import curl-7.76.1-19.el9

c9 imports/c9/curl-7.76.1-19.el9
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit 40b6246889

@ -0,0 +1 @@
d38ab79ef7a6d92df91ca8dfcf9a5eaf7e25b725 SOURCES/curl-7.76.1.tar.xz

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/curl-7.76.1.tar.xz

@ -0,0 +1,133 @@
From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 30 Apr 2021 18:14:45 +0200
Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Closes #6986
Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http2.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/lib/http2.c b/lib/http2.c
index ce9a0d3..d5ba89b 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
CURLU *u = curl_url();
CURLUcode uc;
char *url;
+ int rc = 0;
v = curl_pushheader_byname(hp, ":scheme");
if(v) {
uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
- if(uc)
- return 1;
+ if(uc) {
+ rc = 1;
+ goto fail;
+ }
}
v = curl_pushheader_byname(hp, ":authority");
if(v) {
uc = curl_url_set(u, CURLUPART_HOST, v, 0);
- if(uc)
- return 2;
+ if(uc) {
+ rc = 2;
+ goto fail;
+ }
}
v = curl_pushheader_byname(hp, ":path");
if(v) {
uc = curl_url_set(u, CURLUPART_PATH, v, 0);
- if(uc)
- return 3;
+ if(uc) {
+ rc = 3;
+ goto fail;
+ }
}
uc = curl_url_get(u, CURLUPART_URL, &url, 0);
if(uc)
- return 4;
+ rc = 4;
+ fail:
curl_url_cleanup(u);
+ if(rc)
+ return rc;
if(data->state.url_alloc)
free(data->state.url);
--
2.30.2
From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 30 Apr 2021 18:18:02 +0200
Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
Closes #6986
Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/http2.c b/lib/http2.c
index d5ba89b..d0f69ea 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
rv = set_transfer_url(newhandle, &heads);
if(rv) {
+ (void)Curl_close(&newhandle);
rv = CURL_PUSH_DENY;
goto fail;
}
--
2.30.2

@ -0,0 +1,31 @@
From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
From: Harry Sintonen <sintonen@iki.fi>
Date: Fri, 7 May 2021 13:09:57 +0200
Subject: [PATCH] telnet: check sscanf() for correct number of matches
CVE-2021-22898
Bug: https://curl.se/docs/CVE-2021-22898.html
Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/telnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/telnet.c b/lib/telnet.c
index f96a4cb..4551435 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
size_t tmplen = (strlen(v->data) + 1);
/* Add the variable only if it fits */
if(len + tmplen < (int)sizeof(temp)-6) {
- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
msnprintf((char *)&temp[len], sizeof(temp) - len,
"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
CURL_NEW_ENV_VALUE, varval);
--
2.31.1

File diff suppressed because it is too large Load Diff

@ -0,0 +1,44 @@
From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Fri, 23 Apr 2021 00:33:46 +0200
Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
Fixes the segfault in ldaps disconnect.
Reported-by: Illarion Taev
Fixes #6934
Closes #6937
Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/vtls.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 22cfb88..fa8a6fa 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
if(!result)
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
+ else
+ conn->ssl[sockindex].use = FALSE;
return result;
}
@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
/* mark this is being ssl requested from here on. */
conn->ssl[sockindex].use = TRUE;
result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
- if(!result && *done)
+ if(result)
+ conn->ssl[sockindex].use = FALSE;
+ else if(*done)
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
return result;
}
--
2.31.1

@ -0,0 +1,279 @@
From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 19 Jun 2021 00:42:28 +0200
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
sensitivity
CVE-2021-22924
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2021-22924.html
Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 10 ++++++----
lib/urldata.h | 4 ++--
lib/vtls/gtls.c | 10 +++++-----
lib/vtls/nss.c | 4 ++--
lib/vtls/openssl.c | 18 +++++++++---------
lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
6 files changed, 45 insertions(+), 27 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 9f2c9f2..bdcb095 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
*/
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
data->set.ssl.primary.cipher_list =
@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.proxy_ssl.primary.pinned_key =
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
+ data->set.proxy_ssl.primary.issuercert =
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.proxy_ssl.primary.issuercert_blob =
+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
#endif
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
data->set.ssl.key = data->set.str[STRING_KEY];
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
#endif
#endif
-
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
&conn->ssl_config)) {
diff --git a/lib/urldata.h b/lib/urldata.h
index 2bb7d81..7cf63d0 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -246,6 +246,7 @@ struct ssl_primary_config {
long version_max; /* max supported version the client wants to use*/
char *CApath; /* certificate dir (doesn't work on windows) */
char *CAfile; /* certificate to verify peer against */
+ char *issuercert; /* optional issuer certificate filename */
char *clientcert;
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
@@ -253,6 +254,7 @@ struct ssl_primary_config {
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
char *pinned_key;
struct curl_blob *cert_blob;
+ struct curl_blob *issuercert_blob;
char *curves; /* list of curves to use */
BIT(verifypeer); /* set TRUE if this is desired */
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
@@ -264,8 +266,6 @@ struct ssl_config_data {
struct ssl_primary_config primary;
long certverifyresult; /* result from the certificate verification */
char *CRLfile; /* CRL to check certificate revocation */
- char *issuercert;/* optional issuer certificate filename */
- struct curl_blob *issuercert_blob;
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
void *fsslctxp; /* parameter for call back */
char *cert_type; /* format for certificate (default: PEM)*/
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index ea54fe3..ccc5ce8 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
if(!chainp) {
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
- SSL_SET_OPTION(issuercert)) {
+ SSL_CONN_CONFIG(issuercert)) {
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
gnutls_x509_crt_t format */
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
- if(SSL_SET_OPTION(issuercert)) {
+ if(SSL_CONN_CONFIG(issuercert)) {
gnutls_x509_crt_init(&x509_issuer);
- issuerp = load_file(SSL_SET_OPTION(issuercert));
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
gnutls_x509_crt_deinit(x509_issuer);
unload_file(issuerp);
if(rc <= 0) {
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
gnutls_x509_crt_deinit(x509_cert);
return CURLE_SSL_ISSUER_ERROR;
}
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
}
size = sizeof(certname);
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ae3945c..b0b1e8c 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
if(result)
goto error;
- if(SSL_SET_OPTION(issuercert)) {
+ if(SSL_CONN_CONFIG(issuercert)) {
SECStatus ret = SECFailure;
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
if(nickname) {
/* we support only nicknames in case of issuercert for now */
ret = check_issuer_cert(backend->handle, nickname);
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2404393..be7b811 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
deallocating the certificate. */
/* e.g. match issuer name with provided issuer certificate */
- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
- if(SSL_SET_OPTION(issuercert_blob))
- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
- (int)SSL_SET_OPTION(issuercert_blob)->len);
+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
+ if(SSL_CONN_CONFIG(issuercert_blob))
+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
else {
fp = BIO_new(BIO_s_file());
if(fp == NULL) {
@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
return CURLE_OUT_OF_MEMORY;
}
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
if(strict)
failf(data, "SSL: Unable to open issuer cert (%s)",
- SSL_SET_OPTION(issuercert));
+ SSL_CONN_CONFIG(issuercert));
BIO_free(fp);
X509_free(backend->server_cert);
backend->server_cert = NULL;
@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
if(!issuer) {
if(strict)
failf(data, "SSL: Unable to read issuer cert (%s)",
- SSL_SET_OPTION(issuercert));
+ SSL_CONN_CONFIG(issuercert));
BIO_free(fp);
X509_free(issuer);
X509_free(backend->server_cert);
@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
if(strict)
failf(data, "SSL: Certificate issuer check failed (%s)",
- SSL_SET_OPTION(issuercert));
+ SSL_CONN_CONFIG(issuercert));
BIO_free(fp);
X509_free(issuer);
X509_free(backend->server_cert);
@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
}
infof(data, " SSL certificate issuer check ok (%s)\n",
- SSL_SET_OPTION(issuercert));
+ SSL_CONN_CONFIG(issuercert));
BIO_free(fp);
X509_free(issuer);
}
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index fa8a6fa..1aa6fc8 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
return !memcmp(first->data, second->data, first->len); /* same data */
}
+static bool safecmp(char *a, char *b)
+{
+ if(a && b)
+ return !strcmp(a, b);
+ else if(!a && !b)
+ return TRUE; /* match */
+ return FALSE; /* no match */
+}
+
+
bool
Curl_ssl_config_matches(struct ssl_primary_config *data,
struct ssl_primary_config *needle)
@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
(data->verifyhost == needle->verifyhost) &&
(data->verifystatus == needle->verifystatus) &&
blobcmp(data->cert_blob, needle->cert_blob) &&
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+ safecmp(data->CApath, needle->CApath) &&
+ safecmp(data->CAfile, needle->CAfile) &&
+ safecmp(data->issuercert, needle->issuercert) &&
+ safecmp(data->clientcert, needle->clientcert) &&
+ safecmp(data->random_file, needle->random_file) &&
+ safecmp(data->egdsocket, needle->egdsocket) &&
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
Curl_safe_strcasecompare(data->curves, needle->curves) &&
@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
dest->sessionid = source->sessionid;
CLONE_BLOB(cert_blob);
+ CLONE_BLOB(issuercert_blob);
CLONE_STRING(CApath);
CLONE_STRING(CAfile);
+ CLONE_STRING(issuercert);
CLONE_STRING(clientcert);
CLONE_STRING(random_file);
CLONE_STRING(egdsocket);
@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
{
Curl_safefree(sslc->CApath);
Curl_safefree(sslc->CAfile);
+ Curl_safefree(sslc->issuercert);
Curl_safefree(sslc->clientcert);
Curl_safefree(sslc->random_file);
Curl_safefree(sslc->egdsocket);
@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
Curl_safefree(sslc->cipher_list13);
Curl_safefree(sslc->pinned_key);
Curl_safefree(sslc->cert_blob);
+ Curl_safefree(sslc->issuercert_blob);
Curl_safefree(sslc->curves);
}
--
2.31.1

