packages/curl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!114 fix CVE-2022-27781 CVE-2022-27782

Browse Source 
From: @eaglegai 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng
This commit is contained in:
openeuler-ci-bot 2022-05-18 01:06:13 +00:00 committed by Gitee
commit eb15c986d2
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 560 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
backport-CVE-2022-27781.patch Normal file
View File

@ -0,0 +1,42 @@
Backport of:
From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 May 2022 09:24:56 +0200
Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2022-27781
Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
---
lib/vtls/nss.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -949,6 +949,9 @@ static void display_cert_info(struct Cur
PR_Free(common_name);
}
+/* A number of certs that will never occur in a real server handshake */
+#define TOO_MANY_CERTS 300
+
static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
{
CURLcode result = CURLE_OK;
@@ -985,6 +988,11 @@ static CURLcode display_conn_info(struct
cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
while(cert2) {
i++;
+ if(i >= TOO_MANY_CERTS) {
+ CERT_DestroyCertificate(cert2);
+ failf(conn->data, "certificate loop");
+ return CURLE_SSL_CERTPROBLEM;
+ }
if(cert2->isRoot) {
CERT_DestroyCertificate(cert2);
break;

476
backport-CVE-2022-27782.patch Normal file
View File

@ -0,0 +1,476 @@
Backport of:
From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 6 May 2022 10:48:58 +0200
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
---
lib/setopt.c | 29 +++++++++++++++++------------
lib/url.c | 23 ++++++++++++++++-------
lib/urldata.h | 13 +++++++------
lib/vtls/gtls.c | 32 +++++++++++++++++---------------
lib/vtls/openssl.c | 10 +++++-----
lib/vtls/vtls.c | 21 +++++++++++++++++++++
6 files changed, 83 insertions(+), 45 deletions(-)
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2217,6 +2217,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
case CURLOPT_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
@@ -2228,6 +2229,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.proxy_ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
@@ -2643,49 +2645,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *
case CURLOPT_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
case CURLOPT_PROXY_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
va_arg(param, char *));
#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
+ SRP */
#endif
break;
case CURLOPT_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
va_arg(param, char *));
#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
#endif
break;
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#endif
#endif
--- a/lib/url.c
+++ b/lib/url.c
@@ -524,7 +524,7 @@ CURLcode Curl_init_userdefined(struct Cu
set->ssl.primary.verifypeer = TRUE;
set->ssl.primary.verifyhost = TRUE;
#ifdef USE_TLS_SRP
- set->ssl.authtype = CURL_TLSAUTH_NONE;
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
#endif
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
type */
@@ -1046,6 +1046,12 @@ static void prune_dead_connections(struc
}
}
+static bool ssh_config_matches(struct connectdata *one,
+ struct connectdata *two)
+{
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+}
/*
* Given one filled in connection struct (named needle), this function should
* detect if there already is one that has all the significant details
@@ -1293,6 +1299,11 @@ ConnectionExists(struct Curl_easy *data,
}
}
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+
if((needle->handler->flags&PROTOPT_SSL)
#ifndef CURL_DISABLE_PROXY
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
@@ -1696,11 +1707,17 @@ static struct connectdata *allocate_conn
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#ifndef CURL_DISABLE_PROXY
conn->proxy_ssl_config.verifystatus =
data->set.proxy_ssl.primary.verifystatus;
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#endif
conn->ip_version = data->set.ipver;
conn->bits.connect_only = data->set.connect_only;
@@ -3697,7 +3714,8 @@ static CURLcode create_conn(struct Curl_
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
data->set.proxy_ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+ data->set.proxy_ssl.primary.CRLfile =
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
@@ -3705,19 +3723,21 @@ static CURLcode create_conn(struct Curl_
data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
#endif
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
#ifdef USE_TLS_SRP
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
#ifndef CURL_DISABLE_PROXY
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ data->set.proxy_ssl.primary.username =
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+ data->set.proxy_ssl.primary.password =
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
#endif
#endif
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -228,8 +228,15 @@ struct ssl_primary_config {
char *cipher_list; /* list of ciphers to use */
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
char *pinned_key;
+ char *CRLfile; /* CRL to check certificate revocation */
struct curl_blob *cert_blob;
struct curl_blob *issuercert_blob;
+#ifdef USE_TLS_SRP
+ char *username; /* TLS username (for, e.g., SRP) */
+ char *password; /* TLS password (for, e.g., SRP) */
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+#endif
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
BIT(verifypeer); /* set TRUE if this is desired */
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
BIT(verifystatus); /* set TRUE if certificate status must be checked */
@@ -240,7 +247,6 @@ struct ssl_primary_config {
struct ssl_config_data {
struct ssl_primary_config primary;
long certverifyresult; /* result from the certificate verification */
- char *CRLfile; /* CRL to check certificate revocation */
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
void *fsslctxp; /* parameter for call back */
char *cert; /* client certificate file name */
@@ -248,11 +254,6 @@ struct ssl_config_data {
struct curl_blob *key_blob;
char *key_type; /* format for private key (default: PEM) */
char *key_passwd; /* plain text private key password */
-#ifdef USE_TLS_SRP
- char *username; /* TLS username (for, e.g., SRP) */
- char *password; /* TLS password (for, e.g., SRP) */
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-#endif
BIT(certinfo); /* gather lots of certificate info */
BIT(falsestart);
