265 lines
12 KiB
Diff
265 lines
12 KiB
Diff
From 904c5168ce544ac5b7764130cf35765192ff7f73 Mon Sep 17 00:00:00 2001
|
|
From: <quanhongfei@huawei.com>
|
|
Date: Tue, 27 Jul 2021 11:06:54 +0800
|
|
Subject: [PATCH 2/2] fix CVE-2021-22924
|
|
|
|
---
|
|
lib/url.c | 7 ++++---
|
|
lib/urldata.h | 4 ++--
|
|
lib/vtls/gtls.c | 10 +++++-----
|
|
lib/vtls/nss.c | 4 ++--
|
|
lib/vtls/openssl.c | 18 +++++++++---------
|
|
lib/vtls/vtls.c | 24 +++++++++++++++++++-----
|
|
6 files changed, 41 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/lib/url.c b/lib/url.c
|
|
index 41029d6..205338b 100644
|
|
--- a/lib/url.c
|
|
+++ b/lib/url.c
|
|
@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
*/
|
|
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
|
|
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
|
|
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
|
|
+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
|
|
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
|
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
|
data->set.ssl.primary.cipher_list =
|
|
@@ -3625,8 +3627,9 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
data->set.proxy_ssl.primary.pinned_key =
|
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
|
|
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
|
|
+ data->set.proxy_ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
|
+ data->set.proxy_ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
|
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
|
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
|
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
|
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
|
@@ -3637,7 +3640,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
|
#endif
|
|
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
|
|
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
|
|
data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
|
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
|
|
data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
|
|
@@ -3655,7 +3657,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
|
|
data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
|
|
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
|
|
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
|
|
|
|
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
|
&conn->ssl_config)) {
|
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
index 6d8eb69..8fd9e26 100644
|
|
--- a/lib/urldata.h
|
|
+++ b/lib/urldata.h
|
|
@@ -223,6 +223,7 @@ struct ssl_primary_config {
|
|
long version_max; /* max supported version the client wants to use*/
|
|
char *CApath; /* certificate dir (doesn't work on windows) */
|
|
char *CAfile; /* certificate to verify peer against */
|
|
+ char *issuercert; /* optional issuer certificate filename */
|
|
char *clientcert;
|
|
char *random_file; /* path to file containing "random" data */
|
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
|
@@ -230,6 +231,7 @@ struct ssl_primary_config {
|
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
|
char *pinned_key;
|
|
struct curl_blob *cert_blob;
|
|
+ struct curl_blob *issuercert_blob;
|
|
BIT(verifypeer); /* set TRUE if this is desired */
|
|
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
|
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
|
@@ -240,8 +242,6 @@ struct ssl_config_data {
|
|
struct ssl_primary_config primary;
|
|
long certverifyresult; /* result from the certificate verification */
|
|
char *CRLfile; /* CRL to check certificate revocation */
|
|
- char *issuercert;/* optional issuer certificate filename */
|
|
- struct curl_blob *issuercert_blob;
|
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
|
void *fsslctxp; /* parameter for call back */
|
|
char *cert; /* client certificate file name */
|
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
|
index 9412814..4ea3d5e 100644
|
|
--- a/lib/vtls/gtls.c
|
|
+++ b/lib/vtls/gtls.c
|
|
@@ -852,7 +852,7 @@ gtls_connect_step3(struct connectdata *conn,
|
|
if(!chainp) {
|
|
if(SSL_CONN_CONFIG(verifypeer) ||
|
|
SSL_CONN_CONFIG(verifyhost) ||
|
|
- SSL_SET_OPTION(issuercert)) {
|
|
+ SSL_CONN_CONFIG(issuercert)) {
|
|
#ifdef USE_TLS_SRP
|
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
|
&& SSL_SET_OPTION(username) != NULL
|
|
@@ -1036,21 +1036,21 @@ gtls_connect_step3(struct connectdata *conn,
|
|
gnutls_x509_crt_t format */
|
|
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
|
|
|
|
- if(SSL_SET_OPTION(issuercert)) {
|
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
|
gnutls_x509_crt_init(&x509_issuer);
|
|
- issuerp = load_file(SSL_SET_OPTION(issuercert));
|
|
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
|
|
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
|
|
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
|
|
gnutls_x509_crt_deinit(x509_issuer);
|
|
unload_file(issuerp);
|
|
if(rc <= 0) {
|
|
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
|
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
|
gnutls_x509_crt_deinit(x509_cert);
|
|
return CURLE_SSL_ISSUER_ERROR;
|
|
}
|
|
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
|
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
|
}
|
|
|