@ -0,0 +1,47 @@
From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 12 Jun 2021 18:25:15 +0200
Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
CVE-2021-22925
Reported-by: Red Hat Product Security
Bug: https://curl.se/docs/CVE-2021-22925.html
Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/telnet.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/telnet.c b/lib/telnet.c
index fdd137f..567c22c 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
size_t tmplen = (strlen(v->data) + 1);
/* Add the variable only if it fits */
if(len + tmplen < (int)sizeof(temp)-6) {
- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
- msnprintf((char *)&temp[len], sizeof(temp) - len,
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
- CURL_NEW_ENV_VALUE, varval);
- len += tmplen;
- }
+ int rv;
+ char sep[2] = "";
+ varval[0] = 0;
+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
+ if(rv == 1)
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s", CURL_NEW_ENV_VAR, varname);
+ else if(rv >= 2)
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
}
}
msnprintf((char *)&temp[len], sizeof(temp) - len,
--
2.31.1

@ -0,0 +1,33 @@
From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
From: z2_ on hackerone <>
Date: Tue, 24 Aug 2021 09:50:33 +0200
Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
CVE-2021-22945
Bug: https://curl.se/docs/CVE-2021-22945.html
Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/mqtt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/mqtt.c b/lib/mqtt.c
index d88fa73..f3fc045 100644
--- a/lib/mqtt.c
+++ b/lib/mqtt.c
@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
mq->sendleftovers = sendleftovers;
mq->nsend = nsend;
}
+ else {
+ mq->sendleftovers = NULL;
+ mq->nsend = 0;
+ }
return result;
}
--
2.31.1

@ -0,0 +1,331 @@
From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Wed, 8 Sep 2021 11:56:22 +0200
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
In imap and pop3, check if TLS is required even when capabilities
request has failed.
In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ftp.c | 9 ++++---
lib/imap.c | 24 ++++++++----------
lib/pop3.c | 33 +++++++++++-------------
tests/data/Makefile.inc | 2 ++
tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
7 files changed, 195 insertions(+), 36 deletions(-)
create mode 100644 tests/data/test984
create mode 100644 tests/data/test985
create mode 100644 tests/data/test986
diff --git a/lib/ftp.c b/lib/ftp.c
index 5ef1e2e..71f998e 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
/* we have now received a full FTP server response */
switch(ftpc->state) {
case FTP_WAIT220:
- if(ftpcode == 230)
- /* 230 User logged in - already! */
- return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ if(ftpcode == 230) {
+ /* 230 User logged in - already! Take as 220 if TLS required. */
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
+ conn->bits.ftp_use_control_ssl)
+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ }
else if(ftpcode != 220) {
failf(data, "Got a %03d ftp-server response when 220 was expected",
ftpcode);
diff --git a/lib/imap.c b/lib/imap.c
index e50d7fd..feb7445 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
line += wordlen;
}
}
- else if(imapcode == IMAP_RESP_OK) {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(imapc->tls_supported)
- /* Switch to TLS connection now */
- result = imap_perform_starttls(data, conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = imap_perform_authentication(data, conn);
- else {
- failf(data, "STARTTLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+ /* PREAUTH is not compatible with STARTTLS. */
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+ /* Switch to TLS connection now */
+ result = imap_perform_starttls(data, conn);
}
- else
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
result = imap_perform_authentication(data, conn);
+ else {
+ failf(data, "STARTTLS not available.");
+ result = CURLE_USE_SSL_FAILED;
+ }
}
else
result = imap_perform_authentication(data, conn);
diff --git a/lib/pop3.c b/lib/pop3.c
index 6168b12..7698d1c 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
}
}
}
- else if(pop3code == '+') {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(pop3c->tls_supported)
- /* Switch to TLS connection now */
- result = pop3_perform_starttls(data, conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = pop3_perform_authentication(data, conn);
- else {
- failf(data, "STLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
- }
- else
- result = pop3_perform_authentication(data, conn);
- }
else {
/* Clear text is supported when CAPA isn't recognised */
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ if(pop3code != '+')
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- result = pop3_perform_authentication(data, conn);
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+ result = pop3_perform_authentication(data, conn);
+ else if(pop3code == '+' && pop3c->tls_supported)
+ /* Switch to TLS connection now */
+ result = pop3_perform_starttls(data, conn);
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
+ /* Fallback and carry on with authentication */
+ result = pop3_perform_authentication(data, conn);
+ else {
+ failf(data, "STLS not supported.");
+ result = CURLE_USE_SSL_FAILED;
+ }
}
return result;
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index d083baf..163ce59 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
\
+test984 test985 test986 \
+\
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
diff --git a/tests/data/test984 b/tests/data/test984
new file mode 100644
index 0000000..e573f23
--- /dev/null
+++ b/tests/data/test984
@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPABILITY A001 BAD Not implemented
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP require STARTTLS with failing capabilities
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+A001 CAPABILITY
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test985 b/tests/data/test985
new file mode 100644
index 0000000..d0db4aa
--- /dev/null
+++ b/tests/data/test985
@@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPA -ERR Not implemented
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 require STARTTLS with failing capabilities
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+CAPA
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test986 b/tests/data/test986
new file mode 100644
index 0000000..a709437
--- /dev/null
+++ b/tests/data/test986
@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY welcome 230 Welcome
+REPLY AUTH 500 unknown command
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP require STARTTLS while preauthenticated
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+ to
+ see
+that FTPS
+works
+ so does it?
+</file>
+ <command>
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+AUTH SSL
+AUTH TLS
+</protocol>
+</verify>
+</testcase>
--
2.31.1

