首頁 探索 說明
登入
iank
/
libreCMC
派生自 libreCMC/libreCMC
1
0
複刻 0
檔案
分支: v1.4
分支列表 標籤列表
libreCMC
/
package
/
network
/
utils
/
curl
/
patches
/
102-CVE-2017-7468.patch

102-CVE-2017-7468.patch 9.1 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264 
  1. From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jay Satiro <raysatiro@yahoo.com>
    3. 

  3. Date: Wed, 22 Mar 2017 01:59:49 -0400
    4. 

  4. Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
    5. 

  5.  used
    6. 

  6. 

  7. - Move the sessionid flag to ssl_primary_config so that ssl and
    8. 

  8.   proxy_ssl will each have their own sessionid flag.
    9. 

  9. 

  10. Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
    11. 

  11. this issue had been fixed in 247d890, CVE-2016-5419.
    12. 

  12. 

  13. Bug: https://github.com/curl/curl/issues/1341
    14. 

  14. Reported-by: lijian996@users.noreply.github.com
    15. 

  15. ---
    16. 

  16.  lib/url.c            | 5 +++--
    17. 

  17.  lib/urldata.h        | 2 +-
    18. 

  18.  lib/vtls/axtls.c     | 4 ++--
    19. 

  19.  lib/vtls/cyassl.c    | 4 ++--
    20. 

  20.  lib/vtls/darwinssl.c | 2 +-
    21. 

  21.  lib/vtls/gtls.c      | 4 ++--
    22. 

  22.  lib/vtls/mbedtls.c   | 4 ++--
    23. 

  23.  lib/vtls/nss.c       | 2 +-
    24. 

  24.  lib/vtls/openssl.c   | 4 ++--
    25. 

  25.  lib/vtls/polarssl.c  | 4 ++--
    26. 

  26.  lib/vtls/schannel.c  | 4 ++--
    27. 

  27.  lib/vtls/vtls.c      | 9 ++++++---
    28. 

  28.  12 files changed, 26 insertions(+), 22 deletions(-)
    29. 

  29. 

  30. --- a/lib/url.c
    31. 

  31. +++ b/lib/url.c
    32. 

  32. @@ -548,7 +548,7 @@ CURLcode Curl_init_userdefined(struct Us
    33. 

  33.  #endif
    34. 

  34.    set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
    35. 

  35.                                                        type */
    36. 

  36. -  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
    37. 

  37. +  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
    38. 

  38.                                          default */
    39. 

  39.    set->proxy_ssl = set->ssl;
    40. 

  40.  
    41. 

  41. @@ -2470,8 +2470,9 @@ CURLcode Curl_setopt(struct Curl_easy *d
    42. 

  42.      break;
    43. 

  43.  
    44. 

  44.    case CURLOPT_SSL_SESSIONID_CACHE:
    45. 

  45. -    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
    46. 

  46. +    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
    47. 

  47.                                        TRUE : FALSE;
    48. 

  48. +    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
    49. 

  49.      break;
    50. 

  50.  
    51. 

  51.  #ifdef USE_LIBSSH2
    52. 

  52. --- a/lib/urldata.h
    53. 

  53. +++ b/lib/urldata.h
    54. 

  54. @@ -354,6 +354,7 @@ struct ssl_primary_config {
    55. 

  55.    char *random_file;     /* path to file containing "random" data */
    56. 

  56.    char *egdsocket;       /* path to file containing the EGD daemon socket */
    57. 

  57.    char *cipher_list;     /* list of ciphers to use */
    58. 

  58. +  bool sessionid;        /* cache session IDs or not */
    59. 

  59.  };
    60. 

  60.  
    61. 

  61.  struct ssl_config_data {
    62. 

  62. @@ -383,7 +384,6 @@ struct ssl_config_data {
    63. 

  63.  };
    64. 

  64.  
    65. 

  65.  struct ssl_general_config {
    66. 

  66. -  bool sessionid; /* cache session IDs or not */
    67. 

  67.    size_t max_ssl_sessions; /* SSL session id cache size */
    68. 

