UNITTEST_STOP +#endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