@ -0,0 +1,354 @@
From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Tue, 7 Sep 2021 13:26:42 +0200
Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
pipelining
If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.
This fix detects pipelined STARTTLS responses and rejects them with an
error.
CVE-2021-22947
Bug: https://curl.se/docs/CVE-2021-22947.html
Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ftp.c | 3 +++
lib/imap.c | 4 +++
lib/pop3.c | 4 +++
lib/smtp.c | 4 +++
tests/data/Makefile.inc | 2 +-
tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
9 files changed, 236 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test980
create mode 100644 tests/data/test981
create mode 100644 tests/data/test982
create mode 100644 tests/data/test983
diff --git a/lib/ftp.c b/lib/ftp.c
index 71f998e..e920138 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
case FTP_AUTH:
/* we have gotten the response to a previous AUTH command */
+ if(pp->cache_size)
+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
+
/* RFC2228 (page 5) says:
*
* If the server is willing to accept the named security mechanism,
diff --git a/lib/imap.c b/lib/imap.c
index feb7445..09bc5d6 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
(void)instate; /* no use for this yet */
+ /* Pipelining in response is forbidden. */
+ if(data->conn->proto.imapc.pp.cache_size)
+ return CURLE_WEIRD_SERVER_REPLY;
+
if(imapcode != IMAP_RESP_OK) {
if(data->set.use_ssl != CURLUSESSL_TRY) {
failf(data, "STARTTLS denied");
diff --git a/lib/pop3.c b/lib/pop3.c
index 7698d1c..dccfced 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
CURLcode result = CURLE_OK;
(void)instate; /* no use for this yet */
+ /* Pipelining in response is forbidden. */
+ if(data->conn->proto.pop3c.pp.cache_size)
+ return CURLE_WEIRD_SERVER_REPLY;
+
if(pop3code != '+') {
if(data->set.use_ssl != CURLUSESSL_TRY) {
failf(data, "STARTTLS denied");
diff --git a/lib/smtp.c b/lib/smtp.c
index 1defb25..1f89777 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
CURLcode result = CURLE_OK;
(void)instate; /* no use for this yet */
+ /* Pipelining in response is forbidden. */
+ if(data->conn->proto.smtpc.pp.cache_size)
+ return CURLE_WEIRD_SERVER_REPLY;
+
if(smtpcode != 220) {
if(data->set.use_ssl != CURLUSESSL_TRY) {
failf(data, "STARTTLS denied, code %d", smtpcode);
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 163ce59..42b0569 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
\
-test984 test985 test986 \
+test980 test981 test982 test983 test984 test985 test986 \
\
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
diff --git a/tests/data/test980 b/tests/data/test980
new file mode 100644
index 0000000..97567f8
--- /dev/null
+++ b/tests/data/test980
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STARTTLS
+AUTH PLAIN
+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
+REPLY AUTH 535 5.7.8 Authentication credentials invalid
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+smtp
+</server>
+ <name>
+SMTP STARTTLS pipelined server response
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+EHLO %TESTNUMBER
+STARTTLS
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test981 b/tests/data/test981
new file mode 100644
index 0000000..2b98ce4
--- /dev/null
+++ b/tests/data/test981
@@ -0,0 +1,59 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STARTTLS
+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
+REPLY LOGIN A003 BAD Authentication credentials invalid
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP STARTTLS pipelined server response
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+A001 CAPABILITY
+A002 STARTTLS
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test982 b/tests/data/test982
new file mode 100644
index 0000000..9e07cc0
--- /dev/null
+++ b/tests/data/test982
@@ -0,0 +1,57 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STLS USER
+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
+REPLY PASS -ERR Authentication credentials invalid
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 STARTTLS pipelined server response
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+CAPA
+STLS
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test983 b/tests/data/test983
new file mode 100644
index 0000000..300ec45
--- /dev/null
+++ b/tests/data/test983
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
+REPLY PASS 530 Login incorrect
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP STARTTLS pipelined server response
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+ to
+ see
+that FTPS
+works
+ so does it?
+</file>
+ <command>
+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+AUTH SSL
+</protocol>
+</verify>
+</testcase>
--
2.31.1

@ -0,0 +1,148 @@
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Mon, 25 Apr 2022 11:44:05 +0200
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.
Bug: https://curl.se/docs/CVE-2022-22576.html
CVE-2022-22576
Closes #8746
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/strcase.c | 10 ++++++++++
lib/strcase.h | 2 ++
lib/url.c | 13 ++++++++++++-
lib/urldata.h | 1 +
lib/vtls/vtls.c | 21 ++++++---------------
5 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/lib/strcase.c b/lib/strcase.c
index dd46ca1..692a3f1 100644
--- a/lib/strcase.c
+++ b/lib/strcase.c
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
} while(*src++ && --n);
}
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
+ * null pointers. Return true if arguments match.
+ */
+bool Curl_safecmp(char *a, char *b)
+{
+ if(a && b)
+ return !strcmp(a, b);
+ return !a && !b;
+}
+
/* --- public functions --- */
int curl_strequal(const char *first, const char *second)
diff --git a/lib/strcase.h b/lib/strcase.h
index b628656..382b80a 100644
--- a/lib/strcase.h
+++ b/lib/strcase.h
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
void Curl_strntoupper(char *dest, const char *src, size_t n);
void Curl_strntolower(char *dest, const char *src, size_t n);
+bool Curl_safecmp(char *a, char *b);
+
#endif /* HEADER_CURL_STRCASE_H */
diff --git a/lib/url.c b/lib/url.c
index adef2cd..94e3406 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
Curl_safefree(conn->passwd);
Curl_safefree(conn->sasl_authzid);
Curl_safefree(conn->options);
+ Curl_safefree(conn->oauth_bearer);
Curl_dyn_free(&conn->trailer);
Curl_safefree(conn->host.rawalloc); /* host name buffer */
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
/* This protocol requires credentials per connection,
so verify that we're using the same name and password as well */
if(strcmp(needle->user, check->user) ||
- strcmp(needle->passwd, check->passwd)) {
+ strcmp(needle->passwd, check->passwd) ||
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
/* one of them was different */
continue;
}
@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
}
}
+ if(data->set.str[STRING_BEARER]) {
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
+ if(!conn->oauth_bearer) {
+ result = CURLE_OUT_OF_MEMORY;
+ goto out;
+ }
+ }
+
#ifdef USE_UNIX_SOCKETS
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
diff --git a/lib/urldata.h b/lib/urldata.h
index cc8a600..03da59a 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -991,6 +991,7 @@ struct connectdata {
char *passwd; /* password string, allocated */
char *options; /* options string, allocated */
char *sasl_authzid; /* authorisation identity string, allocated */
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
unsigned char httpversion; /* the HTTP version*10 reported by the server */
struct curltime now; /* "current" time */
struct curltime created; /* creation time */
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 03b85ba..a40ac06 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
return !memcmp(first->data, second->data, first->len); /* same data */
}
-static bool safecmp(char *a, char *b)
-{
- if(a && b)
- return !strcmp(a, b);
- else if(!a && !b)
- return TRUE; /* match */
- return FALSE; /* no match */
-}
-
bool
Curl_ssl_config_matches(struct ssl_primary_config *data,
@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
(data->verifystatus == needle->verifystatus) &&
blobcmp(data->cert_blob, needle->cert_blob) &&
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
- safecmp(data->CApath, needle->CApath) &&
- safecmp(data->CAfile, needle->CAfile) &&
- safecmp(data->issuercert, needle->issuercert) &&
- safecmp(data->clientcert, needle->clientcert) &&
- safecmp(data->random_file, needle->random_file) &&
- safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safecmp(data->CApath, needle->CApath) &&
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
+ Curl_safecmp(data->random_file, needle->random_file) &&
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
Curl_safe_strcasecompare(data->curves, needle->curves) &&
--
2.34.1

@ -0,0 +1,40 @@
From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 11:48:00 +0200
Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
Make connections to two separate IPv6 zone ids create separate
connections.
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27775.html
Closes #8747
Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/conncache.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/conncache.c b/lib/conncache.c
index cd5756a..9b9f683 100644
--- a/lib/conncache.c
+++ b/lib/conncache.c
@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf,
/* report back which name we used */
*hostp = hostname;
- /* put the number first so that the hostname gets cut off if too long */
- msnprintf(buf, len, "%ld%s", port, hostname);
+ /* put the numbers first so that the hostname gets cut off if too long */
+#ifdef ENABLE_IPV6
+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
+#else
+ msnprintf(buf, len, "%ld/%s", port, hostname);
+#endif
}
/* Returns number of connections currently held in the connection cache.
--
2.34.1