  68.  };
    69. 

  69.  
    70. 

  70. --- a/lib/vtls/axtls.c
    71. 

  71. +++ b/lib/vtls/axtls.c
    72. 

  72. @@ -256,7 +256,7 @@ static CURLcode connect_prep(struct conn
    73. 

  73.     * 2) setting up callbacks.  these seem gnutls specific
    74. 

  74.     */
    75. 

  75.  
    76. 

  76. -  if(data->set.general_ssl.sessionid) {
    77. 

  77. +  if(SSL_SET_OPTION(primary.sessionid)) {
    78. 

  78.      const uint8_t *ssl_sessionid;
    79. 

  79.      size_t ssl_idsize;
    80. 

  80.  
    81. 

  81. @@ -386,7 +386,7 @@ static CURLcode connect_finish(struct co
    82. 

  82.    conn->send[sockindex] = axtls_send;
    83. 

  83.  
    84. 

  84.    /* Put our freshly minted SSL session in cache */
    85. 

  85. -  if(data->set.general_ssl.sessionid) {
    86. 

  86. +  if(SSL_SET_OPTION(primary.sessionid)) {
    87. 

  87.      const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
    88. 

  88.      size_t ssl_idsize = ssl_get_session_id(ssl);
    89. 

  89.      Curl_ssl_sessionid_lock(conn);
    90. 

  90. --- a/lib/vtls/cyassl.c
    91. 

  91. +++ b/lib/vtls/cyassl.c
    92. 

  92. @@ -383,7 +383,7 @@ cyassl_connect_step1(struct connectdata
    93. 

  93.  #endif /* HAVE_ALPN */
    94. 

  94.  
    95. 

  95.    /* Check if there's a cached ID we can/should use here! */
    96. 

  96. -  if(data->set.general_ssl.sessionid) {
    97. 

  97. +  if(SSL_SET_OPTION(primary.sessionid)) {
    98. 

  98.      void *ssl_sessionid = NULL;
    99. 

  99.  
    100. 

  100.      Curl_ssl_sessionid_lock(conn);
    101. 

  101. @@ -597,7 +597,7 @@ cyassl_connect_step3(struct connectdata
    102. 

  102.  
    103. 

  103.    DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
    104. 

  104.  
    105. 

  105. -  if(data->set.general_ssl.sessionid) {
    106. 

  106. +  if(SSL_SET_OPTION(primary.sessionid)) {
    107. 

  107.      bool incache;
    108. 

  108.      SSL_SESSION *our_ssl_sessionid;
    109. 

  109.      void *old_ssl_sessionid = NULL;
    110. 

  110. --- a/lib/vtls/darwinssl.c
    111. 

  111. +++ b/lib/vtls/darwinssl.c
    112. 

  112. @@ -1541,7 +1541,7 @@ static CURLcode darwinssl_connect_step1(
    113. 

  113.  #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
    114. 

  114.  
    115. 

  115.    /* Check if there's a cached ID we can/should use here! */
    116. 

  116. -  if(data->set.general_ssl.sessionid) {
    117. 

  117. +  if(SSL_SET_OPTION(primary.sessionid)) {
    118. 

  118.      char *ssl_sessionid;
    119. 

  119.      size_t ssl_sessionid_len;
    120. 

  120.  
    121. 

  121. --- a/lib/vtls/gtls.c
    122. 

  122. +++ b/lib/vtls/gtls.c
    123. 

  123. @@ -782,7 +782,7 @@ gtls_connect_step1(struct connectdata *c
    124. 

  124.  
    125. 

  125.    /* This might be a reconnect, so we check for a session ID in the cache
    126. 

  126.       to speed up things */
    127. 

  127. -  if(data->set.general_ssl.sessionid) {
    128. 

  128. +  if(SSL_SET_OPTION(primary.sessionid)) {
    129. 

  129.      void *ssl_sessionid;
    130. 

  130.      size_t ssl_idsize;
    131. 

  131.  
    132. 