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -428,9 +428,10 @@ gtls_connect_step1(struct connectdata *c
}
#ifdef USE_TLS_SRP
- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
Curl_allow_auth_to_host(data)) {
- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
+ infof(data, "Using TLS-SRP username: %s\n",
+ SSL_SET_OPTION(primary.username));
rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
@@ -440,8 +441,8 @@ gtls_connect_step1(struct connectdata *c
}
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
- SSL_SET_OPTION(username),
- SSL_SET_OPTION(password));
+ SSL_SET_OPTION(primary.username),
+ SSL_SET_OPTION(primary.password));
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
@@ -497,19 +498,19 @@ gtls_connect_step1(struct connectdata *c
}
#endif
- if(SSL_SET_OPTION(CRLfile)) {
+ if(SSL_SET_OPTION(primary.CRLfile)) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(backend->cred,
- SSL_SET_OPTION(CRLfile),
+ SSL_SET_OPTION(primary.CRLfile),
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
failf(data, "error reading crl file %s (%s)",
- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
return CURLE_SSL_CRL_BADFILE;
}
else
infof(data, "found %d CRL in %s\n",
- rc, SSL_SET_OPTION(CRLfile));
+ rc, SSL_SET_OPTION(primary.CRLfile));
}
/* Initialize TLS session as a client */
@@ -584,7 +585,7 @@ gtls_connect_step1(struct connectdata *c
#ifdef USE_TLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
size_t len = strlen(prioritylist);
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
@@ -676,7 +677,7 @@ gtls_connect_step1(struct connectdata *c
#ifdef USE_TLS_SRP
/* put the credentials to the current session */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
backend->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
@@ -857,8 +858,8 @@ gtls_connect_step3(struct connectdata *c
SSL_CONN_CONFIG(verifyhost) ||
SSL_CONN_CONFIG(issuercert)) {
#ifdef USE_TLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username)
&& !SSL_CONN_CONFIG(verifypeer)
&& gnutls_cipher_get(session)) {
/* no peer cert, but auth is ok if we have SRP user and cipher and no
@@ -916,7 +917,8 @@ gtls_connect_step3(struct connectdata *c
failf(data, "server certificate verification failed. CAfile: %s "
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
"none",
- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
+ SSL_SET_OPTION(primary.CRLfile) ?
+ SSL_SET_OPTION(primary.CRLfile) : "none");
return CURLE_PEER_FAILED_VERIFICATION;
}
else
@@ -1520,8 +1522,8 @@ static int Curl_gtls_shutdown(struct con
gnutls_certificate_free_credentials(backend->cred);
#ifdef USE_TLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL)
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
#endif
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struc
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef USE_TLS_SRP
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(cert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
@@ -2539,7 +2539,7 @@ static CURLcode ossl_connect_step1(struc
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
char error_buffer[256];
struct ssl_backend_data *backend = connssl->backend;
bool imported_native_ca = false;
@@ -2858,15 +2858,15 @@ static CURLcode ossl_connect_step1(struc
#ifdef USE_TLS_SRP
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
Curl_allow_auth_to_host(data)) {
- char * const ssl_username = SSL_SET_OPTION(username);
-
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
failf(data, "Unable to set SRP user name");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
failf(data, "failed setting SRP password");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -128,6 +128,7 @@ Curl_ssl_config_matches(struct ssl_prima
{
if((data->version == needle->version) &&
(data->version_max == needle->version_max) &&
+ (data->ssl_options == needle->ssl_options) &&
(data->verifypeer == needle->verifypeer) &&
(data->verifyhost == needle->verifyhost) &&
(data->verifystatus == needle->verifystatus) &&
@@ -139,8 +140,14 @@ Curl_ssl_config_matches(struct ssl_prima
Curl_safecmp(data->clientcert, needle->clientcert) &&
Curl_safecmp(data->random_file, needle->random_file) &&
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+#ifdef USE_TLS_SRP
+ Curl_safecmp(data->username, needle->username) &&
+ Curl_safecmp(data->password, needle->password) &&
+ (data->authtype == needle->authtype) &&
+#endif
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
return TRUE;
@@ -158,6 +165,10 @@ Curl_clone_primary_ssl_config(struct ssl
dest->verifyhost = source->verifyhost;
dest->verifystatus = source->verifystatus;
dest->sessionid = source->sessionid;
+ dest->ssl_options = source->ssl_options;
+#ifdef USE_TLS_SRP
+ dest->authtype = source->authtype;
+#endif
CLONE_BLOB(cert_blob);
CLONE_BLOB(issuercert_blob);
@@ -171,6 +182,11 @@ Curl_clone_primary_ssl_config(struct ssl
CLONE_STRING(cipher_list);
CLONE_STRING(cipher_list13);
CLONE_STRING(pinned_key);
+ CLONE_STRING(CRLfile);
+#ifdef USE_TLS_SRP
+ CLONE_STRING(username);
+ CLONE_STRING(password);
+#endif
return TRUE;
}
@@ -189,6 +205,11 @@ void Curl_free_primary_ssl_config(struct
Curl_safefree(sslc->pinned_key);
Curl_safefree(sslc->cert_blob);
Curl_safefree(sslc->issuercert_blob);
+ Curl_safefree(sslc->CRLfile);
+#ifdef USE_TLS_SRP
+ Curl_safefree(sslc->username);
+ Curl_safefree(sslc->password);
+#endif
}
#ifdef USE_SSL
--- a/lib/vssh/ssh.h
+++ b/lib/vssh/ssh.h
@@ -120,8 +120,8 @@ struct ssh_conn {
/* common */
const char *passphrase; /* pass-phrase to use */
- char *rsa_pub; /* path name */
- char *rsa; /* path name */
+ char *rsa_pub; /* strdup'ed public key file */
+ char *rsa; /* strdup'ed private key file */
bool authed; /* the connection has been authenticated fine */
sshstate state; /* always use ssh.c:state() to change state! */
sshstate nextstate; /* the state to goto after stopping */
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1964,13 +1964,13 @@ static CURLcode nss_setup_connect(struct
}
}
- if(SSL_SET_OPTION(CRLfile)) {
- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
+ if(SSL_SET_OPTION(primary.CRLfile)) {
+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
if(rv) {
result = rv;
goto error;
}
- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
+ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile));
}
if(SSL_SET_OPTION(cert)) {
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 975094f4fa795..b60b9cac50d4f 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
char * const ssl_cert = SSL_SET_OPTION(cert);
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;