@ -0,0 +1,243 @@
From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 13:05:40 +0200
Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
CVE-2022-27776
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27776.html
Closes #8749
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http.c | 33 +++++++++++++++++++++------------
lib/urldata.h | 16 +++++++++-------
2 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 799d4fb..0791dcf 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
return CURLE_OK;
}
+/*
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+ * data" can (still) be sent to this host.
+ */
+static bool allow_auth_to_host(struct Curl_easy *data)
+{
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+ data->set.allow_auth_to_other_hosts ||
+ (data->state.first_host &&
+ strcasecompare(data->state.first_host, conn->host.name) &&
+ (data->state.first_remote_port == conn->remote_port) &&
+ (data->state.first_remote_protocol == conn->handler->protocol)));
+}
+
/**
* Curl_http_output_auth() setups the authentication headers for the
* host/proxy and the correct authentication
@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data,
with it */
authproxy->done = TRUE;
- /* To prevent the user+password to get sent to other than the original
- host due to a location-follow, we do some weirdo checks here */
- if(!data->state.this_is_a_follow ||
- conn->bits.netrc ||
- !data->state.first_host ||
- data->set.allow_auth_to_other_hosts ||
- strcasecompare(data->state.first_host, conn->host.name)) {
+ /* To prevent the user+password to get sent to other than the original host
+ due to a location-follow */
+ if(allow_auth_to_host(data)
+ || conn->bits.netrc)
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
- }
else
authhost->done = TRUE;
@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
checkprefix("Cookie:", compare)) &&
/* be careful of sending this potentially sensitive header to
other hosts */
- (data->state.this_is_a_follow &&
- data->state.first_host &&
- !data->set.allow_auth_to_other_hosts &&
- !strcasecompare(data->state.first_host, conn->host.name)))
+ !allow_auth_to_host(data))
;
else {
#ifdef USE_HYPER
@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
return CURLE_OUT_OF_MEMORY;
data->state.first_remote_port = conn->remote_port;
+ data->state.first_remote_protocol = conn->handler->protocol;
}
Curl_safefree(data->state.aptr.host);
diff --git a/lib/urldata.h b/lib/urldata.h
index 03da59a..f92052a 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1336,14 +1336,16 @@ struct UrlState {
char *ulbuf; /* allocated upload buffer or NULL */
curl_off_t current_speed; /* the ProgressShow() function sets this,
bytes / second */
- char *first_host; /* host name of the first (not followed) request.
- if set, this should be the host name that we will
- sent authorization to, no else. Used to make Location:
- following not keep sending user+password... This is
- strdup() data.
- */
+
+ /* host name, port number and protocol of the first (not followed) request.
+ if set, this should be the host name that we will sent authorization to,
+ no else. Used to make Location: following not keep sending user+password.
+ This is strdup()ed data. */
+ char *first_host;
+ int first_remote_port;
+ unsigned int first_remote_protocol;
+
int retrycount; /* number of retries on a new connection */
- int first_remote_port; /* remote port of the first (not followed) request */
struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
long sessionage; /* number of the most recent session */
struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
--
2.34.1
From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 13:05:47 +0200
Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
Do not pass on Authorization headers on redirects to another port
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 2 +-
tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test898
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 59d46bc..7ae2cf8 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
test863 test864 test865 test866 test867 test868 test869 test870 test871 \
test872 test873 test874 test875 test876 test877 test878 test879 test880 \
test881 test882 test883 test884 test885 test886 test887 test888 test889 \
-test890 test891 test892 test893 test894 test895 test896 \
+test890 test891 test892 test893 test894 test895 test896 test898 \
\
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
diff --git a/tests/data/test898 b/tests/data/test898
new file mode 100644
index 0000000..5cbb7d8
--- /dev/null
+++ b/tests/data/test898
@@ -0,0 +1,90 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location
+Authorization
+Cookie
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with custom auth and cookies redirected to HTTP on a diff port
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: Basic am9lOnNlY3JldA==
+Cookie: userpwd=am9lOnNlY3JldA==
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
--
2.34.1

@ -0,0 +1,635 @@
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
To make it available after the connection ended.
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/connect.c | 1 +
lib/urldata.h | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/connect.c b/lib/connect.c
index 64f9511..7518807 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
data->info.conn_scheme = conn->handler->scheme;
data->info.conn_protocol = conn->handler->protocol;
data->info.conn_primary_port = conn->port;
+ data->info.conn_remote_port = conn->remote_port;
data->info.conn_local_port = local_port;
}
diff --git a/lib/urldata.h b/lib/urldata.h
index f92052a..5218f76 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1167,7 +1167,11 @@ struct PureInfo {
reused, in the connection cache. */
char conn_primary_ip[MAX_IPADR_LEN];
- int conn_primary_port;
+ int conn_primary_port; /* this is the destination port to the connection,
+ which might have been a proxy */
+ int conn_remote_port; /* this is the "remote port", which is the port
+ number of the used URL, independent of proxy or
+ not */
char conn_local_ip[MAX_IPADR_LEN];
int conn_local_port;
const char *conn_scheme;
--
2.34.1
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
auth
... unless explicitly permitted.
Bug: https://curl.se/docs/CVE-2022-27774.html
Reported-by: Harry Sintonen
Closes #8748
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/lib/transfer.c b/lib/transfer.c
index 1f8019b..752fe14 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
return CURLE_OUT_OF_MEMORY;
}
else {
-
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
if(uc)
return Curl_uc_to_curlcode(uc);
+
+ /* Clear auth if this redirects to a different port number or protocol,
+ unless permitted */
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
+ char *portnum;
+ int port;
+ bool clear = FALSE;
+
+ if(data->set.use_port && data->state.allow_port)
+ /* a custom port is used */
+ port = (int)data->set.use_port;
+ else {
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
+ CURLU_DEFAULT_PORT);
+ if(uc) {
+ free(newurl);
+ return Curl_uc_to_curlcode(uc);
+ }
+ port = atoi(portnum);
+ free(portnum);
+ }
+ if(port != data->info.conn_remote_port) {
+ infof(data, "Clear auth, redirects to port from %u to %u",
+ data->info.conn_remote_port, port);
+ clear = TRUE;
+ }
+ else {
+ char *scheme;
+ const struct Curl_handler *p;
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
+ if(uc) {
+ free(newurl);
+ return Curl_uc_to_curlcode(uc);
+ }
+
+ p = Curl_builtin_scheme(scheme);
+ if(p && (p->protocol != data->info.conn_protocol)) {
+ infof(data, "Clear auth, redirects scheme from %s to %s",
+ data->info.conn_scheme, scheme);
+ clear = TRUE;
+ }
+ free(scheme);
+ }
+ if(clear) {
+ Curl_safefree(data->state.aptr.user);
+ Curl_safefree(data->state.aptr.passwd);
+ }
+ }
}
if(type == FOLLOW_FAKE) {
--
2.34.1
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
- Test 973 redirects from HTTP to FTP, clear auth
- Test 974 redirects from HTTP to HTTP different port, clear auth
- Test 975 redirects from HTTP to FTP, permitted to keep auth
- Test 976 redirects from HTTP to HTTP different port, permitted to keep
auth
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 1 +
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 352 insertions(+)
create mode 100644 tests/data/test973
create mode 100644 tests/data/test974
create mode 100644 tests/data/test975
create mode 100644 tests/data/test976
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 7ae2cf8..175fc43 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+test973 test974 test975 test976 \
\
test980 test981 test982 test983 test984 test985 test986 \
\
diff --git a/tests/data/test973 b/tests/data/test973
new file mode 100644
index 0000000..6ced107
--- /dev/null
+++ b/tests/data/test973
@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+FTP
+--location
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+data
+ to
+ see
+that FTP
+works
+ so does it?
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+data
+ to
+ see
+that FTP
+works
+ so does it?
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+ftp
+</server>
+ <name>
+HTTP with auth redirected to FTP w/o auth
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD a
+CWD path
+EPSV
+TYPE I
+SIZE %TESTNUMBER0002
+RETR %TESTNUMBER0002
+QUIT
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test974 b/tests/data/test974
new file mode 100644
index 0000000..ac4e641
--- /dev/null
+++ b/tests/data/test974
@@ -0,0 +1,87 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with auth redirected to HTTP on a diff port w/o auth
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test975 b/tests/data/test975
new file mode 100644
index 0000000..85e03e4
--- /dev/null
+++ b/tests/data/test975
@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+FTP
+--location-trusted
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+data
+ to
+ see
+that FTP
+works
+ so does it?
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+data
+ to
+ see
+that FTP
+works
+ so does it?
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+ftp
+</server>
+ <name>
+HTTP with auth redirected to FTP allowing auth to continue
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+
+USER joe
+PASS secret
+PWD
+CWD a
+CWD path
+EPSV
+TYPE I
+SIZE %TESTNUMBER0002
+RETR %TESTNUMBER0002
+QUIT
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test976 b/tests/data/test976
new file mode 100644
index 0000000..c4dd61e
--- /dev/null
+++ b/tests/data/test976
@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location-trusted
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with auth redirected to HTTP on a diff port --location-trusted
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
--
2.34.1
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 17:59:15 +0200
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
either
Follow-up to 620ea21410030
Reported-by: Harry Sintonen
Closes #8751
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http.c | 10 +++++-----
lib/http.h | 6 ++++++
lib/vtls/openssl.c | 3 ++-
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 0791dcf..4433824 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
}
/*
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
*/
-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
{
struct connectdata *conn = data->conn;
return (!data->state.this_is_a_follow ||
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
/* To prevent the user+password to get sent to other than the original host
due to a location-follow */
- if(allow_auth_to_host(data)
+ if(Curl_allow_auth_to_host(data)
|| conn->bits.netrc)
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
else
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
checkprefix("Cookie:", compare)) &&
/* be careful of sending this potentially sensitive header to
other hosts */
- !allow_auth_to_host(data))
+ !Curl_allow_auth_to_host(data))
;
else {
#ifdef USE_HYPER
diff --git a/lib/http.h b/lib/http.h
index 07e963d..9000bae 100644
--- a/lib/http.h
+++ b/lib/http.h
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
bool proxytunnel); /* TRUE if this is the request setting
up the proxy tunnel */
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
#endif /* HEADER_CURL_HTTP_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1bafe96..97c5666 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
#endif
#ifdef USE_OPENSSL_SRP
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
char * const ssl_username = SSL_SET_OPTION(username);
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
--
2.34.1