  132. @@ -1311,7 +1311,7 @@ gtls_connect_step3(struct connectdata *c
    133. 

  133.    conn->recv[sockindex] = gtls_recv;
    134. 

  134.    conn->send[sockindex] = gtls_send;
    135. 

  135.  
    136. 

  136. -  if(data->set.general_ssl.sessionid) {
    137. 

  137. +  if(SSL_SET_OPTION(primary.sessionid)) {
    138. 

  138.      /* we always unconditionally get the session id here, as even if we
    139. 

  139.         already got it from the cache and asked to use it in the connection, it
    140. 

  140.         might've been rejected and then a new one is in use now and we need to
    141. 

  141. --- a/lib/vtls/mbedtls.c
    142. 

  142. +++ b/lib/vtls/mbedtls.c
    143. 

  143. @@ -374,7 +374,7 @@ mbed_connect_step1(struct connectdata *c
    144. 

  144.                                  mbedtls_ssl_list_ciphersuites());
    145. 

  145.  
    146. 

  146.    /* Check if there's a cached ID we can/should use here! */
    147. 

  147. -  if(data->set.general_ssl.sessionid) {
    148. 

  148. +  if(SSL_SET_OPTION(primary.sessionid)) {
    149. 

  149.      void *old_session = NULL;
    150. 

  150.  
    151. 

  151.      Curl_ssl_sessionid_lock(conn);
    152. 

  152. @@ -618,7 +618,7 @@ mbed_connect_step3(struct connectdata *c
    153. 

  153.  
    154. 

  154.    DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
    155. 

  155.  
    156. 

  156. -  if(data->set.general_ssl.sessionid) {
    157. 

  157. +  if(SSL_SET_OPTION(primary.sessionid)) {
    158. 

  158.      int ret;
    159. 

  159.      mbedtls_ssl_session *our_ssl_sessionid;
    160. 

  160.      void *old_ssl_sessionid = NULL;
    161. 

  161. --- a/lib/vtls/nss.c
    162. 

  162. +++ b/lib/vtls/nss.c
    163. 

  163. @@ -1696,7 +1696,7 @@ static CURLcode nss_setup_connect(struct
    164. 

  164.      goto error;
    165. 

  165.  
    166. 

  166.    /* do not use SSL cache if disabled or we are not going to verify peer */
    167. 

  167. -  ssl_no_cache = (data->set.general_ssl.sessionid
    168. 

  168. +  ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
    169. 

  169.                    && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
    170. 

  170.    if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
    171. 

  171.      goto error;
    172. 

  172. --- a/lib/vtls/openssl.c
    173. 

  173. +++ b/lib/vtls/openssl.c
    174. 

  174. @@ -2161,7 +2161,7 @@ static CURLcode ossl_connect_step1(struc
    175. 

  175.  #endif
    176. 

  176.  
    177. 

  177.    /* Check if there's a cached ID we can/should use here! */
    178. 

  178. -  if(data->set.general_ssl.sessionid) {
    179. 

  179. +  if(SSL_SET_OPTION(primary.sessionid)) {
    180. 

  180.      void *ssl_sessionid = NULL;
    181. 

  181.  
    182. 

  182.      Curl_ssl_sessionid_lock(conn);
    183. 

  183. @@ -2915,7 +2915,7 @@ static CURLcode ossl_connect_step3(struc
    184. 

  184.  
    185. 

  185.    DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
    186. 

  186.  
    187. 

  187. -  if(data->set.general_ssl.sessionid) {
    188. 

  188. +  if(SSL_SET_OPTION(primary.sessionid)) {
    189. 

  189.      bool incache;
    190. 

  190.      SSL_SESSION *our_ssl_sessionid;
    191. 

  191.      void *old_ssl_sessionid = NULL;
    192. 

  192. --- a/lib/vtls/polarssl.c
    193. 

  193. +++ b/lib/vtls/polarssl.c
    194. 

  194. @@ -327,7 +327,7 @@ polarssl_connect_step1(struct connectdat
    195. 

  195.    ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
    196. 