32
backport-pre-CVE-2022-27782.patch Normal file
View File

@ -0,0 +1,32 @@
From 093531556203decd92d92bccd431edbe5561781c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 26 Apr 2022 07:46:19 +0200
Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
Follow-up to 620ea21410030 and 139a54ed0a172a
Reported-by: Harry Sintonen
Closes #8752
---
lib/vtls/gtls.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 9c3a68f0ac6b..0535011911d5 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data,
}
#ifdef USE_TLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
- rc = gnutls_srp_allocate_client_credentials(
- &backend->srp_client_cred);
+ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));

11
curl.spec
View File

@ -6,7 +6,7 @@
Name: curl
Version: 7.71.1
Release: 13
Release: 14
Summary: Curl is used in command lines or scripts to transfer data
License: MIT
URL: https://curl.haxx.se/
@ -39,6 +39,9 @@ Patch125: backport-CVE-2022-27776.patch
Patch126: backport-pre-CVE-2022-27774.patch
Patch127: backport-001-CVE-2022-27774.patch
Patch128: backport-002-CVE-2022-27774.patch
Patch129: backport-CVE-2022-27781.patch
Patch130: backport-pre-CVE-2022-27782.patch
Patch131: backport-CVE-2022-27782.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@ -180,6 +183,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_mandir}/man3/*
%changelog
* Tue May 17 2022 gaihuiying <eaglegai@163.com> - 7.71.1-14
- Type:cves
- CVE:CVE-2022-27781 CVE-2022-27782
- SUG:NA
- DESC:fix CVE-2022-27781 CVE-2022-27782
* Fri May 06 2022 gaihuiying <eaglegai@163.com> - 7.71.1-13
- Type:cves
- CVE:CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776