@ -0,0 +1,461 @@
From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 28 Jan 2022 16:48:38 +0100
Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
Closes #8350
Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/setopt.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
index 08827d1..9eaa187 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
+#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
va_arg(param, char *));
-#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
!data->set.proxy_ssl.authtype)
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-#endif
break;
+#endif
case CURLOPT_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
va_arg(param, char *));
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
+#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
va_arg(param, char *));
-#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
!data->set.proxy_ssl.authtype)
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-#endif
break;
+#endif
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
--
2.34.1
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/setopt.c | 29 +++++++++++++++++------------
lib/url.c | 23 ++++++++++++++++-------
lib/urldata.h | 13 +++++++------
lib/vtls/openssl.c | 10 +++++-----
lib/vtls/vtls.c | 21 +++++++++++++++++++++
5 files changed, 66 insertions(+), 30 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
index 8e1bf12..7aa6fdb 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
case CURLOPT_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.proxy_ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
case CURLOPT_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
va_arg(param, char *));
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
+ SRP */
break;
#endif
case CURLOPT_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
va_arg(param, char *));
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
#endif
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#endif
#endif
diff --git a/lib/url.c b/lib/url.c
index 94e3406..5ebf5e2 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
set->ssl.primary.verifypeer = TRUE;
set->ssl.primary.verifyhost = TRUE;
#ifdef USE_TLS_SRP
- set->ssl.authtype = CURL_TLSAUTH_NONE;
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
#endif
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
type */
@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#ifndef CURL_DISABLE_PROXY
conn->proxy_ssl_config.verifystatus =
data->set.proxy_ssl.primary.verifystatus;
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#endif
conn->ip_version = data->set.ipver;
conn->bits.connect_only = data->set.connect_only;
@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.primary.issuercert_blob =
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+ data->set.proxy_ssl.primary.CRLfile =
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
#endif
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
data->set.ssl.key = data->set.str[STRING_KEY];
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
#ifdef USE_TLS_SRP
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
#ifndef CURL_DISABLE_PROXY
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ data->set.proxy_ssl.primary.username =
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+ data->set.proxy_ssl.primary.password =
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
#endif
#endif
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
diff --git a/lib/urldata.h b/lib/urldata.h
index 5218f76..e006495 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -253,9 +253,16 @@ struct ssl_primary_config {
char *cipher_list; /* list of ciphers to use */
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
char *pinned_key;
+ char *CRLfile; /* CRL to check certificate revocation */
struct curl_blob *cert_blob;
struct curl_blob *issuercert_blob;
+#ifdef USE_TLS_SRP
+ char *username; /* TLS username (for, e.g., SRP) */
+ char *password; /* TLS password (for, e.g., SRP) */
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+#endif
char *curves; /* list of curves to use */
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
BIT(verifypeer); /* set TRUE if this is desired */
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
BIT(verifystatus); /* set TRUE if certificate status must be checked */
@@ -265,7 +272,6 @@ struct ssl_primary_config {
struct ssl_config_data {
struct ssl_primary_config primary;
long certverifyresult; /* result from the certificate verification */
- char *CRLfile; /* CRL to check certificate revocation */
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
void *fsslctxp; /* parameter for call back */
char *cert_type; /* format for certificate (default: PEM)*/
@@ -273,11 +279,6 @@ struct ssl_config_data {
struct curl_blob *key_blob;
char *key_type; /* format for private key (default: PEM) */
char *key_passwd; /* plain text private key password */
-#ifdef USE_TLS_SRP
- char *username; /* TLS username (for, e.g., SRP) */
- char *password; /* TLS password (for, e.g., SRP) */
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-#endif
BIT(certinfo); /* gather lots of certificate info */
BIT(falsestart);
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 97c5666..a4ef9d1 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef USE_OPENSSL_SRP
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
char error_buffer[256];
struct ssl_backend_data *backend = connssl->backend;
bool imported_native_ca = false;
@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
#ifdef USE_OPENSSL_SRP
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
Curl_allow_auth_to_host(data)) {
- char * const ssl_username = SSL_SET_OPTION(username);
-
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
failf(data, "Unable to set SRP user name");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
failf(data, "failed setting SRP password");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index a40ac06..e2d3438 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
{
if((data->version == needle->version) &&
(data->version_max == needle->version_max) &&
+ (data->ssl_options == needle->ssl_options) &&
(data->verifypeer == needle->verifypeer) &&
(data->verifyhost == needle->verifyhost) &&
(data->verifystatus == needle->verifystatus) &&
@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
Curl_safecmp(data->clientcert, needle->clientcert) &&
Curl_safecmp(data->random_file, needle->random_file) &&
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+#ifdef USE_TLS_SRP
+ Curl_safecmp(data->username, needle->username) &&
+ Curl_safecmp(data->password, needle->password) &&
+ (data->authtype == needle->authtype) &&
+#endif
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
Curl_safe_strcasecompare(data->curves, needle->curves) &&
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
return TRUE;
@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
dest->verifyhost = source->verifyhost;
dest->verifystatus = source->verifystatus;
dest->sessionid = source->sessionid;
+ dest->ssl_options = source->ssl_options;
+#ifdef USE_TLS_SRP
+ dest->authtype = source->authtype;
+#endif
CLONE_BLOB(cert_blob);
CLONE_BLOB(issuercert_blob);
@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
CLONE_STRING(cipher_list13);
CLONE_STRING(pinned_key);
CLONE_STRING(curves);
+ CLONE_STRING(CRLfile);
+#ifdef USE_TLS_SRP
+ CLONE_STRING(username);
+ CLONE_STRING(password);
+#endif
return TRUE;
}
@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
Curl_safefree(sslc->cert_blob);
Curl_safefree(sslc->issuercert_blob);
Curl_safefree(sslc->curves);
+ Curl_safefree(sslc->CRLfile);
+#ifdef USE_TLS_SRP
+ Curl_safefree(sslc->username);
+ Curl_safefree(sslc->password);
+#endif
}
#ifdef USE_SSL
--
2.34.1
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 11 +++++++++++
lib/vssh/ssh.h | 6 +++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 5ebf5e2..c713e54 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
}
}
+static bool ssh_config_matches(struct connectdata *one,
+ struct connectdata *two)
+{
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+}
/*
* Given one filled in connection struct (named needle), this function should
* detect if there already is one that has all the significant details
@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
}
}
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+
if((needle->handler->flags&PROTOPT_SSL)
#ifndef CURL_DISABLE_PROXY
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
index 7972081..30d82e5 100644
--- a/lib/vssh/ssh.h
+++ b/lib/vssh/ssh.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -131,8 +131,8 @@ struct ssh_conn {
/* common */
const char *passphrase; /* pass-phrase to use */
- char *rsa_pub; /* path name */
- char *rsa; /* path name */
+ char *rsa_pub; /* strdup'ed public key file */
+ char *rsa; /* strdup'ed private key file */
bool authed; /* the connection has been authenticated fine */
bool acceptfail; /* used by the SFTP_QUOTE (continue if
quote command fails) */
--
2.34.1