  196.  
    197. 

  197.    /* Check if there's a cached ID we can/should use here! */
    198. 

  198. -  if(data->set.general_ssl.sessionid) {
    199. 

  199. +  if(SSL_SET_OPTION(primary.sessionid)) {
    200. 

  200.      void *old_session = NULL;
    201. 

  201.  
    202. 

  202.      Curl_ssl_sessionid_lock(conn);
    203. 

  203. @@ -555,7 +555,7 @@ polarssl_connect_step3(struct connectdat
    204. 

  204.  
    205. 

  205.    DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
    206. 

  206.  
    207. 

  207. -  if(data->set.general_ssl.sessionid) {
    208. 

  208. +  if(SSL_SET_OPTION(primary.sessionid)) {
    209. 

  209.      int ret;
    210. 

  210.      ssl_session *our_ssl_sessionid;
    211. 

  211.      void *old_ssl_sessionid = NULL;
    212. 

  212. --- a/lib/vtls/schannel.c
    213. 

  213. +++ b/lib/vtls/schannel.c
    214. 

  214. @@ -145,7 +145,7 @@ schannel_connect_step1(struct connectdat
    215. 

  215.    connssl->cred = NULL;
    216. 

  216.  
    217. 

  217.    /* check for an existing re-usable credential handle */
    218. 

  218. -  if(data->set.general_ssl.sessionid) {
    219. 

  219. +  if(SSL_SET_OPTION(primary.sessionid)) {
    220. 

  220.      Curl_ssl_sessionid_lock(conn);
    221. 

  221.      if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
    222. 

  222.        connssl->cred = old_cred;
    223. 

  223. @@ -714,7 +714,7 @@ schannel_connect_step3(struct connectdat
    224. 

  224.  #endif
    225. 

  225.  
    226. 

  226.    /* save the current session data for possible re-use */
    227. 

  227. -  if(data->set.general_ssl.sessionid) {
    228. 

  228. +  if(SSL_SET_OPTION(primary.sessionid)) {
    229. 

  229.      bool incache;
    230. 

  230.      struct curl_schannel_cred *old_cred = NULL;
    231. 

  231.  
    232. 

  232. --- a/lib/vtls/vtls.c
    233. 

  233. +++ b/lib/vtls/vtls.c
    234. 

  234. @@ -120,6 +120,9 @@ Curl_clone_primary_ssl_config(struct ssl
    235. 

  235.    CLONE_STRING(egdsocket);
    236. 

  236.    CLONE_STRING(random_file);
    237. 

  237.    CLONE_STRING(clientcert);
    238. 

  238. +
    239. 

  239. +  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
    240. 

  240. +  dest->sessionid = (dest->clientcert ? false : source->sessionid);
    241. 

  241.    return TRUE;
    242. 

  242.  }
    243. 

  243.  
    244. 

  244. @@ -293,9 +296,9 @@ bool Curl_ssl_getsessionid(struct connec
    245. 

  245.    int port = isProxy ? (int)conn->port : conn->remote_port;
    246. 

  246.    *ssl_sessionid = NULL;
    247. 

  247.  
    248. 

  248. -  DEBUGASSERT(data->set.general_ssl.sessionid);
    249. 

  249. +  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
    250. 

  250.  
    251. 

  251. -  if(!data->set.general_ssl.sessionid)
    252. 

  252. +  if(!SSL_SET_OPTION(primary.sessionid))
    253. 

  253.      /* session ID re-use is disabled */
    254. 

  254.      return TRUE;
    255. 

  255.  
    256. 

  256. @@ -397,7 +400,7 @@ CURLcode Curl_ssl_addsessionid(struct co
    257. 

  257.                                             &conn->proxy_ssl_config :
    258. 

  258.                                             &conn->ssl_config;
    259. 

  259.  
    260. 

  260. -  DEBUGASSERT(data->set.general_ssl.sessionid);
    261. 

  261. +  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
    262. 

  262.  
    263. 

  263.    clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
    264. 

  264.    if(!clone_host)
    265.