|
size = sizeof(certname);
|
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
index fca2926..3db2fec 100644
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
|
if(result)
|
|
goto error;
|
|
|
|
- if(SSL_SET_OPTION(issuercert)) {
|
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
|
SECStatus ret = SECFailure;
|
|
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
|
|
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
|
|
if(nickname) {
|
|
/* we support only nicknames in case of issuercert for now */
|
|
ret = check_issuer_cert(backend->handle, nickname);
|
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
|
index 3208762..ffbc7a6 100644
|
|
--- a/lib/vtls/openssl.c
|
|
+++ b/lib/vtls/openssl.c
|
|
@@ -3870,10 +3870,10 @@ static CURLcode servercert(struct connectdata *conn,
|
|
deallocating the certificate. */
|
|
|
|
/* e.g. match issuer name with provided issuer certificate */
|
|
- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
|
|
- if(SSL_SET_OPTION(issuercert_blob))
|
|
- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
|
|
- (int)SSL_SET_OPTION(issuercert_blob)->len);
|
|
+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
|
|
+ if(SSL_CONN_CONFIG(issuercert_blob))
|
|
+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
|
|
+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
|
|
else {
|
|
fp = BIO_new(BIO_s_file());
|
|
if(fp == NULL) {
|
|
@@ -3887,10 +3887,10 @@ static CURLcode servercert(struct connectdata *conn,
|
|
return CURLE_OUT_OF_MEMORY;
|
|
}
|
|
|
|
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
|
|
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
|
|
if(strict)
|
|
failf(data, "SSL: Unable to open issuer cert (%s)",
|
|
- SSL_SET_OPTION(issuercert));
|
|
+ SSL_CONN_CONFIG(issuercert));
|
|
BIO_free(fp);
|
|
X509_free(backend->server_cert);
|
|
backend->server_cert = NULL;
|
|
@@ -3902,7 +3902,7 @@ static CURLcode servercert(struct connectdata *conn,
|
|
if(!issuer) {
|
|
if(strict)
|
|
failf(data, "SSL: Unable to read issuer cert (%s)",
|
|
- SSL_SET_OPTION(issuercert));
|
|
+ SSL_CONN_CONFIG(issuercert));
|
|
BIO_free(fp);
|
|
X509_free(issuer);
|
|
X509_free(backend->server_cert);
|
|
@@ -3913,7 +3913,7 @@ static CURLcode servercert(struct connectdata *conn,
|
|
if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
|
|
if(strict)
|
|
failf(data, "SSL: Certificate issuer check failed (%s)",
|
|
- SSL_SET_OPTION(issuercert));
|
|
+ SSL_CONN_CONFIG(issuercert));
|
|
BIO_free(fp);
|
|
X509_free(issuer);
|
|
X509_free(backend->server_cert);
|
|
@@ -3922,7 +3922,7 @@ static CURLcode servercert(struct connectdata *conn,
|
|
}
|
|
|
|
infof(data, " SSL certificate issuer check ok (%s)\n",
|
|
- SSL_SET_OPTION(issuercert));
|
|
+ SSL_CONN_CONFIG(issuercert));
|
|
BIO_free(fp);
|
|
X509_free(issuer);
|
|
}
|
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
index e50fdd2..3ad5b21 100644
|
|
--- a/lib/vtls/vtls.c
|
|
+++ b/lib/vtls/vtls.c
|
|
@@ -121,6 +121,15 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
|
return !memcmp(first->data, second->data, first->len); /* same data */
|
|
}
|
|
|
|
+static bool safecmp(char *a, char *b)
|
|
+{
|
|
+ if(a && b)
|
|
+ return !strcmp(a, b);
|
|
+ else if(!a && !b)
|
|
+ return TRUE; /* match */
|
|
+ return FALSE; /* no match */
|
|
+}
|
|
+
|
|
bool
|
|
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
struct ssl_primary_config *needle)
|
|
@@ -131,11 +140,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
(data->verifyhost == needle->verifyhost) &&
|
|
(data->verifystatus == needle->verifystatus) &&
|
|
blobcmp(data->cert_blob, needle->cert_blob) &&
|
|
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
|
|
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
|
|
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
|
|
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
|
|
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
|
|
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
|
+ safecmp(data->CApath, needle->CApath) &&
|
|
+ safecmp(data->CAfile, needle->CAfile) &&
|
|
+ safecmp(data->clientcert, needle->clientcert) &&
|
|
+ safecmp(data->random_file, needle->random_file) &&
|
|
+ safecmp(data->egdsocket, needle->egdsocket) &&
|
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
|
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
|
@@ -156,8 +166,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
|
dest->sessionid = source->sessionid;
|
|
|
|
CLONE_BLOB(cert_blob);
|
|
+ CLONE_BLOB(issuercert_blob);
|
|
CLONE_STRING(CApath);
|
|
CLONE_STRING(CAfile);
|
|
+ CLONE_STRING(issuercert);
|
|
CLONE_STRING(clientcert);
|
|
CLONE_STRING(random_file);
|
|
CLONE_STRING(egdsocket);
|
|
@@ -172,6 +184,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
|
{
|
|
Curl_safefree(sslc->CApath);
|
|
Curl_safefree(sslc->CAfile);
|
|
+ Curl_safefree(sslc->issuercert);
|
|
Curl_safefree(sslc->clientcert);
|
|
Curl_safefree(sslc->random_file);
|
|
Curl_safefree(sslc->egdsocket);
|
|
@@ -179,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
|
Curl_safefree(sslc->cipher_list13);
|
|
Curl_safefree(sslc->pinned_key);
|
|
Curl_safefree(sslc->cert_blob);
|
|
+ Curl_safefree(sslc->issuercert_blob);
|
|
}
|
|
|
|
#ifdef USE_SSL
|
|
--
|
|
2.27.0
|