@ -0,0 +1,101 @@
From 85a8c0e9992cee271145ecf009f60b9bee9b7a60 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 15 Sep 2021 09:59:14 +0200
Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1
... by not using options with no argument where an argument is required:
=== Start of file tests/log/ssh_server.log
curl_sshd_config line 6: no argument after keyword "DenyGroups"
curl_sshd_config line 7: no argument after keyword "AllowGroups"
curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
curl_sshd_config line 40: Deprecated option RSAAuthentication
curl_sshd_config line 41: Deprecated option ServerKeyBits
curl_sshd_config line 45: Deprecated option UseLogin
curl_sshd_config line 56: no argument after keyword "AcceptEnv"
curl_sshd_config: terminating, 3 bad configuration options
=== End of file tests/log/ssh_server.log
=== Start of file log/sftp_server.log
curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
curl_sftp_config line 34: Unsupported option "rsaauthentication"
curl_sftp_config line 52: no argument after keyword "sendenv"
curl_sftp_config: terminating, 1 bad configuration options
Connection closed.
Connection closed
=== End of file log/sftp_server.log
Closes #7724
Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/sshserver.pl | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/tests/sshserver.pl b/tests/sshserver.pl
index 9441939..2afaace 100644
--- a/tests/sshserver.pl
+++ b/tests/sshserver.pl
@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) {
# ssh daemon configuration file options we might use and version support
#
# AFSTokenPassing : OpenSSH 1.2.1 and later [1]
-# AcceptEnv : OpenSSH 3.9.0 and later
# AddressFamily : OpenSSH 4.0.0 and later
-# AllowGroups : OpenSSH 1.2.1 and later
# AllowTcpForwarding : OpenSSH 2.3.0 and later
# AllowUsers : OpenSSH 1.2.1 and later
# AuthorizedKeysFile : OpenSSH 2.9.9 and later
@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
# ClientAliveCountMax : OpenSSH 2.9.0 and later
# ClientAliveInterval : OpenSSH 2.9.0 and later
# Compression : OpenSSH 3.3.0 and later
-# DenyGroups : OpenSSH 1.2.1 and later
# DenyUsers : OpenSSH 1.2.1 and later
# ForceCommand : OpenSSH 4.4.0 and later [3]
# GatewayPorts : OpenSSH 2.1.0 and later
@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
push @cfgarr, "AllowUsers $username";
}
-push @cfgarr, 'DenyGroups';
-push @cfgarr, 'AllowGroups';
-push @cfgarr, '#';
push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
push @cfgarr, "HostKey $hstprvkeyf_config";
@@ -684,9 +678,6 @@ push @cfgarr, '#';
#***************************************************************************
# Options that might be supported or not in sshd OpenSSH 2.9.9 and later
#
-if(sshd_supports_opt('AcceptEnv','')) {
- push @cfgarr, 'AcceptEnv';
-}
if(sshd_supports_opt('AddressFamily','any')) {
# Address family must be specified before ListenAddress
splice @cfgarr, 14, 0, 'AddressFamily any';
@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
# RemoteForward : OpenSSH 1.2.1 and later [3]
# RhostsRSAAuthentication : OpenSSH 1.2.1 and later
# RSAAuthentication : OpenSSH 1.2.1 and later
-# SendEnv : OpenSSH 3.9.0 and later
# ServerAliveCountMax : OpenSSH 3.8.0 and later
# ServerAliveInterval : OpenSSH 3.8.0 and later
# SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
push @cfgarr, 'RekeyLimit 1G';
}
-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
- push @cfgarr, 'SendEnv';
-}
-
if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
(($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
push @cfgarr, 'ServerAliveCountMax 3';
--
2.34.1

@ -0,0 +1,70 @@
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Jun 2022 09:27:24 +0200
Subject: [PATCH] krb5: return error properly on decode errors
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/krb5.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/lib/krb5.c b/lib/krb5.c
index 787137c..6f9e1f7 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
enc.value = buf;
enc.length = len;
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
- if(maj != GSS_S_COMPLETE) {
- if(len >= 4)
- strcpy(buf, "599 ");
+ if(maj != GSS_S_COMPLETE)
return -1;
- }
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
{
int len;
CURLcode result;
+ int nread;
result = socket_read(fd, &len, sizeof(len));
if(result)
@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- buf->data = Curl_saferealloc(buf->data, len);
+ if(len > CURL_MAX_INPUT_LENGTH)
+ len = 0;
+ else
+ buf->data = Curl_saferealloc(buf->data, len);
}
if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
result = socket_read(fd, buf->data, len);
if(result)
return result;
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
- conn->data_prot, conn);
+ nread = conn->mech->decode(conn->app_data, buf->data, len,
+ conn->data_prot, conn);
+ if(nread < 0)
+ return CURLE_RECV_ERROR;
+ buf->size = (size_t)nread;
buf->index = 0;
return CURLE_OK;
}
--
2.35.3

@ -0,0 +1,143 @@
From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 16 May 2022 16:28:13 +0200
Subject: [PATCH 1/2] content_encoding: return error on too many compression
steps
The max allowed steps is arbitrarily set to 5.
Bug: https://curl.se/docs/CVE-2022-32206.html
CVE-2022-32206
Reported-by: Harry Sintonen
Closes #9049
Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/content_encoding.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index c03637a..6f994b3 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name,
return NULL;
}
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
/* Set-up the unencoding stack from the Content-Encoding header value.
* See RFC 7231 section 3.1.2.2. */
CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
const char *enclist, int maybechunked)
{
struct SingleRequest *k = &data->req;
+ int counter = 0;
do {
const char *name;
@@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
if(!encoding)
encoding = &error_encoding; /* Defer error at stack use. */
+ if(++counter >= MAX_ENCODE_STACK) {
+ failf(data, "Reject response due to %u content encodings",
+ counter);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
/* Stack the unencoding stage. */
writer = new_unencoding_writer(data, encoding, k->writer_stack);
if(!writer)
--
2.35.3
From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 16 May 2022 16:29:07 +0200
Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 1 +
tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
create mode 100644 tests/data/test387
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 98d5516..9b5f4fb 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \
test352 test353 test354 test355 test356 test357 test358 test359 test360 \
test361 test362 \
\
+test387 \
test393 test394 test395 test396 test397 \
\
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
diff --git a/tests/data/test387 b/tests/data/test387
new file mode 100644
index 0000000..015ec25
--- /dev/null
+++ b/tests/data/test387
@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+gzip
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Response with overly long compression chain
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+
+# CURLE_BAD_CONTENT_ENCODING is 61
+<errorcode>
+61
+</errorcode>
+<stderr mode="text">
+curl: (61) Reject response due to 5 content encodings
+</stderr>
+</verify>
+</testcase>
--
2.35.3

@ -0,0 +1,425 @@
From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 25 May 2022 10:09:53 +0200
Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
Bug: https://curl.se/docs/CVE-2022-32207.html
CVE-2022-32207
Reported-by: Harry Sintonen
Closes #9050
Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
CMakeLists.txt | 1 +
configure.ac | 1 +
lib/Makefile.inc | 2 +
lib/cookie.c | 17 ++----
lib/curl_config.h.cmake | 3 ++
lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
lib/fopen.h | 30 +++++++++++
7 files changed, 154 insertions(+), 13 deletions(-)
create mode 100644 lib/fopen.c
create mode 100644 lib/fopen.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b77de6d..a0bfaad 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -982,6 +982,7 @@ elseif(HAVE_LIBSOCKET)
set(CMAKE_REQUIRED_LIBRARIES socket)
endif()
+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
diff --git a/configure.ac b/configure.ac
index d431870..7433bb9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4516,6 +4516,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
AC_CHECK_FUNCS([fnmatch \
+ fchmod \
geteuid \
getpass_r \
getppid \
diff --git a/lib/Makefile.inc b/lib/Makefile.inc
index e8f110f..5139b03 100644
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@@ -130,6 +130,7 @@ LIB_CFILES = \
escape.c \
file.c \
fileinfo.c \
+ fopen.c \
formdata.c \
ftp.c \
ftplistparser.c \
@@ -261,6 +262,7 @@ LIB_HFILES = \
escape.h \
file.h \
fileinfo.h \
+ fopen.h \
formdata.h \
ftp.h \
ftplistparser.h \
diff --git a/lib/cookie.c b/lib/cookie.c
index 8a6aa1a..cb0c03b 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -97,8 +97,8 @@ Example set of cookies:
#include "curl_memrchr.h"
#include "inet_pton.h"
#include "parsedate.h"
-#include "rand.h"
#include "rename.h"
+#include "fopen.h"
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
@@ -1537,17 +1537,8 @@ static int cookie_output(struct Curl_easy *data,
use_stdout = TRUE;
}
else {
- unsigned char randsuffix[9];
-
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
- return 2;
-
- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
- if(!tempstore)
- return 1;
-
- out = fopen(tempstore, FOPEN_WRITETEXT);
- if(!out)
+ error = Curl_fopen(data, filename, &out, &tempstore);
+ if(error)
goto error;
}
@@ -1594,7 +1585,7 @@ static int cookie_output(struct Curl_easy *data,
if(!use_stdout) {
fclose(out);
out = NULL;
- if(Curl_rename(tempstore, filename)) {
+ if(tempstore && Curl_rename(tempstore, filename)) {
unlink(tempstore);
goto error;
}
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index d2a0f43..c254359 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -148,6 +148,9 @@
/* Define to 1 if you have the <assert.h> header file. */
#cmakedefine HAVE_ASSERT_H 1
+/* Define to 1 if you have the `fchmod' function. */
+#cmakedefine HAVE_FCHMOD 1
+
/* Define to 1 if you have the `basename' function. */
#cmakedefine HAVE_BASENAME 1
diff --git a/lib/fopen.c b/lib/fopen.c
new file mode 100644
index 0000000..ad3691b
--- /dev/null
+++ b/lib/fopen.c
@@ -0,0 +1,113 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
+ defined(USE_HSTS)
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#include "urldata.h"
+#include "rand.h"
+#include "fopen.h"
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+#include "memdebug.h"
+
+/*
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
+ * to the final name when completed. If there is an existing file using this
+ * name at the time of the open, this function will clone the mode from that
+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
+ * written.
+ */
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ FILE **fh, char **tempname)
+{
+ CURLcode result = CURLE_WRITE_ERROR;
+ unsigned char randsuffix[9];
+ char *tempstore = NULL;
+ struct_stat sb;
+ int fd = -1;
+ *tempname = NULL;
+
+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+ /* a non-regular file, fallback to direct fopen() */
+ *fh = fopen(filename, FOPEN_WRITETEXT);
+ if(*fh)
+ return CURLE_OK;
+ goto fail;
+ }
+
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+ if(result)
+ goto fail;
+
+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+ if(!tempstore) {
+ result = CURLE_OUT_OF_MEMORY;
+ goto fail;
+ }
+
+ result = CURLE_WRITE_ERROR;
+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ if(fd == -1)
+ goto fail;
+
+#ifdef HAVE_FCHMOD
+ {
+ struct_stat nsb;
+ if((fstat(fd, &nsb) != -1) &&
+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
+ /* if the user and group are the same, clone the original mode */
+ if(fchmod(fd, sb.st_mode) == -1)
+ goto fail;
+ }
+ }
+#endif
+
+ *fh = fdopen(fd, FOPEN_WRITETEXT);
+ if(!*fh)
+ goto fail;
+
+ *tempname = tempstore;
+ return CURLE_OK;
+
+fail:
+ if(fd != -1) {
+ close(fd);
+ unlink(tempstore);
+ }
+
+ free(tempstore);
+
+ *tempname = NULL;
+ return result;
+}
+
+#endif /* ! disabled */
diff --git a/lib/fopen.h b/lib/fopen.h
new file mode 100644
index 0000000..289e55f
--- /dev/null
+++ b/lib/fopen.h
@@ -0,0 +1,30 @@
+#ifndef HEADER_CURL_FOPEN_H
+#define HEADER_CURL_FOPEN_H
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ FILE **fh, char **tempname);
+
+#endif
--
2.35.3
From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 25 May 2022 10:09:53 +0200
Subject: [PATCH 2/3] altsvc: use Curl_fopen()
Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/altsvc.c | 22 ++++++----------------
1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/lib/altsvc.c b/lib/altsvc.c
index 242733b..4dc4078 100644
--- a/lib/altsvc.c
+++ b/lib/altsvc.c
@@ -34,7 +34,7 @@
#include "parsedate.h"
#include "sendf.h"
#include "warnless.h"
-#include "rand.h"
+#include "fopen.h"
#include "rename.h"
/* The last 3 #include files should be in this order */
@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
struct Curl_llist_element *n;
CURLcode result = CURLE_OK;
FILE *out;
- char *tempstore;
- unsigned char randsuffix[9];
+ char *tempstore = NULL;
if(!altsvc)
/* no cache activated */
@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
/* marked as read-only, no file or zero length file name */
return CURLE_OK;
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
- return CURLE_FAILED_INIT;
-
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
- if(!tempstore)
- return CURLE_OUT_OF_MEMORY;
-
- out = fopen(tempstore, FOPEN_WRITETEXT);
- if(!out)
- result = CURLE_WRITE_ERROR;
- else {
+ result = Curl_fopen(data, file, &out, &tempstore);
+ if(!result) {
fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
"# This file was generated by libcurl! Edit at your own risk.\n",
out);
@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
break;
}
fclose(out);
- if(!result && Curl_rename(tempstore, file))
+ if(!result && tempstore && Curl_rename(tempstore, file))
result = CURLE_WRITE_ERROR;
- if(result)
+ if(result && tempstore)
unlink(tempstore);
}
free(tempstore);
--
2.35.3
From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 25 May 2022 10:09:54 +0200
Subject: [PATCH 3/3] hsts: use Curl_fopen()
Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/hsts.c | 22 ++++++----------------
1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/lib/hsts.c b/lib/hsts.c
index b9fa6f7..9d54c82 100644
--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -35,7 +35,7 @@
#include "sendf.h"
#include "strtoofft.h"
#include "parsedate.h"
-#include "rand.h"
+#include "fopen.h"
#include "rename.h"
/* The last 3 #include files should be in this order */
@@ -316,8 +316,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
struct Curl_llist_element *n;
CURLcode result = CURLE_OK;
FILE *out;
- char *tempstore;
- unsigned char randsuffix[9];
+ char *tempstore = NULL;
if(!h)
/* no cache activated */
@@ -331,17 +330,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
/* marked as read-only, no file or zero length file name */
goto skipsave;
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
- return CURLE_FAILED_INIT;
-
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
- if(!tempstore)
- return CURLE_OUT_OF_MEMORY;
-
- out = fopen(tempstore, FOPEN_WRITETEXT);
- if(!out)
- result = CURLE_WRITE_ERROR;
- else {
+ result = Curl_fopen(data, file, &out, &tempstore);
+ if(!result) {
fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
"# This file was generated by libcurl! Edit at your own risk.\n",
out);
@@ -353,10 +343,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
break;
}
fclose(out);
- if(!result && Curl_rename(tempstore, file))
+ if(!result && tempstore && Curl_rename(tempstore, file))
result = CURLE_WRITE_ERROR;
- if(result)
+ if(result && tempstore)
unlink(tempstore);
}
free(tempstore);
--
2.35.3

@ -0,0 +1,186 @@
From c2acc48854be9f8590e57a7b44b649fb8537bed4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 May 2021 16:14:13 +0200
Subject: [PATCH] openldap: replace ldap_ prefix on private functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
least) there's a symbol collision because of that.
The private functions now use the 'oldap_' prefix where it previously
used 'ldap_'.
Reported-by: 3eka on github
Fixes #7004
Closes #7005
Upstream-commit: 8bdde6b14ce3b5fd71c772a578fcbd4b6fa6df19
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/openldap.c | 67 +++++++++++++++++++++++++-------------------------
1 file changed, 34 insertions(+), 33 deletions(-)
diff --git a/lib/openldap.c b/lib/openldap.c
index b515554..5a32c74 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -76,16 +76,16 @@ extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url,
LDAP **ld);
#endif
-static CURLcode ldap_setup_connection(struct Curl_easy *data,
- struct connectdata *conn);
-static CURLcode ldap_do(struct Curl_easy *data, bool *done);
-static CURLcode ldap_done(struct Curl_easy *data, CURLcode, bool);
-static CURLcode ldap_connect(struct Curl_easy *data, bool *done);
-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done);
-static CURLcode ldap_disconnect(struct Curl_easy *data,
- struct connectdata *conn, bool dead);
+static CURLcode oldap_setup_connection(struct Curl_easy *data,
+ struct connectdata *conn);
+static CURLcode oldap_do(struct Curl_easy *data, bool *done);
+static CURLcode oldap_done(struct Curl_easy *data, CURLcode, bool);
+static CURLcode oldap_connect(struct Curl_easy *data, bool *done);
+static CURLcode oldap_connecting(struct Curl_easy *data, bool *done);
+static CURLcode oldap_disconnect(struct Curl_easy *data,
+ struct connectdata *conn, bool dead);
-static Curl_recv ldap_recv;
+static Curl_recv oldap_recv;
/*
* LDAP protocol handler.
@@ -93,18 +93,18 @@ static Curl_recv ldap_recv;
const struct Curl_handler Curl_handler_ldap = {
"LDAP", /* scheme */
- ldap_setup_connection, /* setup_connection */
- ldap_do, /* do_it */
- ldap_done, /* done */
+ oldap_setup_connection, /* setup_connection */
+ oldap_do, /* do_it */
+ oldap_done, /* done */
ZERO_NULL, /* do_more */
- ldap_connect, /* connect_it */
- ldap_connecting, /* connecting */
+ oldap_connect, /* connect_it */
+ oldap_connecting, /* connecting */
ZERO_NULL, /* doing */
ZERO_NULL, /* proto_getsock */
ZERO_NULL, /* doing_getsock */
ZERO_NULL, /* domore_getsock */
ZERO_NULL, /* perform_getsock */
- ldap_disconnect, /* disconnect */
+ oldap_disconnect, /* disconnect */
ZERO_NULL, /* readwrite */
ZERO_NULL, /* connection_check */
ZERO_NULL, /* attach connection */
@@ -121,18 +121,18 @@ const struct Curl_handler Curl_handler_ldap = {
const struct Curl_handler Curl_handler_ldaps = {
"LDAPS", /* scheme */
- ldap_setup_connection, /* setup_connection */
- ldap_do, /* do_it */
- ldap_done, /* done */
+ oldap_setup_connection, /* setup_connection */
+ oldap_do, /* do_it */
+ oldap_done, /* done */
ZERO_NULL, /* do_more */
- ldap_connect, /* connect_it */
- ldap_connecting, /* connecting */
+ oldap_connect, /* connect_it */
+ oldap_connecting, /* connecting */
ZERO_NULL, /* doing */
ZERO_NULL, /* proto_getsock */
ZERO_NULL, /* doing_getsock */
ZERO_NULL, /* domore_getsock */
ZERO_NULL, /* perform_getsock */
- ldap_disconnect, /* disconnect */
+ oldap_disconnect, /* disconnect */
ZERO_NULL, /* readwrite */
ZERO_NULL, /* connection_check */
ZERO_NULL, /* attach connection */
@@ -173,8 +173,8 @@ struct ldapreqinfo {
int nument;
};
-static CURLcode ldap_setup_connection(struct Curl_easy *data,
- struct connectdata *conn)
+static CURLcode oldap_setup_connection(struct Curl_easy *data,
+ struct connectdata *conn)
{
struct ldapconninfo *li;
LDAPURLDesc *lud;
@@ -209,7 +209,7 @@ static CURLcode ldap_setup_connection(struct Curl_easy *data,
static Sockbuf_IO ldapsb_tls;
#endif
-static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
+static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
{
struct connectdata *conn = data->conn;
struct ldapconninfo *li = conn->proto.ldapc;
@@ -257,7 +257,7 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
return CURLE_OK;
}
-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
+static CURLcode oldap_connecting(struct Curl_easy *data, bool *done)
{
struct connectdata *conn = data->conn;
struct ldapconninfo *li = conn->proto.ldapc;
@@ -356,14 +356,15 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
if(info)
ldap_memfree(info);
- conn->recv[FIRSTSOCKET] = ldap_recv;
+ conn->recv[FIRSTSOCKET] = oldap_recv;
*done = TRUE;
return CURLE_OK;
}
-static CURLcode ldap_disconnect(struct Curl_easy *data,
- struct connectdata *conn, bool dead_connection)
+static CURLcode oldap_disconnect(struct Curl_easy *data,
+ struct connectdata *conn,
+ bool dead_connection)
{
struct ldapconninfo *li = conn->proto.ldapc;
(void) dead_connection;
@@ -384,7 +385,7 @@ static CURLcode ldap_disconnect(struct Curl_easy *data,
return CURLE_OK;
}
-static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+static CURLcode oldap_do(struct Curl_easy *data, bool *done)
{
struct connectdata *conn = data->conn;
struct ldapconninfo *li = conn->proto.ldapc;
@@ -429,8 +430,8 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
return CURLE_OK;
}
-static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
- bool premature)
+static CURLcode oldap_done(struct Curl_easy *data, CURLcode res,
+ bool premature)
{
struct connectdata *conn = data->conn;
struct ldapreqinfo *lr = data->req.p.ldap;
@@ -452,8 +453,8 @@ static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
return CURLE_OK;
}
-static ssize_t ldap_recv(struct Curl_easy *data, int sockindex, char *buf,
- size_t len, CURLcode *err)
+static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf,
+ size_t len, CURLcode *err)
{
struct connectdata *conn = data->conn;
struct ldapconninfo *li = conn->proto.ldapc;
--
2.35.3

@ -0,0 +1,91 @@
From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 12 Apr 2013 12:04:05 +0200
Subject: [PATCH] prevent multilib conflicts on the curl-config script
---
curl-config.in | 23 +++++------------------
docs/curl-config.1 | 4 +++-
libcurl.pc.in | 1 +
3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/curl-config.in b/curl-config.in
index 150004d..95d0759 100644
--- a/curl-config.in
+++ b/curl-config.in
@@ -76,7 +76,7 @@ while test $# -gt 0; do
;;
--cc)
- echo "@CC@"
+ echo "gcc"
;;
--prefix)
@@ -155,32 +155,19 @@ while test $# -gt 0; do
;;
--libs)
- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
- CURLLIBDIR="-L@libdir@ "
- else
- CURLLIBDIR=""
- fi
- if test "X@ENABLE_SHARED@" = "Xno"; then
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
- else
- echo ${CURLLIBDIR}-lcurl
- fi
+ echo -lcurl
;;
--ssl-backends)
echo "@SSL_BACKENDS@"
;;
--static-libs)
- if test "X@ENABLE_STATIC@" != "Xno" ; then
- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
- else
- echo "curl was built with static libraries disabled" >&2
- exit 1
- fi
+ echo "curl was built with static libraries disabled" >&2
+ exit 1
;;
--configure)
- echo @CONFIGURE_OPTIONS@
+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
;;
*)
diff --git a/docs/curl-config.1 b/docs/curl-config.1
index 14a9d2b..ffcc004 100644
--- a/docs/curl-config.1
+++ b/docs/curl-config.1
@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
comma-separated. (Added in 7.58.0)
.IP "--static-libs"
Shows the complete set of libs and other linker options you will need in order
-to link your application with libcurl statically. (Added in 7.17.1)
+to link your application with libcurl statically. Note that Fedora/RHEL libcurl
+packages do not provide any static libraries, thus cannot be linked statically.
+(Added in 7.17.1)
.IP "--version"
Outputs version information about the installed libcurl.
.IP "--vernum"
diff --git a/libcurl.pc.in b/libcurl.pc.in
index 2ba9c39..f8f8b00 100644
--- a/libcurl.pc.in
+++ b/libcurl.pc.in
@@ -29,6 +29,7 @@ libdir=@libdir@
includedir=@includedir@
supported_protocols="@SUPPORT_PROTOCOLS@"
supported_features="@SUPPORT_FEATURES@"
+configure_options=@CONFIGURE_OPTIONS@
Name: libcurl
URL: https://curl.se/
--
2.26.2

@ -0,0 +1,61 @@
From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 31 Oct 2012 11:38:30 +0100
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
(#496778)
---
m4/curl-compilers.m4 | 26 ++++++--------------------
1 file changed, 6 insertions(+), 20 deletions(-)
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
index c64db4bc6..d115a4aed 100644
--- a/m4/curl-compilers.m4
+++ b/m4/curl-compilers.m4
@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
clangvhi=`echo $clangver | cut -d . -f1`
clangvlo=`echo $clangver | cut -d . -f2`
compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
- flags_dbg_all="$flags_dbg_all -ggdb"
- flags_dbg_all="$flags_dbg_all -gstabs"
- flags_dbg_all="$flags_dbg_all -gstabs+"
- flags_dbg_all="$flags_dbg_all -gcoff"
- flags_dbg_all="$flags_dbg_all -gxcoff"
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
- flags_dbg_all="$flags_dbg_all -gvms"
+ flags_dbg_all=""
flags_dbg_yes="-g"
flags_dbg_off=""
- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
- flags_opt_yes="-Os"
+ flags_opt_all=""
+ flags_opt_yes=""
flags_opt_off="-O0"
else
AC_MSG_RESULT([no])
@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
- flags_dbg_all="$flags_dbg_all -ggdb"
- flags_dbg_all="$flags_dbg_all -gstabs"
- flags_dbg_all="$flags_dbg_all -gstabs+"
- flags_dbg_all="$flags_dbg_all -gcoff"
- flags_dbg_all="$flags_dbg_all -gxcoff"
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
- flags_dbg_all="$flags_dbg_all -gvms"
+ flags_dbg_all=""
flags_dbg_yes="-g"
flags_dbg_off=""
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
- flags_opt_yes="-O2"
+ flags_opt_all=""
+ flags_opt_yes=""
flags_opt_off="-O0"
CURL_CHECK_DEF([_WIN32], [], [silent])
else
--
1.7.1

@ -0,0 +1,39 @@
From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 4 Feb 2019 17:32:56 +0100
Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
... to prevent valgrind from reporting false positives on x86_64:
Conditional jump or move depends on uninitialised value(s)
at 0x10BCAA: part2id (lib1560.c:489)
by 0x10BCAA: updateurl (lib1560.c:521)
by 0x10BCAA: set_parts (lib1560.c:630)
by 0x10BCAA: test (lib1560.c:802)
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
Conditional jump or move depends on uninitialised value(s)
at 0x10BCC3: part2id (lib1560.c:491)
by 0x10BCC3: updateurl (lib1560.c:521)
by 0x10BCC3: set_parts (lib1560.c:630)
by 0x10BCC3: test (lib1560.c:802)
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
---
tests/libtest/Makefile.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
index 080421b..ea3b806 100644
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
lib1559_LDADD = $(TESTUTIL_LIBS)
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
lib1560_LDADD = $(TESTUTIL_LIBS)
lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--
2.17.2

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save